ISAserver.org Newsletter of July 2007

ISAserver.org Monthly Newsletter of July 2007 Sponsored by: Burstek

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Why ISA Users Choose Burstek Internet Security Software

Burstek makes serious Internet security easy for ISA users. Because it was created specifically for Microsoft and ISA environments, Burstek is easy to install & administer, and delivers feature-rich Web filtering & reporting for your entire enterprise without additional consoles, hardware, software or plug-ins. Get the Burstek ISA Advantage: Try Burstek free for 15 days to see how you can protect your network and employees better and with more ease, and we'll give you a free "No worries" Burstek T-Shirt

Evaluate a Free Trial of Burstek for ISA today and get a free t-shirt!

1. Questions for Which I Have No Answer

Every week I get questions on the Web boards, mailing list and personal e-mail for which I have no answer. These questions cover a variety of issues; many of them have been asked over the years and I have never had an answer for them. I thought I should publish some of the recent ones to see if anyone has an answer to these classically unanswerable ISA Firewall questions:

"I recently got a problem as windows live messenger stopped working suddenly on my ISA 2k4 std edition, there is no block rule configured nor any reconfigurations to existing rules, how can you help me?"

This is the classic "it used to work but now it doesn't". How do I answer this question? My first thought is to check what has changed on the ISA Firewall since it stopped working. My second thought would be to check what's changed about the client application. But I suspect the answer to this question has nothing to do with the ISA Firewall, as most troubleshooting issues turn out to be.

"Thank you for you very inspiring articles on www.isaserver.org. I really need your help related to URL and Domain block list. I have read your article and I have tried to implement it, but on the blocklist.xml file that published on: http://www.tacteam.net/isaserverorg/download/blocklist.zip, it cannot run on my ISA server2006 edition. How I can get the block list file which supports the ISA server2006 trial version?"

That's a good question. I have no idea how you would edit the .xml file. However, if I really wanted to do this, I'd install ISA 2004, install the block list, and then do an in-place upgrade.

"How are you? I am trying to configure Site-to-site VPN between ISA 2006 and Cisco ASA 5520 Firewall but still out of luck due to IP Negotiation Security when I ping from ISA Server 2006."

These site-to-site VPN questions are always a no-go. I have no idea how to connect Cisco or third-party products to the ISA Firewall over a site-to-site VPN. If someone wants to use the ISA Firewall, they should use it on both ends, otherwise I won't get involved. However, Stefaan Pouseele is very interested in these issues, so you might check out his blog for troubleshooting these situations.

"I need your help. Please tell me about blocking & unblocking msn, yahoo & skype on ISA 2004 & 2006. And is it possible that I run a 2006 CD to upgrade my 2004 network? Will it take all setting and configuration automatically and will not affect my network? Do u have ISA server book in PDF format?"

You can't block Skype, as far as I know, unless you want to implement least privilege and allow outbound access only to a controlled list of destination sites. Even then, it is almost impossible. As for MSN and Yahoo, I don't know. If I had this problem I would check whether there is a destination the client program must connect to, and then block that site, or simply not allow access to it if you are using least privilege. ISA 2006 is not going to make it any easier. You are going to have to use Network Monitor and see if you can create an HTTP Security Filter configuration if destination site control does not work for you.

The above are just a few questions which I have received that I have no answer to. There are many others :-)

If you have answers to these questions let me know and I will publish them in next month's newsletter.

Thanks!

Tom

tshinder@isaserver.org

=======================

Quote of the Month - "About the time we think we can make ends meet, somebody moves the ends"

-- Herbert Hoover

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tip of the Month

One of the most frustrating troubleshooting problems on the ISA Firewall is authentication prompts popping up when they should not. If you follow ISA Firewall security best practices, all client systems are configured as both Web Proxy and Firewall clients (servers should never be configured as Firewall clients). Even with this configuration, you might find that your Web Proxy clients are prompted for authentication when they should not be. If you are encountering this problem and you are using WPAD autodiscovery, follow the suggestions in the following KB article for the fix: http://support.microsoft.com

And speaking of authentication issues that can drive you nutty, how about Java-related authentication issues? One reader found that a recent hotfix solved his problem. Check out the thread on the Web boards at http://forums.isaserver.org and follow the link to the hotfix.


6. ISA Firewall Links of the Month

Update for Publishing Microsoft Exchange Server 2007 for Microsoft Internet Security and Acceleration (ISA) Server 2006

http://www.microsoft.com/downloads/details.aspx?familyid=82B717CE-5B63-4098-8425-BBF4A5B7E09C&displaylang=en

ISA Firewall Best Practices Analyzer Version 5

http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en

ISA Firewall Capacity Planner Tool

http://www.microsoft.com/isaserver/capacityplanner.swf

DNS Cache Tool for ISA Server 2006

http://www.microsoft.com/downloads/details.aspx?familyid=f148c238-d707-4871-82b2-b8606579b67d&displaylang=en

7. Blog Posts

ISA Firewall Auto Log Off Controls Can Be a Security Issue for OWA Publishing

http://blogs.isaserver.org/shinder/2007/07/19/isa-firewall-auto-log-off-controls-can-be-a-security-issue-for-owa-publishing/

Basic Troubleshooting for IPsec based VPN's

http://blogs.isaserver.org/pouseele/2007/07/07/basic-troubleshooting-for-ipsec-based-vpns/

ISA Firewall Best Practices Analyzer Updated to Version 5

http://blogs.isaserver.org/shinder/2007/07/04/isa-firewall-best-practices-analyzer-updated-to-version-5/

Basic Troubleshooting for RPC/HTTP Publishing (Exchange 2003)

http://blogs.isaserver.org/shinder/2007/06/27/basic-troubleshooting-for-rpchttp-publishing-exchange-2003/

8. Ask Dr. Tom

QUESTION: Hello,

I have a problem in configuring ISA 2006 as an edge firewall. I have 2 NICs, one for the internal network and one for the external. The problem is that I want to assign IP addresses from the same subnet to both NICs, and it seems ISA has a problem with this since it drops the packets as spoofed.

The bottom line is that I want to configure the ISA Server as an edge firewall with both Internal and External NICs having IP addresses from the SAME subnet (e.g. 192.168.1.135 for the Internal NIC and 192.168.1.140 for the external NIC). How do I do that without ISA dropping the packets? In other words, I want all packets from the Internal network addresses to be routed through the internal network adapter ONLY, and the external adapter to be on the SAME subnet as the internal one.

Thank you in advance, Cristian Ghetau

ANSWER: You can't do this with the ISA Firewall. Each interface on the ISA Firewall must be on a different network ID. This is a critical configuration since you want the ISA Firewall to be in the physical path between hosts on different ISA Firewall Networks. For this reason, the ISA Firewall ensures high network security by requiring that you do not place the internal and external interfaces on the same network ID. Be happy that the ISA Firewall is forcing you to secure your networks!
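To show why two adapters on one network ID cannot work, here is an added example written for this newsletter (it is not ISA Server code) that models ingress anti-spoofing in Go: each interface is tied to one network ID, and a packet is accepted only when its source address belongs to the receiving interface's network. The interface names, the simplified one-prefix-per-network rule, and the addresses (192.168.1.0/24 internal, 203.0.113.0/24 external) are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Interface models one firewall NIC and the network ID the firewall
// associates with it. This is a simplified stand-in for ISA's per-adapter
// Network objects (an assumption of this example, not ISA's actual logic).
type Interface struct {
	Name    string
	Network *net.IPNet
}

// mustIface parses a CIDR for the demo table and panics on a typo.
func mustIface(name, cidr string) Interface {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return Interface{Name: name, Network: n}
}

// ClaimedBy returns every interface whose network contains src. An edge
// firewall expects exactly one answer; zero or more than one means the
// packet cannot be pinned to a single network.
func ClaimedBy(ifaces []Interface, src net.IP) []string {
	var names []string
	for _, i := range ifaces {
		if i.Network.Contains(src) {
			names = append(names, i.Name)
		}
	}
	return names
}

// Spoofed applies the ingress rule: a packet arriving on arrivedOn is
// accepted only if its source belongs to that interface's network and to
// no other interface's network. The string is a log-style reason.
func Spoofed(ifaces []Interface, arrivedOn string, src net.IP) (bool, string) {
	owners := ClaimedBy(ifaces, src)
	for _, o := range owners {
		if o == arrivedOn {
			if len(owners) > 1 {
				return true, fmt.Sprintf("%s claimed by %v: ambiguous, dropped", src, owners)
			}
			return false, fmt.Sprintf("%s on %s: ok", src, arrivedOn)
		}
	}
	return true, fmt.Sprintf("%s on %s: not in that interface's network, dropped as spoofed", src, arrivedOn)
}

// Overlaps lists pairs of interfaces whose networks overlap. Any such pair
// makes the spoof check ambiguous for every address in the overlap.
func Overlaps(ifaces []Interface) [][2]string {
	var out [][2]string
	for a := 0; a < len(ifaces); a++ {
		for b := a + 1; b < len(ifaces); b++ {
			na, nb := ifaces[a].Network, ifaces[b].Network
			if na.Contains(nb.IP) || nb.Contains(na.IP) {
				out = append(out, [2]string{ifaces[a].Name, ifaces[b].Name})
			}
		}
	}
	return out
}

func main() {
	// Correct layout: a distinct network ID per NIC (addresses are made up).
	good := []Interface{
		mustIface("Internal", "192.168.1.0/24"),
		mustIface("External", "203.0.113.0/24"),
	}
	// The layout from the question: both NICs in 192.168.1.0/24.
	bad := []Interface{
		mustIface("Internal", "192.168.1.0/24"),
		mustIface("External", "192.168.1.0/24"),
	}
	src := net.ParseIP("192.168.1.50")
	fmt.Println(Spoofed(good, "Internal", src)) // accepted
	fmt.Println(Spoofed(good, "External", src)) // internal address from outside: spoofed
	fmt.Println(Overlaps(bad))                  // [[Internal External]]
	fmt.Println(Spoofed(bad, "Internal", src))  // ambiguous: dropped even on the "right" NIC
}
```

With distinct network IDs the check does real work: an internal address arriving on the external NIC is exactly the spoofing case the rule exists to catch. With both NICs on the same network ID every address matches both interfaces, so the firewall has no way to decide which side a packet belongs to and the only safe outcome is to drop it.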

QUESTION: Hi Thomas,

Thanks in advance if you are able to reply to this ISA2004 question!

I have a web service hosted on an internal application server sitting behind an ISA 2004 box. I believe it is possible to port forward incoming SSL (HTTPS) web service requests to the internally hosted web service as HTTP, i.e. terminate the encryption at the ISA box?

Is it possible to do the opposite? That is, the internal application server makes an HTTP (no encryption) web service call out via the ISA box, and the ISA box upgrades the connection to use HTTPS (encryption). Note the Internet-hosted web service may challenge and require a client certificate, which the ISA box would have to manage?

Kind Regards
Jeremy Cook

ANSWER: The answer to the first question is "Yes." You can terminate an SSL connection on the external interface of the ISA Firewall and forward it as HTTP. This is sometimes referred to as "SSL offloading". However, I do not recommend this configuration as you leave the data unsecured between the ISA Firewall's internal interface and the destination Web server. In addition, you may run into link translation problems. With the security and configuration issues related to "SSL offloading" I generally recommend against it, but again, it is possible.

As for the second question, the only way you'll get outbound SSL protocol transition from HTTP to SSL is if you use Web proxy chaining - and in that case, only the link between the chained Web proxy servers will be SSL protected. There really is no reason to implement this type of configuration, since after the initial CONNECT, all data is going to pass as SSL tunneled data. If you're doing this for security reasons (that is to say, you want the ISA Firewall to perform application layer inspection on the information in the SSL tunnel), then you'll need to get ClearTunnel from www.collectivesoftware.com

Regarding the User Certificate, the ISA Firewall has no access to User Certificates stored on the client system, so it could never present a User Certificate on behalf of the client system.
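Here is an added example of SSL offloading, written for this newsletter in Go (it is not ISA Server code or Collective Software's): an HTTPS front end terminates TLS and forwards the request to a cleartext HTTP backend. The backend builds an absolute link from what it sees on the wire, which shows both of the points made above: the hop behind the proxy is plain HTTP, and the application emits http:// links for an https:// site unless the proxy tells it otherwise. The X-Forwarded-Proto hint header and the in-process test servers are assumptions of the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// backendHandler stands in for the internal web service that only speaks
// plain HTTP. Like many real applications it builds absolute links from what
// it observes on the wire, which is where link-translation trouble starts.
func backendHandler(w http.ResponseWriter, r *http.Request) {
	wire := "http"
	if r.TLS != nil {
		wire = "https"
	}
	// X-Forwarded-Proto is a hint the offloading proxy may add (an assumption
	// of this example); without it the app cannot know the client used HTTPS.
	fwd := r.Header.Get("X-Forwarded-Proto")
	fmt.Fprintf(w, "wire=%s forwarded=%s link=%s://%s/login", wire, fwd, wire, r.Host)
}

// NewOffloader builds the firewall side: an HTTPS listener that terminates
// TLS and forwards to backendURL over cleartext HTTP. When tagProto is true
// it stamps X-Forwarded-Proto: https on the forwarded request.
func NewOffloader(backendURL string, tagProto bool) (*httptest.Server, error) {
	target, err := url.Parse(backendURL)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	direct := proxy.Director
	proxy.Director = func(req *http.Request) {
		direct(req) // rewrite scheme/host to the backend; the client's Host header is kept
		if tagProto {
			req.Header.Set("X-Forwarded-Proto", "https")
		}
	}
	return httptest.NewTLSServer(proxy), nil
}

// Offload sends one HTTPS request through the offloader and returns what the
// backend observed. tagProto selects whether the proxy adds the hint header.
func Offload(tagProto bool) (string, error) {
	backend := httptest.NewServer(http.HandlerFunc(backendHandler))
	defer backend.Close()
	front, err := NewOffloader(backend.URL, tagProto)
	if err != nil {
		return "", err
	}
	defer front.Close()
	// front.Client() trusts the test server's self-signed certificate.
	resp, err := front.Client().Get(front.URL + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	for _, tag := range []bool{false, true} {
		out, err := Offload(tag)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tagProto=%v -> %s\n", tag, out)
	}
}
```

In both runs the backend reports wire=http: the client negotiated TLS with the front end, but the bytes on the internal hop are cleartext, which is the exposure the answer warns about. Without the hint the application also generates an http:// link to the front end's HTTPS port, which is the kind of broken link that link translation has to patch up after the fact; a proxy that stamps the original scheme lets the application emit correct links instead.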

QUESTION: Hey Tom,

In your article, " Configuring the ISA Firewall as an Outbound Filtering SMTP Relay " (Section 'Configure System Policy on the ISA Firewall to Allow Outbound SMTP from the Local Host Network') you stated, "We need to configure the ISA firewall's System Policy to allow outbound messages from the firewall's Local Host Network to the default External Network."

Can I ask you why the System Policy for SMTP traffic was edited to allow the outbound mail relay? Could a general Firewall policy that allowed SMTP traffic from Internal to External handle this? Why did you conduct this adjustment to policy to a System Policy?

Thank you very much for your assistance. I am learning a lot from isaserver.org.

Dee McClanahan

ANSWER: The reason we need to configure System Policy is that in this scenario the SMTP relay runs on the ISA Firewall itself, so the outbound mail originates from the Local Host Network rather than from the Internal Network; an Access Rule allowing SMTP from Internal to External would not match it. You could create an Access Rule with the Local Host Network as the source, but configuring System Policy is the better option because rules are evaluated from the top down, and System Policy Rules are always evaluated before Access Rules.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
