ISAserver.org Monthly Newsletter of July 2008
Sponsored by: Winfrasoft

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Summer Vacation Odds and Ends

It is that time of the year when most of us will be thinking about going on vacation. I know that is what I am thinking about! This week I am going to take a "working vacation" in Las Vegas. As you might know, Tim Mullen puts together a Microsoft Ninja network security class every year and he invites me and Jim Harrison to help him teach this class each year at Black Hat USA in Las Vegas. If you are going to Black Hat in Las Vegas this year, make sure to look us up! It is never too late to register for the class either. You can register on site if you like. Check out the details of this class.

I had some great conversations last week with Greg Bell from Collective Software. Greg is a top-notch ISA firewall add-on developer and every time I get a chance to talk with him, I always end up learning something about the ISA firewall that I did not know before. Greg has the soul of a teacher, and is able to communicate very complex programming concepts in a way that even a total non-coder like me can understand. Anyhow, I had a chance to test out Collective Software's new captive portal add-on for ISA firewalls, called Captivate. Captivate is a very cool piece of software and answers the demand in the ISA firewall community for a flexible and easy to configure captive portal. I have written a two-part article series about this, so make sure to check the ISAserver.org site regularly to see when the articles are published. Or consider subscribing to the Real-Time Article Update.
And speaking of needed improvements for the ISA firewall, I ran into another excellent piece of software that recently hit the market, Backup For ISA Server. As all ISA firewall admins know, the backup and restore facility included with the product is not what we would consider top of the line. There's no easy or reliable method for automating backups of the ISA firewall configuration and the log files. And there's definitely no easy way of making sure that your restoration is going to work. I had a chance to test out Winfrasoft's Backup for ISA Server recently and did a review of the product. I think that by the time you read that review, you will be as impressed as I was with Winfrasoft's effort. You can read the review here.

That is it for this month. I hope to be able to share with you next month all the interesting questions and issues that come up in the Microsoft Ninja class. The Black Hat attendees are the sharpest on the block, so you can be sure that we'll have some challenging questions ahead of us. Until next month!

Thanks!
Tom

=====================

2. ISA Server 2006 Migration Guide - Order Today!
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
5. Tip of the Month

Probably one of the most difficult and frustrating aspects of ISA firewall configuration is trying to get it to work with all the Web features included with Exchange Server 2007. While I think we have most of the configuration down, there are still a lot of components to the solution that are undocumented or under-documented. The worst offender is the confusion behind publishing the Exchange Server 2007 Autodiscover service. For some help in this area, check out the discussion on the Web boards where Jason Jones and Levwinski work to shed some light on this mystery.
http://forums.isaserver.org/m_2002055762/mpage_1/key_/tm.htm#2002070040

6. ISA Firewall Links of the Month
7. Blog Posts
8. Ask Dr. Tom

QUESTION:

ANSWER: From what I understand, you have the Firewall client installed on your laptop computers. When you use those laptops on the corpnet, everything works fine. However, if you take them off the corpnet and connect them to the Internet from an external location, they are no longer able to connect to the Internet. If this is true, then the most likely reason for the failure is that you are configuring the Firewall client and the Web proxy client to reach the ISA firewall by a specific address, one that is only reachable from the corpnet. What you should do is configure both the Firewall client and the Web proxy client (the Web browser) to use autodiscovery. When autodiscovery is enabled, the Firewall client disables itself if it cannot find an ISA firewall, and the machine's applications then connect directly. The same is true for the Web proxy client: if the browser cannot auto-detect the ISA firewall, it does not configure itself as a Web proxy client. If you choose this option, keep in mind that you will need to configure a WPAD entry in your DNS (a "wpad" host record in the domain) and/or DHCP server (option 252). You will also need to enable the ISA firewall to publish autodiscovery information on the network the laptops connect from; ISA publishes it on TCP port 80 by default, and the DNS method only works on port 80, while the DHCP option can carry any port you choose.

QUESTION: I face a problem on ISA, and I hope you can guide me to solve it. I am setting up ISA 2006 Enterprise Edition. If I go to www.microsoft.com I am able to get that page, but when I try www.google.com or www.yahoo.com it prompts me with an error message: Error Code 502: Proxy Error. In summary, I am only able to surf to the Microsoft website, but not others. Can you guide me through this problem? Thanks and best regards, Hong Kah Y

ANSWER: The 502 error indicates that the ISA firewall denied the request. If all sites are blocked except for the Microsoft sites, that indicates that you have not created an Access Rule that allows connections to other sites. You are able to reach the Microsoft.com sites because those sites are allowed under System Policy rules.
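The first answer above says you need a WPAD entry in DNS and/or DHCP and an ISA firewall that publishes autodiscovery information, but not what those entries look like. The script below is an added example, not something from the newsletter or from the ISA product; it publishes both forms of WPAD from a Windows DNS and DHCP server with the dnscmd and netsh tools and then checks the result the way a client would. The zone name corp.example, the ISA Internal address 10.0.0.1 and the DHCP scope 10.0.0.0 are assumptions for illustration. The ISA side (Configuration, Networks, Internal, Properties, Auto Discovery, "Publish automatic discovery information for this network", port 80) is assumed to be already enabled.

```powershell
# Added example, not from the newsletter: publish WPAD for ISA autodiscovery.
# Assumed names and addresses:
#   corp.example - the internal DNS zone the laptops are members of
#   10.0.0.1     - the ISA firewall's Internal interface, where ISA publishes
#                  autodiscovery information (TCP 80 by default)
#   10.0.0.0     - the DHCP scope that serves the corpnet clients
$Zone    = 'corp.example'
$IsaIp   = '10.0.0.1'
$IsaPort = 80            # must be 80 for the DNS method; DHCP can carry any port
$Scope   = '10.0.0.0'
$WpadUrl = "http://wpad.$($Zone):$($IsaPort)/wpad.dat"

# 1. DNS method: clients resolve wpad.<domain> and fetch http://wpad.<domain>/wpad.dat.
#    Windows Server 2008 DNS will not answer for the name "wpad" until it is
#    removed from the global query block list (the default list is "wpad isatap").
dnscmd /info /globalqueryblocklist
dnscmd /config /globalqueryblocklist isatap
dnscmd /RecordAdd $Zone wpad A $IsaIp

# 2. DHCP method: option 252 hands the WPAD URL straight to the client.
#    The option definition is created once per server, then a value is set per scope.
netsh dhcp server add optiondef 252 WPAD STRING 0 comment=WPAD-URL
netsh dhcp server scope $Scope set optionvalue 252 STRING $WpadUrl

# 3. Check from a client's point of view: the name must resolve to the ISA
#    firewall and the script must be fetchable on the published port.
$resolved = [System.Net.Dns]::GetHostAddresses("wpad.$Zone") |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $IsaIp) {
    Write-Warning "wpad.$Zone does not resolve to $IsaIp (got: $resolved)"
}
try {
    $pac = (New-Object System.Net.WebClient).DownloadString($WpadUrl)
    if ($pac -notmatch 'FindProxyForURL') {
        Write-Warning "$WpadUrl was fetched but does not look like a PAC script"
    } else {
        "WPAD is published: $WpadUrl"
    }
} catch {
    Write-Warning "Could not fetch $WpadUrl : $_"
}
```

One caveat worth stating plainly, since the answer's whole point is laptops that leave the corpnet: autodiscovery is fail-open by design. A laptop that cannot find the ISA firewall goes direct, and a laptop on someone else's network will accept whatever "wpad" record or option 252 that network's DNS or DHCP server hands it. That is the trade-off you accept for the convenience, so weigh it against how those laptops are used on the road.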
QUESTION: I was thinking of doing some server consolidation, and one idea was to put an ISA firewall on the host machine and then configure several guests on the ISA firewall host machine. What do you think of this? Any problems? Thanks! Sammy.

ANSWER: In general, I think that network security devices, like the ISA firewall, should be on a dedicated device, so that the firewall is not exposed to security weaknesses in the hypervisor or in the software installed on the virtual machines. However, if you do want to go with this design, I suggest that you do not install the ISA firewall on the host system. Instead, install the ISA firewall in a VM. Then assign the physical host's external interface an invalid IP address so that no one on the Internet will be able to connect to the IP address on the host's physical external interface (better still, remove the host's own TCP/IP bindings from that physical adapter altogether, so that the host has no address on it and the ISA VM has exclusive use of it). Then create a multihomed ISA firewall virtual machine and bind the VM's external interface to the host's external NIC and the VM's internal interface to the host's internal NIC. Give the VM's external interface a valid IP address so that it can connect to the Internet, and give the internal interface a valid IP address on the Internal Network. As for the other VMs on the machine, bind their NICs to the host's internal interface and assign them valid IP addresses on the Internal Network, on the same network ID as the ISA VM's internal interface. Using this configuration, no one will be able to establish any connections to the host machine's external interface, and all traffic will have to go through the ISA firewall VM to get to the Internal Network and the virtual machines that have IP addresses on that Internal Network.
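The design in the answer above stands or falls on two properties: the host has no presence of its own on the external NIC, and only the firewall VM is attached to that NIC. The script below is an added example, not from the newsletter or from any vendor, that audits those properties on a Hyper-V host using the Hyper-V PowerShell module (Windows Server 2012 or later, which goes beyond the 2008-era host the question had in mind). The adapter names 'External' and 'Internal' and the VM name 'ISA' are assumptions for illustration.

```powershell
# Added example, not from the newsletter: audit a Hyper-V host that carries the
# ISA firewall VM. Assumed names:
#   'External' - the physical NIC facing the Internet
#   'Internal' - the physical NIC facing the corpnet
#   'ISA'      - the ISA firewall virtual machine
$ExternalNic = 'External'
$InternalNic = 'Internal'
$FirewallVm  = 'ISA'

# The switches should have been created like this. -AllowManagementOS $false on the
# external side removes the host's own TCP/IP stack from that NIC, which is stronger
# than leaving the stack bound with an unusable address:
#   New-VMSwitch -Name ExtSwitch -NetAdapterName $ExternalNic -AllowManagementOS $false
#   New-VMSwitch -Name IntSwitch -NetAdapterName $InternalNic -AllowManagementOS $true

$findings = @()

# 1. The host must not have IPv4 or IPv6 bound on the external adapter.
Get-NetAdapterBinding -Name $ExternalNic |
    Where-Object { $_.ComponentID -in 'ms_tcpip', 'ms_tcpip6' -and $_.Enabled } |
    ForEach-Object { $findings += "host stack $($_.ComponentID) is still bound on $ExternalNic" }

# 2. The external virtual switch must exist and must not be shared with the host OS.
$desc      = (Get-NetAdapter -Name $ExternalNic).InterfaceDescription
$extSwitch = Get-VMSwitch | Where-Object { $_.NetAdapterInterfaceDescription -eq $desc }
if (-not $extSwitch) {
    $findings += "no external virtual switch is bound to $ExternalNic"
} else {
    if ($extSwitch.AllowManagementOS) {
        $findings += "switch $($extSwitch.Name) shares $ExternalNic with the host OS"
    }

    # 3. Only the firewall VM may sit on the external switch; every other guest
    #    belongs on the internal switch behind it.
    Get-VMNetworkAdapter -VMName * |
        Where-Object { $_.SwitchName -eq $extSwitch.Name -and $_.VMName -ne $FirewallVm } |
        ForEach-Object { $findings += "VM $($_.VMName) is attached to the external switch" }

    # 4. The firewall VM itself must be multihomed, with an adapter on the external switch.
    $fwSwitches = (Get-VMNetworkAdapter -VMName $FirewallVm).SwitchName
    if ($fwSwitches -notcontains $extSwitch.Name) {
        $findings += "$FirewallVm has no adapter on the external switch"
    }
    if (@($fwSwitches).Count -lt 2) {
        $findings += "$FirewallVm is not multihomed (adapters on: $fwSwitches)"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'Host and firewall VM network layout matches the intended design.'
}
```

Run it as an administrator on the host after every change to the virtual networking; a guest that someone later attaches to the external switch "just to test something" is exactly the kind of drift that silently bypasses the firewall VM.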
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.