Sponsored by: ScriptLogic
ISAserver.org Newsletter
June 2006
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Never deploy the ISA firewall client manually again! Automate desktop configurations with Desktop Authority!
Centralize the configuration of your desktops quickly and easily with ScriptLogic's award-winning Desktop Authority. From one console effectively manage every aspect of your desktop environment - deploy applications, modify the registry, install printers, manage group policy settings, map drives, manage Outlook profiles, and more. Download a 30-day fully functional evaluation copy today and see how Desktop Authority makes manually configuring your desktops a thing of the past.
Download and Evaluate Desktop Authority today.
1. Short Takes on What's Happening in the ISA Firewall Space
By Thomas W Shinder MD, MVP
This month I'd like to share with you a bunch of quick snippets of information about what's happening in the ISA firewall space.
ISA firewall Blogs on ISAserver.org!
That's right! ISAserver.org is hosting blogs focused on ISA firewall topics. Both Stefaan Pouseele and I have blogs up on the ISAserver.org site. Check them out at http://blogs.isaserver.org and make sure to subscribe to the RSS feeds. Both Stefaan and I share tips and tricks that you won't find anywhere on the Internet on our blogs.
ISA Firewall Sizing Calculator is Now Online
For years ISA firewall admins have wanted a way to determine how to size their ISA firewalls and know how many ISA firewalls to deploy based on their deployment scenarios. That wish is now a reality! You can find the new ISA firewall sizing calculator at www.microsoft.com/isaserver. Just click the calculator icon at the top of the page.
ISA Firewall Core White Paper
Over the years there have been a ton of questions on how the ISA firewall's core firewall engine works. This is valuable information because people who want to bring the ISA firewall into the corporate network want proof positive that the ISA firewall controls all traffic to and through the ISA firewall device and prevents all exploits against the core operating system. This white paper puts an end to the "but it runs on Windows" argument that fossilized "hardware" firewall admins mutter when you tell them that you're bringing an ISA firewall onto the network. Find the white paper at http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx
Web Farm Load Balancing Coming in ISA Server 2006 Firewalls
The next version of the ISA firewall (ISA Server 2006) will include a fantastic feature known as "Web farm load balancing". This feature supports publishing Web farms located behind the ISA firewall and enables load balancing, failover and failback for servers in the Web farm. The ISA firewalls manage these features themselves, which removes the requirement for NLB on the Web farm. This is a great tool that obviates the use of external load balancers and can save your company tens of thousands of dollars for every Web farm you publish.
That's it for now.
Thanks!
Tom tshinder@isaserver.org
=======================
Quote of the Month - "Although prepared for martyrdom, I prefer that it be postponed" Sir Winston Churchill
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month
The question on how to block Skype comes up often on the ISAserver.org message boards. Blocking Skype is a difficult process, because the application was designed from the ground up to subvert network security and firewalls. RAJP (Ray) on the ISAserver.org Web boards comes up with an excellent solution:
"Here's the method we use:
1. A company policy against installing non-company-owned software.
2. Restricted User rights for everyone. If they cannot install it, they cannot run it.
3. A highly restrictive outbound traffic policy.
4. Daily monitoring of traffic dropped from the Internal network to the Internet due to the rule in #3.
When someone has inappropriately elevated rights on their computer, usually caused by someone leaving them in the software install group, sometimes Skype and other trash gets installed. The amount of traffic in rule #4 is actually very small on a daily basis (1,800 employees) until someone fires up Skype. That thing tries to hit hundreds of outbound ports in a minute or so. It really lights up the logs.
5. Sic the Help Desk on them to check their software inventory, tell the local IT staff to explain in writing why this person has inappropriately elevated rights on their computer, send the offending employee a copy of the policy and ask them to send it back in after having signed it to acknowledge they understand the company policy (copying their manager on it).
6. The next time it goes directly to Human Resources to be dealt with. This is not a technology problem; it's a people problem, both for the employee and the local IT staff that let them have inappropriately elevated rights."
Great advice, Ray! This goes to show a multilayered approach should be used for controlling malicious insiders as well as external attackers. Thanks! -Tom.
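The daily review in step 4 of Ray's method can be automated. The sketch below is an added example, not part of Ray's post or of any ISA Server tooling: it reads denied outbound connections and flags internal clients that hit many distinct destination ports inside a one-minute window. The tab-separated log layout, the `Denied` action string, the threshold and the sample addresses are all assumptions; map them to the fields of your own firewall log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) export layout, tab-separated:
# timestamp, client IP, destination IP, destination port, action
def parse(lines):
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, action = line.rstrip("\n").split("\t")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port), action

def port_sprayers(lines, window=timedelta(seconds=60), min_ports=20):
    """Map client IP -> most distinct denied destination ports seen in any
    single window, for clients that reach min_ports or more."""
    denied = defaultdict(list)
    for ts, src, _dst, port, action in parse(lines):
        if action.lower() == "denied":
            denied[src].append((ts, port))
    flagged = {}
    for src, events in denied.items():
        events.sort()
        start, in_window, best = 0, defaultdict(int), 0
        for ts, port in events:
            in_window[port] += 1
            # Drop events that have aged out of the sliding window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            flagged[src] = best
    return flagged

def sample_log():
    """Constructed sample data: one burst host, one slow host, one quiet host."""
    base = datetime(2006, 6, 1, 9, 0, 0)
    rows = [(base + timedelta(seconds=i), "10.0.0.57", "192.0.2.10", 30000 + i, "Denied")
            for i in range(40)]            # 40 distinct ports in 40 seconds
    rows += [(base + timedelta(minutes=2 * i), "10.0.0.33", "192.0.2.20", 40000 + i, "Denied")
             for i in range(25)]           # 25 distinct ports, one every 2 minutes
    rows += [(base + timedelta(hours=i), "10.0.0.12", "192.0.2.30", 25, "Denied")
             for i in range(3)]            # the same blocked port, three times
    rows.append((base, "10.0.0.57", "192.0.2.40", 80, "Allowed"))
    return [f"{t:%Y-%m-%d %H:%M:%S}\t{s}\t{d}\t{p}\t{a}" for t, s, d, p, a in rows]

if __name__ == "__main__":
    for ip, ports in port_sprayers(sample_log()).items():
        print(f"{ip}: {ports} distinct denied ports within 60s")
```

Only the burst host is reported; the slow and quiet hosts stay below the threshold, which matches the low daily baseline Ray describes.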
6. ISA Firewall Links of the Month
Tim Mullen and Jim Harrison are going to host a fantastic two day ISA firewall class at this year's Black Hat conference in Las Vegas. You can get all the information about it in my blog over at http://blogs.isaserver.org/shinder/2006/06/20/isa-ninjitsu-designing-building-and-maintaining-enterprise-firewall-and-dmz-topologies-with-microsoft-isa-server-2004/
By the way, if you haven't subscribed to my blog yet, you should! Both Stefaan Pouseele and I have active blogs on the ISAserver.org site and we share a lot of news, tips and tricks you won't find anywhere else. If you haven't checked out the ISAserver.org blogs, then do it now. We're at http://blogs.isaserver.org
Microsoft has released an ISA firewall sizing calculator! ISA firewall admins have been asking for one of these for the last six years and now you get one. Go to the main ISA firewall page over at www.microsoft.com/isaserver and click the calculator icon in the graphic at the top of the page.
Another hot release is the ISA Firewall Core white paper that you can find at http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx. This is the kind of information you can throw at the "hardware" firewall guys when they mumble their typical know-nothing drivel about "but it runs on Windows... but it runs on Windows... but...but...but..."
Do you need some help explaining to the boss why an ISA firewall would be the choice for secure remote access? Then check out this "boss level" white paper on Secure Remote and Outbound Internet Access Using ISA Server 2006 Web Proxy at http://www.microsoft.com/isaserver/2006/prodinfo/Firewall_Corewp.mspx
Are you thinking of expanding into branch offices? You're going to need a firewall and a gateway to the main office. You might be thinking of using an ISA firewall to meet these needs but you need something to explain the value to your boss. Here's a Microsoft White Paper that's also written at "boss level" so that you can get your boss to sign on with your ISA firewall deployment plans for the branch office: http://www.microsoft.com/isaserver/2006/prodinfo/Branch_Officewp.mspx
7. Ask Dr. Tom
QUESTION: I'm wondering which version of the ISA firewall I should use in the next couple of months. Should I use ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition? Thanks! -Ted.
ANSWER: Hi Ted. Both the standard and enterprise editions of the ISA firewall provide the same level of stateful packet inspection and high grade application layer inspection. So both versions of the ISA firewall will provide you a significantly higher level of security than what you would find in a typical "hardware" firewall.
However, there are some significant differences. These include:
- Price. The standard edition ISA firewall is about $1500US per processor. The Enterprise Edition goes for about $6000 per processor.
- CARP. Only the Enterprise Edition supports creating CARP Web caching arrays.
- NLB. The Standard Edition ISA firewall does not support NLB. The Enterprise Edition of the ISA firewall supports both integrated NLB and NLB with bidirectional affinity.
- Central Policy Management. The standard edition of the ISA firewall does not support centralized policy management; each ISA firewall must be managed separately. In contrast, the Enterprise Edition of the ISA firewall enables you to manage hundreds or thousands of ISA firewalls from a centralized policy management console.
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.