ISAserver.org Monthly Newsletter of June 2007

Sponsored by: Burstek

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Web Proxy Filter Tricks and Traps

A friend recently had a problem with the Web Proxy Filter. He noticed that when he unbound the Web Proxy Filter from the HTTP protocol, the ability to configure the HTTP Security Filter went away. That is to say, the configuration interface was no longer accessible because the "Configure HTTP" setting was gone from the right-click menu on the Access Rule or Web Publishing Rule.

My friend also noticed another thing - when the Web Proxy Filter was bound to the HTTPS protocol, outbound connections to SSL Web sites were not possible. This all seemed very strange to him, since he wanted to publish a secure Web server and assumed that the Web Proxy Filter would be required for the HTTPS protocol in order to allow the HTTP Security Filter to do its security work.

Are these problems normal, or did my friend do something wrong with his ISA Firewall? Let us look at these problems and then try to come to a conclusion.

It is true that when you unbind the Web Proxy Filter from the HTTP protocol, the configuration interface will no longer be available. This is a bug that has existed since before ISA 2004 was released and continues to be a bug in ISA 2006. However, just because you cannot see the configuration interface for the Web Proxy filter does not mean that the settings in the HTTP Security Filter are not working. How is that? Let us look at the two HTTP/S related scenarios:
Web Publishing Rules always use the Web Proxy Filter, regardless of whether the Web Proxy Filter is bound to the HTTP protocol. That is because the Web listener is intimately connected to the Web Proxy Filter. You cannot break the connection between a Web listener and the Web Proxy Filter, not even by removing the Web Proxy Filter from the HTTP protocol.

Outbound access is another story. When clients are configured as Web Proxy clients for outbound access, they will be exposed to the Web Proxy Filter and the configuration settings in the HTTP Security Filter. Why? Because Web Proxy clients communicate directly with the Web Proxy Filter. That is why they are able to benefit from the settings in the HTTP Security Filter, even though the configuration interface has disappeared because the Web Proxy Filter was unbound from the HTTP protocol.

In contrast, SecureNAT and Firewall clients will no longer benefit from the Web Proxy Filter if you unbind the Web Proxy Filter from the HTTP protocol. This means that SecureNAT and Firewall clients will not benefit from the security settings in the HTTP Security Filter and will not be able to leverage the ISA Firewall's Web cache. Remember, SecureNAT and Firewall clients do not communicate directly with the Web Proxy Filter as Web Proxy clients do - they need the "hook in" to the Web Proxy Filter that binding the Web Proxy Filter to the HTTP protocol provides.

Why would you want to unbind the Web Proxy Filter from the HTTP protocol? One reason is so that you can get true Direct Access to sites that do not play nice with Web proxies. You put the site in question in your Direct Access list, and the Web Proxy client will bypass its Web Proxy configuration when accessing that site and leverage either its SecureNAT or Firewall client configuration. And because the Web Proxy Filter is unbound from the HTTP protocol, the SecureNAT or Firewall client request will not be funneled up to the Web Proxy Filter for access to that site.

Now to answer the second question: Why does binding the Web Proxy Filter to the HTTPS protocol stop all connections to secure SSL sites? The reason is that for outbound connections, the SSL termination point is at the destination Web server, not the ISA Firewall. The ISA Firewall is secure by default, and fails closed. Since the Web Proxy Filter cannot evaluate what is going on inside an SSL tunnel, it will deny the connection since it cannot determine if the connection meets ISA Firewall security requirements.

Note that this is not the case for inbound SSL connections to securely published Web sites. Why? Because in the inbound scenarios the SSL connection is terminated at the ISA Firewall. That means that the ISA Firewall decrypts the SSL protected content, which enables it to use the Web Proxy Filter and HTTP Security Filter to examine the unencrypted HTTP content. In most cases, a second SSL connection is established to the published secure server, but traffic is allowed over this connection only when it has passed security inspection by the ISA Firewall in its unencrypted state.

Want to Learn More ISA Firewall Secrets?

The ISA Firewall and Microsoft Network Security Troika - Tim Mullen (thor), Jim Harrison and myself - will be teaching a Microsoft Security Ninja class at this year's Black Hat in Las Vegas. As an ISAserver.org member, you qualify for a $200 discount for this class! If you are interested in signing up and getting the discount, send me a note at tshinder@isaserver.org and we will get you fixed up. For more information about the class, check out http://blogs.isaserver.org/shinder/2007/06/02/microsoft-ninjitsu-black-belt-edition/

BTW - we will be covering more than just the ISA Firewall and will expand into related areas pivotal to Microsoft network security.

Thanks!
Tom

=======================
Quote of the Month - "It's nice to be nice to the nice"
=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month

Lots of folks have problems troubleshooting RPC/HTTP connections through the ISA Firewall. Here is a great thread on the ISAserver.org message boards that will help you solve some of your RPC/HTTP troubleshooting issues:
http://forums.isaserver.org/m_2002023851/mpage_2/key_/tm.htm#2002045787

Having problems with your Domain Controllers computer set? Maybe you have the wrong entries in there because the domain controllers have changed addresses or the ISA Firewall was moved. What is the best thing to do? Some people want to monkey around with the Registry or edit the ADAM database, but it would be better for you to create your domain controllers computer set and then go into group policy and remove the old one and put in your custom DC set. This tip is courtesy of Tim Mullen, lead instructor of the Microsoft Security Ninja training class.

6. ISA Firewall Links of the Month

Kerberos Constrained Delegation in ISA Server 2006
http://www.microsoft.com/technet/isa/2006/kcd.mspx

ISA Server Operations Guide
http://www.microsoft.com/technet/isa/2006/operations_guide.mspx

ISA Server 2006 Events Help
http://www.microsoft.com/technet/isa/2006/downloads/events.mspx

ISA Server Team Blog
http://blogs.technet.com/isablog/

7. Blog Posts

Multiple PPTP VPN clients behind a NAT device
http://blogs.isaserver.org/pouseele/2007/06/17/multiple-pptp-vpn-clients-behind-a-nat-device/

OT: OWA versus Full Outlook Client Comparison
http://blogs.isaserver.org/shinder/2007/06/11/ot-owa-versus-full-outlook-client-comparison/

OT: Installation of Office 2007 Applications Break Outlook 2003 Junk Email Filter

Fun Facts About the Session Tab in 2006 ISA Firewall Monitoring

Some Fun Facts About MSDE Logging that I Bet You Didn't Know About

Microsoft set to release new build of upcoming mid-market "Centro" product

8. Ask Dr. Tom

QUESTION: Hi,

ANSWER: Yes, all outbound traffic through the ISA Firewall will show the source IP address to be the primary IP address on the interface of the ISA Firewall that the traffic is leaving. This is not a configurable option.

QUESTION: Hi Tom,

ANSWER: More security is always better than less security. If you already have an ASA device, there is no reason why you cannot put it in production with the ISA Firewall. If you are interested in a back-to-back firewall configuration, put the ISA Firewall behind the ASA, since you want your strongest security closest to the assets requiring protection. Then configure the ASA to allow inbound connections only to the ports used by the ISA Firewall's Web and Server Publishing Rules. On the ASA, allow all outbound traffic from the IP address(es) on the external interface of the ISA Firewall. That is all there is to it!

QUESTION: Dear Sir,

ANSWER: This is a very easy task! What you need to do is configure the HTTP Security Filter for the rule on which you want to block the .exe file downloads. If you have multiple rules that allow HTTP downloads of .exe files, then you need to configure the filter for each rule. Right click on the rule and click "Configure HTTP". Then on the General tab, put a checkmark in the "Block responses containing Windows executable content" checkbox. Click OK and then click Apply to save the changes to ISA Firewall policy.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
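The setting named in the last answer refers to the content of the response, not to the .exe extension in the URL. As an added illustration (not code from this newsletter and not ISA Server's implementation, whose matching logic the page does not describe), the sketch below assumes detection by the PE file signature and, like the fail-closed behaviour described in section 1, blocks when the inspected prefix is too short to confirm it. The function names and sample bodies are constructed for the example.

```python
import struct

MZ_MAGIC = b"MZ"          # DOS header magic at offset 0 of every PE file
PE_MAGIC = b"PE\x00\x00"  # NT header signature
E_LFANEW_OFFSET = 0x3C    # 4-byte little-endian pointer to the NT header


def classify_body(prefix: bytes) -> str:
    """Classify the first bytes of an HTTP response body.

    Returns "executable" (MZ magic and PE signature both present),
    "suspect" (MZ magic, but the PE signature lies outside the inspected
    prefix and cannot be confirmed) or "other".
    """
    if not prefix.startswith(MZ_MAGIC):
        return "other"
    if len(prefix) < E_LFANEW_OFFSET + 4:
        return "suspect"
    (pe_offset,) = struct.unpack_from("<I", prefix, E_LFANEW_OFFSET)
    if pe_offset + len(PE_MAGIC) > len(prefix):
        return "suspect"
    if prefix[pe_offset:pe_offset + len(PE_MAGIC)] == PE_MAGIC:
        return "executable"
    return "other"


def should_block(prefix: bytes) -> bool:
    """Fail closed: block confirmed executables and unconfirmable ones."""
    return classify_body(prefix) in ("executable", "suspect")


def make_pe_stub() -> bytes:
    """Constructed sample: a header-only PE stub of 0x84 bytes (not runnable)."""
    dos = bytearray(0x80)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    return bytes(dos) + PE_MAGIC


# Constructed response bodies, keyed by the file name the URL would show.
SAMPLES = {
    "setup.exe": make_pe_stub(),
    "photo.jpg": make_pe_stub(),  # same content under a misleading name
    "notes.txt": b"MZ is the DOS magic." + b" " * 80,
    "index.html": b"<html><body>ok</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11} {classify_body(body):10} block={should_block(body)}")
```

The notes.txt sample shows the cost of failing closed: a text file that merely begins with "MZ" is blocked because the check cannot rule it out.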