Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org
Internet Filtering and Monitoring for ISA Server with CyBlock ISA or Cyfin Reporter
CyBlock ISA and Cyfin Reporter are highly customizable Web monitoring and reporting products. They provide manager-ready reports containing categorized information and include interactive drill-down, automatic abuse detection, flexible scheduling, and versatile custom category capabilities. Additionally, CyBlock ISA offers advanced Web filtering with easy-to-block categories. Protect your network, conserve bandwidth and promote responsible Web use today.
Learn more about CyBlock and Cyfin
1. Five Improvements I Would Like to See in the TMG Firewall
Over the years I have spent a lot of time thinking about the new features I would like to see in the next version of the ISA Firewall. Of course, there are the usual suspects: support for multiple ISPs, the ability to control the source IP address on the external interface of the ISA Firewall for specific hosts making outbound connections, the ability to control which applications can connect to the Internet through the ISA Firewall, outbound SSL bridging, policy-based routing and many more.
But something that I have not given a lot of thought to is “improvements” in the ISA firewall. To me, an improvement is not a new feature, it is an enhancement of something that the ISA firewall already does. In contrast, a new feature is a new feature, allowing the ISA firewall to do something completely new.
So I started thinking about improvements that could be made to the current ISA firewall’s functionality that would add value to the upcoming Forefront TMG firewall. Here is a short list of 5:
The Ability to Get Per User Reports
We already have advanced logging and reporting with the ISA firewall. But something that ISAserver.org members have been asking for over the last eight years is per-user reporting. Almost all ISA firewall admins have been asked by their bosses for information about a particular user's activity. The Forefront TMG should include a mechanism that allows you to get a report on a particular user's activity over the last day, week, month, quarter, six months or year.
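The per-user report described above can be produced today from the firewall's own logs, because ISA Server can write W3C Extended log files and that format names its columns in a `#Fields:` directive. The following is an added example, not code from ISAserver.org or from Microsoft; it assumes only the generic W3C layout (directive lines starting with `#`, whitespace-separated values, `-` for empty fields), and the sample log and its reduced field list (`cs-username`, `r-host`, `sc-bytes`, `cs-bytes`, `sc-status`) are constructed for illustration rather than copied from a real ISA 2006 log.

```python
"""Per-user activity summary from a W3C Extended log (added example).

Assumptions: directive lines start with '#', the '#Fields:' directive names
the columns, data lines are whitespace separated, and '-' marks an empty
field. The sample log below is constructed for this example and uses a
reduced field list, not the full list an ISA Server 2006 Web proxy log emits.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample log (not captured from a real ISA firewall).
SAMPLE_LOG = r"""#Software: example-proxy
#Version: 1.0
#Fields: date time c-ip cs-username r-host sc-bytes cs-bytes sc-status
2008-09-01 08:01:10 10.0.0.21 DOMAIN\alice www.example.com 5120 400 200
2008-09-01 08:01:12 10.0.0.21 DOMAIN\alice www.example.com 10240 380 200
2008-09-02 08:02:30 10.0.0.22 anonymous www.example.net - 300 407
2008-09-03 08:03:05 10.0.0.23 DOMAIN\bob www.example.org 0 410 403
2008-09-03 08:03:07 10.0.0.23 DOMAIN\bob www.example.com 70000 420 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C Extended log lines into one dict per request, keyed by field name."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A later #Fields directive (after rotation or reconfiguration) replaces the layout.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def _as_int(value: Optional[str]) -> int:
    """W3C logs write '-' for an absent value; treat it as zero."""
    return 0 if value in (None, "-") else int(value)


def per_user_report(records: List[Dict[str, str]], user: Optional[str] = None,
                    date_from: Optional[str] = None, date_to: Optional[str] = None) -> Dict[str, dict]:
    """Aggregate requests by cs-username, optionally for one user and an ISO date range."""
    def empty() -> dict:
        return {"requests": 0, "bytes_from_server": 0, "bytes_from_client": 0,
                "failed": 0, "hosts": set()}
    summary: Dict[str, dict] = defaultdict(empty)
    for rec in records:
        name = rec.get("cs-username", "-")
        day = rec.get("date", "")          # ISO dates compare correctly as strings
        if user is not None and name != user:
            continue
        if date_from is not None and day < date_from:
            continue
        if date_to is not None and day > date_to:
            continue
        entry = summary[name]
        entry["requests"] += 1
        entry["bytes_from_server"] += _as_int(rec.get("sc-bytes"))
        entry["bytes_from_client"] += _as_int(rec.get("cs-bytes"))
        # Anything outside 2xx/3xx is counted as a failed or denied request.
        if not 200 <= _as_int(rec.get("sc-status")) < 400:
            entry["failed"] += 1
        entry["hosts"].add(rec.get("r-host", "-"))
    return {name: {**e, "hosts": sorted(e["hosts"])} for name, e in summary.items()}


def format_report(report: Dict[str, dict]) -> str:
    """Render one line per user, in a form a manager can read."""
    lines = []
    for name in sorted(report):
        e = report[name]
        lines.append(f"{name}: {e['requests']} requests, {e['failed']} failed, "
                     f"{e['bytes_from_server']} bytes from server, hosts={', '.join(e['hosts'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG.splitlines())
    print(format_report(per_user_report(recs)))
    print("--- DOMAIN\\bob on 2008-09-03 only ---")
    print(format_report(per_user_report(recs, user="DOMAIN\\bob",
                                        date_from="2008-09-03", date_to="2008-09-03")))
```

Pointing `parse_w3c` at a real log file and asking `per_user_report` for one user over a date window is exactly the "what did this user do last week" request the passage describes; the header-driven parser means the field list can differ from the constructed sample as long as the columns used here are present.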
The Create New Network Rule Wizard Should Ask You To Create Network Rules
This is something that catches me often, even after working with the ISA Firewall for years. How many times have you had to troubleshoot a connection after creating an ISA firewall Network and then creating Access Rules to allow outbound connections? I am embarrassed to admit how often it happens to me. The problem? I forget to create a Network Rule to connect the new ISA Firewall Network to other Networks. The New Network Rule Wizard should ask you if you want to create Network Rules to connect the new ISA Firewall Network to other Networks, and then start the New Network Rule Wizard for you.
LDAP Should Be Supported for Outbound Connections (Access Rules)
We already have the ability to use LDAP for inbound connections in Web Publishing Rules. Why can we not use LDAP for outbound connections for the Web Proxy client? This functionality seems to be already built into the Web Proxy filter, so it should not be that hard to support it for outbound Web Proxy client requests. Note: I say that it should not be that hard because I am not the one who has to do it. Nothing is impossible for the guy who does not have to do it :-). Let us see the Forefront TMG support LDAP for forward proxy connections.
The Ability to Group Rules
While it is nice to be able to sort rules by column, it would be even better to be able to group rules while keeping the rule numbers they already have. The problem with the ISA firewall is that if you move rules next to one another, you also change the rule order. It would be great if the Forefront TMG firewall allowed us to group rules without changing the rule number. This would make it much easier to keep track of the rules.
Support for SSTP
The ISA Firewall leverages RRAS for remote access VPN connections and has already provided support for PPTP and L2TP/IPsec. Now that we have Windows Server 2008 and the SSTP protocol that can be used by the Vista VPN clients, the Forefront TMG firewall should support SSTP. I was surprised not to see this when working with the Beta 1 version of the Forefront TMG firewall.
What do you think? Are these “improvements” too much to ask? Do you have any improvements in existing functionality that you would like to see included with the Forefront TMG firewall? Let me know! Send me a note at tshinder@isaserver.org and I will let people who can help make these wishes a reality know.
Some follow up from last month regarding the Essential Business Server implementation of the Forefront TMG. There were not too many complaints, but there were a few that came up on multiple occasions:
- Many wondered why the EBS implementation of the Forefront TMG is not taking advantage of ISA firewall security. There is no customization of the HTTP Security Filter. Also, the Web Publishing Rules do not require pre-authentication at the ISA Firewall and allow anonymous connections to the published server. This completely violates core tenets of ISA firewall security, and many wondered why these tenets were ignored.
- There is a single outbound access rule that allows anonymous outbound connections for all protocols through the ISA firewall. This again ignores the value of the ISA firewall in authenticating, logging and reporting user activity.
- What happened to the Firewall client? The Firewall client is a key security feature included with the ISA/TMG firewalls. There is no provision for automatically installing the Firewall client on the TMG client computers.
- Many people were confused by the rules named "Allow traffic from internal network targeting internal servers to bypass Security Server, for mixed case domains". No one understood what this meant, and they wondered why Direct Access is not being used instead of allowing hosts to bounce back through the Forefront TMG firewall.
I am still interested in your concerns over the EBS TMG configuration. Continue to send me your observations and I will share them again next month.
Until next month!
Thanks!
Tom
tshinder@isaserver.org
=====================
Quote of the Month - "The Best Firewall is the one between your ears" - Your Editor, Dr. Thomas W Shinder MD, MCSE, MVP
=======================
2. ISA Server 2006 Migration Guide - Order Today!
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.
Click here to Order your copy today
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
5. Tips of the Month
Do you wonder why SQL logging is not showing IP addresses? Then check out this thread on the ISAserver.org Web boards. There are some other good tips in this thread, so make sure to read all the posts.
6. ISA Firewall Links of the Month
7. Blog Posts
8. Ask Dr. Tom
QUESTION: Tom, I have read several of your articles on isaserver.org and appreciate the insight you give. I have an interesting issue with our ISA server at work. We are running ISA 2006 and users have the Firewall client installed on their PCs. When the Firewall client is enabled and a user tries to access a certain website internally that uses a redirector page, the site/page is painfully slow to load, up to a minute in some cases, and the screen will just show "redirecting to thesitename". When we disable the ISA client on the users' PCs, the page loads very fast as it should. This issue only occurs when going to this particular site with the user on the company's internal network (externally from the Internet the page loads very fast) with the ISA client enabled on the user's PC. Any idea on where to start troubleshooting this? Thanks, Brandon
ANSWER: Hi Brandon. It is hard to tell exactly what the problem is without knowing the details, but I will take a stab at this. It sounds like the initial connection is to an internal site, and then the internal site redirects the connection to an external site. Given that situation, it is likely that the first connection was made using Direct Access, and the second connection was made via either the Firewall client or Web Proxy client configuration.
My best guess, given the amount of information I have, is that the first connection was very fast because your internal DNS server was able to respond quickly to the request for the IP address of the internal site. However, when the client switched over to the Web Proxy or Firewall client configuration, the external DNS server responsible for answering DNS queries for the redirected site was slow to respond.
It could be another problem, but it would take some network traces using NetMon 3.x to find out what the other causes could be. One thing to look for is how long it takes to switch from the SecureNAT to the Firewall or Web Proxy client configuration. You can also check to see how long it takes for the DNS query to complete for the external site.
QUESTION: I managed to set up the ISA Firewall 2006; however, I am facing a problem. I have an SMTP server and a POP3 server provided by the ISP.
SMTP server: smtp.ispdomain.com
POP3 server: pop3.isapdomain.com
The IP address of the ISA Firewall's LAN interface is 10.0.0.10. How do I enable port forwarding so that I can point the Outlook mail client on my internal clients to 10.0.0.10 (ISA Server)?
ANSWER: I do not think port forwarding is the issue here, since this is an outbound access scenario. Port forwarding is typically associated with an inbound access scenario where you are using Server Publishing Rules.
I suspect that your problem might be related to your Firewall client configuration. I have written an article on this issue. This should help you solve your problems.
QUESTION: Dear Tom,
I installed ISA Server 2006 and it is working perfectly. The only problem is with ping and Remote Desktop connections to the external network. All the clients in the network can ping and remote to the ISA machine, but none of the PCs can ping the external network, and they also cannot remote to external hosts.
Pinging from a local client to an external host:
Z:\>ping yahoo.com
Ping request could not find host yahoo.com. Please check the name and try again.
Pinging from local clients to the ISA machine:
Z:\>ping erauisa
Pinging erauisa.eraunited.com [192.168.200.12] with 32 by
Reply from 192.168.200.12: bytes=32 time<1ms TTL=128
Reply from 192.168.200.12: bytes=32 time<1ms TTL=128
Reply from 192.168.200.12: bytes=32 time<1ms TTL=128
Reply from 192.168.200.12: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.200.12:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Hoping for your kind consideration. Thank you and best regards, Shiyas
ANSWER: Hi Shiyas,
It looks like you have a DNS problem here. You can resolve internal host names but you cannot resolve external host names. The clue to this situation can be found by the response to your ping request to the yahoo.com site, where the response was “could not find host yahoo.com”. Make sure that your internal DNS servers are configured to resolve both internal and external host names.
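Both of the DNS diagnoses in this column (the slow external lookup suspected in the answer to Brandon, and the internal-only resolution in the answer to Shiyas) can be confirmed from a client with the same check: resolve a known internal name and a known external name, time each lookup, and see which pattern appears. The script below is an added example and is not part of Dr. Tom's answers; it uses the standard library's `socket.getaddrinfo` for the real lookup (through whatever DNS servers the client is configured with) and a constructed fake resolver, with constructed addresses and delays, so the two scenarios can be reproduced offline. The host names `erauisa.eraunited.com` and `yahoo.com` are taken from the question above.

```python
"""Resolution check for internal versus external names (added example).

Assumptions: socket.getaddrinfo, i.e. the client's configured DNS servers, is
what a SecureNAT, Firewall client or Web Proxy client would use; the fake
resolver, its addresses and its delays are constructed for the offline demo.
"""
import socket
import time
from typing import Callable, Dict, Iterable, List, Optional

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a name through the client's configured DNS servers (IPv4 only)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_names(names: Iterable[str], resolver: Resolver = system_resolver,
                slow_ms: float = 1000.0) -> Dict[str, dict]:
    """Time each lookup and record addresses, the error if any, and whether it was slow."""
    results: Dict[str, dict] = {}
    for name in names:
        addrs: List[str] = []
        error: Optional[str] = None
        start = time.perf_counter()
        try:
            addrs = resolver(name)
        except OSError as exc:          # socket.gaierror is an OSError subclass
            error = str(exc)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        results[name] = {
            "addresses": addrs,
            "error": error,
            "ms": round(elapsed_ms, 1),
            "slow": error is None and elapsed_ms > slow_ms,
        }
    return results


def classify(results: Dict[str, dict], internal: Iterable[str], external: Iterable[str]) -> str:
    """Map the per-name results onto the patterns seen in the two answers."""
    internal, external = list(internal), list(external)
    if not all(results[n]["error"] is None for n in internal):
        return "internal-failing"     # not a split-DNS problem; the client's resolver is broken
    if not all(results[n]["error"] is None for n in external):
        return "internal-only"        # internal DNS answers, but not for external names
    if any(results[n]["slow"] for n in external):
        return "external-slow"        # external names resolve, but the lookup takes too long
    return "ok"


def make_fake_resolver(table: Dict[str, List[str]], delay_s: Dict[str, float]) -> Resolver:
    """Constructed resolver for the offline demo: answers from a table, optionally after a delay."""
    def resolve(name: str) -> List[str]:
        time.sleep(delay_s.get(name, 0.0))
        if name not in table:
            # -2 is EAI_NONAME on glibc; the message mirrors the real resolver error.
            raise socket.gaierror(-2, "Name or service not known")
        return list(table[name])
    return resolve


INTERNAL = ["erauisa.eraunited.com"]   # names taken from the question above
EXTERNAL = ["yahoo.com"]

if __name__ == "__main__":
    # Scenario 1 (Shiyas): the internal name resolves, the external name does not.
    fake = make_fake_resolver({"erauisa.eraunited.com": ["192.168.200.12"]}, {})
    res = check_names(INTERNAL + EXTERNAL, resolver=fake, slow_ms=5)
    print(classify(res, INTERNAL, EXTERNAL), res)
    # Scenario 2 (Brandon): both resolve, but the external lookup is slow
    # (198.51.100.7 is a documentation address, constructed for the demo).
    fake = make_fake_resolver({"erauisa.eraunited.com": ["192.168.200.12"],
                               "yahoo.com": ["198.51.100.7"]}, {"yahoo.com": 0.05})
    res = check_names(INTERNAL + EXTERNAL, resolver=fake, slow_ms=5)
    print(classify(res, INTERNAL, EXTERNAL), res)
```

On a real client, run `check_names(INTERNAL + EXTERNAL)` with the default resolver and the names your own network uses: "internal-only" points at the internal DNS servers not forwarding or recursing for Internet names, as in the answer above, while "external-slow" points at the resolution delay suspected in the redirector case.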
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.