Sponsored by: Rainfinity
ISAserver.org Newsletter
March 2005
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Free ISA Web Seminar--Deliver High Availability for ALL your Network Resources. Register Today!
You are invited to attend this web seminar and learn how RainConnect and RainWall can offer ISA Server customers a highly available, integrated Internet and firewall platform that ensures simplification of distributed management while maximizing security and Internet resources. Do not miss this opportunity.
Register today at http://www.rainfinity.com/isawebseminar
1. ISA Firewall Scripts Right on the CD
By Thomas W Shinder MD, MVP
One thing we don't cover enough at ISAserver.org is scripted solutions for the ISA firewall. Jim Harrison has done a great job taking up the slack over at www.isatools.org. If you haven't visited Jim's site, it's well worth your time. He has a number of excellent scripts there that will automate many of your ISA firewall configuration and administration tasks.
What you might not know is that right on your ISA Server 2004 CD is a collection of administration scripts you can customize and use. Most of these scripts require that you make an edit here or there (replacing a placeholder user name or SMTP server with one from your own organization), but it's nothing complex or difficult. Here's a list of the scripts on the CD:
--Activesessions.vbs
This script creates and executes a query on the FPCSessionsMonitor collection for the Firewall service sessions and displays the active sessions that existed when the query started. Run this script from a command prompt by entering the following command:
CScript ActiveSessions.vbs
--Addadmin.vbs
This script adds a specific user as an administrator with permissions to monitor the ISA Server computer and network activity, for example, to view logs and reports, but not to configure any specific monitoring functionality. NOTE: The user name defined in this script is fictitious. You must replace this fictitious user account name by a real user account in your organization.
--Addcacherule.vbs
This script creates a new URL set in the URL sets collection of the proxy, adds URLs to the URL set, and creates two new cache rules for caching content with a fixed TTL range from all sites on the External network except the sites in the new URL set.
--Addconnectivityverifier.vbs
This script creates a new connectivity verifier.
--Addruleandurlset.vbs
This script creates a new URL set in the URLSets collection of the firewall, adds sites to the URL set, creates a new access rule, and adds the new URL set to the objects referenced in the URLSets property of the access rule.
--Configurealerts.vbs
This script retrieves the collection of alerts defined in an ISA Server array, iterates through the collection, and set the e-mail address associated with each alert definition. NOTE: The parameters set in the SetSendMail method are fictitious. Replace the fictitious SMTP server name, From line, and To line by a real SMTP server in your organization and appropriate From and To lines.
--Controlaccessbyscheduleanduserset.vbs
The script creates the access rules, user set, and URL set needed to allow a specific group of workers in an organization restricted access to the Internet. The group is allowed to access only the sites listed in the URL set and only during the hours specified in the "Work hours" schedule supplied with ISA Server 2004. All other workers using computers that belong to the Internal network are granted unlimited access to the Internet. NOTE: The user names defined in this script are fictitious. You must replace these fictitious user account names by real user accounts in your organization.
--Httpfilterconfig.vbs
New policy rules use a default HTTP filtering configuration, which is not defined in a vendor parameters set and cannot be exported to an XML file. In ISA Server Management, you can right-click the name of a policy rule and then click Configure HTTP to open the "Configure HTTP policy for rule" dialog box. After you click OK in this dialog box and click the Apply button, a new vendor parameters set containing the configuration for the HTTP Filter Web filter is created for the rule. This configuration can be exported from the vendor parameters set of the rule to an XML file and then imported from the XML file to other rules. This script exports the configuration for the HTTP Filter Web filter from the corresponding vendor parameters set of the specified policy rule to the specified file, or imports the configuration for the HTTP Filter Web filter from the specified file to a new vendor parameters set of the specified policy rule.
--Importexport.vbs
This script exports the configuration of the array object of an ISA Server computer to a specified XML file, or imports the configuration in a specified XML file to the array object of the ISA Server computer. The following two parameters must be included on the command line:
- The letter "e" or "i" to indicate whether the configuration will be exported or imported.
- The name of the XML file.
--Setnetworkrelation.vbs
This script creates a new network rule that defines a NAT relationship between any network belonging to the predefined All Protected Networks network set and the External network. This rule will also apply to any perimeter network created in the future, because such a network is included automatically in the All Protected Networks network set.
--Showicmpsystempolicy.vbs
This script retrieves the collection of system policy rules defined in an ISA Server array and implicitly uses the _NewEnum property to iterate through the collection and display the names of the system policy rules for ICMP and the user sets to which each rule applies. We recommend running this script from a command prompt by entering the following command:
CScript ShowICMPSystemPolicy.vbs
Have a cool script to configure or manage your ISA firewall? Send it along to tshinder@isaserver.org and we'll feature your work in the next newsletter. Thanks! -Tom.
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004, and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
Click here to order your copy today
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
I haven't seen this problem myself yet, but if you see Netlogon error 5719 in your ISA firewall's Event Logs, then Lex Penrose might have a fix for you:
Hi,
If you get this error:
---------------------
NETLOGON Event 5719:
This computer was not able to set up a secure session with a domain controller in domain EDU due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
---------------------
then you need to make your Netlogon service dependent on your fwsrv service:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon
DependOnService (REG_MULTI_SZ) -> add: fwsrv
Hope this helps you guys out.
Kind regards, Lex Penrose.
Thanks Lex!
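The registry edit in Lex's post, as an added example (not part of his post and not an ISA Server tool): a PowerShell script that appends fwsrv to Netlogon's DependOnService list without discarding the dependencies that are already there. It assumes the ISA Server 2004 Microsoft Firewall service is registered under the short name fwsrv, as the post states; check with Get-Service on your own box before running it. A reboot is needed for the new dependency to take effect.

```powershell
# Added example: make Netlogon start after the ISA Firewall service (fwsrv)
# so the secure channel to the DC is set up once the firewall is passing
# traffic. Run from an elevated prompt on the ISA firewall itself.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$name = 'DependOnService'
$svc  = 'fwsrv'   # assumed short name of the Microsoft Firewall service

# Read the current REG_MULTI_SZ value, dropping empty entries (or a missing value).
$current = @((Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name |
             Where-Object { $_ })

if ($current -contains $svc) {
    Write-Host "Netlogon already depends on $svc"
} else {
    # Append rather than overwrite: Netlogon normally depends on LanmanWorkstation
    # and that entry must survive the change.
    $updated = $current + $svc
    Set-ItemProperty -Path $key -Name $name -Value $updated -Type MultiString
    Write-Host "DependOnService is now: $($updated -join ', ')"
}

# Confirm the service controller sees the new dependency list.
sc.exe qc Netlogon
```

Two things to keep in mind. The older one-liner `sc config Netlogon depend= ...` replaces the whole list, so if you use it you must name every existing dependency (slash separated) plus fwsrv, which is why the script above appends instead. And a dependency cuts both ways: if fwsrv fails to start, Netlogon will not start either, and the firewall will run without a secure channel to the domain until the firewall service is fixed.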
6. ISA Firewall Links of the Month
We've got a bunch of great links for you this month. Check out the tasty ISA firewall morsels below for the goodies.
Order the ISA Server 2004 Enterprise Edition CD and trial kit:
http://www.microsoft.com/isaserver/evaluation/trial/default.asp
Very cool hands-on interactive training for ISA firewalls:
http://www.isa2004training.com
Performance is an issue with any firewall and the ISA firewall is no exception. Check out this document for tips and tricks on how to squeeze max performance out of your ISA stateful packet and application layer inspection firewall.
Performance Best Practices
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/bestpractices.mspx
All firewalls have a base operating system on which the firewall software runs. Even so-called "hardware" firewalls have operating systems. Of course, the ISA firewall has an operating system, which can be either Windows 2000 or Windows Server 2003 (I prefer Windows Server 2003 because of its security enhancements). Check out these two papers on how to harden the OS on your ISA firewall:
Hardening the Windows Infrastructure on the ISA Server 2004 Computer
http://www.microsoft.com//technet/prodtechnol/isa/2004/plan/hardeningwindows.mspx
ISA Server 2004 Security Hardening Guide
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx
We hear from a lot of people who want the ISA firewall to generate redirects at the ISA firewall, not at a published Web server behind the ISA firewall. Unfortunately, there's no way to do this with the built-in ISA firewall features. However, the folks at Collective Software have come up with a great tool called WebDirect for ISA Server 2004. It can issue HTTP and HTTPS redirects. You can download a fully functioning demo (which is not even timebombed) at:
WebDirect
http://www.collectivesoftware.com/Products/
Write to me at tshinder@isaserver.org and let me know what you think of it!
I'm starting to see a ton of questions about ISA Server 2004 Enterprise Edition now that it's hit the streets. This is some powerful ISA firewall software and I highly recommend it if you're an organization that requires strong stateful packet and application layer inspection, high availability, and a centralized management console for 2 to 2000 ISA firewalls, managed from a single location and management interface, with policy pushed to ISA firewalls located throughout the world. The first step is to figure out how to install the thing! Check out the following document FIRST before even trying to install ISA Server 2004 Enterprise Edition:
ISA Server 2004 Enterprise Edition Configuration Guide
http://download.microsoft.com/download/6/9/0/690d2ee7-a4e0-4c0a-80d4-1e30ebcac1de/ISA_2004_EE_Configuration_Guide.doc
Like I do every month, I want to point out again the great information in the ISA deployment kits. There are kits for rolling out the ISA firewall in the branch office, using the ISA firewall to protect Exchange Servers, using the ISA firewall as a cutting edge IPsec and SSL VPN server and site-to-site VPN gateway, and more. Check out the kits listed below for more info:
ISA 2004 Branch Office Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_branchoffice-Rev%201%2003.doc
ISA 2004 Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc
ISA 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc
ISA 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc
ISA 2004 VPN Deployment Kit
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc
7. Ask Dr. Tom
QUESTION: Hello Dr Shinder: I'm trying to setup a test ISA Server to evaluate what the new version is like. I have read your article on controlling the source IP for published servers on an ISA server (http://www.isaserver.org/pages/article_p.asp?id=994).
I am trying to get an Exchange Server in this similar situation to use a different source IP address when sending mail. The only hitch is that the exchange server is installed on the same server, and I am using a second internal IP to host exchange on and publish the second external IP to that internal IP.
ANSWER: This is something ISA firewall admins have been asking about for years. While you can't do it if there is a NAT relationship between the External Network and the host, you can do this if you create a Route relationship. Here's some great info from ISA firewall trainer extraordinaire, Ronald Beekelaar:
Create a new network rule:
From the single server to the External Network, and use a Route relationship. Then list that network rule as the first one in the list. Of course, you will have to make sure that the server has a "routable" (public) IP address.
QUESTION: We have what I think isn't an unusual setup. We have three branch offices that need to connect to the main office and the Internet. There's an ISA firewall at each location. What I need is to be able to control access at each office using the local ISA firewall, and force all computers to use the main office ISA firewall to get to the Internet and to main office computer resources. I can create a site to site VPN, but that leaves the possibility of computers at the branch offices reaching the Internet using the local ISA firewall, and I do not want that. What I want is for the VPN link to be the default gateway. Is this possible?
ANSWER: There are a couple of ways you can solve this problem. The first is to set up a site to site VPN at the branch office, but define the Remote Site Network that represents the main office to include the entire IPv4 address range except the addresses used on the branch office network and the loopback network ID (127.0.0.0/8). You have to be comfortable with IP address ranges to get this right, but it does work. Then create access rules allowing the branch office access to the main office, and a Network Rule that sets a NAT relationship from the branch office network to that Remote Site Network.
At the main office you do not configure a Remote Site Network for the branch office. Just configure the main office ISA firewall to be a VPN server. There is already a default rule that routes VPN clients to the Internet. Create a new Network Rule at the main office that sets a NAT relationship between the VPN Clients Network and the Internet, then create Access Rules allowing VPN clients access to whatever you want them to access.
With this configuration, all connections from the branch offices are NATed on the way to the main office and the Internet, and all Internet connections are forced out through the main office link, which is the same link the VPN connection is established over. Note that this isn't actually a site to site link, since the main office sees each branch office as an ordinary VPN client.
An alternative to this approach is to create a VPN connectoid on the branch office ISA firewall and configure the branch office ISA firewall to use that as a dial-up entry. You would then configure the VPN connection to be the branch office's default gateway in the dial-up configuration. The reason why I prefer the pseudo-site to site VPN configuration is that the autodial feature seems to hang the ISA firewall and often requires rebooting the machine to allow you to manually dial the connection.
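The hard part of the first approach above is writing out "everything except the branch office and 127.0.0.0/8" as the start-end address ranges that an ISA Server 2004 network definition expects. The following is an added example (not code from the newsletter or from ISA Server) that computes those ranges; it generalizes to any number of exclusions, so the branch's VPN client pool and any perimeter networks can go in the same list, since the remote site must not claim addresses that are local to the branch. The branch subnet 192.168.10.0/24 is a constructed sample.

```python
"""Work out the address ranges for a branch office Remote Site Network that
covers all of IPv4 except the branch's own networks and loopback.

Added example; not from the newsletter or from ISA Server. ISA Server 2004
defines a network as a list of inclusive start-end IPv4 ranges, so the
ranges are returned in that form. The branch subnet 192.168.10.0/24 used in
the demo is a constructed sample.
"""
import ipaddress

ALL_IPV4_LAST = 0xFFFFFFFF  # 255.255.255.255


def remote_site_ranges(excluded):
    """Return inclusive (first, last) dotted-quad ranges that together cover
    every IPv4 address except those in the excluded networks.

    Exclusions may be given in any order and may overlap or nest; the sweep
    below merges them as it walks the address space from 0.0.0.0 upward.
    """
    nets = sorted(
        (ipaddress.ip_network(n, strict=False) for n in excluded),
        key=lambda n: int(n.network_address),
    )
    ranges = []
    cursor = 0  # lowest address not yet assigned to a range or an exclusion
    for net in nets:
        first = int(net.network_address)
        last = int(net.broadcast_address)
        if first > cursor:
            # The gap between the cursor and this exclusion is address space
            # the Remote Site Network must include.
            ranges.append((str(ipaddress.IPv4Address(cursor)),
                           str(ipaddress.IPv4Address(first - 1))))
        # Skip past the exclusion; max() handles overlapping and nested ones.
        cursor = max(cursor, last + 1)
    if cursor <= ALL_IPV4_LAST:
        ranges.append((str(ipaddress.IPv4Address(cursor)),
                       str(ipaddress.IPv4Address(ALL_IPV4_LAST))))
    return ranges


def covers(ranges, address):
    """True if the address falls inside one of the computed ranges."""
    a = ipaddress.IPv4Address(address)
    return any(ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)
               for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample: one branch subnet plus the loopback block.
    EXCLUDED = ["192.168.10.0/24", "127.0.0.0/8"]
    for lo, hi in remote_site_ranges(EXCLUDED):
        print(f"{lo} - {hi}")
```

For the sample exclusions this yields three ranges: 0.0.0.0 to 126.255.255.255, 128.0.0.0 to 192.168.9.255, and 192.168.11.0 to 255.255.255.255. Type those into the Remote Site Network's address list on the branch firewall, and use covers() to sanity check that a main office address lands inside the definition while a branch address does not before applying the configuration.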
Got a question for Dr. Tom? Send it to tshinder@isaserver.org