The #1 unofficial ISA Server resource site

ISAserver.org Newsletter of May 2005

Sponsored by: Rainfinity

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Download RainWall High Availability for ISA: Optimize Firewall, Internet and Content Security

Rainfinity delivers High Availability and Dynamic Load Balancing for Microsoft ISA 2004. Rainfinity's next generation high availability platform extends beyond the firewall to protect and optimize all of your network resources, including your ISP connections and content security. This is the only integrated solution for firewall and Internet connectivity that takes advantage of all nodes with load balancing and advanced failure detection.  Download RainWall and RainConnect for ISA today!



1. Answers to the Top Three Questions Asked by ISA Firewall Administrators

By Thomas W Shinder MD, MVP

There are three questions that come up over and over again on the ISAServer.org message boards, the mailing list and the msnews.com newsgroup. It would be accurate to say that I have encountered one or more questions on each of these subjects every day for the last five years. Because of how often they come up, I consider these, from the end user's point of view, the top three design changes the ISA firewall needs.

These questions aren't listed in any order, and the questions selected here aren't part of a detailed quantitative assessment I've made over the years. But, when you see the same thing, every day for almost five years, you get a pretty good idea of what's real and what's not.

1. How do I use multiple Internet Connections? I have a DSL and a Cable Connection and want to use both to combine bandwidth and provide fault tolerance and failover

The ISA firewall depends on the underlying Windows networking components to support routing connections to and through the ISA firewall. This means you can have one interface with a default gateway, and typically you'll have only a single default gateway listed on that interface. You could consider dead gateway detection, which is part of the Windows networking feature set, but be aware that it is most likely not what you had in mind.

What I see every day in the mailing lists, Web boards and newsgroups, in letters people send to me directly, and when people call me on the phone, is requests for:

  • Multiple ISP connections using different connectivity methods. For example, they want to have a DSL line, a cable line and a T1 and be able to use all three.
  • Bandwidth aggregation from all the lines, so that they can potentially have a total throughput that is close to the sum of the rated capacity of each line.
  • Transparent failover for all the lines, so that if they have three lines, and two of the lines go offline, users will be totally unaware of the outage. The only time users would notice connectivity issues would be when all the lines go down.
  • Protocol based routing. Many of the people asking for multiple ISP support want to be able to route certain protocols to specific ISP connections in order to perform a "poor man's" bandwidth shaping solution. For example, if they have an ISDN 128K line, a DSL line, and a 15Mbps FiOS line, they want to send all Kazaa/streaming music traffic to the ISDN line, and leave the DSL and FiOS lines for business activities and protocols.

The fact is, the ISA firewall does not support multiple ISPs right out of the box. However, if you want all these features, I highly recommend that you check out RainConnect at www.rainfinity.com.

2. I need user names, machines names, sites names, and application names in the ISA firewall's log files. How do I do that?

The good news here is that there is an answer to this question, and you don't have to buy any extra software. Here are the solutions:

User names - Configure the clients as Firewall and Web proxy clients. The Firewall client always sends the user name to the ISA firewall for all connections it is responsible for, which are the connections made by Winsock applications. The Web proxy client always tries to authenticate when the ISA firewall asks it to.

Machine names - Configure the clients as Firewall clients. The Firewall client software will include the machine name and this information will appear in your logs.

Site names - Configure the clients as Web proxy clients. The Web proxy client sends a request for a URL to the ISA firewall's Web proxy filter. This means the ISA firewall has full knowledge of the URL being requested, not just the IP address of the destination Web server. Web proxy client configuration is required if you want to see the URLs users are accessing in the ISA firewall's Web proxy filter logs.

Application names - Configure the clients as Firewall clients. The Firewall client will always forward the application name the user uses to connect to a resource through the ISA firewall. The name of the executable appears in the log files and you can use this information to block the application in the future by configuring the Firewall client .ini files. Let's see a packet filter hardware firewall do that!

3. I need to map outbound connections from my SMTP servers to specific addresses on the external interface of the ISA firewall so that reverse DNS lookups do not fail. How do I do that?

This is a very, very, VERY common question that I've seen just about daily since ISA Server 2000 was in early beta. What people want to do is bind an IP address on the external interface of the ISA firewall to a host on one of the ISA firewall's Protected Networks. The most common reason for this is that the company has multiple mail servers responsible for mail for multiple SMTP domains, and they want to make sure that the reverse lookups do not resolve to the same IP address on the ISA firewall, since this falls outside of the RFC (the last time I checked, the RFC said you can't have multiple SMTP domains pointing to the same IP address).

Unfortunately, you can't bind a specific IP address on the external interface of the ISA firewall to a host on the corporate network. There were some tricks you could use with the Firewall client in ISA Server 2000, but those do not work in ISA Server 2004, as Firewall client wspcfg.ini configuration files are no longer supported. At this time, there is no fix to this issue.

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder now present their next ISA Server book, Configuring ISA Server 2004. This book leverages the more than two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004, and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

5. Post of the Month

Mark Nyquist comes to the rescue of ISA firewall admins everywhere with some great scripts that allow you to bring your ISA firewall's advanced logging information into text format. Let's let Mark explain them to you:

Hey Tom,

Glad to share - I've certainly gotten a lot of help from your site.

Background: I really like the live filtering features for log viewing that the ISA server MMC console provides. The problem is that most log analysis programs want text file output. So - since I didn't want to choose between good live diagnostic tools or good analytical programs, I wrote the attached scripts to be run nightly: ISADump.vbs and MSDEtoWebSpy.vbs.

Basically, the first script connects to the ISA server, finds all the ISA log databases, checks to see if a dump has already been made, and if not, dumps it as a text file with an .MSDE extension. The second script will go through the previously dumped .MSDE files, check to see if it's already done a conversion, and if not, parses through it to convert the BIGINT numbers to IP addresses, and puts it in a file format that WebSpy's "Microsoft ISA Server" filter can recognize. (This could more than likely be modified to convert to other formats as well.)

Note: MSDE does not allow remote TCP/IP connections by default. You need to run C:\Program Files\Microsoft SQL Server\80\Tools\Binn\SVRNETCN.exe and enable it before you can run these scripts from a remote machine. (Requires a SQL restart)

Download the scripts at: http://www.msfirewall.org/isa2004/webspyscripts.zip

Thanks Mark!
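For readers who want to see the conversion step Mark describes without the VBScript, here is an added Python example; it is not Mark's ISADump.vbs or MSDEtoWebSpy.vbs and not part of ISA Server. It assumes a tab-separated dump with a header row and address columns named ClientIP and DestHostIP (assumed names), and that the low 32 bits of each signed BIGINT carry the IPv4 address. The byte order of those 32 bits is a parameter rather than a fixed assumption, because the newsletter does not state the encoding: round-trip a known client address through ipv4_to_bigint against your own export before trusting the output. The SAMPLE_DUMP rows are constructed, not real log data.

```python
"""Post-process a text dump of ISA firewall MSDE logs: integer IPs to dotted quads.

Added example (not ISADump.vbs / MSDEtoWebSpy.vbs and not ISA Server code).
Assumptions: tab-separated dump with a header row; address columns named
ClientIP and DestHostIP; the low 32 bits of each signed BIGINT carry the
IPv4 address. Byte order is a parameter: verify it against a known host
in your own export before trusting the output.
"""
import ipaddress
import os
import tempfile
from typing import Iterable, List, Tuple


def bigint_to_ipv4(value: int, byte_order: str = "big") -> str:
    """Dotted quad for the low 32 bits of a 64-bit log integer.

    MSDE bigint is signed, so the value is masked first: -1 becomes
    255.255.255.255 instead of raising. byte_order is "big" for network
    order or "little" if the export stored the octets reversed.
    """
    low32 = value & 0xFFFFFFFF
    return ".".join(str(b) for b in low32.to_bytes(4, byte_order))


def ipv4_to_bigint(address: str, byte_order: str = "big") -> int:
    """Inverse of bigint_to_ipv4; use it to confirm the byte order of an export."""
    packed = ipaddress.IPv4Address(address).packed  # network-order bytes
    return int.from_bytes(packed, byte_order)


def convert_dump(lines: Iterable[str],
                 ip_columns: Tuple[str, ...] = ("ClientIP", "DestHostIP"),
                 byte_order: str = "big") -> List[str]:
    """Rewrite the named integer columns of a tab-separated dump as dotted quads.

    The header row passes through unchanged. Blank rows are dropped and a
    field that is not an integer is left as-is, so one malformed row does
    not abort a nightly batch.
    """
    it = iter(lines)
    header = next(it).rstrip("\r\n")
    names = header.split("\t")
    targets = [i for i, name in enumerate(names) if name in ip_columns]
    out = [header]
    for raw in it:
        row = raw.rstrip("\r\n")
        if not row:
            continue
        fields = row.split("\t")
        for i in targets:
            if i < len(fields) and fields[i].lstrip("-").isdigit():
                fields[i] = bigint_to_ipv4(int(fields[i]), byte_order)
        out.append("\t".join(fields))
    return out


def convert_file(src: str, dst: str, **kwargs) -> bool:
    """Convert src into dst unless dst already exists. Returns True if work was done.

    An existing output file counts as a completed conversion, which is the
    "check to see if it's already done" step that makes a nightly rerun safe.
    """
    if os.path.exists(dst):
        return False
    with open(src, encoding="utf-8") as fh:
        converted = convert_dump(fh, **kwargs)
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write("\n".join(converted) + "\n")
    return True


# Constructed sample dump (not real ISA log data). 3232235777 is 192.168.1.1
# in network byte order; 3325256711 is 198.51.100.7 (documentation range).
SAMPLE_DUMP = [
    "logTime\tClientIP\tDestHostIP\tDestHostPort\tClientUserName",
    "2005-05-01 02:00:01\t3232235777\t3325256711\t80\tCORP\\alice",
    "2005-05-01 02:00:02\t3232235778\t3232235521\t25\tanonymous",
]


def demo() -> Tuple[bool, bool]:
    """Write the sample to a temp dir and convert it twice; returns (first, second)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "ISALOG_20050501.MSDE")  # constructed file name
        dst = os.path.join(tmp, "ISALOG_20050501.txt")
        with open(src, "w", encoding="utf-8") as fh:
            fh.write("\n".join(SAMPLE_DUMP) + "\n")
        first = convert_file(src, dst)    # does the work
        second = convert_file(src, dst)   # skipped: output already exists
        return first, second


if __name__ == "__main__":
    for line in convert_dump(SAMPLE_DUMP):
        print(line)
    print(demo())
```

The skip-if-output-exists check is deliberately coarse: it treats any existing output as complete, so a conversion interrupted halfway would need its partial output deleted before the next run picks it up again. Writing to a temporary name and renaming on success is the usual fix if that matters in your environment.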

6. ISA Firewall Links of the Month

Anyone out there have problems with VPN clients connecting to an ISA 2000 firewall running Windows Server 2003 SP1? I thought so. Here you go:

http://support.microsoft.com/Default.aspx?scid=kb;en-us;897651&spid=2107

I've always wondered about the voodoo in interpreting the ISA firewall's error codes. No link on how to do this, but Jim Harrison rubs the magic lantern and drops a great tip into our laps:

"That's a Winsock error (10053) - connection aborted. Drop the high word (8007) and use calc to translate the remaining hex word (2745)."
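Jim's tip can be turned into a few lines of code. The block below is an added example, not code from the newsletter or from Jim Harrison: it takes an HRESULT such as 0x80072745, confirms that the high word 0x8007 is the Win32 facility with the failure bit set, and returns the low word (0x2745 = 10053) as the Winsock error. The WINSOCK_NAMES table is my own shortlist of a few common codes, not an ISA or Windows artifact.

```python
"""Decode an ISA firewall error code of the form 0x8007xxxx to its Winsock error.

Added example (not from the newsletter or from Jim Harrison). An HRESULT is
a 32-bit value: bit 31 is the failure flag, bits 16-26 the facility, and
the low 16 bits the code. The high word 0x8007 therefore means "failure,
facility 7 (FACILITY_WIN32)", and the low word is a plain Win32/Winsock
error number such as 10053. WINSOCK_NAMES is a shortlist of common codes,
not an ISA or Windows table.
"""
from typing import Dict, Union

FACILITY_WIN32 = 7

WINSOCK_NAMES: Dict[int, str] = {
    10053: "WSAECONNABORTED (software caused connection abort)",
    10054: "WSAECONNRESET (connection reset by peer)",
    10060: "WSAETIMEDOUT (connection timed out)",
    10061: "WSAECONNREFUSED (connection refused)",
    10065: "WSAEHOSTUNREACH (no route to host)",
}


def parse_error_code(text: str) -> int:
    """Accept "0x80072745", "80072745" or the signed decimal "-2147014843"
    and return the unsigned 32-bit value. Hex is assumed unless the string
    is a negative decimal, which is how some viewers display an HRESULT."""
    text = text.strip()
    if text.startswith("-"):
        value = int(text, 10)
    else:
        if text.lower().startswith("0x"):
            text = text[2:]
        value = int(text, 16)
    return value & 0xFFFFFFFF


def decode_hresult(code: Union[int, str]) -> Dict[str, object]:
    """Split an HRESULT into failure flag, facility, high word and low-word code.

    When the facility is WIN32 the low word is looked up in WINSOCK_NAMES;
    for any other facility the name is None, because the low word then
    belongs to a different error space and must not be read as Winsock.
    """
    value = parse_error_code(code) if isinstance(code, str) else code & 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    low_word = value & 0xFFFF
    name = WINSOCK_NAMES.get(low_word) if facility == FACILITY_WIN32 else None
    return {
        "hresult": f"0x{value:08X}",
        "failure": bool(value & 0x80000000),
        "facility": facility,
        "high_word": f"0x{value >> 16:04X}",
        "code": low_word,
        "name": name,
    }


def explain(code: Union[int, str]) -> str:
    """One-line explanation in the spirit of Jim's tip."""
    d = decode_hresult(code)
    if d["facility"] != FACILITY_WIN32:
        return (f"{d['hresult']}: facility {d['facility']} is not WIN32; "
                f"low word {d['code']} is not a Winsock code")
    name = d["name"] or "Win32 error not in the shortlist"
    return f"{d['hresult']}: drop {d['high_word']}, 0x{d['code']:04X} = {d['code']} -> {name}"


if __name__ == "__main__":
    print(explain("0x80072745"))
```

The facility check matters: an HRESULT such as 0x80004005 (E_FAIL, facility 0) also has a low word, but reading it as a Winsock number would send you down the wrong path, so the decoder refuses to name it.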

Everything you wanted to know about HTTP compression support for the ISA firewall:

http://support.microsoft.com/default.aspx/kb/838365/en-us

Clint Denham is a past master with the ISA firewall and he's unleashed a great, once untold secret, onto the ISA firewall admin community:

"When installed, ISA modifies the registry entry for EnablePMTUDiscovery to 0. This effectively makes ISA's MTU 576. Set HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery to 1, reboot and see if it makes a difference. ISA does this in accordance with KB Article 324270, How To Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003."

http://support.microsoft.com/default.aspx?scid=324270

Mike Gower has put together a great doc on publishing multiple Web sites and OWA using SSL. Check it out at:

http://www.itblueprint.ca/docs/isa2004/publishing/Publishing%20multiple%20websites%20and%20OWA%20using%20SSL.pdf

Also, check out Mike's doc on the ISA firewall's VPN-Q feature and how to implement it at:

http://www.itblueprint.ca/docs/isa2004/quarantine/Implementing%20ISA%202004%20Quarantine.pdf

The Microsoft ISA firewall docs team fried up a very tasty article on Monitoring and Troubleshooting Performance for ISA firewalls. Definitely read this doc before posting on the message boards about how ISA slowed down your Kazaa connections :)

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ISA_2004_PerfTroubleshooting.mspx

Quick links to ISA deployment kits:

ISA 2004 Branch Office Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_branchoffice-Rev%201%2003.doc

ISA 2004 Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc

ISA 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc

ISA 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc

ISA 2004 VPN Deployment Kit
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc

7. Ask Dr. Tom

QUESTION: I've currently established a network at my home, which is similar to your topology in http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html. But instead of Wireless DMZ, I created a wireless LAN.

On the WLAN, there are two clients, one desktop and one laptop. On the LAN, I have three servers, one desktop and one printer. On the ISA firewall there are three NICs installed, with one connected to the Internet and the other two connected to the LAN and WLAN segments. I've created two subnets, 192.168.0.0/24 (LAN) and 192.168.1.0/24 (WLAN). On the ISA firewall there is a caching DNS server installed and on the DC on the default Internal Network there is a DNS server, which uses the ISA firewall's caching-only DNS server as a forwarder.

Now my question is: can I configure the WLAN as an internal Network or must it be configured as a perimeter Network? -RichMan.

ANSWER: The ISA firewall console's interface is a bit misleading when configuring ISA firewall Networks. While the ISA firewall console allows you to create Network Rules that are of the type Perimeter Network and Internal Network, the fact is that the ISA firewall sees these ISA firewall Networks as being exactly the same in terms of ISA firewall management and configuration. You can confirm this by creating a new internal ISA firewall Network and a perimeter ISA firewall Network. Right click on each of the Networks and click Properties. You'll see that the options are exactly the same. The designation of internal or perimeter is there to help you keep track of things and does not represent any functional difference.

QUESTION: I am currently setting up a single FE and a BE Exchange 2003 environment. I've read Microsoft's preferred method of having a FE machine in the same network as the BE machine and just allowing SSL to the FE machine.

I see the philosophy in the doing this as opposed to setting up a FE machine in a DMZ/perimeter network; in that, if the FE machine is compromised in the DMZ by another machine in the DMZ it has a chance of compromising the domain. Conversely, if the FE machine is compromised in the main network as your BE machine, Domain Controllers, clients, etc. everything is compromised still.

So, I am contemplating a best solution for this deployment. Is it possible for a DMZ deployment of the FE machine with IPsec tunnels to the BE machine and the DCs to be safe? Consideration: backup process from backup server in the main network using an IPsec tunnel to the FE machine? Also, using 2003 SP1 and only allowing 443, 3389, and IPsec incoming?

I am scratching my head over all of the possible complications this could have. Ideally: I am looking for RPC over HTTPS and OWA/SSL to the FE machine from the Internet, and keeping security between the FE and BE machines.

Tom, if you could drop some input and your opinion on this I would appreciate it. Thanks! --Scott

ANSWER: I think there are multiple roads to Rome, and it just depends on how fancy and how paranoid you want to get. I prefer to put the front-end Exchange Server on a DMZ and the back end on the production network or a dedicated network services segment. The rationale for putting the front-end Exchange Server on the DMZ is that if a worm or intentional focused attack compromises the Exchange Server, you can limit the damage done by the compromised FE server on the rest of the Network.

Note that I do not recommend putting the FE Exchange Server on an anonymous access DMZ. An anonymous access DMZ allows anonymous connections from anywhere on the Internet to the FE Exchange Server; if you wanted that, you could put a lowly hardware firewall in front of the front-end/back-end Exchange Server and cross your fingers while waiting for your new job :) Instead, put the FE Exchange Server in an authenticated access only DMZ. Users must first authenticate at the ISA firewall before being allowed to access the FE Exchange Server, or any other services on the authenticated DMZ segment.

While the approach Microsoft takes in their front-end/back-end Exchange Server article is a valid one that does work, I don't think it fully leverages the security the ISA firewall can provide your organization. The advantage of the Microsoft approach is that it's simpler. The drawback is that if the FE device, which is an Internet-facing device, is compromised, you can't as easily minimize the damage as you could if you put it in an authenticated-only DMZ. While the actual security gain is not huge (because the front-end and back-end must both be in the same domain), you do reduce the attack surface in a way that you would not be able to if the front-end and back-end were both on the same ISA firewall Network.

Using IPSec through the ISA firewall from the DMZ to the BE Exchange Server's ISA firewall Network isn't a good solution because you encapsulate all protocols in the IPSec header(s) and the ISA firewall is unable to perform stateful application layer inspection or make any type of assessment of the communications hidden in the IPSec protected communication. This represents the same type of security compromise you have with uninspected VPN and SSL tunnels moving through the ISA firewall. While the ISA firewall has built-in security technologies to help mitigate some of the threats inherent in VPN and SSL communications, it does not have anything in its firewall tool-chest to prevent attacks from being tunneled via IPSec.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org
