ISAserver.org Monthly Newsletter of May 2007 Sponsored by: Burstek

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Ten Smart Things You can Do with the ISA Firewall

Last month I went over my top ten stupid ISA Firewall tricks. Hopefully you didn't' find yourself doing anything on that list! This month, I cover the ten smartest things you can do with the ISA Firewall. I hope all my readers find themselves doing almost everything on this list.

Install the Firewall Client on Client Operating Systems

The Firewall client enables you to require authentication for almost all UDP and TCP protocols for Winsock applications. In addition to requiring authentication, you also can record authentication information in the ISA Firewall's log files. All secure ISA Firewall installations have the Firewall client deployed.

Configure Clients as Web Proxy Clients

A computer is configured as a Web proxy client when the browser is configured to use the ISA Firewall as a Web proxy server. You can use Group Policy or autoconfiguration to automatically configure your clients as Web proxy clients, so you never need to "touch" the clients to make the configuration. Web proxy clients add to security and performance for client-side Web performance.

Use Separate Firewalls for Inbound and Outbound Access

This is something that Jim Harrison covered at a Black Hat conference a few years ago. In order to increase security, performance and reliability, you should use separate ISA Firewalls (or firewall arrays) for inbound and outbound connections. The inbound ISA Firewall might accept connections for published Web sites, remote access VPN connections, or inbound SMTP mail. Outbound connections are those initiated by internal users and go out to the Internet.

Use the ISA Firewall for Security Segment Partitioning

Not all machines on your network are exposed to the same level of risk and importance. It's important that you separate machines that belong to different security zones from one another by partitioning them using the ISA Firewall. Examples of types of machines that belong to different security partitions include client operating systems, network server services, and Internet facing devices, such as front-end Exchange Servers. Each of these example machine types should be separated from one another by using the ISA Firewall to partition them.

Join the ISA Firewall to the Domain

One of the most important things you can do to increase the security the ISA Firewall can provide is to join the ISA Firewall to your user domain. It's a common misconception that joining the ISA Firewall to a workgroup is more secure - the truth and the fact is that workgroup ISA Firewalls are less secure. For details on the enhanced security provided by domain membership, check out http://isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Put the Front-end Exchange Server (or CAS) in an Authenticated Access DMZ

For a secure configuration, is absolutely critical that you separate Internet facing devices from non-Internet facing devices. The best example of this is the front-end (or CAS) and back-end Exchange Server. The front-end Exchange Server is an Internet facing device that accepts inbound connections from Internet hosts, while the back-end Exchange Server never accepts connections from external hosts. Because of this, the ISA Firewall must be used to separate the front-end and back-end Exchange Servers from one another because of their different security zone membership.

Use SSL to SSL Bridging

When an external user establishes an SSL connection to one of your published servers, that user has a reasonable expectation that you have secured that SSL connection from end to end. If you use so-called "SSL offloading" by using SSL to HTTP bridging, then you've violated that implicit agreement and potentially open yourself up for legal liabilities if information is stolen on the non-secured channel. Be smart - use SSL to SSL bridging to provide end to end security. If you have performance issues, upgrade your hardware. Try an SSL encryption card first.

Use a Split DNS Infrastructure

A split DNS infrastructure allows you and your users to use the same names to access resources regardless of the users' locations. A split DNS requires that you have at least two DNS servers for the same DNS zone: one that is used exclusively by external users and one used exclusively by internal users. For more information about a split DNS infrastructure, check out the articles listed at http://isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html and http://isaserver.org/tutorials/2004illegaltldsplitdns.html

Create Allow Rules, Avoid Deny Rules

The ideal network security configuration is based on least privilege. Least privilege provides users access to what they need and nothing more. When least privilege is used in ISA Firewall configuration, you create only Allow Rules that allow users access to what they need - everything else by default is excluded. In a perfect least privilege world, you would only need to create Allow Rules, and no Deny Rules, since everything that is not explicitly allowed is denied.

Inspect Outbound SSL Connections

Probably the biggest threat to your networks today is what's coming into them over encrypted channels. That is one of the reasons why you don't want to allow outbound VPN connections from your network to any external network - the Firewall can't inspect what's being transferred over the encrypted VPN channel. The same situation is found with SSL encrypted sessions - the Firewall can't see what's being done over the encrypted channel. Malware can take advantage of this and import other malware components over the encrypted channel. You need a Firewall that can inspect outbound SSL connections and the ISA Firewall is that firewall. You can get outbound SSL inspection by using an ISA Firewall add-in called ClearTunnel. Find out about ClearTunnel and how it will secure your ISA Firewall Networks at http://collectivesoftware.com/

Thanks!

Tom

tshinder@isaserver.org

=======================

Quote of the Month - "Those are my principles, and if you don't like them…well, I have others"

-- Groucho Marx

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Using the ISA 2004 Firewall's Diagnostic Log Viewer
• Terminating VPN Connections in Front of the ISA Firewall (Part 3)
• Terminating VPN Connections in Front of the ISA Firewall (Part 2)
• Terminating VPN Connections in Front of the ISA Firewall (Part 1)
• GFI WebMonitor - Voted ISAserver.org Readers' Choice Award Winner - Access Control

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

• You cannot access your mailbox on an Exchange Server 2003 front-end server by using Entourage 2004 for Mac
• Error message when you try to synchronize the time on a multi-homed computer that is running Internet Security and Acceleration (ISA) Server 2004: "FWX_E_OUTBOUND_PATH_THROUGH_DROPPED"
• Error message when you view an ISA 2004 or an ISA 2006 SSL Web site: "Error Code: 500 Internal Server error. The context has expired and can no longer be used"
• Error message when a client computer tries to access an FTP site through ISA Server 2004: "Error Code: 502 Proxy Error"
• List of problems that are fixed in Microsoft Internet Security and Acceleration Server 2004 Service Pack 3
• When an Internet Security and Acceleration Server 2004 client performs an action that uses the HTTP POST method, the action may be performed multiple times
• Throughput for an ISA Server that is running on a Windows Server 2003 Service Pack 2 (SP2)-based multiprocessor computer may be greatly reduced or completely blocked
• ISA Server 2004 returns reverse-proxy custom error pages, even in forward-proxy situations
• The Microsoft Firewall service stops unexpectedly in ISA Server 2004
• Hosts that are listed in the client CARP exceptions list in Microsoft ISA Server 2004 may resolve to different array member nodes and cause unexpected behavior for multi-host Web sites

5. Tip of the Month

Trying to get the ISA Firewall to work with various VoIP solutions is always guaranteed to create some wailing and gnashing of teeth. One popular device is the Polycom VoIP solution. There have been a lot of questions on how to get the ISA Firewall to work with the Polycom VoIP gateway and we've never had any good answers before. We might be getting closer to a fix, though, as you'll see in this thread on the Web boards: http://forums.isaserver.org/m_2002044000/mpage_1/key_/tm.htm#2002045007

Want to restrict users' access to the Firewall client application? Adrian Dimcev provides you the answer here: http://forums.isaserver.org/Restrict_Access_to_FWC/m_2002029448/tm.htm

A fix for the Symbian spelling error that prevents phones from working with OMA: http://forums.isaserver.org/m_2002037649/mpage_1/key_/tm.htm#2002044421

6. ISA Firewall Links of the Month

Jim Harrison's ISAtools.org site has the tools you need to keep your ISA Firewall running smoothly:

http://www.isatools.org

Jason Fossen's site contains dozens of scripts to help automate your ISA Firewall configuration and management.

http://www.isascripts.org/

Need to impress your customer with the security and acceptance of the ISA Firewall? Then check out these case studies!

http://www.microsoft.com/casestudies/search.aspx?ProTaxID=1269

How to securely publish your CSS:

http://www.microsoft.com/technet/isa/2006/deployment/secure_css_publishing.mspx

One of the great new features included with the 2006 ISA Firewall is the Kerberos Constrained Delegation feature that enables you to use User Certificate authentication at the ISA Firewall and then delegate those credentials as Kerberos credentials to the published Web site. Check out this recently released article on the details and configuration tips and tricks:

http://www.microsoft.com/technet/isa/2006/kcd.mspx

7. Blog Posts

IAG 2007 SSL VPN Gateway Preparing Service Pack 1

http://blogs.isaserver.org/shinder/2007/05/24/iag-2007-ssl-vpn-gateway-preparing-service-pack-1/

Three Cheers to Marc Grote for Solving my Exchange 2007 32-bit Woes!

http://blogs.isaserver.org/shinder/2007/05/23/three-cheers-to-marc-grote-for-solving-my-exchange-2007-32-bit-woes/

Question Links on ISAserver.org Articles

http://blogs.isaserver.org/shinder/2007/05/22/questions-links-on-isaserverorg-articles/

Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part3)

http://blogs.isaserver.org/pouseele/2007/05/19/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part3/

How to access an FTP site that requires authentication using Internet Explorer

http://blogs.isaserver.org/shinder/2007/05/18/how-to-access-an-ftp-site-that-requires-authentication-using-internet-explorer/

Fix FTP Download Problems through the ISA Firewall with a Registry Edit

http://blogs.isaserver.org/shinder/2007/05/18/fix-ftp-download-problems-through-the-isa-firewall-with-a-registry-edit/

Help for the ISA Firewall RPC Protocol Challenged

http://blogs.isaserver.org/shinder/2007/05/16/help-for-the-isa-firewall-rpc-protocol-challenged/

Microsoft enters WAN optimization market with Packeteer

http://blogs.isaserver.org/shinder/2007/05/10/microsoft-enters-wan-optimization-market-with-packeteer/

8. Ask Dr. Tom

QUESTION: Hi Tom,

I need help and thank you in advance. How do I set up ISA 2006 server as web proxy (caching) server only and not to use firewall and VPN? If Possible how do I configure ISA 2006 Standard edition for only web caching? Since our organization already has a hardware firewall and VPN, we don't need firewall and VPN.

Thanks again! Gani

ANSWER: I get this question fairly often and the answer is that you can't take away the firewall components from the ISA Firewall. When you purchased the ISA Firewall, you purchased an enterprise grade network firewall with VPN server/gateway and Web proxy capabilities. However, in spite of those additional capabilities, the ISA Firewall is always a network firewall - that's what it was designed to be and how it should be deployed.

Most people may have a firewall already in place. That's a good thing! But now you have an additional firewall to shore up the weaknesses in your current firewall configuration. There are many ways you can deploy the ISA Firewall together with your current firewall. My favorite configuration is the parallel firewall setup, where both the ISA Firewall and your current firewall are at the edge of the network. You can then use the ISA Firewall for high security connectivity while still having your current firewall for connections that require a lower degree of security. For more information about ISA Firewall configurations that you can deploy with existing firewalls, check out my article on ISAserver.org that addresses this issue at http://isaserver.org/tutorials/2004isapixdmz.html

For an entertaining look at the "non-security" provided by the most popular "firewall", check out http://blogs.isaserver.org/shinder/2006/06/21/chapter-3x-of-dr-ts-rant-on-pix-firewalls/

QUESTION: Hi Tom,

We have designed our network as ISA having 3 NICs. One is connected to DMZ , second to internal network and third to Router. Please suggest about configuring NICs and their Subnets. We are having DMZ and router with Private IP and in the same Subnet. And this is not working.

Please look into the issue.

Thanks! -- Vinay Kumar

ANSWER: There are several things to consider in this configuration:

• External NIC should have an IP address, subnet mask, and default gateway
• The DMZ NIC should have an IP address and a subnet mask
• The Internal interface should have an IP address, subnet mask, and DNS server address. The DNS server should be able to resolve both internal and Internet host names
• Make sure you create a network rule that connects the DMZ to the Internet, and a Network Rule that connects the DMZ to the Internal Network, if you want to communicate between the DMZ and the Internal Network
• Configure the servers on the DMZ to use the DMZ NIC's IP address as their default gateway
• Configure the clients on the Internal Network as Firewall and Web proxy clients. Configure the Servers on the Internal Network as SecureNET (SecureNAT) clients and optionally as Web proxy clients (never install the Firewall client software on servers)

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.