ISAserver.org Newsletter of April 2008

ISAserver.org Monthly Newsletter of May 2008 Sponsored by: BNTC Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Bandwidth management plug-in for ISA Server

ISA Server has a rich feature set right out of the box. However, it lacks an integrated bandwidth manager. Bandwidth control is an essential tool, especially if your Internet costs are high. Bandwidth Splitter for ISA Server is a plug-in that fills the gap in bandwidth management in ISA Server. Its features include traffic shaping (throttling), traffic quotas, and a powerful monitoring tool that allows you to control your bandwidth in real time.

Read more details and download a free trial

1. Top Five ISA and TMG Firewall Deployment Tips

In a recent Webcast I did with Forefront Edge Product Manager Adam Jung, I had a chance to do some demos of the ISA 2006 firewall features and did a short preview of the new TMG. We had a great time and the only downside was that we all wished we had more time to share the great features and capabilities of the ISA and TMG firewalls!

If you want to see the Webcast, check it out: ISA 2006 in Under an Hour.

During the presentation I had a chance to collect what I consider to be the top five tips for a smooth deployment when introducing a new ISA firewall. They are distilled from the more than 8 years I have spent with ISA Server.

  1. Determine your requirements before you deploy the ISA Firewall. Do you want outbound access control? Do you want inbound access control? Do you want both? Do you want to authenticate outbound connections? For all protocols or just Web protocols? Do you want to authenticate inbound connections? What types of inbound connections do you want to authenticate? Do you want strong outbound access control for all protocols or for just HTTP? Do you have multiple sites you need to manage? What level of high availability do you require? The answers to these questions will allow you to determine how to most efficiently deploy the ISA Firewall.
  2. If you want to use ISA for both inbound and outbound connections, you will find it easier to manage and will see noticeable performance improvements if you use separate ISA firewalls for inbound and outbound connections.
  3. In scenarios where you are using ISA for only inbound connections and want to pre-authenticate users at the ISA Firewall, LDAP authentication is your best option. This allows you to put the ISA Firewall outside of your domain, while still being able to authenticate both users and groups contained in the Active Directory database. In contrast, you cannot leverage Active Directory groups when using RADIUS authentication.
  4. You will not be disappointed with the ISA firewall's performance if you size the hardware to meet your requirements in advance. Check out the ISA Server Capacity Planner.
  5. As part of your network gear, the ISA firewall depends on a number of networking services to perform optimally. Make sure that your DHCP, DNS, routing, Active Directory and PKI infrastructures are in place before deploying the ISA firewall.

On another note, I wanted to let you know about a cool new utility that Collective Software has put out recently. Suppose you want to prevent anonymous access to the whole site (authenticate everyone) but never pass credentials over HTTP (you want credentials sent only over SSL). How would you do that?

At first it might seem easy. Consider the following scenario:

RULE A: I create a Web Publishing Rule that allows access to /* and that Web Publishing Rule uses an SSL listener with FBA and applies to authenticated users.

RULE B: I create a Web Publishing Rule that allows access to /public and /marketing on the same site, uses an HTTP listener that does not require authentication, and applies to all users.

All other folders require SSL and authentication.

I put RULE B above RULE A. Now users are required to auth and use SSL for all content that is not /public or /marketing, and can anonymously access the /public and /marketing folders over an unencrypted connection.

However, this solution does not require authentication for the entire site: /public and /marketing remain anonymous. What the PageGuard filter allows us to do is require authentication for the entire site, enforce SSL for the authentication, and still allow HTTP connections to the portions of the site that do not require SSL.

If this seems like something attractive to you (and it does to me!), then check out Collective Software’s PageGuard.
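To make the difference between the two policies concrete, here is an added example (my own illustration, not code from the newsletter, ISA Server or PageGuard): a first-match evaluator for the two Web Publishing Rules above, plus an "authenticate everyone" variant, and a check that lists which paths an anonymous client can fetch over plain HTTP. The rule model and the three outcomes are simplifications I assume for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    paths: list        # path prefixes the rule covers; "/*" covers the whole site
    listener: str      # "http" or "https" listener the rule is bound to
    require_auth: bool # True = applies to authenticated users only

def matches(rule, path, scheme):
    """A rule matches when its listener carries the request and a path prefix fits."""
    if rule.listener != scheme:
        return False
    return any(p == "/*" or path == p or path.startswith(p + "/") for p in rule.paths)

def evaluate(policy, path, scheme, authenticated):
    """First matching rule wins: 'allow', 'auth-required' or 'deny' (no rule matched)."""
    for rule in policy:
        if matches(rule, path, scheme):
            if rule.require_auth and not authenticated:
                return "auth-required"
            return "allow"
    return "deny"

# The two rules from the scenario, Rule B placed above Rule A.
RULE_B = Rule("B: anonymous HTTP", ["/public", "/marketing"], "http", False)
RULE_A = Rule("A: SSL listener with FBA", ["/*"], "https", True)
POLICY = [RULE_B, RULE_A]

# Authenticate-everyone variant (modelled after the PageGuard behaviour described above,
# assumed here): the HTTP exception still demands an authenticated user.
POLICY_AUTH_EVERYWHERE = [Rule("B': HTTP, authenticated", ["/public", "/marketing"], "http", True), RULE_A]

def anonymous_plaintext_paths(policy, sample_paths):
    """Defender's check: which sample paths can an unauthenticated client read over HTTP?"""
    return [p for p in sample_paths if evaluate(policy, p, "http", False) == "allow"]
```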

Until next month!

Thanks!

Tom

=======================

Quote of the Month - “I’d rather have a bottle in front of me than a frontal lobotomy."
-- Anonymous

=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Sorry, no KB articles of the month. The MCP search site is not working correctly, and the regular Microsoft search site still has not been fixed to allow searching based on how long ago a KB article was modified. Hopefully by next month the MCP search site will be repaired.

5. Tips of the Month

One of the most common requests regarding ISA firewall reporting relates to user activity. What these ISA firewall admins want to do is monitor the Internet usage of a particular user and provide a report of that user's activities to his manager. The problem is that even though the built-in reports are very interesting and provide some helpful general information about activity to and through the ISA Firewall, they do not provide the per-user reports that most ISA firewall admins need. However, there are some solutions. Check out this thread on the ISAserver.org Web boards for a few tips on how to get this information.

6. ISA Firewall Links of the Month

7. Blog Posts

8. Ask Dr. Tom

QUESTION:

Hi Thomas,
 
I was recently given the task of implementing ISA 2006 in our environment on the DMZ. Doing many searches on the net and not exactly finding what I needed, I came across your website.  I found an interesting article:
 
http://www.isaserver.org/tutorials/ISA_Server_DMZ_Scenarios.html
 
By the way, I am not a networking guy, but a computer programmer who is determined to understand and deploy ISA in our DMZ environment.
 
My precise task at the moment is using an SSL VPN connection through IE to successfully VPN a user from a published website into our environment.
 
I have installed ISA 2006 Standard. I am using Radius for the authentication, since I do not have access to our Active Directory environment. I created a user group in Active Directory, which includes the users I would like to give access.

Issue 1:

  • Launch ISA 2006.  On the Virtual Private Network (VPN) under the VPN Clients tab I click the Enable VPN Client Access option, which is part of Step 1.
  • Under the Groups tab, the Add and Remove buttons are grayed out. So I cannot add the user group I created in Active Directory. I am guessing that since I am not part of the domain, I cannot access Active Directory. What do you suggest I do at this point?

I have been following specific instructions in a book called ISA Server 2006 - Unleashed by SAMS.  Adding the user group is a key step for user access.
 
Currently we have one ISA 2006 server in our firm's environment on the DMZ and none in our domain or anywhere else.
 
Is it even possible to allow users VPN access using SSL VPN through a published website in our current setup? Do we need two ISA Servers, External and Internal, for this VPN task?
 
I am running low on options and have passed my deadline. If you have a moment, please let me know your thoughts. Thank you! --TM

ANSWER:

Looks like you got the wrong book! You should have got Dr. Tom Shinder’s Migration Guide and then you would know the difference between a PPTP or L2TP/IPsec VPN and an SSL VPN. Once you get my book, I will be happy to provide clarification on anything covered in the VPN network with the ISA Firewall chapters.

QUESTION:

I have an interesting problem, and I think it boils down to NAT-T, but I am not certain. I have clients at my office behind an ISA 2006 firewall. We use Cisco VPN client software to connect to our customer's network in order to manage their servers from the client PCs. For one of our customers, we are able to establish multiple simultaneous VPN connections with the Cisco software. The issue arises when 2 people try to use Remote Desktop to connect to the servers. Only 1 connection will work at a time.

On my ISA firewall, I see errors from the computer unable to connect in the log.

Client IP - 192.x.x.63
Destination IP - 64.x.x.33
Destination Port - 0
Protocol - IPsec ESP
Action - Failed Connection Attempt
Rule - Allow cisco vpn client
Result Code - 0x80070034 ERROR_DUP_NAME

I have been in touch with their network team, and it appears to be on my side, but I am unable to find a solution.

Thanks for any assistance,

ANSWER:

This is a very common problem when the ISA firewall has to work together with non-RFC-compliant VPN hardware. This problem is typically seen when connecting to cheap NAT devices that advertise themselves as firewalls and VPN servers, but can also be seen with more expensive devices that are either out of date or need a firmware update. Check with the admin on the other side of the VPN to confirm that the source IKE port is not required to be 500.

Also, make sure that you have a rule in place to allow outbound NAT-T and IKE.
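As an added illustration (my own code, not from the newsletter or from ISA Server), here is a small parser for ISA log records in the "Field - value" layout quoted in the question, with a check that groups ESP failures carrying ERROR_DUP_NAME by VPN peer. The sample records are constructed with documentation addresses; the assumption behind the check is that several internal clients failing this way against the same peer is the symptom to look for before revisiting the NAT-T and IKE rules.

```python
from collections import defaultdict

# Constructed sample: two internal clients behind one ISA firewall, one VPN peer.
# Field names follow the record quoted in the question; addresses are made up.
SAMPLE_LOG = """
Client IP - 192.0.2.63
Destination IP - 203.0.113.33
Destination Port - 0
Protocol - IPsec ESP
Action - Failed Connection Attempt
Rule - Allow cisco vpn client
Result Code - 0x80070034 ERROR_DUP_NAME

Client IP - 192.0.2.64
Destination IP - 203.0.113.33
Destination Port - 0
Protocol - IPsec ESP
Action - Failed Connection Attempt
Rule - Allow cisco vpn client
Result Code - 0x80070034 ERROR_DUP_NAME
"""

def parse_records(text):
    """Split blank-line-separated records into dicts of field -> value."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        field, _, value = line.partition(" - ")
        current[field] = value
    if current:
        records.append(current)
    return records

def dup_name_esp_peers(text, min_clients=2):
    """Map VPN peer -> sorted internal clients whose IPsec ESP attempts failed with
    ERROR_DUP_NAME. Only peers hit by at least min_clients are reported, since one
    client failing alone does not point at the multi-client NAT symptom."""
    clients = defaultdict(set)
    for rec in parse_records(text):
        if rec.get("Protocol") == "IPsec ESP" and "ERROR_DUP_NAME" in rec.get("Result Code", ""):
            clients[rec["Destination IP"]].add(rec["Client IP"])
    return {peer: sorted(c) for peer, c in clients.items() if len(c) >= min_clients}
```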

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
