The #1 unofficial ISA Server resource site
ISAserver.org Newsletter of November 2004
Sponsored by: Rainfinity
ISAserver.org Newsletter
November, 2004
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
ISA Web Seminar--Deliver High Availability for ALL your Network Resources. Register Today!
You are invited to attend this web seminar and learn how RainConnect and RainWall can offer ISA Server customers a highly available, integrated Internet and firewall platform that ensures simplification of distributed management while maximizing security and Internet resources. Do not miss this opportunity.
Register today @ http://www.rainfinity.com/isawebseminar
1. How to Make the ISA Firewall as Dumb as a Traditional Hardware Firewall
By Thomas W Shinder MD, MVP
One of the worst ways to start my day is to read a post like this:
"We want to install ISA Server 2004 in Web cache mode. We already have a hardware firewall so we don't need ISA in firewall mode. How can I do that?"
What's up with these people who want to dumb down their ISA firewalls? It's like saying "My Ferrari goes too fast; can you give me instructions on how to remove three tires to slow it down? I already have a Yugo if I want to go fast"
The ISA firewall is a state of the art, third generation firewall that provides both the stateful filtering that any "hardware" firewall provides and adds to that the ISA firewall's stateful application layer inspection that the traditional hardware firewall doesn't provide.
When I ask some of these guys what the deal is with dumbing down their ISA firewalls, I hear stuff like:
"I feel more comfortable with a hardware firewall in front."
"I don't trust Microsoft security."
"Isn't ISA a Proxy Server?"
I feel more comfortable when I have my teddy bear in bed with me because I believe it will stop monsters from coming out of the closet, but just because it makes me comfortable doesn't mean the teddy bear is going to prevent the monsters from coming out of the closet. If you don't trust Microsoft security, why are you running any Microsoft software? Host security is as important as, and arguably more important than, the network security provided by a firewall. And no, Proxy Server 2.0 was retired years ago - the ISA firewall is a FIREWALL.
However, it's clear that many firewall experts and administrators are still concerned about those monsters coming out of the closet, and "hardware" firewalls are their teddy bears. While we can never turn the ISA firewall into a teddy bear, we can make it look like one for those die-hards who feel uncomfortable without a "hardware" firewall.
To this end, we'll go over things you can do to make your ISA firewall as dumb (and insecure) as a hardware firewall.
- Install the ISA firewall in Unihomed Web Proxy Mode
- Create an "All Open" Outbound Access Rule
- Never Require Authentication for Outbound Access
- Don't Install the Firewall Client
- Don't Configure the Browsers as Web Proxy Clients
- Don't Use the HTTP Security Filter
- Don't Join the ISA Firewall to Your Active Directory Domain
When you install the ISA firewall in unihomed Web Proxy mode, the only host on your network that is fully firewalled by the ISA firewall is the ISA firewall itself. The unihomed ISA firewall in this configuration acts as only a forward and reverse Web proxy. While the ISA firewall retains its firewall functionality to protect itself, you're at the mercy of your packet filter based firewall for protecting the rest of your network.
Ever wonder why the level 1 techs on the other side of the phone always tell you to "open a port" even though no firewall in the world has an "Open Port" button? The reason is that "hardware" firewalls assume that you're going to let everything from everyone outbound to the Internet, so the only ports that need to be "opened" are those inbound from the Internet (there are some nonsensical assumptions behind "open a port", but we'll talk about those issues at another time). You can reduce your overall level of security to that provided by a hardware firewall by creating an "All Open" Access Rule on the ISA firewall so that all users have access to all protocols when connecting to the Internet.
Authentication is such a bother. Users complain that they're not allowed to get to certain sites using certain protocols while other users seemed to be allowed to do so. That isn't fair, is it? Everyone was able to do whatever they wanted to on the Internet when you had the "hardware" firewall. That's clear evidence that there's something wrong with the ISA firewall, right? Make your ISA firewall like your hardware firewall and do not force authentication on any of your ISA firewall's Access Rules.
The Firewall client allows clients protected by the ISA firewall to transparently send user credentials over an encrypted channel to the ISA firewall for authentication purposes. This allows the ISA firewall to enforce strong user/group based access control over user connections. Since the hardware firewall doesn't require user/group based access control, there's no reason to install the Firewall client. And if you do have a hardware firewall that allows authentication for outbound access, then install the Firewall client but don't require encryption of the channel, so that it acts like your hardware firewall's unencrypted channel for sending usernames and passwords.
The Web Proxy client configuration allows the Web browser to automatically send user credentials to the ISA firewall and communicate directly with the ISA firewall's Web proxy component. You don't want to configure the machines as Web proxy clients because the "hardware" firewall doesn't authenticate users and even if it did, you don't want Web access to be too fast due to the Web proxy components, since your hardware firewall isn't able to cache Web pages to speed up Internet access.
The ISA firewall is a powerhouse stateful filtering and stateful application layer inspection firewall. One of the key stateful application layer inspection features of the ISA firewall is its HTTP Security Filter. This filter allows the ISA firewall to fully inspect virtually any aspect of an HTTP communication and block it based on the parameters of your choice. The hardware firewall doesn't have the smarts to fully inspect communications moving through it, so you want to make sure you don't configure the HTTP Security Filter on the ISA firewall.
One last thing, do NOT join the ISA firewall to your Active Directory domain. If you did that, you would be able to use the Firewall client, you would be able to use integrated authentication for outbound access to transparently send user credentials to the ISA firewall for authenticated Web access, you'd be able to record applications that users use to connect to the Internet through the ISA firewall, you'd be able to simplify VPN remote access client and gateway configuration, you'd be able to use user certificate mapping, you'd be able to simplify pre-authentication of incoming Web requests -- you'd be able do these things and a lot more. Your hardware firewall can't do any of these things, so be sure your ISA firewall is just like your "hardware" firewall and don't join the ISA firewall to the domain.
There you have it. Your ISA firewall is now just like your hardware firewall. Do you feel more secure? Hopefully, all this has put in context the "security" you believe the "hardware" firewall allegedly provides your organization. While you can certainly keep your current hardware firewall and put it in front of the ISA firewall (the more layers bad guys have to go through, the better), don't fool yourself that just because you paid five times more for the "hardware" firewall, that means it's even half as secure as your ISA firewall.
Next month we'll show how hardware-based ISA firewalls solve the problems seen with traditional packet filter based hardware firewalls and provide the stateful application layer inspection required to protect today's corporate networks.
Editor's Note:
What do you think? Am I full of stuff or right on? Did I accurately represent the level of security your "hardware" firewall provides? Did you know that your ISA firewall can actually provide a much higher level of security than your current hardware firewall? Are you afraid of making your ISA firewall a domain member? Let me know! I'll share the results of your responses in the next newsletter. Thanks! -Tom.
ISA Firewall Alert:
Microsoft wants to know how you use your ISA firewalls with SharePoint Portal Server. Send me a note at tshinder@isaserver.org and I'll make sure that your SharePoint Portal Server publishing wishes and concerns are heard. Thanks! -Tom
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Pre-order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder are preparing their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they'll be sharing the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is going to be even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Pre-order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
Click here to order your copy today
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:
5. Post of the Month
Some of you have had problems getting site to site VPNs working with third party VPN gateways using IPSec tunnel mode. The ISA firewall fully supports IETF compliant IPSec tunnel mode site to site VPN configurations. However, some vendors aren't always up to speed with interoperability concerns. Check out this great post from JW on the ISAserver.org Web forum (http://forums.isaserver.org):
"Following up a little...
I went back and forth with WatchGuard on the issue until they finally replied with a work around using the policy editor. You may notice that they never actually answered my question of WHEN or IF they would actually be compliant with the spec.
Topic: RE: MUVPN behind ISA 2004 <-> V60 NAT-T (10 of 10), Read 4 times
Conf: IPsec MUVPN
From: W G Moderator
Date: Friday, October 29, 2004 12:38 PM
Here is what you need to do in order to have the Vclass accept IKE solicitations when the source port is not 500:
Add in a policy like this:
Src IP = ANY (or NAT box external IP)
Dst IP = PUBLIC_PORT_IP
Service = IKE
Firewall = PASS
-----Original Message-----
Hi guys, my apologies for not mentioning this sooner, (I got lost in details and justification, and distracted from the original question of IF and WHEN it would be compliant) but it states right in the release notes of the latest firmware (Vclass 5.1.1 sp1 hf1), "Known Limitations and Issues", on page 4:
VPN (IKE and IPSec)
NAT-T is restricted to devices that do not change the source port of regular IKE packets (UDP 500). Typically, devices that support IPSec passthrough will not change the source port and should function correctly with NAT-T.
This is clearly showing that it is not compliant with the latest NAT-T specs, so is there any way to know when or if NAT-T will be correctly supported?
JW"
Thanks JW! Just goes to show that the ISA firewall not only sets the standard for stateful application layer inspection firewalls, but is also standards based!
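To make the interoperability point in JW's post concrete, here is a small added illustration written for this newsletter (it is not code from JW, WatchGuard or Microsoft): a toy classifier for the UDP datagrams an IKE responder receives. It relies only on published protocol facts: IKE starts on UDP 500 (RFC 2408 header layout); a NAT in the path may rewrite the source port to anything, and a NAT-T aware responder per RFC 3947 accepts IKE from any source port and replies to the address and port the datagram came from; once a NAT is detected the peers float to UDP 4500, where RFC 3948 prefixes IKE with a 4-byte zero Non-ESP Marker so it can be told apart from UDP-encapsulated ESP (whose first 4 bytes are the SPI, never all zero). The `strict_source_500` switch models the limitation quoted from the Vclass release notes; the sample header and port numbers used in the test data are constructed.

```python
"""Toy IKE/NAT-T responder classifier (added example, not vendor code)."""
import struct

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 2408 fixed header: initiator cookie, responder cookie, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28 bytes


def parse_isakmp_header(data: bytes) -> dict:
    """Parse and sanity-check the fixed ISAKMP header at the start of data."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    i_cookie, r_cookie, next_payload, version, exchange, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    # The length field covers the whole message; a value larger than what
    # actually arrived (or smaller than the header) means a bogus or cut packet.
    if length < ISAKMP_HDR_LEN or length > len(data):
        raise ValueError("ISAKMP length field inconsistent with datagram")
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": exchange,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def classify(src_port: int, dst_port: int, payload: bytes, strict_source_500: bool) -> str:
    """Decide what a responder does with one UDP datagram.

    strict_source_500=True models the quoted limitation: IKE on UDP 500 is only
    accepted when the source port is still 500, so a NAT that rewrote it means
    the SA never comes up. False models RFC 3947 behaviour: accept IKE from any
    source port and remember that port for the reply.
    """
    if dst_port == IKE_PORT:
        if strict_source_500 and src_port != IKE_PORT:
            return f"drop: source port {src_port} != 500 (NAT changed it; responder not NAT-T aware)"
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError as exc:
            return f"drop: {exc}"
        return f"ike: exchange {hdr['exchange_type']}, reply to UDP/{src_port}"
    if dst_port == NATT_PORT:
        if payload[:4] == NON_ESP_MARKER:
            try:
                hdr = parse_isakmp_header(payload[4:])
            except ValueError as exc:
                return f"drop: {exc}"
            return f"ike-natt: exchange {hdr['exchange_type']}, reply to UDP/{src_port}"
        if len(payload) >= 8:  # ESP carries at least SPI + sequence number
            return "esp-udp: pass to IPsec"
        return "drop: runt datagram on 4500"
    return "ignore: not IKE or UDP-encapsulated ESP"


def sample_main_mode_header(length: int = ISAKMP_HDR_LEN) -> bytes:
    """Constructed sample: a bare Identity Protection (main mode, exchange 2)
    header from an initiator. Cookie values are arbitrary test bytes."""
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, length)


if __name__ == "__main__":
    pkt = sample_main_mode_header()
    # Same initiator packet; a NAT rewrote the source port 500 -> 40123.
    for strict in (True, False):
        print(f"strict_source_500={strict}: {classify(40123, IKE_PORT, pkt, strict)}")
    print(classify(40123, NATT_PORT, NON_ESP_MARKER + pkt, True))
    print(classify(40123, NATT_PORT, b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01", True))
```

Run it and the strict responder drops the very first main mode packet once a NAT has touched the source port, which is exactly the symptom of an SA that never establishes; the RFC 3947 responder processes it and answers to the rewritten port.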
6. ISA Firewall Links of the Month
Microsoft continues to pump out tons of great technical docs on how to install, configure and maintain your ISA firewall. First, check out this literal bevy of ISA Firewall Deployment Kits!
ISA 2004 Branch Office Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_branchoffice-Rev%201%2003.doc
ISA 2004 Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc
ISA 2004 Quick Start Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc
ISA 2004 Configuration Guide
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc
ISA 2004 VPN Deployment Kit
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc
Those deployment kits should provide you enough reading to get you through the cold months of Winter. But just in case you're caught in your Aspen ski lounge without enough ISA firewall material to read, check out these chestnuts for you to peruse over an open fire(wall):
Test Out the New ISA Firewall Software for Four Months -- Free (try doing that with a PIX)
http://www.microsoft.com/isaserver/evaluation/trial/
Get Some Hands-on Experience with ISA Firewall Hands-on Labs (at no cost to you)
http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx
Finally, if you want to hear me talk about how you can use a hardware-based ISA firewall to protect your remote access connections to Microsoft Exchange, then register for my talk Protecting Microsoft Exchange - Solutions for the Secure Remote Access Challenge at https://attendlive.livemeeting.com/RegistrationForms/SPM/NetworkEngines/111604.aspx. You'll even see a case study on how The United Way used a hardware based ISA firewall to keep the bad guys away using the ISA based NS hardware firewall.
7. Ask Dr. Tom
QUESTION:
Hi Tom,
We have an Exchange 2003 Server behind an ISA firewall. Inbound e-mail works fine with an SMTP Server Publishing Rule. Problem is, all outbound mail just queues up. We have set an outbound DNS and SMTP rule and an nslookup from the Exchange server resolves the IP address of Internet hosts just fine. Any idea why outbound mail is stuck? Cheers! --Tony
ANSWER:
There are a number of things that can cause problems with outbound mail. You mention that you have created Access Rules allowing outbound access to the DNS and SMTP protocols from the Exchange Server to the Internet, so the Exchange Server should be able to use DNS to resolve the MX records for the destination domains and SMTP to deliver mail outbound to those servers.
You were able to do an nslookup, so you know that the DNS protocol is working correctly. You might want to do some more testing with nslookup and use the set type = MX command to see if you can resolve Internet MX domain names.
Next, use the telnet program on the Exchange Server to see if you can telnet to TCP port 25 on your ISP's SMTP server (or, if you deliver directly, on one of the mail exchangers returned by the MX lookup). A 220 greeting from the remote server confirms that your SMTP Access Rule is working correctly; a connection that never completes points at the Access Rule rather than at Exchange.
Double check your Exchange Server's SMTP service configuration. Are you using a smart host? How is the SMTP resolving MX domain names? Is it using the DNS server configuration on the Exchange Server's NIC, or did you configure it to use an "external" DNS server? If so, make sure that external DNS server is accessible.
Finally, use the Network Monitor application on the Exchange Server and the ISA firewall to see where in the path the connection is failing. Good luck! -Tom.
Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2004. All rights reserved.