• Serving the ISA Firewall Community: What can ISAserver.org Do for You?
• Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
• ISAserver.org Learning Zone Articles of Interest
• KB Articles of the Month
• Tip of the Month
• ISA Firewall Links of the Month
• Ask Dr. Tom

1. Serving the ISA Firewall Community: What can ISAserver.org Do for You?

With the new year coming at us with a bullet, I'd thought I'd take an opportunity to review with everyone what we have on ISAserver.org to help out the ISA firewall community, and introduce some things we have in mind for the future. With your help we hope to expose new avenues of communication that will allow you to get the most out of your ISA firewall experience.

At this time we have the following features that I think provide the most value to the ISA firewall community:

• Hundreds of articles on how to configure the ISA firewall for a huge number of networking scenarios
• Most articles include links to message board sections where you can ask questions about the content of the article to the author
• The ISAserver.org mailing list where you can ask questions about ISA firewall problems and get answers
• The monthly newsletter where you get a rundown on what's been happening on ISAserver.org for the last month, and also get some tips and tricks and links to interesting stuff in the ISA firewall world
• Real time article updates and RSS feeds, which enable you to get real time updates when new content is released on the site
• Sections on hardware ISA firewalls and software add-ons that provide extra value for the ISA firewall. ISAserver.org members can also comment on the hardware and software offerings and rate the products

We've had a lot of success with these interactive features of the site and now we're thinking of the future and taking things to the next level. I've had a few ideas on what we can do to provide extra value for ISAserver.org members and I'd like to share a few of those with you:

• Weekly newsletter covering the week's KB articles, where I discuss the articles and the implications of your ISA firewall deployment
• Weekly "Questions of the Week" newsletter, where I answer in depth two questions I've received from email queries, the ISAserver.org message boards, and the ISAserver.org mailing list
• A weekly podcast, where I discuss some of the interesting ISA firewall issues of the week, articles that have gone up on the site, and interviews with Microsoft ISA firewall project managers and support professionals
• An ISAserver.org "reference architecture" guide, that walks you through the steps of creating the core lab network on which you can replicate all the configurations and scenarios discussed in the articles at www.isaserver.org
• An ISAserver.org certification program where you take a little quiz after reading an article, and then send it to us. After you get X number of credits on the quizzes, you get a continuing education certificate from us recognizing your professional efforts to stay up to date on ISA firewalls

That's just a few of the things we have in mind. We don't have the personnel to implement all of these new features right away, but if there is something you'd like to see happen quickly, let me know. Send me a note at tshinder@isaserver.org with your opinion. Finally, if there's something I didn't mention, but that you'd like to see on the ISAserver.org site, let me know! Thanks! -Tom.

=======================

Quote of the Month - "Give a man a match and he'll be warm for a minute. Light a man on fire and he'll be warm the rest of his life"

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall. While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 5: Configuring the Clients and DNS Infrastructure
• Installing ISA Server 2004 Enterprise Edition - Part 2 - Installing ISA Server 2004 Firewall on two Servers
• MSTerminalServices.org - New Terminal Services and Server Based Computing Website added to the TechGenix Network!
• Bypassing the Firewall Client using Locallat.txt File
• Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 4: Configuring the Edge ISA Firewall
• Installing ISA Server 2004 Enterprise Edition - Part 1 - Installing and Configuring the Configuration Storage Server
• Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 3: Creating Services Access Rules and Joining Machines to the Domainand Joining Machines to the Domain

4. KB Articles of the Month

Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

• MMS stream splitting is not supported in ISA Server 2004
• ISA Server 2004 does not listen for Web proxy requests after you enable a network adaptor or remove an IP address
• You may experience a long delay when you try to use Internet Explorer to access a redirected Web page and Internet Explorer uses ISA Server 2004 as a Web proxy server
• POP3 clients cannot connect to an Exchange Server computer that is behind an ISA Server firewall
• You may experience high memory usage on an ISA Server 2004-based computer that logs messages to an MSDE database
• Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004
• Routing and Remote Access stops responding in Windows Server 2003
• In Internet Security and Acceleration Server 2004, the password appears to be automatically generated in the "Dialing Configuration" dialog box, but the dial-up connection does not work

5. Tip of the Month

Ever find yourself in this position:

• The Firewall client is installed on the client machine

• The Require all users to authenticate option is enabled on the Web proxy listener for the network(s) that the Firewall client(s) are connecting from

• Users get hit with multiple authentication prompts from out of no where?

If so, there's a fix. You need to add the SkipAuthenticationForRoutingInformation value into your Registry. The step by step configuration information can be found in the KB article You receive error messages if the Internet Security and Acceleration Server 2004 Firewall Client program is configured for auto-discovery or if you try to configure this program for auto-discovery at http://support.microsoft.com/default.aspx?scid=kb;en-us;885683

HTH, Tom

6. ISA Firewall Links of the Month

Do you use the Firewall client on your client systems? I sure hope so, because the Firewall client significantly adds to the level of security the ISA firewall can provide your organization. As a Firewall client fan, you'll want the Firewall client tool pack. It includes tools that enable you to set autodiscovery settings and Web browser config on the Firewall clients, and also has a number of diagnostic tools. Check out the Firewall Client Tool for ISA Server 2004 at

http://www.microsoft.com/downloads/details.aspx?FamilyID=F20F6267-273D-4870-B1E8-799B261B4786&displaylang=en

Ever wonder what's in your Web cache and how to remove stuff in the cache? If so, then you need the cachedir.exe tool. Check it out at

http://www.microsoft.com/downloads/details.aspx?FamilyID=88117626-D72C-4CC8-A15F-C1FBDBCFF688&displaylang=en

Want to know how to install and configure the ISA firewall to publish Exchange Server services, like OWA, OMA, Exchange ActiveSync, POP3, SMTP and IMAP4? Then check out the ISA/Exchange Deployment Kit at

http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/isa2004se_exchangekit-rev%201%2005.doc

Are you looping back through the ISA firewall when you shouldn't be doing so? If so, then check out Configuring Internal Client Access to Internal Resources in ISA Server 2004 at

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/internalclientaccess.mspx

Are you looking to deploy remote access quarantine for your VPN clients but don't have the time or the inclination of putting together a development project to support it? Then check out Fred Esnouf's QSS security suite for ISA firewalls. He's recently released a an update, which you can learn out at

http://www.esnouf.net/qss_main.htm

Finally, here's something everyone needs. Who doesn't have problems connecting to the Microsoft Update site through the ISA firewall? Right, no one. To get a handle on this problem we all need to read Troubleshooting Windows Update v5 Authentication Issues at

http://www.microsoft.com/technet/prodtechnol/winxppro/support/updateauthen.mspx

7. Ask Dr. Tom

QUESTION: I have two interfaces on my ISA firewall: one interface connected to the Internet and one interface connected to the corporate network. There are five network IDs managed by a router on the corporate network. I create four internal Networks for the network IDs that weren't covered by the default Internal network. Now I'm seeing errors on my ISA firewall indicating that my other Internal Networks are not "reachable" from the Internal Network interface. What gives?

ANSWER: All IP addresses behind a single NIC on the ISA firewall as considered to be part of the same Network. Their ISA firewall's view of Networks is that communications between different Networks must traverse the ISA firewall. Any communications that take place directly between two hosts take place on the same Network. So, even though you have multiple Network IDs located behind the same Network interface on the ISA firewall, the ISA firewall considers them all a single Network because the ISA firewall doesn't handle communications between any two hosts located behind the same ISA firewall NIC. This discourages the poor practice of looping back through the ISA firewall to reach hosts on the same Network.

QUESTION: My clients on the corporate Network are able to connect to all Web sites except the Web sites we manage on our Internal network. What's up with that?

ANSWER: The most likely reason for this problem is that your corporate network clients are attempting to access the Web sites by looping back through the ISA firewall. You can correct this problem by configuring the Web Proxy and Firewall clients to use direct access for internal IP addresses and domains, and to configure a split DNS so that internal network hosts resolve names for internal resources to their internal IP addresses.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org