The No.1 ISA Server 2006 / 2004 / 2000 resource site

ISAserver.org Newsletter of November 2006

Sponsored by: Acunetix

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Is your website secure from Hackers? 95% are not!


Find out if your business is at risk with a $395 Acunetix Web SiteAudit. Acunetix SiteAudit is the new on-demand web security audit service that provides you with an immediate and comprehensive security audit of all off-the-shelf and bespoke web applications.

Order your website audit today for only $395!



1. Deployment Scenarios for the ISA Firewall

By Thomas W Shinder MD, MVP

Over the years I've read well over a hundred thousand posts on the ISA Firewall here on ISAserver.org. In addition, I've probably read over 50,000 e-mail messages regarding the ISA Firewall on the ISAserver.org mailing list. In addition to this, I get about ten questions a day sent to my e-mail address on issues regarding ISA Firewall planning, deployment, configuration and maintenance. And of course, I've been involved with well over a hundred ISA Firewall deployments where I've been the primary consultant.

With all this experience with the ISA Firewall I've seen and heard just about every type of deployment possible for the ISA Firewall. And over the years, there has been one nagging question that's always racked my brain:

Why do people limit themselves to the "hork mode" configuration of the ISA Firewall?

It never ceases to amaze me that so many ISA Firewall owners gut their ISA Firewalls by deploying the ISA Firewall in unihomed "hork" mode and rip out 90% of the security the ISA Firewall can provide.

Is it that they've all been "hypnotized" by high margin "hardware" firewall salesmen?

Do they hang out at ABM'er (All But Microsoft) sites like the SecurityFocus "firewall wizards" and figure that the ISA Firewall isn't a real firewall? (If the ISA Firewall can't be a real firewall, then Check Point must not be a "real" firewall either).

Or is it that the "network guys", who know all about routing and switching protocols, decided they should hijack network security because there is some imagined relationship between network security and routing and switching protocols?

I know these are just some of the reasons. But for those ISA Firewall admins who aren't being pressured by high margin sales guys, ABM'ers, and political intrigue related to job security for "grandfathered in" network guys, they might be deploying the ISA Firewall in Hork Mode because they're just not aware of all the deployment options.

The reason this came to mind is that a number of people who attended my sessions at the recent ExchangeConnections conference seemed surprised that the ISA Firewall was a firewall. For some reason they thought it was a Web proxy server, related in some way to Proxy 2.0. They were amazed when I explained and demonstrated the powerful firewall features included in the 2006 ISA Firewall. All this made me think that somehow for the last six years I must have been preaching to the choir, and somehow hadn't got the message out to the masses.

Well, let me tell you now - the ISA Firewall is a firewall first, second and last. You can't rip out the firewall components from the ISA Firewall. You just can't. Why? Because the ISA Firewall is designed to be an enterprise grade network firewall, on par with Check Point. The Web proxy features are an extension of the ISA Firewall's core firewall feature set. That's all, just extensions. The Firewall will work just fine without the Web proxy features, but the Web proxy features extend the security provided by the ISA Firewall core firewall engine, so you should use them.

If you're new to the ISA Firewall, or if you've been using the ISA Firewall for years, you should check out the white paper on the ISA Firewall's core firewall engine and how it provides robust protection not only for your network, but for the ISA Firewall itself. There's a reason why there are no documented cases of a correctly configured ISA Firewall being compromised, and you'll find those reasons at http://www.microsoft.com/isaserver/prodinfo/firewall_corewp.mspx

Once you clear your head and realize that the ISA Firewall is a network firewall, on par with Check Point and far superior to a PIX, you can then start thinking about how to deploy the ISA Firewall on your network. While by no means a comprehensive list of deployment options, here's a list of a few deployment options for both the Standard and Enterprise Editions of the ISA Firewall:

Standard Edition

  • Front-end firewall in single firewall scenario
  • Front-end firewall in back to back firewall scenario
  • Back-end firewall in back to back firewall scenario
  • Parallel firewall in multiple front-end firewall scenario
  • Parallel firewall in multiple back-end firewall scenario
  • Multihomed front-end firewall with dedicated DMZ network NIC(s)
  • Multihomed back-end firewall with dedicated DMZ network NIC(s)
  • Internal network services segment perimeter network firewall
  • Internal department segmentation firewall
  • Multihomed perimeter network firewall with dedicated services networks
  • Dedicated VPN server and gateway
  • Dedicated Web and Server Publishing Firewall
  • Dedicated outbound access control firewall
  • Dedicated outbound access control Web proxy and caching Firewall
  • Branch office multipurpose firewall, site to site VPN gateway and Web proxy and caching server

Enterprise Edition

  • Front-end redundant firewall array in edge firewall scenario
  • Front-end redundant firewall array in back to back firewall scenario
  • Back-end redundant firewall array in back to back firewall scenario
  • Parallel redundant firewall array in multiple front-end firewall scenario
  • Parallel redundant firewall array in multiple back-end firewall scenario
  • Multihomed redundant front-end firewall array with dedicated DMZ network NIC(s)
  • Multihomed redundant back-end firewall array with dedicated DMZ network NIC(s)
  • Internal network services segment redundant perimeter firewall array
  • Internal department segmentation redundant firewall array
  • Multihomed perimeter network redundant firewall array with dedicated services networks
  • Dedicated redundant VPN server and gateway
  • Dedicated Web and Server Publishing redundant Firewall array
  • Dedicated redundant outbound access control firewall array
  • Dedicated redundant outbound access control Web proxy and caching Firewall array
  • Branch office multipurpose firewall, site to site VPN gateway and Web proxy and caching server with centralized management and control

Did I miss any? Let me know! Also, let me know the reasons why your company might not be using the ISA Firewall to its full extent. Maybe there's something we can do, or Microsoft can do, to help your company get out of the security hole you might be in by not fully deploying the ISA Firewall in full firewall mode.

Thanks!

Tom tshinder@isaserver.org

=======================

Quote of the Month - "Would you rather be feared or loved? I want both - I want people to fear how much they love me"

--Anon.

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

By Thomas W Shinder

Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.




3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tip of the Month

We featured a tip from Jason Jones last month and he's come to the plate again with another great tip! Check this out:

"When an Office application opens, it creates a new session as opposed to riding on the back of IE. Subsequently, ISA will ask for authentication as the session is new. This is an age old ISA publishing problem when using SharePoint and document libraries.

There is now a way to solve it in ISA2k6 by using HTML form authentication with persistent cookies, which allow applications outside the browser to use cookies (e.g. Office apps). HOWEVER, the cookies are "persistent", i.e. they do not get deleted when you close the browser or Office apps, so they could potentially be accessed and/or brute forced if left in an Internet cafe or public location. The cookie timeouts still apply though, so they will expire based upon the timeout configuration in ISA, which isn't quite so bad.

There is an option for "use persistent cookies only on private computers" which goes some way to combat this, as the users have to choose "private computer" in the FBA form in order to activate the persistent cookie feature. Hence only users that really need the streamlined Office docs approach can choose private, and all others will be fine accessing other SharePoint data with the public computer option. Obviously, users should only use private computer when using machines they trust, e.g. not in an Internet cafe!

Hope this helps... -JJ"

Thanks for the great info, Jason! Just another reason why people should be using ISA Firewall and not Blue Coat for secure remote access to Microsoft Exchange and SharePoint servers. For the complete thread, head on over to http://forums.isaserver.org/document_library_file_access_prompts_for_logon_credentials/m_2002031680/tm.htm
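One way to verify what a published site actually hands out is to audit the Set-Cookie headers in a captured response: session cookies carry no Expires/Max-Age and die with the browser, while persistent ones stay on disk, and the persistent ones should not outlive the timeout you have configured. The script below is an added example (not ISA Server code or Jason's); the header lines, the reference clock and the policy limit are all constructed for illustration.

```python
"""Classify Set-Cookie headers as session or persistent and flag persistent
cookies whose lifetime exceeds a policy limit (e.g. the ISA form timeout).
Added example; the cookies and clock below are constructed, not captured."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: three cookies as a forms-based-auth front end might set them.
SAMPLE_HEADERS = [
    "Set-Cookie: sessid=abc123; path=/; secure; HttpOnly",
    "Set-Cookie: authtoken=xyz789; path=/; expires=Sat, 18 Nov 2006 12:00:00 GMT; secure; HttpOnly",
    "Set-Cookie: pref=blue; path=/; max-age=3600",
]

# Constructed reference clock used when evaluating absolute Expires values.
NOW = datetime(2006, 11, 18, 10, 0, 0, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Return (cookie name, attrs) where attrs maps lower-cased attribute names to values."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookie_lifetime(attrs, now):
    """Seconds until the client drops the cookie, or None for a session cookie.
    Max-Age takes precedence over Expires, as in the cookie specifications."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None


def audit_cookies(headers, max_persist_seconds, now=NOW):
    """Return [(name, kind)] with kind 'session', 'persistent' or 'persistent-too-long'."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        lifetime = cookie_lifetime(attrs, now)
        if lifetime is None:
            kind = "session"
        elif lifetime > max_persist_seconds:
            kind = "persistent-too-long"
        else:
            kind = "persistent"
        findings.append((name, kind))
    return findings
```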




6. ISA Firewall Links of the Month

Have you heard of Whale? If not, Whale is an SSL VPN solution that's built on ISA Firewalls. Microsoft purchased Whale earlier this year and has made Whale part of the Microsoft Forefront family of security products. I plan to do a lot of Whale in the next year, so if you want to get up to speed, check out http://www.microsoft.com/isaserver/whale/default.mspx

Download a preconfigured VHD of the ISA 2006 Firewall at http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=msvhds&DisplayLang=en

If you haven't hit the ISA Firewall virtual labs yet, you should. It'll give you a nice sort-of hands on experience with the ISA Firewall product. But remember to use ISAserver.org as your source for the real life details on how to get these scenarios working! Check out the labs at http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx

Want to know more about secure log off from published Web sites? Then go here http://www.microsoft.com/technet/isa/2006/logoff.mspx

A lot of people have asked me in the last year how to customize the ISA Firewall's HTML forms. Now that the 2006 ISA Firewall supports customization of forms, you'll do yourself a favor by checking out this article http://www.microsoft.com/technet/isa/2006/html_forms.mspx

BLOG POSTS:

ISA Firewall Flood Mitigation Settings

http://blogs.isaserver.org/shinder/2006/11/18/isa-firewall-flood-mitigation-settings/

ISA Firewall Certificate Revocation Checking

http://blogs.isaserver.org/shinder/2006/11/18/isa-firewall-certificate-revocation-checking/

ISA Firewalls and MDaemon — Outbound SMTP Problems

http://blogs.isaserver.org/shinder/2006/11/18/isa-firewalls-and-mdaemon-outbound-smtp-problems/

Preparing the ISA Server 2006 for Kerberos Constrained Delegation

http://blogs.isaserver.org/pouseele/2006/11/16/preparing-the-isa-server-2006-for-kerberos-constrained-delegation/

About the Microsoft command-line FTP Client

http://blogs.isaserver.org/pouseele/2006/11/09/about-the-microsoft-command-line-ftp-client/

7. Ask Dr. Tom

QUESTION: Hi Tom, I have looked over the site many times and finally I pose the question as I cannot seem to find it. Do you have an article that pertains to publishing ActiveSync/OMA via ISA 2004 that is using forms based authentication for OWA? I have multiple IPs available for the external interface. We use split DNS and have deployed (in a test environment) OWA published via ISA for external and internal clients with FBA used as authentication. I know there are separate listeners needed, etc.; I was just looking for some confirmation regarding the exact setup. Thanks for your time! Your site has proven very helpful to us as we move our OWA/OMA services out to an ISA array setup. Thanks! -Thorin.

ANSWER: Hi Thorin, thanks for the kind words about the site!

Since you have multiple IP addresses available to you, this should be an easy configuration. You're correct that you'll need two Web listeners, one to listen on the IP address that resolves to the FQDN for the OWA Web Publishing Rule and the other to listen on the IP address that resolves to the FQDN that will listen for the OMA Web Publishing Rule.

You'll need to create two Web Publishing Rules, one for the OWA site and one for the OMA site. You'll also need two certificates, one for the OWA site and one for the OMA site. The common names will need to be different, for example owa.domain.com and oma.domain.com. Since you have a split DNS in place, clients will be able to move between the internal and external networks easily. Congrats for putting the split DNS together! Your users and bosses always love it when they don't have to remember different names and it makes you the IT Hero.

After that, everything should just work. Note that on the TO tab of each of the rules, there is no problem using the same name for both the rules, and in fact you have to do this, since both the OMA and OWA sites use the same certificate on the Exchange Web server itself.

HTH,

Tom

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
