ISAserver.org Monthly Newsletter of November 2007 Sponsored by: Redline Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Registry Entries for Your New ISA Firewall

A sad thing happened to me last week - my primary ISA Firewall died. This was a very nice little Scorpio based Celestix box that was originally designed for ISA 2000. In the five years I had this ultra-reliable Celestix box, I upgraded it to ISA 2004 and then to ISA 2006. Even though that little ISA Firewall only had 256 MB of RAM and a Pentium III 1.2GHz processor, it performed like a champ for my small office.

The good news was that I had another Celestix firewall sitting in a box in my office, so I deployed the new Celestix ISA Firewall to take over duties from the previous one. I considered importing my old configuration to the new ISA Firewall, but over the years the old rule set had become very ungainly, with many proof-of-concept configurations and extraneous rules and other litter that tends to gather over the years. So, instead of taking the easy way out, I decided to create an entirely new ISA Firewall. Of course, I later realized that I couldn't have imported my old ISA 2006 rules into the new box, as I was running ISA 2006 Standard Edition and the new Celestix ISA Firewall was running ISA 2006 Enterprise Edition.

I'll do a review later on the Celestix Firewall setup and configuration in detail, but at this time I wanted to focus on something that a lot of us tend to forget when setting up a new ISA Firewall: Registry settings. While most of us are pretty good at saving our firewall configuration after making a change, one thing that most of us forget to do is document any Registry changes we've made on the system over time. If you're one of those guys with a change control spreadsheet for each of your servers, then my hat's off to you! I need to do the same thing.

There aren't too many must have Registry changes, but there are three of them that I consider mandatory for almost all ISA Firewall admins:

• Enable Path MTU Discovery on the ISA Firewall
• Enable Black Hole Router Detection on the ISA Firewall
• Disable spurious authentication prompts due to Autodiscovery

To enable Path MTU Discovery on the ISA Firewall, follow the instructions at Microsoft KB Article 902347. This article also describes the Access Rule you need to create to allow Path MTU Discovery to work.

To Enable Black Hole Router detection, check out: How to Troubleshoot Black Hole Router Issues.

To disable spurious authentication prompts due to Autodiscovery, check out: Users are prompted for authentication credentials when Internet Explorer is configured for automatic discovery in ISA Server 2004.

There are a couple of other things you might want to do, that many ISA Firewall admins forget. First, make sure that the Web Proxy listener is enabled on the local host network. This will help with downloading your automatic updates. Also, you might want to consider enabling the System Policy Rule that allows you to download CRLs, this will also help you with reaching the System Policy allowed sites if you want to use your browser to reach them (actually, any Microsoft site is safe in this regard, IMO).

There's still a lot of configuring to do, but my firewall policy is a lot cleaner than it was before. And since this was an outbound only firewall, I don't have to worry about certificates for Web Listeners. The machine is a lot faster and performance shows notable improvements.

Do you have any "must have" settings on your ISA Firewalls that aren't evident to the new ISA Firewall admin? If so, let me know! Send them to me at tshinder@isaserver.org and I'll share them with everyone in the next newsletter.

Thanks!

Tom

=======================

Quote of the Month - "Encephalopathy is better than no 'lopathy at all."

-- Anonymous medical student

=======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Creating a DNS Infrastructure to Support Exchange Server 2003
• Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 1)
• Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 2)
• Creating an ISA Reports Web Server
• Configuring the ISA Firewall to Support Certificate-Based EAP-TLS Authentication (Part 3)
• Creating a Custom VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 1)

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

• HTTP compression support in ISA Server 2006
• Clients may receive an "Error Code 500 Internal Server Error" error message when they try to visit a Web site that you publish by using ISA Server 2006 or ISA Server 2004
• ISA Server 2004 and ISA Server 2006 do not support traffic redirection
• The RADIUS authentication process in ISA Server 2006 and ISA Server 2004
• How to enable ICMP traffic from protected SecureNet clients to external hosts in ISA Server 2006 and ISA Server 2004
• The external network adapter on your ISA Server 2006 or ISA Server 2004 computer cannot obtain an IP address from a DHCP server
• How to bypass the Web Proxy service in ISA Server 2006 or in ISA Server 2004

5. Tips of the Month

I've seen a number of posts recently on how to get the Forefront Client Security client and System Center agents to work with the ISA Firewall. Here's a thread on the ISAserver.org Web boards that might help you steer in the right direction:http://forums.isaserver.org/m_2002056073/mpage_1/key_/tm.htm#2002056814

Looking for some methods for blocking file transfers over the IM channel using the ISA Firewall? Then check out this thread on the Web boards: http://forums.isaserver.org/m_2002056448/mpage_1/key_/tm.htm#2002056448

Recent information coming in to me indicates that setting up certificates to support Exchange 2007 publishing might not be nearly as complex as we thought it might be. The Exchange 2007 documentation team has done a bang up job at confusing us, making us believe that SAN certificates are required. However, this might not be the case, and we might be able to do things the exact way we used to with the easy to configure Exchange 2003. If so, I'll follow up on this finding in the next newsletter. This will certainly be good news, especially for those of us who have no interest in the Unified Communications feature included in Exchange 2007.

6. ISA Firewall Links of the Month

• Questionable Users?
• Trusted Web Proxy Servers Appear to be Launching DoS Attacks!
• Assigning a Static IP address to VPN Users

7. Blog Posts

• Multiple L2TP/IPsec VPN clients behind a NAT device
• Fixing Windows Media Player Authentication Prompts
• Windows Essential Business Server Suite Announced
• Clearing the Cached WPAD Script
• Two XSS on Blue Coat ProxySG Management Console

8. Ask Dr. Tom

QUESTION: Hi Thomas,

We'd like to join the ISA 2008 TAP program. I'm not sure in what state the program is right now, but is there still a chance of joining? If so, we'd also like you to become our TAP assistant. -Lourens van Dyk

ANSWER: I've had a number of people ask me about this in the last couple of months. From my understanding, the TAP program is now closed, so they won't be entering any new companies into the program. If I hear any information about them re-opening the TAP program, I'll be sure to let everyone know about it.

QUESTION: I would appreciate it if you could help with the current situation I'm having. I've been using ISA 2000 without any issues for years, I decided recently to configure a ISA 2006 server to replace the 2000 box and afford functionality for Sharepoint that was not available in 2000.

My problem is this. I have 5 subnets:

10.100.10.0/22 - Local to head office
10.100.20.0/22 - Namibia
10.100.30.0/22 - Durban
10.100.40.0/22 - Port Elizabeth
10.100.50.0/22 - Cape Town

10.100.10.0/22 works fine and clients can connect without a problem but all the other subnets cannot. They have all been added to the routing table and to the Internal Network config.

Pinging from the subnets works, but any other protocol is dropped as spoofed. When I examine the logs it would seem that ISA is seeing the Serial interface of the router (i.e. 192.168.100.2 - Namibia) and dropping the packet.

I have created access and subnets for these locations but without any luck. Been battling for 3 weeks and am unable to find any help on the subject.

Could you give me some advice on what to try next. You response will be greatly appreciated.

Kind regards, Jeremy

ANSWER: I looks like you've come up with the answer here yourself! I assume that all of these subnets are behind the same ISA Firewall interface. Since all subnets behind the same ISA Firewall interface must be part of the same ISA Firewall Network, you need to include all of the IP addresses in each of those subnets in the definition of the ISA Firewall Network for which that interface is the "root". In addition, if you have devices that are performing some kind of NAT behind the ISA Firewall, the IP addresses that the NAT devices are presenting to the ISA Firewall must also be included in the ISA Firewall Network that will be seeing these source IP addresses. In the example you provided, it appears that one of your routers is performing some kind of NAT and presenting a source IP address of 192.168.100.2. You need to include that IP address as part of the ISA Firewall Network. Finally, make sure your routers are pointing to the nearest ISA Firewall interface as their default gateway if you're depending on a SecureNET configuration for any hosts on your network.

QUESTION: Hi Tom,

I have just upgraded based on the feature that allows the ISA Firewall to fall back to Basic authentication when the ISA Firewall detects a non-browser client. This is still not working for me. I have Listener set up for FBA and OWA and it works fine. However, my Blackberry devices still get denied. I have a rule configured as Basic and this works if I move it up the list. This of course changes OWA to basic. I am only using the Blackberry internet service not BES, so in theory I thought they would hit my OWA FBA rule and then revert to basic Any ideas?. I have got a work around in that I can publish FBA from Exchange but didn't need an upgrade to do that. -Lee Burley

ANSWER: The problem you have here is that the user-agent sent by the Blackberry service must not be included on the list of non-browser user-agents used by the ISA Firewall for its fallback mechanism. What you need to do is check your ISA Firewall's log files to determine the user-agent connecting via the Blackberry service. Once you do that, you might be able to include that user-agent in the list the ISA Firewall uses for the failback to Basic mechanism.

QUESTION: Hi Tom,

I want to set up a wireless system:

1. For the company's employees, with laptops to have access to the internal network and internet.
2. For guests or clients, only Internet.

ANSWER: There is a very popular configuration and it's easy to set up. What you need are three NICs in your ISA Firewall: one external interface with the default gateway configured on it, and internal interface that faces the default Internal Network, and a DMZ interface. You'll need to create an ISA Firewall Network definition for the DMZ Network, and make sure that you define Network Rules for the DMZ that defines the Route relationship between the DMZ and the default Internal Network and the DMZ and the Internet. If you find that you have connectivity issues between the DMZ Network and anywhere else, check the ISA Firewall's log files. If you find that the connection is denied and there is no rule listing what rule denied the connection, then the reason for the failure was an absent Network Rule. For the complete details on how to create the wireless DMZ Network, check out the following article here on ISAserver.org:
Configuring an Untrusted Wireless DMZ on the ISA Firewal

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.