Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org
Gear up ISA Server with AV engines and web filtering
Monitor and control users' browsing behaviour with filtering policies and real-time monitoring, and protect your network from malicious downloads with multiple virus scanning engines. GFI WebMonitor - the most popular security and monitoring solution for ISA Server!
Try out GFI WebMonitor for ISA Server today - Download a free 30-day trial!
1. Follow Up on PARS
Last month I talked about a phenomenon that I labeled the "PowerShell Abdication of Responsibility Syndrome" or PARS. In that article I pointed out that PARS seems to be leading application developers to ignore the user interface and offload their responsibility for creating a usable interface by forcing users to use PowerShell. I then called out Microsoft Exchange 2007 as the poster boy of a poorly designed user interface and the archetypal PARS victim.
I usually get a few letters to the editor each month, but I was totally unprepared for the responses I got to the PARS article! I received dozens of letters in response and the most interesting thing about these responses is that they were all of one voice - everyone disliked being forced to use PowerShell when in the past they could trust Microsoft to create an elegant and functional user interface.
Here is what several of you said about PARS:
Steven said: "I love the article Tom - and yes, I'll sign that petition any day! I just had a reminder of PowerHell this weekend as I migrated our internal Exchange 2007 box to new hardware. A process that was VERY simple with Exchange 2003 became a real pain in the you know what, especially when it came to moving public folders! Yes, PF, the feature they "forgot" about in 2007 after doing a really good job of them in the 2003 SPs. It seems the new public folder management UI in 2007 SP1 is still VERY useless as you cannot see replication status or force propagation of settings down a tree - something that Exchange 2003 had ages ago. After diving through a load of PowerHell scripts on Microsoft.com I found that they were pretty useless too.
But yes, Exchange 2007 uptake speed is relative to the speed of its UI.... Slow slow slow. There are some bits I like, but I would LOVE 2007 architecture with a 2003 UI!"
Felicio said: "I don't know if you had planned to create a vote pool, but as an MS Gold Partner consultant in Brazil who has deployed and administered many Exchange servers since version 5.5 and Microsoft Security* products since Proxy Server* (OK, not a security product, but just so you get the point), as you said, PARS on Exchange 2007 is definitely a boring strategy (to keep a healthy level of words). If the ISA team goes through with this, they should be aware this will make TMG more Linux-like and make things harder for us MS partners, as an efficient and well designed GUI is one of the key points when we compete with Linux "appliances"."
Dave said: "I was reading through your October newsletter (PARS) commentary and I could not agree more on the PowerShell thing. With budgets tightening and doing more with less personnel, who has time to sit and type in several lines of complicated, hard to remember command code to do what can be done with one mouse click. Not I! I just do not get Microsoft design logic sometimes. Using PowerShell is a nice option for the Admins that have plenty of time on their hands to sit and twiddle their fingers but it should be just that, an option! My philosophy to Microsoft is K.I.S.S. (keep it simple stupid) Keep the GUI!"
Dirk said: "I totally agree with your article. As a long-time Exchange admin (and ISA admin) I find it very hard to find the necessary PowerShell commands to do a good installation and my day-to-day job. It is very hard to get a good view of the available functionality if you have to revert to a command line. With a GUI you can just explore the different panels and easily get a view of the possibilities of the product. I wonder whether it is so hard to develop a full-blown user interface?"
Richard said: "I could not agree more with your comments in your recent article. I have been using Exchange since the MSMail days. It has remained one of the best products Microsoft had until Exchange 2007 was released. I have had more issues with Exchange 2007 migrations than any other version and this is almost exclusively due to the lack of support for day to day tasks in the GUI. I totally agree with what you said about Windows Admins, having been one for 12 years now. I started off in IT looking after SCO Unix and Netware and Windows was a breath of fresh air when I found everything was just a click away. Well done for voicing what the rest of us have been thinking. I only hope someone listens...."
Eddy said: "Thanks Tom for your editorial in the latest ISAserver.org newsletter of 30 October. I just wanted to give you my feedback and say that I agree wholeheartedly with your assessment of why Exchange 2007 has not been taken up more. Certainly the requirement for new hardware is a small part of the reason, but for me the reason I have not pushed for the upgrade to be done is the high reliance on PowerShell. I am the Senior Systems Administrator here and responsible for Exchange and ISA and I have been in the IT industry for more than 15 years after a career in electronics, and at my age I am not keen to start learning a new language or way of doing things. For me the GUI interface is far clearer and less prone to errors."
Jeff said: "Wow, are you ever right. I sit in a computer room with two AS400s, an RS6000 and a bunch of Windows 2003 servers. The AS400s are the most stable, reliable machines you could ever work on. Although they have command line input, each can prompt up a formatted window with help to create a command without knowing the intricate details of the command. This technology is twenty years old. And you cannot give these machines away as everyone wants a Windows Server. The RS6000, running AIX (or should I say DOS 8.0), has cryptic commands that need an encyclopedia-sized manual to figure out. Windows servers (ISA, TS, DNS, DHCP, etc.) were moving in the right direction, that is, away from command lines to an interactive interface assisting the user toward being more "productive". Now we are going to be forced back to PowerShell, scripting and a command line interface? Welcome to DOS 9.0."
It is clear that no one likes PARS and that the future of computing does not lie in going over to the dark side (the command prompt). I think the ISA/TMG team realizes that their firewall is a complex product, and that the most important thing they can do to improve its overall security posture is to make it easy to configure, which reduces the number of configuration-related security incidents. For this reason and more, it is unlikely they will go down the path of the Exchange 2007 product team; instead, I expect the ISA/TMG team to go in a completely different direction and break new ground in usability.
Until next month,
Tom
===================== Quote of the Month - "I like to get behind early so that I have more time to catch up." - Dr. Tom Shinder =====================
2. ISA Server 2006 Migration Guide - Order Today!
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you the ISA Server 2006 Migration Guide. This book leverages the more than two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.
 Click here to Order your copy today
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
5. Tip of the Month
Here is an interesting solution to a problem with ADAM installation for ISA 2006 Enterprise edition:
"I had exactly the same error message while installing ISA Server 2006 EE in a fresh Windows Server 2003 R2 SP2 installation a week ago. Nothing I found on the Internet helped, so I opened an MS Premier case.
The result was that after I uninstalled Windows SP2 I was able to install ISA, and even after that I reinstalled Windows SP2 and ISA 2006 SP1 and everything worked fine.
If you have Windows 2003 SP1 and ISA 2006 you have to install ADAM SP1 before installing Windows SP2, but in R2 ADAM SP1 is included.
Microsoft was not able to explain why this happened."
So, if you find that you're having problems with ADAM installing properly when trying to install ISA Enterprise edition, then try this out. For the full thread, check out the ISAserver.org Web boards.
6. ISA Firewall Links of the Month
ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org
7. Blog Posts
8. Ask Dr. Tom
QUESTION:
Hi Thomas,
I often read your blog posts and articles on the internet, especially about ISA server. I have a question about ISA 2006. I am using Windows ISA 2006 server as a 2-legged firewall. I only want to use the ISA server as a firewall for authenticating users against the Active Directory. The ISA firewall is in-line with the core switch. I disabled the WebProxy listener on the internal network and added only the internal VLANs to the Inside network address set. I disabled NAT from the internal network to the external network, so all traffic is routed. NAT is done by the ISA server firewall.
I noticed that when connecting from the inside to the outside, all packets keep their original source IP addresses. Only HTTP connections are changed by the ISA firewall. The ISA firewall replaces the original IP address from the client by its own external IP address. Do you maybe know a way to change this behavior, or is this by design?
With kind regards, René Jorissen
ANSWER:
Hi René,
You say that you disabled the Web Proxy listener on the ISA firewall Network from which the clients are connecting. If so, no clients should be able to connect to the external network through the ISA firewall using Web proxy client connections. However, that doesn't mean that the Web Proxy filter has been disabled.
When the Web Proxy listener on the ISA Firewall Network from which the clients connect is disabled, you remove support for Web Proxy clients. However, you can still support both SecureNAT and Firewall clients. When the Web Proxy Filter is bound to the HTTP protocol (which is the default setting), all HTTP connections from SecureNAT and Firewall clients are passed to the Web Proxy Filter. This causes the ISA firewall to proxy the connections from these clients. When the connections are proxied, the original source IP address is replaced with the IP address of the ISA firewall's external interface.
You can change this behavior by unbinding the Web Proxy Filter from the HTTP protocol. When you do this, the original source IP address will be seen by upstream devices when there is a route relationship between the source and destination, as in your example.
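One way to confirm which protocols are still being proxied before and after unbinding the filter, as an added example that is not from the newsletter or from Microsoft's own tooling: a Python script that classifies tcpdump-style lines captured on the upstream side of the ISA firewall by whether the source address is the original internal client (route relationship honoured) or the ISA external interface (connection proxied). The capture lines and the address ranges are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style capture taken upstream of the ISA firewall (not real data).
# Assumptions: 10.1.0.0/16 is the internal VLAN range, 203.0.113.10 is the ISA
# firewall's external interface, 198.51.100.5 is an Internet host.
SAMPLE_CAPTURE = """\
IP 203.0.113.10.40011 > 198.51.100.5.80: Flags [S]
IP 10.1.5.23.51234 > 198.51.100.5.443: Flags [S]
IP 10.1.7.9.51888 > 198.51.100.5.25: Flags [S]
IP 203.0.113.10.40012 > 198.51.100.5.80: Flags [S]
IP 10.1.5.23.51300 > 198.51.100.5.53: Flags [S]
"""

INTERNAL = ipaddress.ip_network("10.1.0.0/16")       # assumed internal VLANs
ISA_EXTERNAL = ipaddress.ip_address("203.0.113.10")  # assumed ISA external address

# Matches "IP <src>.<sport> > <dst>.<dport>:" at the start of a tcpdump line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_line(line):
    """Return (source address, destination port) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _sport, _dst, dport = m.groups()
    return ipaddress.ip_address(src), int(dport)


def classify_sources(capture):
    """Per destination port: 'routed' if upstream sees the original internal client,
    'proxied' if it sees the ISA external address, 'mixed' if both, 'other' otherwise."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport = parsed
        if src == ISA_EXTERNAL:
            seen[dport].add("proxied")
        elif src in INTERNAL:
            seen[dport].add("routed")
        else:
            seen[dport].add("other")
    return {p: ("mixed" if len(k) > 1 else next(iter(k))) for p, k in seen.items()}


def proxied_ports(capture):
    """Ports whose connections all carry the ISA external address as source."""
    return sorted(p for p, k in classify_sources(capture).items() if k == "proxied")
```

With the Web Proxy Filter still bound to HTTP, only port 80 shows the ISA external address as source; after unbinding it, port 80 should classify as routed like the rest.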
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.