Sponsored by: RainFinity & GFi Software Ltd.
ISAserver.org Newsletter
October, 2002
In this issue:
Welcome to the Isaserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Learn how to implement Microsoft ISA Server with Microsoft Exchange Server
Special Offer for ISA Customers from Rainfinity: Attend
a Free Web Seminar on how you can implement Microsoft
ISA Server with Microsoft Exchange Server. Attend this
event, and hear author and distinguished Microsoft expert
Dr. Thomas Shinder share his tips and insights
on using the ISA Server's filters to publish Microsoft
Exchange Servers to keep them safe from Internet intruders.
Register today for this free web seminar scheduled for Thursday, November
14th at 9:00 a.m. Pacific.
1. Site Updates
By Stephen Chetcuti
As promised in our previous newsletter, this month saw the launch
of our free article update service and new URL naming system.
We also have a special announcement to make: after months of
hard work, Dr. Thomas Shinder's new ISA Server book 'ISA Server
and Beyond' is in the final stages of completion, and is ready
to be launched in the coming days!
You are all familiar with Dr. Shinder's excellent work on
ISAserver.org, with weekly ISA Server articles and continuous
support on the site's message boards. This is Tom's second
ISA Server book; his first was released over a year ago and
gained widespread approval throughout the ISA Server admin
community, immediately ranking as a Top 500 book on Amazon.com,
with full 5-star ratings from reviewers. His second book includes
new content on ISA Server and tackles other W2K security topics
and is sure to be another must read for all ISA Server admins.
Be one of the first to receive Tom's new book and take advantage
of Amazon.com's pre-order discount of 30% today by clicking
here.
On to site updates: keep up to date with all articles published
on ISAserver.org by subscribing to the newly launched ISAserver.org
mailing lists! By opting to subscribe to the Monthly Article
Update, you'll receive a summary and link to all newly added
articles for that month. One can also subscribe to the Real
Time Article Update for instant notification of newly added
articles. Can you afford to pass on the opportunity to stay
on top of your favorite ISA Server resource? Click
here to subscribe.
Best Regards,
Stephen Chetcuti
2. Thomas Shinder's new ISA Server book
out soon!
By Thomas W Shinder, M.D., MCSE, etc.
New ISA Server/Win2k/XP Security book out soon! The
security stuff is sort of interesting, but the really
hot stuff is the new ISA Server material! We're including
stuff on DMZs, firewall chaining, hierarchical Web caching,
SSL connections, SSL publishing, OWA, Secure IMAP/SMTP/POP3,
and publishing services on the ISA Server itself! There's
a lot more too!
Click
here to pre-order from Amazon.com today!
3. Preparing your ISA Server Network Infrastructure
By Thomas W Shinder, M.D., MCSE, etc.
Are you getting ready to install an ISA Server on your network? Do you
already have an ISA Server on your network? Whether you have an ISA Server
already on your network or you're getting ready to put one up, the most
important thing for your ISA Server deployment success is the appropriate
supporting network infrastructure. Whether we're talking about a small shop
or a large enterprise, I figure about 70% of the problems people have with
ISA Server are related to an inadequate or incorrectly configured network
infrastructure.
What are the key elements of your network infrastructure? Some of the most
important issues that affect ISA Server include:
- IP addressing scheme and DHCP
- DNS infrastructure
- NetBIOS name resolution infrastructure
You'll go a long way toward your ISA Server success if you can get a handle
on each of these areas. Let's now take a closer look at each one of them.
IP addressing scheme and DHCP
The IP addressing scheme has to do with what IP addresses you use on your
internal network and on the external interface of the ISA Server (and maybe
DMZ segments as well). The addressing scheme extends to more than just a
single network. If you have branch offices, the IP addresses used in those
offices are also part of your IP addressing scheme.
How do you assign network IDs to your networks? Did you sit down with a
pencil and a piece of graph paper and map out the network IDs for each of your
network segments? Or did your IP addressing scheme just sort of "grow that
way"? It's important you create your IP addressing scheme in a mindful way
if you wish to avoid problems with VPN clients and remote network
connectivity.
For example, suppose you run a VPN server at the main office and you use the
10.0.0.0/8 private address network ID for those networks. You should think
ahead at what number you want to assign to the "stub" network that the
internal interface of the ISA Server attaches to if you plan to have VPN
clients call your main network. You have a couple of choices: first, you
could summarize all internal network IDs by making your stub network ID
10.0.0.0/8. This greatly simplifies the routing table on the ISA Server, as
you only need to create a single routing table entry, pointing to the router
interface on the same network ID as the internal interface of the ISA
Server, to summarize all the subnets of your network.
On the other hand, you might want to use an "off subnet" address on your
stub network. The off subnet address gives you more control over what
resources a VPN client can access. Off subnet stub networks allow you to
prevent users from subverting your network security infrastructure by
changing the "use gateway on remote network" setting on the VPN client.
For more information on VPN client security, network address, and off subnet
addressing advantages, check out
http://www.isaserver.org/tutorial/VPN_Client_Security_Issues.html
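The routing consequences of the two stub-network choices above, worked through as an added Python example (not from the newsletter) over a constructed addressing scheme; the subnet values, the VPN pool and the 192.168.250.0/24 off-subnet stub are all assumptions:

```python
"""Added example, not from the newsletter: sanity-check a planned IP
addressing scheme for an ISA Server deployment before the routing table
and VPN address pool are configured.  All subnet values are constructed."""
from ipaddress import IPv4Network, collapse_addresses
from itertools import combinations

# Constructed internal network IDs (main office plus two branch offices).
INTERNAL_SUBNETS = [
    IPv4Network("10.1.0.0/16"),
    IPv4Network("10.2.0.0/16"),
    IPv4Network("10.3.0.0/24"),
]
# Constructed VPN static address pool; it deliberately collides with
# 10.1.0.0/16 to show the kind of mistake an unplanned scheme produces.
VPN_POOL = IPv4Network("10.1.200.0/24")


def find_overlaps(networks):
    """Return every pair of network IDs that overlap.

    Overlapping IDs (a branch office reusing a main-office range, a VPN
    pool carved out of a LAN subnet) leave the ISA Server with ambiguous
    routes, so VPN clients or remote networks become unreachable.
    """
    return [(a, b) for a, b in combinations(networks, 2) if a.overlaps(b)]


def summary_route(subnets):
    """Smallest single prefix that covers every internal subnet."""
    summary = subnets[0]
    while not all(summary.supernet_of(n) for n in subnets):
        summary = summary.supernet()  # widen by one bit until all fit
    return summary


def routes_needed(stub, subnets):
    """Routing entries the ISA Server needs to reach the internal subnets.

    If the stub network on the internal interface summarizes all internal
    IDs (the article's 10.0.0.0/8 choice), the connected route is enough.
    With an off-subnet stub, each internal network ID (after collapsing
    adjacent ranges) needs its own entry via the internal router.
    """
    if all(stub.supernet_of(n) for n in subnets):
        return [stub]
    return list(collapse_addresses(subnets))


def check_scheme(subnets, vpn_pool, stub):
    """Produce human-readable findings for a planned addressing scheme."""
    findings = []
    for a, b in find_overlaps(subnets + [vpn_pool]):
        findings.append(f"overlap: {a} and {b} cannot both be routed")
    findings.append(f"summary of all internal subnets: {summary_route(subnets)}")
    routes = routes_needed(stub, subnets)
    findings.append(f"stub {stub}: {len(routes)} route(s) needed on the "
                    "ISA Server: " + ", ".join(map(str, routes)))
    return findings


if __name__ == "__main__":
    for stub in (IPv4Network("10.0.0.0/8"), IPv4Network("192.168.250.0/24")):
        print("\n".join(check_scheme(INTERNAL_SUBNETS, VPN_POOL, stub)), "\n")
```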
The ISA Server should not be a DHCP client or DHCP server. The only
exception to this is when you must use dynamically assigned addresses on the
external interface. The internal interface of the ISA Server should always
have a static IP address. Never place a DHCP server on the ISA Server
itself. If you do, your packet filter logs will fill with so many DHCP
related entries that they will be unusable for troubleshooting and security
investigations.
VPN clients can obtain IP addresses via a static address pool configured on
the ISA Server, or from a DHCP server on the internal network. You can use a
DHCP server on the internal network, but keep in mind that you will only be
able to assign IP addresses to the DHCP clients; you won't be able to assign
DHCP options to the VPN clients connecting to an ISA/VPN server. The reason
for this has to do with how the DHCP Relay Agent and the "internal"
interface used by RRAS are influenced by the ISA Server. The end result is
that the DHCP Relay Agent can't do its job, and the VPN clients are not
assigned DHCP options.
DNS Infrastructure
Your DNS infrastructure is absolutely, positively, the key to ISA Server
success. So many problems are related to ISA Server admins not understanding
how DNS works with ISA Server and ISA Server clients. Once you get a good
understanding of DNS, you'll be in much better shape to solve those hard to
troubleshoot problems.
The first thing to work out is what the DNS requirements are for each ISA
Server client type. The default settings of the ISA Server clients work like
this:
- SecureNAT client -- SecureNAT clients must resolve Internet host names on
their own. The ISA Server will not perform name resolution on behalf of the
SecureNAT client
- Web Proxy client -- Web Proxy client requests have name resolution performed
by the ISA Server. The ISA Server will use the DNS server addresses
configured on its own interfaces to resolve the name included in the
requests by Web Proxy clients. You don't have to configure a DNS Server
setting on a Web Proxy client unless the Web Proxy client is also
configured as a SecureNAT client. In that case you need to configure it with
a DNS server address.
- Firewall client -- By default, Firewall clients allow the ISA Server to
resolve names on their behalf. You do not need to configure a DNS server
address on a Firewall client. If you don't want the ISA Server to resolve
names for the Firewall client, you can configure the Firewall client to
resolve names itself. For more information on how to configure the
mspclnt.ini file to permit local name resolution for the Firewall client,
check out Jim Harrison's seminal article on Firewall client configuration at
http://www.isaserver.org/tutorial/ISA_Clients__Part_3_The_Firewall_Client.html
You need to decide how external DNS host names are going to be resolved for
your network clients. Will you be running your own DNS server or will you
allow your ISP's DNS server to resolve all requests for Internet host name
resolution?
You'll want to allow your ISP to resolve all Internet host names only if you
run a very small network that doesn't have a DNS server of its own. If you
have even a single DNS server, you should consider configuring it to resolve
Internet host names. This DNS server could be the Domain Controller on your
internal network, or you could even use the ISA Server itself. If your only
Windows 2000 Server is the ISA Server itself, you can use the DNS Server on
the ISA Server to resolve Internet host names. For information on
configuring a DNS Server on the ISA Server itself, check out
http://www.isaserver.org/article/Running_a_DNS_Server_on_the_ISA_Server.html
If you choose not to run any DNS server at all, then you need to configure
your ISA Server to use your ISP's DNS Server for host name resolution. In
the vast majority of cases where there is no internal DNS server, you'll be
using a dial-up interface and a dynamically assigned IP address. The DNS
server address is assigned via IPCP, so you don't need to manually assign
the DNS server address on the external dial-up interface.
You should run your own DNS services if you have the choice to do so. Put
the DNS server on an internal network server. Create a Protocol Rule that
allows both DNS Query and DNS Zone Transfer, and create a client address set
that includes the DNS server's address and allow that client address set
access to the DNS protocol rule.
If you're using a Windows 2000 DNS server, you should be able to resolve
host names right away. You can resolve Internet host names right out of the
box because the Root Hints file has been "primed" with the names and IP
addresses of the Internet Root Servers. However, if your DNS server is on an
Active Directory domain controller, you might have made the fatal mistake of
letting the Active Directory Wizard configure DNS for you. For more
information about the problems related to the Active Directory DNS Wizard
and how to fix them, check out
http://infocenter.cramsession.com/techlibrary/GetHtml.asp?ID=1261&GetDes=&CatID=330
Configure the SecureNAT clients to use your internal DNS server if you've
configured it to resolve Internet host names. If you don't have an internal
DNS server, configure the SecureNAT clients to use your ISP's DNS server.
Configure the ISA Server to use your internal DNS server if the DNS server
is configured to resolve Internet host names. Make sure you make the
internal interface of the ISA Server the "primary" adapter and configure the
internal interface to use the internal DNS Server. There is no need to put a
DNS server address on the external interface.
DNS is also important for resolving the name of the internal interface of
the ISA Server when the client is configured as a Firewall client. Make sure
all your clients are configured with a primary DNS suffix that matches the
domain you have configured in your DNS server. This is configured
automatically if your clients are domain members, but for non-domain members
you need to do this manually.
NetBIOS Name Resolution Infrastructure
Your ISA Server clients do not need to resolve NetBIOS names to work
properly. If you have configured your DNS infrastructure properly, and you
have Windows 2000/XP/2003 clients and servers, then you're in good shape
with using only DNS. But if you have downlevel clients, you're going to need
a supporting NetBIOS name resolution infrastructure.
In practice, a NetBIOS name resolution infrastructure means a WINS server
infrastructure. If you have downlevel clients, or if you want to do things
like map network drives for your VPN clients, then you should install a WINS
server on the internal network. WINS servers aren't resource intensive and
for the most part they are self-tuning. WINS servers are especially important
if you want to be able to use the dreaded browser service to browse the
network using Network Neighborhood or any of its cousins. WINS is also very
helpful for downlevel clients when they need to resolve the name of the
internal interface of the ISA Server.
Summary
In this article I touched upon just a few of the important network
infrastructure issues you need to address when deploying ISA Servers on your
network. While the ISA Server is a versatile, powerful and easy to use
firewall, it's not a plug and play solution. You need a good understanding
of TCP/IP and Microsoft networking services before putting the ISA Server on
your network. You'll have the best experience and the least amount of
problems if you do some planning and configure your network infrastructure
to support your ISA Server.
Download content checking & anti-virus for ISA
Server with GFI DownloadSecurity!
GFI DownloadSecurity for ISA Server enables you to assert control over what
files your users download from HTTP & FTP sites.
Downloaded files are content checked for viruses, malicious
content and objectionable material, and can be quarantined
based on file type and which user downloaded them. GFI
DownloadSecurity handles the security risk of file downloads
without resorting to blocking all file downloads at
firewall level! Blocking of file downloads is an unpopular
policy, and results in your having to temporarily open
ports/file types for users, resulting in additional
administration and potential security holes.
Click
here to download your free trial!
4. ISAServer.org Learning Zone articles of Interest
We have a great group of articles in the Learning Zone that will help you
get a handle on your most difficult configuration issues. Here are just a
few of the newer and more interesting articles:
5. Q Articles of the Month
Here are some interesting and useful ISA Server related Q articles posted by
Microsoft in the last month:
6. Post of the Month!
A number of you have had problems removing a dial-up entry from the ISA
Management console. If those perpetual dial-up entries are causing your
pain, then you need to check up on this post Dave Fosbenner made a few days
ago on the ISAServer.org Message Boards (http://forums.isaserver.org/):
"I have found that if you have a DUN entry in ISA that
you no longer use, and you've removed the DUN icon from
Win2000 in My Network Places, you will get an event ID error
14142 every 3-5 seconds in ISA, even if you have unchecked
"use DUN entry" in ISA and you aren't using the DUN entry
anymore. I haven't found any way to remove a DUN entry within
ISA from the Policy Elements section; however, I found I
was able to remove the DUN entry in the registry.
It's at the key:
HKLM\SOFTWARE\Microsoft\Fpc\Arrays\<GUID>\Policy Elements\Dialup Entries
1. Stop the ISA services.
2. Save the registry key under Dialup Entries.
3. Delete the registry key under Dialup Entries.
4. Restart the ISA services.
The Dialup entry should no longer appear in ISA, and the
14142 errors should be gone."
7. ISA Server Link of the Month
Quite a few of you are on the cutting edge! I've got a number of requests
for information on running ISA Server on Windows 2003. The good news is that
ISA Server runs quite nicely on Windows 2003, but there are a few issues
that you need to watch out for. Microsoft helps us all out by posting some
useful instructions on how to run ISA Server on Windows 2003. Check it out
at:
http://www.microsoft.com/isaserver/setupnetserver.asp
8. Ask Dr. Tom
QUESTION:
I'm trying to "Publish" a server using Microsoft ISA. This internal server
is an HTTPS server. My ISA server machine doesn't have two NICs. When I try
to access the published server using the external IP address from any client
I cannot get to it. The ISA log
gives the status of this request as "10060". When I try to access the published
server using the external IP address from the ISA machine itself I'm able to
get to it. I checked all the configuration settings but I cannot figure out
why any client other than the ISA machine itself is not able to access the
published server.
ANSWER:
I'm not sure exactly what you're doing here, but it sounds like you're trying
to publish a server using a unihomed ISA Server. You can't publish servers
using Web or Server Publishing Rules with a unihomed ISA Server. Note that a
modem or ISDN terminal adapter counts as an interface, so a machine with an
internal NIC and a modem is not considered unihomed. The ISA Server needs to
know what's internal and what's external in order to publish servers. If you
have only a single interface, there isn't an internal or external interface
for the ISA Server to work with.
QUESTION:
I have this particular problem. Recently my boss tried to download the new
Macromedia Shockwave Player plug-in for IE. Unfortunately it reported
"Download Interrupted." I was looking through the message boards and you
suggested configuring the HTTP Redirector. Well, I tried this but it did not
work. I also tried doing this from other computers on my LAN and it didn't
work either, but when I tried it from our Web server, which is in the DMZ,
there was no problem. I have concluded that the problem lies in the ports
available to us and those that are available in the DMZ. As I understand it,
IP filters can be configured to be either outbound or inbound, and Protocol
Rules, which are for local clients, are outbound. At this point I'm not too
keen on fooling around with any of the settings right now because this seems
to be my only problem. My configuration for the DMZ (tri-homed by the way)
is port 80 in & out for the Web server NIC and the DMZ NIC. I have also
configured outbound ftp port 21 on both Web server NIC and the DMZ NIC. Have
you resolved this issue since the last time or do you have any new
suggestions?
ANSWER:
I've noticed the same problems with accessing the Shockwave site using the Web
Proxy client configuration. Unfortunately, there isn't any clear explanation
why the Web Proxy service has problems with the Shockwave download site, but
it's likely that the site requires an interpretation of a command not
supported by the ISA Server's Web Proxy service. When I get more information
on this problem I'll share it over at http://www.isaserver.org/Thomas_Shinder/
The best solution is to configure the site for Direct Access. For example,
you can go into the ISA Management console, expand your server name and then
click on the Client Configuration node. Double click on the Web Browser
entry in the right pane of the console. In the Web Browser Properties dialog
box, click on the Direct Access tab. What you want to do is add an entry to
the "Directly access these servers or domains" list. Click the Add button.
Select the Domain or computer option and type in www.adobe.com (without the
quotes). Note that you MUST use the Autoconfiguration script in order for
the browser to use the Direct Access entries you configure in this list.
The Direct Access entry will force the Web browser to bypass the Web Proxy
service. That's fine, but if the client is configured as *only* a Web Proxy
client, it won't have any way to get to the Internet. You'll need to
configure the client as a SecureNAT or Firewall client so that it has
alternate means available to access the Internet.