Sponsored by: Network Engines
ISAserver.org Newsletter
October 2006
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Whitepaper Download: Implementing Web Security in a Defense-in-depth Environment
Web-borne threats are increasingly fast, sophisticated, and criminal in their intent. This whitepaper outlines best-practice defense-in-depth web security policy to protect users, client devices, and core Internet-facing applications from malware. Protect against keyloggers, phishing and pharming scams, and other web-borne threats found in Instant Messages and P2P file-sharing. Network Engines NS Series Appliances are the recommended solution - integrating Microsoft ISA Server + Websense.
Download the whitepaper now!
1. ISA Firewalls at the Forefront
By Thomas W Shinder MD, MVP
Many of you might be aware of Microsoft's new Forefront family of security products. As Microsoft turns itself more and more into a security company, you see more products dedicated to host, service and network security. At this time, there are four general product lines that participate in the Microsoft Forefront family of products. These include:
- ISA Firewalls: We're all very aware of ISA Firewalls. The ISA Firewall is designed to be an edge security gateway that performs packet and application layer inspection on all connections moving to and through the ISA Firewall. The ISA Firewall is a comprehensive product, including network firewall, remote access VPN server, site to site VPN gateway and forward/reverse proxy server. ISA Firewalls are on the forefront of the Forefront security product line.
- Whale: Whale is an "appliance-ized" version of an ISA Firewall that includes the Whale software that provides SSL VPN capabilities. Microsoft purchased Whale earlier this year and the future of the Whale product is currently unknown. Whale features might be included in the next version of the ISA Firewall, or the ISA Firewall product line might see some significant splintering with the next version, with a dedicated Forefront ISA SSL VPN Gateway product broken out of the main ISA Firewall product line.
- Antigen: The Antigen family of products is aimed at protecting datastreams for Exchange, SharePoint, and Live Communication Servers. In time, the Antigen name will fade away and these products will take new names with Forefront at the beginning of each product name.
- Forefront Client Security: Forefront Client Security is a new product that will be introduced toward the end of this year. Forefront Client Security will provide enterprise level antimalware control and include integrated antivirus, antispyware and Security State Assessment. This product is the first completely new product that is included in the Forefront product line, and as such, I've noticed that a lot of people are confusing Forefront for Forefront Client Security. Client Security is just one product in the Forefront product line, so it's inaccurate to refer to Forefront Client Security as "Forefront". In addition, Forefront is not "Frontbridge", which is a hosted Exchange solution Microsoft purchased last year and is now referred to as Exchange Hosted Services.
I've been spending a lot of time with both ISA Firewalls and Forefront Client Security in the last year and I see these two products working hand in hand to secure your organization. The ISA Firewall, with its stateful packet and application layer inspection capabilities, will help prevent malicious code from entering or leaving your network at the edge, while the Forefront Client Security product will provide the critical host-based security required to protect hosts in the event that attackers are able to use out-of-band methods to bypass the ISA Firewall's protection.
ISA Firewalls will remain at the forefront of Microsoft's accelerating security initiative, but look forward to an increasing number of products that will join the ISA Firewall as dedicated Microsoft security solutions. Also, look forward to all the Forefront security solutions, including the ISA Firewall, to work closely together, so that network forensics and action-based telemetry will be easier and more effective than ever.
If you have questions about the Forefront line of security products and how the ISA Firewall will integrate with those products, let me know! Also, if you have ideas on how the ISA Firewall can creatively work with other Forefront products, let me know that too, and I'll get that information to people who can help make it a reality.
Thanks!
Tom tshinder@isaserver.org
=======================
Quote of the Month - "In general, the art of government consists of taking as much money as possible from one class of citizens to give to another."
--Voltaire
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
Click here to Order your copy today
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month
Nice tip coming down the pike from Jason Jones regarding the configuration of the HTTP Security Filter for ActiveSync publishing rules:
"I have used the MS recommendations with great success for ActiveSync - check here: http://www.microsoft.com/technet/isa/2004/plan/firewall-exchange2003.mspx
The only issue with these settings is that they block Windows Mobile 5.0 clients unless you disable the "block executables" part of the HTTP filter for your ActiveSync rule. Windows Mobile 2003 seems unaffected by this setting, but v5.0 does."
You can see the original thread at http://forums.isaserver.org/m_2002027329/mpage_1/key_/tm.htm#2002028154
6. ISA Firewall Links of the Month
Collective Software's ClearTunnel application has finally gone RTM! Now you can inspect outbound SSL connections, just like with Blue Coat devices, but at a fraction of the cost. Now you can put the money in your pocket instead of giving away your cash to pay the insane margins Blue Coat resellers get! Check out ClearTunnel at www.collectivesoftware.com
Everyone interested in a highly secure environment wants to run the Firewall client on all workstations. I know I do! Download the new Firewall client that will work on both 32 and 64 bit systems (but not Vista) over at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=45855498-66BA-43D3-A8F1-37837D380389
Test out a "clean room" implementation of the ISA Firewall in its role as protector for Exchange, SharePoint and LCS servers. Your "clean room" is a TechNet Virtual Lab and you can sign up for your sessions at: http://www.microsoft.com/technet/traincert/virtuallab/secure.mspx
A lot of folks try to make the ISA Firewall do things it's not designed to do. Are you one of those guys? If so, check out the white paper Troubleshooting Unsupported Configurations in ISA 2004 over at http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx
Here's a great article on the ISA Team blog on how to troubleshoot intermittent Pop-up credentials dialog boxes: https://blogs.technet.com/isablog/archive/2006/10/05/Troubleshooting-Intermittent-Pop_2D00_up-Credentials-in-ISA-Server-2004-.aspx
7. Ask Dr. Tom
QUESTION: Thomas,
I've been reading a lot of your posts and am impressed with your knowledge. I'm using ISA 2004 SP2 and have run into the problem when I select the firewall rule option to send the original client header to the web server, that the solution breaks and the web site can no longer be accessed through ISA. I've read that the published web server needs to become a SecureNET client of ISA and have the networking rules modified so that its default gateway is the ISA server.
All this just so the web app can access the client IP address? Please tell me there is a simpler solution.
I'm currently reading up on using the ISA SDK to insert the client address as another element in the HTTP request.
I'm also going to check out ISA 2006, but from your notes I don't see where this issue has been improved.
If you have the time, I would appreciate your insights and guidance.
ANSWER: There is an easier way! While you have the option to preserve the Host header in a Web Publishing Rule, I don't think this is what you're looking for. What it sounds like to me is that you want to preserve the client IP address so that the published Web server receives the original client IP address instead of the ISA Firewall's internal interface IP address. If this is what you're looking for, both ISA 2004 and ISA 2006 Firewalls will solve your problem.
Double click on your Web Publishing Rule and click the To tab. On the To tab, select the option Requests appear to come from the original client. Click OK and then click apply to save the changes to Firewall policy.

The issue with making the Web server a SecureNET client is a basic TCP/IP problem, not an ISA Firewall related issue. Think about the problem and you'll see that it makes sense. If the published Server needs to communicate with a system that has an IP address for which it does not have a routing table entry, the published Web server must use its default gateway to forward those responses. There is no "magic" that would allow any system to guess how to route the responses.
That's the nice thing about having the ISA Firewall replace the source IP address with its own IP address. In that way, the published Web server most likely already has a route to the internal IP address of the ISA Firewall, so the default gateway configuration is immaterial. In fact, in this scenario, the published Web server doesn't even need a default gateway if it already has a route to the network ID on which the ISA Firewall's internal IP address is located.
All this said, keep in mind that in order for the ISA Firewall to provide real security, the ISA Firewall needs to be in the physical path between the client and published Web server. This is the primary reason why you should avoid deploying unihomed ISA Firewalls and fully deploy the firewall as it was designed. You wouldn't deploy a unihomed Check Point Server. Same is true with a well-designed and highly secure ISA Firewall configuration - you wouldn't deploy it with a single NIC if you have high security in mind. -Tom.
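The routing argument in Dr. Tom's answer is easy to check with a small model. The script below is an added illustration, not part of the newsletter and not ISA Firewall code: it implements an ordinary longest-prefix-match route lookup and runs the two Web Publishing Rule settings (requests appear to come from the ISA Firewall's internal IP, or from the original client) against a few constructed routing tables for the published Web server. All addresses and table entries are made up for the example; 203.0.113.7 is a documentation address standing in for an Internet client.

```python
"""
Added example (not from the newsletter): model the reply path of a published
Web server under the two Web Publishing Rule source-address settings, using a
plain longest-prefix-match route lookup. All addresses are constructed.
"""
import ipaddress

# Constructed addresses (assumptions for the example, not from the page)
ISA_INTERNAL_IP = ipaddress.ip_address("10.0.0.1")     # ISA Firewall internal NIC
WEB_SERVER_IP = ipaddress.ip_address("10.0.0.50")      # published Web server
OTHER_ROUTER_IP = ipaddress.ip_address("10.0.0.254")   # some other internal router
CLIENT_IP = ipaddress.ip_address("203.0.113.7")        # Internet client (TEST-NET-3)


def lookup(routing_table, dst):
    """Longest-prefix match over (network, next_hop, interface) entries.

    A next_hop of None means the destination is on-link (delivered directly).
    Returns (next_hop, interface) or None when no entry matches.
    """
    best = None
    for net, next_hop, iface in routing_table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def response_path(routing_table, source_seen_by_server):
    """Classify where the Web server's reply goes for a request whose source
    address, as the server sees it, is source_seen_by_server.

    'unroutable'   - no route at all, the reply is dropped on the server
    'on-link'      - delivered directly on the LAN (no gateway needed)
    'via-isa'      - next hop is the ISA Firewall, so the reply is inspected
    'bypasses-isa' - next hop is another router; the reply leaves by a path
                     the ISA Firewall never sees, so the connection breaks
    """
    route = lookup(routing_table, source_seen_by_server)
    if route is None:
        return "unroutable"
    next_hop, _iface = route
    if next_hop is None:
        return "on-link"
    if ipaddress.ip_address(next_hop) == ISA_INTERNAL_IP:
        return "via-isa"
    return "bypasses-isa"


# Constructed routing tables for the published Web server
NO_DEFAULT_GW = [("10.0.0.0/24", None, "LAN")]
GW_IS_ISA = [("10.0.0.0/24", None, "LAN"), ("0.0.0.0/0", "10.0.0.1", "LAN")]
GW_IS_OTHER = [("10.0.0.0/24", None, "LAN"), ("0.0.0.0/0", "10.0.0.254", "LAN")]
# No default gateway, but a static route for the client's network through ISA
STATIC_ROUTE_VIA_ISA = [("10.0.0.0/24", None, "LAN"), ("203.0.113.0/24", "10.0.0.1", "LAN")]


def evaluate(preserve_client_ip, routing_table):
    """Combine the rule setting with the server's routes and classify the reply.

    preserve_client_ip=True  -> 'Requests appear to come from the original client'
    preserve_client_ip=False -> requests carry the ISA Firewall's internal IP
    """
    src = CLIENT_IP if preserve_client_ip else ISA_INTERNAL_IP
    return response_path(routing_table, src)


if __name__ == "__main__":
    tables = [("no default gateway", NO_DEFAULT_GW),
              ("default gateway = ISA", GW_IS_ISA),
              ("default gateway = other router", GW_IS_OTHER),
              ("static route to client net via ISA", STATIC_ROUTE_VIA_ISA)]
    for name, table in tables:
        print(f"{name:36} original client IP: {evaluate(True, table):13} "
              f"ISA internal IP: {evaluate(False, table)}")
```

The output lines make Tom's point directly: with the ISA Firewall's internal IP as the source, every table yields on-link delivery, so the server's default gateway is immaterial; with the original client IP preserved, only the tables that send the reply back through the ISA Firewall (default gateway or a static route pointing at it) keep the connection symmetric, and a default gateway pointing elsewhere silently breaks it.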
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.