Sponsored by: Network Engines
ISAserver.org Newsletter
September 2006
In this issue:
Welcome to the ISAserver.org newsletter! Each month we will
bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to:
tshinder@isaserver.org
Whitepaper Download: Implementing Web Security in a Defense-in-depth Environment
Web-borne threats are increasingly fast, sophisticated, and criminal in their intent. This whitepaper outlines best-practice defense-in-depth web security policy to protect users, client devices, and core Internet-facing applications from malware. Protect against keyloggers, phishing and pharming scams, and other web-borne threats found in Instant Messages and P2P file-sharing. Network Engines NS Series Appliances are the recommended solution - integrating Microsoft ISA Server + Websense.
Download the whitepaper now!
1. The Future of the ISA Firewall
By Thomas W Shinder MD, MVP
Now that ISA 2006 is officially released to the public, ISA Firewall admins are getting to try out the new features included in the latest version of Microsoft's stateful packet and application layer inspection firewall. Most of those I've talked to have been a little taken aback by what appears to be a lack of new features in the product, especially in those areas where ISA Firewall fans have been requesting fixes for almost six years.
While I hate to sound like an apologist for the 2006 ISA Firewall, the fact is that the new version contains dozens of updates and feature enhancements that any ISA Firewall admin will appreciate. It just takes some digging to find them. But once you find them you'll be happy with what you see! For comprehensive coverage of what the ISA 2006 Firewall has to offer, check out my article on why the ISA 2006 Firewall is better than 2000 and 2004.
Looking forward, I don't expect the same sense of disappointment with the next version of the ISA Firewall. While the 2006 ISA Firewall can be considered a "point" upgrade or ISA 2004 "R2", the next version of the ISA Firewall will likely introduce earth-shaking changes like those we saw during the transition from 2000 to 2004. What do I see in the ISA Firewall's future? I can't say for sure, but if I had to bet a nickel at this time, the next version of the ISA Firewall will include the following:
- SSL VPN functionality: Microsoft acquired Whale Communications earlier this year to fill in a big gap in the ISA Firewall, and that's full featured SSL VPN functionality. You know that Microsoft is going to work hard to get the Whale features integrated into the ISA Firewall as they play catch-up with other firewall vendors.
- Integrated content filtering: The ISA Firewall has always supported content filtering additions, such as Websense and SurfControl. However, there's a perception in the market that these content filtering engines aren't as integrated into the product as they should be, which has given competitors of the ISA firewall a bit of an advantage. Microsoft purchased Dynacomm's iFilter a while ago, and I would not be surprised to see this product's feature set integrated into the next ISA Firewall.
- Support for multiple gateways/ISPs: One of the most common requests for the ISA Firewall is the ability to use multiple gateways or ISPs. Broadband ISP connections are inexpensive and customers want the ability to use multiple ISPs for failover and even bandwidth aggregation. The next version of the ISA Firewall must provide this functionality, or else it will fall hopelessly behind its competitors and be relegated to a simple forward and reverse proxy device.
- Enhanced WAN acceleration/WAFS: Branch offices are big business and the ISA 2004 SP2 and ISA 2006 Firewalls are taking advantage of this with BITS caching, HTTP compression, Diffserv and other features to make the ISA Firewall an attractive solution for the branch office. However, there's more that can be done in this space, and Microsoft's recent announcement of its partnership with Citrix for TCP optimization and WAN acceleration indicates that perhaps some of these technologies will be baked into the next version of the ISA Firewall.
- Integrated outbound SSL inspection: Outbound inspection of SSL tunnels is a must. Denying the importance of this is just putting your head in the sand. At this time, the ISA Firewall can be enabled for outbound SSL tunnel inspection using Collective Software's ClearTunnel application. But this feature is so important, so critical to secure networking, that it must be integrated with the ISA Firewall core product. I expect that Microsoft will realize this and include outbound SSL application layer inspection with the next version of the ISA Firewall.
- SIP application layer gateway: SIP support is a complex problem, but it's one that the ISA Server dev team has to come up with an answer to. VoIP is the current "big thing" and the ISA Firewall should not only be an enabler for this technology, it should also provide security for this key VoIP protocol. I look forward to some type of SIP support in the next version of the ISA Firewall.
- Application control: Developers of dangerous applications have learned all sorts of ways to bypass firewalls. If push comes to shove, they can always use HTTP as a transport, since they know that no firewalls will have HTTP closed outbound. What a modern firewall needs to do, in addition to controlling protocols, is control the applications that can be used to connect through the Firewall. I expect future versions of the ISA Firewall to be able to determine what application the user is using to connect to the Internet, and if that application is on a deny list, or is not on an allow list, then all sessions initiated by that application are automatically closed by the ISA Firewall.
- Enhanced application layer inspection filters: When the 2000 ISA Firewall hit the streets, it was the thought leader in application layer inspection firewalls. However, in the interim, most of the ISA Firewall's competitors have caught up with the ISA Firewall when it comes to application layer inspection. I expect future versions of the ISA Firewall to have intelligent application layer inspection filters for protocols such as those used by Active Directory, SQL, VoIP, IMAP4, SMB/CIFS, and many others. I expect that with the release of the next ISA Firewall, the ISA brand will regain its leadership position as "The" application layer inspection firewall.
- Support for installing on the Windows Longhorn "bare bones" OS (core): One issue that often slows the adoption of the ISA Firewall is the superstitious concerns "network guys" have over the ISA Firewall running on a base Windows operating system. This superstition is so finely tuned and ingrained that they cost their companies millions of dollars to feed it, much to the delight of the hardware firewall sales guys. With the next version of the ISA Firewall, I expect that we'll be able to install it on the Longhorn "core" OS, which doesn't contain all the ghouls and goblins that concern the "network guys" and will make it easier to end run them and convince more clear headed technical decision makers that the ISA Firewall is the firewall of choice on any Microsoft network.
I'm sure there are many more things that could and will show up in the next version of the ISA Firewall. What do you think? Anything I left out of this list? Are there any ground breaking features that could be included in the ISA Firewall that would blow the ASAs, Netscreens, Check Points, and Blue Coats out of the water for good? If so, let me know! I'll let the ISA Firewall Product Group know about your ideas and who knows, maybe they'll show up in the next version of the ISA Firewall.
Thanks!
Tom tshinder@isaserver.org
=======================
Quote of the Month - "We succeed only as we identify in life, or in war, or in anything else, a single overriding objective, and make all other considerations bend to that one objective."
US President Dwight D. Eisenhower (1890 - 1969), speech, April 2, 1957
=======================
2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!
By Thomas W Shinder
Tom and Deb Shinder's best-selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no-holds-barred coverage of Microsoft's new one-of-a-kind application layer inspection firewall.
While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Articles of the Month
Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:
5. Tip of the Month
Have you had problems with the ISA Server "cannot load property page" error? If so, ISAserver.org Web boards poster meddlingBanter might have the solution for you:
"I just had this problem yesterday and, looking around the web, found that one solution is to open a new mmc console and then load the ISA server snap-in again. This works, but it's kind of a backwards solution. So today I went back to the problem and thought maybe my settings for the ISA Server Management console view were corrupt. Sure enough, that was the problem. I cleared out my console view settings by going to File > Options > Delete Files button. I then shut down the console and restarted the ISA Server Management console and everything was back to normal. In case you're wondering how to get into the management console even though you get an error, just keep clicking Continue until the console loads up."
You can see the original thread at http://forums.isaserver.org/m_2002025965/mpage_1/key_/tm.htm#2002026852
6. ISA Firewall Links of the Month
Nice article on the ISA Firewall's new capabilities
http://www.redmondmag.com/columns/article.asp?EditorialsID=1448
New Firewall client for the ISA 2006 Firewall now available! Download it at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=45855498-66BA-43D3-A8F1-37837D380389
Collective Software's ClearTunnel application (www.collectivesoftware.com) is just about to exit beta! ClearTunnel gives you the ability to perform application layer inspection on outbound SSL sessions. When you pair up ISA Firewalls with ClearTunnel, you get superior security at a much lower price than a Blue Coat solution. Take the money you would have handed over to pay the Blue Coat sales guy's margin and buy yourself a new car or a boat. Why should he get the cars and boats and not you? That's how much you'll save by making the ISA Firewall choice.
Read about how ISA Firewalls and Citrix will partner to provide a better branch office solution
http://www.microsoft.com/presspass/press/2006/aug06/08-23MSCitrixPR.mspx
Check out the ISA 2006 Firewall's technical documentation library at
http://www.microsoft.com/technet/isa/2006/library/default.mspx
BLOG POSTS:
Block the VML Vulnerability with ISA Firewall's HTTP Security Filter
http://blogs.isaserver.org/shinder/2006/09/23/block-the-vml-vulnerability-with-isa-firewalls-http-security-filter/
An IPSec tunnel mode connection is not implemented as a routable interface on a Windows based server
http://blogs.isaserver.org/pouseele/2006/09/22/an-ipsec-tunnel-mode-connection-is-not-implemented-as-a-routable-interface-on-a-windows-based-server/
Debunking Blue Coat Myth #6890 — Application Layer Inspection of SSL Tunnels
http://blogs.isaserver.org/shinder/2006/09/20/debunking-blue-coat-myth-6890-application-layer-inspection-of-ssl-tunnels/
Redirecting HTTP Requests to SSL Requests using the 2006 ISA Firewall
http://blogs.isaserver.org/shinder/2006/09/21/redirecting-http-requests-to-ssl-requests-using-the-2006-isa-firewall/
7. Ask Dr. Tom
QUESTION: Hey Tom! I noticed that with the new ISA Firewall (2006) I can't use your trick adding /Exchange\ in the path of my OWA Web Publishing Rule to support users who forget to enter /exchange in the path. Any idea of how I can do this with the new ISA Firewall? Thanks! -Peter.
ANSWER: Hey Peter! Yes, you can do this with the new ISA Firewall. However, you don't need to use my trick. Instead, the new ISA Firewall allows you to configure a redirect on a deny Web Publishing Rule, in the same way that you can create a redirect when you deny outbound connection to Web sites. This feature wasn't available in the 2004 ISA firewall.
Here's what you do:
- Create a DENY Web Publishing Rule for https://owa.domain.com. Then, in the Properties dialog box of that rule, create a redirect to https://owa.domain.com
- Create an ALLOW Web Publishing Rule that allows connections to https://owa.domain.com/exchange
The redirect would look like the one in the figure below:

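As an added illustration (not from the newsletter and not ISA Server's own code): a small Python model of the ordered rule evaluation the answer relies on, with the allow rule for /exchange listed above the deny-with-redirect rule so the first match wins. The rule names, the path-pattern matching, and the redirect target https://owa.domain.com/exchange/ are assumptions; the loop check shows why the redirect target must be a URL the allow rule matches.

```python
from urllib.parse import urlparse

# Constructed rule set. Each rule: (name, action, path_pattern, redirect_to).
# A pattern ending in "/*" matches that path and everything below it; any
# other pattern matches the path exactly. Rules are evaluated top-down and
# the first match wins, so the allow rule must sit above the catch-all deny.
RULES = [
    ("Allow OWA", "allow", "/exchange/*", None),
    # Assumed redirect target: the path the allow rule publishes.
    ("Deny + redirect", "deny", "/*", "https://owa.domain.com/exchange/"),
]

def path_matches(pattern, path):
    """ISA-style path set matching: '/x/*' is a subtree, anything else exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2] or "/"
        return path == base or path.startswith(base.rstrip("/") + "/")
    return path == pattern

def first_match(url, rules=RULES):
    """Return (rule name, action, redirect target) for the first matching rule."""
    path = urlparse(url).path or "/"
    for name, action, pattern, redirect_to in rules:
        if path_matches(pattern, path):
            return name, action, redirect_to
    return None, "deny", None  # implicit last rule: deny everything

def resolve(url, rules=RULES, max_hops=5):
    """Follow deny-with-redirect hops; return final action and the URL chain."""
    hops = [url]
    for _ in range(max_hops):
        _name, action, redirect_to = first_match(url, rules)
        if action == "allow" or redirect_to is None:
            return action, hops
        url = redirect_to
        if url in hops:  # redirect lands on a URL that is denied again
            return "loop", hops
        hops.append(url)
    return "loop", hops
```

A request for the bare host name takes one redirect hop and is then allowed; a user who types /exchange directly is allowed with no hop at all.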
Got a question for Dr. Tom? Send it to tshinder@isaserver.org.