ISAserver.org Newsletter of September 2007

ISAserver.org Monthly Newsletter of September 2007 Sponsored by: Collective Software LLC

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Take Control of your Proxy Traffic with ClearTunnel and ISA Server

Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better-- now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now.

1. ISA Firewall News Bits

This month the IAG 2007 received a new service pack. If you're not aware of the IAG 2007, it's Microsoft's Intelligent Application Gateway, the SSL VPN gateway built on the Whale Communications product Microsoft acquired. Service Pack 1 includes a number of functionality and stability updates that, in my view, make this the best SSL VPN gateway in the business, if you judge "best" by how securely it publishes applications.

The ISA Firewall Supportability Update has been released since the last time this newsletter went out. It brings the ISA 2006 Firewall's logging and diagnostic features up to parity with those ISA 2004 SP3 introduced, so ISA 2006 Firewall admins now get the same advanced logging and troubleshooting tools that ISA 2004 SP3 admins already have. You'll find a download link further down this newsletter.

On a more personal note, I'm glad to tell you that since the last newsletter I went over the 45,000 mark on the number of posts on the ISAserver.org message boards. It sort of snuck up on me, as I had no idea I was getting that close to 50,000. I think when I hit 50,000 posts, I'll change careers and become a long haul truck driver.

One last thing before I go. Jim Harrison reported this month that we had a minor victory on the ISA Firewall configuration front. For years we've been telling people here on ISAserver.org that putting the ISA Firewall on a domain controller is not supported, except when the ISA Firewall is integrated on SBS. The reason is simple: a domain controller is the most sensitive host on the network, and co-locating it with the Internet-facing firewall means a compromise of the firewall is a compromise of the domain, while the DC's own listening services can't be locked down the way a dedicated firewall host can.

Of course, a good number of people who wanted to do this tried to figure it out on their own, because there was no official statement from Microsoft that putting the ISA Firewall on a DC isn't supported. Well, now it's official. Microsoft has put ISA on a DC on their list of unsupported configurations. Sometimes the good guys win!

That's all for now! If you have any questions or comments, you're always welcome to send them to me at tshinder@isaserver.org

Thanks!

Tom

=======================

Quote of the Month - "More often than not, it's not"

-- Thomas W Shinder MD commenting on how often network problems are due to the ISA Firewall

=======================

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Order Today!

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004, and they share the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

5. Tips of the Month

Need to get host names in the ISA Firewall logs for SecureNAT clients? Then check out this tip from Tarek.

Having a hard time troubleshooting a possible problem with a service on the ISA Firewall? Then check out the debugging tool mentioned in this thread.

Want to increase your ISA Firewall's performance? Check out this tip on PMTU Blackhole setting.


6. ISA Firewall Links of the Month

A great review of GFI WebMonitor 4.0

http://www.elmajdal.net/isaserver/Product_Review_GFI_Web_Monitor_4.aspx

ISA Firewall Quick Tip : Assigning the Same Static IP for a VPN Client

http://www.elmajdal.net/isaserver/Assigning_the_Same_Static_IP_for_a_VPN_Client.aspx

Information about the ISA Firewall Supportability Update

https://blogs.technet.com/isablog/archive/2007/09/17/isa-server-2006-supportability-update.aspx

Learn about certificates with multiple Subject Alternative Name (SAN) entries and how they can break ISA Firewall web publishing

https://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx

Find out about the diagnostic improvements in ISA 2004 SP3

https://blogs.technet.com/isablog/archive/2007/08/26/diagnostic-improvements-in-isa-server-2004-service-pack-3.aspx

Find out how to get the password change feature to work in ISA 2006 Web Publishing of OWA sites

https://blogs.technet.com/isablog/archive/2007/08/23/password-change-with-fba.aspx

Excellent ISA Firewall and IAG 2007 blog by Shijaz Abdulla

http://blog.shijaz.com/

7. Blog Posts

8. Ask Dr. Tom

QUESTION: Hey Tom

I've gone through ALL configs over and over again, including the RPC/HTTP troubleshooting checklist at http://blogs.isaserver.org/shinder/2007/06/27/basic-troubleshooting-for-rpchttp-publishing-exchange-2003/ All is OK. HTTPS connections work fine internally. As soon as I test from outside...nothing. Eventually, all connections fail and Outlook goes offline. I have set this up using your tutorial for single Exchange publishing (identical!) as well as similar references on TechNet, Petri, and others. This is Outlook Anywhere only, not OWA (OWA works when I set it up to test, but then I remove the policy to focus on RPC/HTTPS). The log shows a failed connection attempt for the RPC/HTTP rule with an HTTP status code of 0x80004005. I've searched everywhere and can only find cryptic info about this and even less as it applies to ISA. Please refer this to an appropriate post if needed. Please help...I'm at my wit's end. Thank you -Bpatlen

ANSWER: Usually these very difficult to troubleshoot issues are due to certificates, typos, and authentication problems. Check the common names on the certificates and make sure they match what you've done in the Web Publishing Rule. Make sure there are no typos in the certificate names or in the ISA Firewall's Web Publishing Rule. If there is a device in front of the ISA Firewall, make sure it isn't changing the nature of the connection to the ISA Firewall. Make sure the ISA Firewall is a domain member. Consider implementing an integrated or parallel split DNS infrastructure. Finally, make sure the Outlook client has the CA certificate of the issuing CA in its Trusted Root Certification Authorities store. And one more thing - make sure the certificate bound to the Web Listener has a private key.
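The checklist in Tom's answer can be scripted. The following PowerShell is an added example, not part of the original newsletter or of any Microsoft tool: run on the ISA Firewall itself, it verifies that the Web Listener certificate has a private key, that its CN or a SAN entry matches the public name Outlook uses, that it is unexpired and chains to a trusted root, and then opens a TLS session to the public name from the outside-facing side and compares the certificate actually served with the listener's, which exposes any device in front of the ISA Firewall that is terminating SSL. The public FQDN and the thumbprint are placeholders you supply; the script assumes the listener certificate lives in the machine's Personal store.

```powershell
# Added example (not from the newsletter): pre-flight checks for an ISA 2006
# Web Listener certificate used for Outlook Anywhere (RPC/HTTP) publishing.
# Assumptions: run on the ISA server as an administrator; $PublicFqdn is the
# name Outlook is configured to use; $Thumbprint is the listener certificate's
# thumbprint as shown in the listener's properties. Both values are placeholders.
param(
    [string]$PublicFqdn = 'mail.example.com',
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
)

$Thumbprint = $Thumbprint.Replace(' ', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Private key: a certificate imported from a .cer instead of a .pfx has none,
#    and the listener then cannot complete the SSL handshake at all.
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has NO private key; re-import it from the PFX.' }

# 2. Name match: the CN, or a DNS entry in the SAN extension (OID 2.5.29.17),
#    must equal the public FQDN exactly. Outlook rejects anything else.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += ($san.Format($false) -split ',\s*') |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { $_ -replace '^DNS Name=', '' }
}
if ($names -notcontains $PublicFqdn) {
    Write-Warning ("Certificate names [{0}] do not include {1}" -f ($names -join ', '), $PublicFqdn)
}

# 3. Validity and chain: an expired certificate or an untrusted issuer both look
#    like "works inside, fails outside" because internal clients trust the CA.
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
if (-not $cert.Verify()) { Write-Warning 'Chain does not build on this host (check the intermediate CA certificates)' }

# 4. What the outside actually sees: connect to the public name on 443 and compare
#    the served certificate with the listener's. The validation callback accepts
#    any certificate on purpose; the thumbprint comparison below is the real check.
$tcp = New-Object System.Net.Sockets.TcpClient($PublicFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($PublicFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($served.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "Served certificate $($served.Thumbprint) is not the listener certificate; a device in front of ISA is terminating SSL"
    } else {
        'Served certificate matches the Web Listener certificate.'
    }
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it from a machine that reaches the public name the way external Outlook clients do; if you run the last check from the ISA server itself, make sure that the name resolves to the external listener address and not, via split DNS, to the internal Exchange server, or the comparison tells you nothing about the outside path.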

QUESTION: Hi Tom,

First I want to thank you for a great blog and some invaluable help through this website and your books :)

I'm experiencing the described problem. When browsing websites with Windows Media Player video content, Windows Media Player will prompt for credentials. I installed the Firewall Client without any effect. As far as I can see Windows Media Player is still acting as a web proxy client.

How would you ensure that Windows Media Player (or any other program) is actually using the Firewall Client? I've solved the credentials problem by allowing unauthenticated access to html video content. But I would prefer to have all web browsing authenticated. Regards --Eske

ANSWER: This is sometimes caused by setting content type restrictions on an Access Rule. If you have any Access Rules configured to control by content type, you might want to change those so that no content type filtering is done. Also, try enabling the Enable Integrated Windows Authentication (requires restart) option in the Internet Options in Internet Explorer.

QUESTION: Hi Tom,

Hoping you might be able to provide insight? I'm still looking through the Forums but to summarize here is what's happening.

Running Windows 2003 Enterprise R2 with SP2 and ISA 2006 with multiple NICs for Internal, DMZ, WAN and VPN. On Aug 13, I installed the MS updates and patches and lost VPN. All other services seem to work, including a rule for pcAnywhere to a specific internal PC (I know, not safe). Seems the WAN Miniport (PPTP) is gone... Microsoft says uninstall, shut down, restart and use the wizard to reinstall; still no joy, tried 3 times, also uninstalled suggested patches and even tweaked the registry with MS support online. Still, after 15 days, no VPN. Microsoft has no knowledge base article for these errors and is now starting to create a virtual server with our build to troubleshoot.

Thanks! Dandersen

ANSWER: The most likely reason for this kind of mysterious behavior on the ISA Firewall is Windows Server 2003 SP2. This service pack introduced a bug that can stop the ISA Firewall from passing certain types of traffic. For more details, check out http://blogs.isaserver.org/shinder/2007/08/16/windows-server-2003-sp2-rrs-bug-biting-all-over/
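The blog post Tom links to concerns the Scalable Networking Pack offloads (Receive Side Scaling, TCP Chimney and TCPA) that Windows Server 2003 SP2 turns on by default; the usual workaround at the time was to disable them in the registry and reboot. The following PowerShell is an added example, not from the newsletter or from Microsoft, that reports the current state of those three values on the ISA Firewall and, with -Fix, sets them to 0. It assumes the SP2 problem referred to here is that offload issue and that the values live under the standard Tcpip\Parameters key, which is where Windows reads them.

```powershell
# Added example (not from the newsletter): report, and optionally disable, the
# Scalable Networking Pack offloads that Windows Server 2003 SP2 enables by default.
# Assumption: the SP2 problem discussed above is the RSS/TCP offload issue.
# Run as an administrator on the ISA server; a reboot is required after changing them.
param([switch]$Fix)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# 0 = disabled. A missing value means the SP2 default, which is enabled.
$wanted = @{ EnableRSS = 0; EnableTCPChimney = 0; EnableTCPA = 0 }

$props = Get-ItemProperty -Path $key
foreach ($name in $wanted.Keys) {
    $current = $props.$name
    if ($current -eq $null) { $current = 'missing (enabled by default)' }
    if ($current -eq 0) { $state = 'OK' } else { $state = 'ENABLED' }
    '{0,-18} {1,-30} {2}' -f $name, $current, $state
    if ($Fix -and $current -ne 0) {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
}
if ($Fix) { 'Values set; reboot the ISA server for them to take effect.' }
```

Check the output before and after the reboot, because some network drivers re-enable their own offload settings from the adapter's advanced properties independently of these TCP/IP values.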

QUESTION: I read your article about the SSL Security Hole and how ClearTunnel solves the problem. I'm using WebMonitor 4.0 to block downloads of various file types. Right now users are able to download blocked file types over an SSL connection. Will ClearTunnel allow the WebMonitor 4.0 to catch and block these files? We were thinking of using Blue Coat but the prices they charge are insane! Thanks! -Zeke.

ANSWER: Yes! ClearTunnel (www.collectivesoftware.com) closes the SSL Security Hole and allows all of your add-ons to perform application layer inspection of SSL sessions. ClearTunnel is very flexible and extremely easy to configure. If you compare it to Blue Coat, I think you'll find ClearTunnel is less expensive, easier to configure, and provides higher performance per dollar than Blue Coat. You can get details on ClearTunnel from my review at http://isaserver.org/tutorials/Product-Review-Collective-Software-ClearTunnel.html

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
