ISAserver.org Newsletter of April 2008

ISAserver.org Monthly Newsletter of September 2008 Sponsored by: GFI

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Web security and Web filtering for ISA Server

Monitor, control and protect your ISA Server users with filtering policies, real-time monitoring and multiple virus scanning engines. GFI WebMonitor - the most popular security and monitoring solution for ISA Server!

Try out GFI WebMonitor for ISA Server today - Download a free 30-day trial!

1. Putting Your ISA Firewall to Work

I had the chance to go through a network security review for a company on the West Coast of the US last week. One component of the review was the configuration of the ISA firewall and a plan for putting the ISA firewall to its best use going forward. Essentially, what they wanted to do was put their "ISA firewall to work".

I thought this was a great way to approach their ISA firewall. They were currently using the ISA firewall to publish OWA and SharePoint, and they were also using it to provide outbound access to the Internet. However, they knew that they were only scratching the surface of what the ISA firewall could provide. They wanted to take full advantage of their firewall purchase and bring their network security configuration "up to code".

As you know, the ISA firewall can do a number of things. We often call it the "Swiss Army knife of firewalls" because it fits into so many different deployment scenarios. The ISA firewall can be a network firewall, a Web proxy server, a remote access VPN server and a site-to-site VPN gateway. You can deploy multiple ISA firewalls so that each is dedicated to one of these duties, or you can combine multiple roles on the same ISA firewall. The key decision point is determining what the firm's requirements are and then deploying and configuring the ISA firewall to meet those requirements.

We came up with the following requirements:

  • Users need remote access to Exchange mail services and Exchange ActiveSync
  • Users need remote access to the corporate SharePoint site
  • Users need access to files contained on file servers from remote locations
  • Users need access to applications located on their desktop computers from remote locations
  • Users need to be protected from dangerous Web sites 
  • Users need to be authenticated before being allowed access to the Internet
  • Users need access to all protocols for outbound access
  • Logging information is required so that IT can determine Internet usage patterns and compliance with Internet use policy

In order to provide remote access to file servers and applications, they were allowing users to connect over a remote access VPN connection. I let them know that while we could configure the ISA firewall to restrict user activity over the VPN connection, there may be lower-overhead solutions that are easier to manage and support, since PPTP and L2TP/IPsec are sometimes problematic due to NAT traversal issues.

Based on this customer's requirements, some of my recommendations included:

  • Deploy two ISA firewalls - one for inbound access and one for outbound access. You will find that you will get better overall performance by separating your inbound and outbound access firewalls, and policies will be easier to manage
  • On the inbound ISA firewall, create a Web Publishing Rule for SharePoint
  • On the inbound ISA firewall, create a Web Publishing Rule for OWA
  • On the inbound ISA firewall, create a Web Publishing Rule for Exchange ActiveSync
  • Configure the HTTP Security Filter to secure the inbound connections to the published services
  • Configure the inbound ISA firewall to pre-authenticate the connections before allowing the connections to be passed to the published servers.
  • Deploy Terminal Services Gateway and configure Terminal Services RemoteApp to provide the applications remote users need access to, including Windows Explorer, which will give users remote file access
  • On the inbound ISA firewall, create a Web Publishing Rule for Terminal Services Gateway
  • On the outbound ISA firewall, create an "all open" rule for authenticated users
  • All user computers are to be configured as Firewall and Web Proxy clients
  • A third party application was recommended to plug into the ISA firewall to perform Web filtering
  • Remote Access VPN rights should be removed from all users except for IT
  • Deploy a Windows Server 2008 SSTP VPN server behind the ISA firewall and publish that SSTP VPN server using the ISA firewall

There were a number of other recommendations I made, and, of course, I included the details of the configuration and authentication methods they should use. The point is that this firm was using only a tiny portion of the ISA firewall's security features. After implementing my recommendations, they'll use many more of the features that they paid for and will see a significant increase in the level of their network security.

How about you? Are you getting the most out of your ISA firewall? Are you just using your ISA firewall to publish OWA? Publish SharePoint? Support anonymous outbound access for SecureNAT clients? If so, then it's time to put your ISA firewall to work! You paid for the firewall, you should get the most out of it. Take some time to figure out what your requirements are, and consider how the ISA firewall's security feature set can help you meet those requirements to bolster your network security.

And if you need help, you know that you can always come to ISAserver.org to get the information you need. Check out the articles and the blog posts, and then head on over to the Web boards at http://forums.isaserver.org and ask questions. We have a great community and there's sure to be someone who can give you a hand.

Until next month - Tom.

Before leaving you this month, I want to thank all of you for the kind notes of congratulations regarding my joining Prowess Consulting. We have a great team there, and if you're interested in more complex ISA firewall consulting, we have a great team who is happy to help you with design, deployment, configuration and management of your ISA firewalls. Also, if you're interested in ISA firewall managed services, we can help you with that too. Fire me a note at shinder@prowessconsulting.com and we'll get the wheels in motion. We can also help you with deploying any of the Forefront products, including ISA.

=====================
Quote of the Month - "As scarce as the truth is, the supply has always been in excess of the demand". - Josh Billings
=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

5. Tip of the Month

Have you seen this error?

Description: ISA Server detected routes through the network adapter WAN that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: [x.255.255.255]. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

Sure you have! Check out this link to find a good discussion of the problem and a solution.
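The rule in that event text is mechanical: every destination the routing table sends through a network's adapters must lie inside the network's address ranges, and every address in the ranges must be reachable through one of those adapters. The following Python script is an added illustration, not ISA's own code; it applies both checks to a constructed network definition and routing table (the address ranges, routes and adapter name are made up for the example).

```python
"""Compare an ISA array-level network definition with the routes that go
through its adapters (added example; constructed data, not ISA's own code).
Mismatch 1: a destination routable via the adapter but outside the network's
ranges -> packets from it are dropped as spoofed.
Mismatch 2: a range in the network that no route reaches via the adapter ->
the "not routable through any of the network's adapters" event."""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def ranges_to_networks(ranges: Iterable[Tuple[str, str]]) -> List[Net]:
    """ISA defines a network as first-last IP ranges; convert to CIDR blocks."""
    nets: List[Net] = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return list(ipaddress.collapse_addresses(nets))


def subtract(nets: List[Net], others: List[Net]) -> List[Net]:
    """Return the parts of `nets` not covered by any block in `others`."""
    result = list(nets)
    for o in others:
        remaining: List[Net] = []
        for n in result:
            if n.subnet_of(o):
                continue                       # fully covered: drop it
            if o.subnet_of(n):
                remaining.extend(n.address_exclude(o))  # carve out the hole
            else:
                remaining.append(n)            # disjoint: keep as-is
        result = remaining
    return list(ipaddress.collapse_addresses(result))


def check_network(ranges: Iterable[Tuple[str, str]], routes: Iterable[str]):
    """`routes`: CIDR destinations the routing table sends via this network's
    adapters. Returns (routable_but_not_in_network, in_network_but_not_routable)."""
    net = ranges_to_networks(ranges)
    rts = list(ipaddress.collapse_addresses(ipaddress.ip_network(r) for r in routes))
    return subtract(rts, net), subtract(net, rts)


if __name__ == "__main__":
    # Constructed sample: Internal network defined as 10.0.0.0-10.0.0.255 plus a
    # stray broadcast address, while the LAN adapter also routes 10.1.0.0/16.
    ranges = [("10.0.0.0", "10.0.0.255"), ("10.255.255.255", "10.255.255.255")]
    routes = ["10.0.0.0/24", "10.1.0.0/16"]
    spoof_dropped, unroutable = check_network(ranges, routes)
    print("routable via adapter but not in network (dropped as spoofed):", spoof_dropped)
    print("in network but not routable via its adapters (event text):", unroutable)
```

The fix in either direction is to edit the network's address ranges (or the routing table) until both lists come back empty.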


6. ISA Firewall Links of the Month

ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org 

7. Blog Posts

8. Ask Dr. Tom

QUESTION:

Hi Tom,

I have been running ISA 2006 in my network for quite some time, without issue. However, that has all changed. I now get the following error on all of my clients when trying to get out to the Internet via this server.

Error Code: 407 Proxy Authentication Required. The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. (12209)

Only firewall-supported messengers like Yahoo open, but they cannot go into their chatrooms, and sometimes a client can access any website without the 407 error, but after 5 minutes the problem is back again.
What could be the problem?

Thanks! Intasar

ANSWER:

The most common cause for this problem is that you have enabled the "Require all users to authenticate" option on the outbound Web Proxy listener for the ISA firewall Network from which the clients are connecting. Disable that option and enforce authentication in your Access Rules instead.

QUESTION:

Hi Dr. Shinder,

I was wondering if you had an article on making ISA Server 2006 the default access to the outside world. I created a subdomain within our charity.org, so it's abc.charity.org; I also installed CA root certificates following your articles and configured OWA. But I can't seem to control the access and make sure everyone accesses the Internet via the ISA firewall. I am a newbie in this field. I thank you for your hard work and articles. I would be grateful if you could point me in the right direction. Do I need to install the Firewall client? I tried proxy but I get the network error message all the time. Should I be using DNS to point or divert the traffic to ISA? I wouldn't mind if it's an old article as long as I get a clear idea/understanding.

With Regards, Polat.

ANSWER:

Hi Polat,

I think the best place for you to start is to learn about the ISA client types. There are three ISA client types: SecureNAT client, Web Proxy client and Firewall client. The SecureNAT client doesn't require any software installation; you just need to configure it with a default gateway that provides a path to the Internet through the ISA firewall. The Web Proxy client requires that you configure the Web browser to use the ISA firewall as its Web Proxy server. The Firewall client requires that you install the Firewall client software and configure the ISA firewall to support the Firewall client configuration.

Check out this link for an excellent review of the ISA client types. Focus on the client type configuration before you get into more complex concepts, such as publishing OWA servers. When you’re ready, you can go here to find a number of useful articles on how to publish OWA.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
