The #1 unofficial ISA Server resource site

ISAserver.org Special Summer Newsletter Edition

Sponsored by: GFI Software Ltd.

In this issue: Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

GFI WebMonitor for ISA Server FREEWARE - Monitor & block web browsing in real time

GFI's WebMonitor for ISA Server is a freeware utility for ISA server that allows you to monitor the web sites being browsed by network users and the files they are downloading - in REAL TIME. It also allows administrators to block current web connections as needed.

Click here to download the fully functional freeware version.



1. The ISA 2004 Firewall's Dirty Dozen

By Dr. Thomas W Shinder

There are a handful of questions asked over and over again on the ISAServer.org message boards and mailing list. These same questions are asked on the ISA firewall public newsgroups. In order to make life a more straightforward proposition for all of us, I've collected the top 12 most frequently asked questions and my answers. The order I list these questions is not important - it's just the order that they came to mind.
1.  I want to have multiple external interfaces on my ISA 2004 firewall. How do I set this up?

The ISA 2004 firewall can support multiple external interfaces. However, only one of those interfaces can be configured with a default gateway. Any other external interface will need to use information in the ISA 2004 firewall's routing table to reach remote locations. If you want to use multiple Internet interfaces on the ISA 2004 firewall, then check out an excellent product from Rainfinity named RainConnect. The RainConnect software allows you to have as many Internet connections as you like. In addition, RainConnect will allow you to publish servers using multiple Internet connections - something not possible with cheap NAT router solutions that allow multiple Internet connections.

2.  My Yahoo/AOL/MSN/Windows Messenger isn't working. How do I fix this?

Instant messaging software represents a significant risk to your network. Files can be transferred through the IM channels, and even if files aren't transported, a significant amount of proprietary information can traverse the IM channel without you being able to detect or block it. One solution to this problem is to use a product like the Akonix L7. Using L7, you can control which users can access IM channels and also block peer to peer applications. But to answer the question: the instant messengers each use their own protocols, and these are included in the default protocol list that ships with the ISA 2004 firewall. Although most of the IMers allow you to use the Web proxy component of the ISA 2004 firewall to access the Internet, you should not configure them to use the Web proxy. Instead, use strong user/group authentication using the Firewall client. For information on how to use the MSN Instant Messenger, check out http://www.microsoft.com/technet/prodtechnol/isa/maintain/isaimsec.mspx. For Yahoo and AOL IMers, make sure the client is a Firewall client and configure an Access Rule allowing connections to the IMer's port.

3.  I put Exchange on my ISA 2004 firewall and OWA/SMTP/POP3/IMAP4/NNTP isn't sending/receiving. How do I fix this?

I can't emphasize strongly enough that you should NOT put extraneous software on the ISA 2004 firewall machine. Applications and services such as Microsoft Office, Microsoft SQL Server, Microsoft Exchange, Microsoft SharePoint Portal Server, Microsoft Systems Management Server and any other service or application should not be installed on, and should not be run on, the ISA 2004 firewall machine. This recommendation includes not running the Web browser on the ISA 2004 firewall machine. The firewall is the focal point of your network security. You do not want to jeopardize network security by significantly increasing the firewall's attack surface. Put Exchange on an internal network server and publish the OWA/SMTP/POP3/IMAP4 and NNTP services using Web and Server Publishing Rules.

4.  My Secure Exchange RPC Server Publishing rule and/or my Exchange RPC over HTTP Web publishing rule isn't working. I did everything you mentioned in the ISA/Exchange Kit. What's wrong?

Secure Exchange RPC publishing and Exchange RPC over HTTP publishing suffer from a similar problem: the absolute lack of guidance from the Microsoft Exchange team on how to correctly configure a name resolution infrastructure to support these remote access solutions. Have you ever wondered how the Outlook client resolves the name of the Exchange Server? Does it use only the NetBIOS name? Does it use the FQDN? Does it sometimes use the NetBIOS name and sometimes use the FQDN? Do different versions of Outlook resolve the Exchange Server's name differently? Can you find this information anywhere on the Microsoft Exchange Web site? Does the information in this KB article actually help you? http://support.microsoft.com/default.aspx?scid=kb;en-us;q155048. How about this one? http://support.microsoft.com/default.aspx?scid=kb;en-us;837391.

The best solution to your secure Exchange RPC publishing and RPC over HTTP publishing problems is the split DNS. The split DNS allows you to use the same names on the internal network and from remote locations. You can find more information on configuring a split DNS and how to configure the Outlook client by reading You Need a Split DNS at http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html and the ISA 2000/Exchange Kit at http://www.isaserver.org/news/exchangekit.html.

5.  My Firewall client shows a red arrow on it and can't contact the ISA firewall. What's up with that?

There are a number of reasons why the Firewall client will not connect to the ISA 2004 firewall. The most common reason is that the name can't be resolved. By default, the Firewall client configuration on the ISA 2004 firewall uses the NetBIOS name of the ISA 2004 firewall and sets the Firewall client machine to use this name. If the client machine can correctly fully qualify this name, then the connection will succeed. If the Firewall client cannot correctly fully qualify this name, then the connection may not succeed, depending on whether the ISA 2004 firewall is a WINS client and the Firewall client machine is configured to query the correct WINS server. In most cases, the ISA 2004 firewall and the Firewall client machine will belong to the same domain, so the client system will be able to correctly fully qualify the ISA 2004 firewall's name. However, there are circumstances when you do not join the ISA 2004 firewall to the domain and instead configure user accounts on the ISA 2004 firewall itself. In that case, the Firewall client systems will not, by default, be able to correctly fully qualify the NetBIOS name of the ISA 2004 firewall and the Firewall client connection will fail. In this case, you need to configure the Firewall client machine with a Primary DNS Suffix that will allow the NetBIOS name of the ISA 2004 firewall to be correctly fully qualified, and this name must resolve to the IP address on the internal interface of the ISA 2004 firewall. The alternative is to have a functional WINS infrastructure in place.

6.  I need user names in the log files and I need to control access based on user/group account. I don't want to install the Firewall Client or configure the browsers as Web Proxy clients. What's the next step?

There is no next step. In order to control access based on user/group and to get user names in the Firewall and Web proxy log files, you must configure the clients as Firewall and/or Web proxy clients. A Web proxy client is any machine that has its browser configured to use the ISA 2004 firewall as its Web proxy server. You do not need to touch the client machines to make them Web proxy clients. The default configuration in Internet Explorer is to use autodiscovery. When configured to use autodiscovery, the Internet Explorer browser will automatically search for wpad entries in DNS and/or DHCP and configure itself. The Web proxy client authenticates when required for HTTP, HTTPS and HTTP-tunneled FTP (Web proxy client) connections. A Firewall client is any Windows machine that has the Firewall client software installed. Like the Web proxy client configuration, you do not need to touch the machines to install and configure the Firewall client. You can transparently install the Firewall client software using SMS or Group Policy. The Firewall client also can use wpad entries to automatically find the ISA 2004 firewall and configure itself. Firewall clients will send user name information to the ISA 2004 firewall whenever a Winsock TCP or UDP request is made to the Internet. For details on automatic Web Proxy and Firewall client configuration, check out the ISA Server 2000 in Education Kit at http://isaserver.org/tutorials/isaedukit.html.

7.  I want to put my ISA Server between two "firewalls" and put a single NIC in the ISA firewall. I need all the features available in ISA 2004, including Firewall client support. How do I do this?

While this is possible, it's not a supported configuration. The single NIC configuration is never supported for the Firewall client. However, it is possible to put a single NIC ISA 2004 firewall in the DMZ and perform both Web and Server Publishing using what I call the "ISP co-lo Configuration". This configuration will allow you to publish all protocols using Web and Server Publishing Rules. However, I highly recommend that you reconsider your configuration. The ISA 2004 firewall is a true network firewall and provides a higher level of security and access control than most of the firewalls on the market today. To get the most out of the ISA 2004 firewall, you should remove the back-end packet filtering firewall and replace it with the ISA 2004 firewall. Another alternative is to put the ISA 2004 firewall in parallel with the current firewall, and put your more secure network assets behind the ISA 2004 firewall and publicly accessible sites behind the packet filtering firewall. This topology allows you to leave the current front-end firewall in place while fully enabling the security and access control features in the ISA 2004 firewall on the back end. Stay tuned to www.isaserver.org for an article on how to configure the ISA 2004 co-lo configuration. I should have it complete within a week.

8.  I want to run a Web/FTP/NNTP/Quake/Kazaa/Morpheus server on my ISA firewall. I've created the right Access Rules, but it doesn't work. Why?

I strongly recommend that you do not install any extraneous software on the firewall. While it's fine to install additional software on the ISA 2004 firewall to enhance the firewall's feature set, it is not appropriate to install Web servers, FTP servers, news servers, Quake servers, Kazaa servers or clients or any other non-firewall related software on the ISA 2004 firewall machine. Remember, the ISA 2004 firewall is the focal point for perimeter network security and each application or service you install on the ISA firewall increases the attack surface of the firewall. You do not want to increase the attack surface of the firewall, as this increases the probability that the firewall can either be compromised or overcome.

9.  How do I get Internet Explorer/Outlook Express/Hello Kitty working on the ISA firewall? I tried to create packet filters, but the ISA 2004 firewall doesn't have a packet filter feature.

The ISA 2004 firewall does not have an explicit packet filter configuration interface because stateful filtering is inherent in all the ISA 2004 firewall Access Rules. You need to create Access Rules to control inbound and outbound access to and from the ISA 2004 firewall machine itself. For example, if you need to allow outbound SMTP from the ISA 2004 firewall, you can create an SMTP Access Rule from the Local Host Network to the External network; this type of rule would be required if you wanted to use the ISA 2004 firewall as an outbound SMTP relay. I strongly recommend that you do not run Outlook Express or Hello Kitty on the ISA 2004 firewall itself.

10.  I can't get POP3 and/or FTP working. I don't want to install the firewall client. How do I get mail and FTP files?

You don't need to install the Firewall client to access POP3 or FTP sites on the Internet. The only requirement is that the client is able to resolve the name of the server it needs to connect to and that there is an access rule that enables name resolution and access to the POP3 and/or FTP protocols. Name resolution is often a problem because it's handled differently for SecureNAT, Web proxy and Firewall clients. POP3 is a simple protocol requiring a single connection on TCP port 110. In contrast, FTP is a complex protocol requiring secondary connections to be made inbound from the FTP server. In this case, you either need to install the Firewall client, or use the FTP Access application filter included with the ISA 2004 firewall. SecureNAT clients can use the FTP Access application filter to support the secondary connections. If you're running into problems with FTP, make sure the FTP Access application filter is enabled.

11.  How do I see the files in the cache? Also, how do I prevent sites from being cached? Oh, and one more question, how do I clear the cache?

At this time you cannot view the files in the ISA 2004 firewall's Web proxy cache. The cachedir.exe tool included with ISA Server 2000 firewalls is not included with ISA 2004.

12.  Tech Support told me to "open ports X, Y and Z". How do I do this?

This is one of the most common issues we encounter. The term "open a port" means nothing and it implies that firewalls are akin to "peg-boards" (http://www.morleyathletic.com/images/M13392.jpg) where you "poke holes" in the firewall/peg-board and let "stuff" through. The TCP/IP protocol suite does not work like this and that's the reason why you've never seen a firewall with an "open port" button. In order to allow traffic through the ISA 2004 firewall (or any firewall), you need to know what protocols are required, the direction of the protocol, and what protocols are used for primary and secondary connections. For example, when you use FTP in PORT (standard) mode, the primary connection is made outbound from the FTP client to the FTP server on TCP port 21. Then the FTP server establishes a new secondary connection to the client from its own TCP port 20 to a high-numbered port on the external interface of the ISA 2004 firewall. If you were to ask tech support what ports to open for FTP, would they say "open ports 21 and 20"? Maybe, but who knows, since "open a port" doesn't mean anything. It's the Internet application vendor's responsibility to provide this information to you. Otherwise, you will need to use a network analyzer (like Network Monitor or Ethereal) and figure out what protocols, directions, primary and secondary connections are required. Make sure to bill the application vendor for the time you spend trying to figure out their application!
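The primary/secondary connection distinction in questions 10 and 12 is exactly what an FTP application filter has to track. The following Python model is an added example, not the code of ISA's FTP Access application filter: it accepts the inbound data connection only after the control channel announced it with a PORT command, and only once; NAT address rewriting is left out, and all addresses are constructed.

```python
import re
from dataclasses import dataclass, field

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20
# PORT h1,h2,h3,h4,p1,p2 : the client's listening socket for the next data connection
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass
class FtpFilter:
    """Toy model of an FTP application filter for PORT (standard) mode.
    The inbound secondary connection is allowed only after the control channel
    announced it, and each announcement authorizes exactly one connection."""
    control: set = field(default_factory=set)          # (client, server) pairs with an allowed control session
    expected_data: dict = field(default_factory=dict)  # (client_ip, client_port) -> server_ip

    def outbound_connect(self, client_ip, server_ip, dst_port):
        # Primary connection: client -> server:21, as permitted by the FTP Access Rule
        if dst_port != FTP_CONTROL_PORT:
            return False
        self.control.add((client_ip, server_ip))
        return True

    def control_line(self, client_ip, server_ip, line):
        # Inspect each command on the control channel; remember what a PORT command announces
        if (client_ip, server_ip) not in self.control:
            return False
        m = PORT_RE.match(line)
        if not m:
            return True  # other commands are passed through untouched
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        announced_ip = f"{h1}.{h2}.{h3}.{h4}"
        if announced_ip != client_ip:
            return False  # a client may only announce a data connection to itself
        self.expected_data[(client_ip, p1 * 256 + p2)] = server_ip
        return True

    def inbound_connect(self, src_ip, src_port, dst_ip, dst_port):
        # Secondary connection: server:20 -> client:<port announced in PORT>
        key = (dst_ip, dst_port)
        if src_port != FTP_DATA_PORT or self.expected_data.get(key) != src_ip:
            return False
        del self.expected_data[key]  # one PORT command authorizes exactly one data connection
        return True


def demo():
    """Walk one constructed session and return the filter's verdicts in order."""
    fw = FtpFilter()
    client, server = "192.168.1.10", "203.0.113.5"  # constructed sample addresses
    return [
        fw.outbound_connect(client, server, 21),                   # control channel: allowed
        fw.inbound_connect(server, 20, client, 1025),              # data before any PORT: denied
        fw.control_line(client, server, "PORT 192,168,1,10,4,1"),  # announces port 4*256+1 = 1025
        fw.inbound_connect(server, 20, client, 1025),              # matching data connection: allowed
        fw.inbound_connect(server, 20, client, 1025),              # same connection again: denied
        fw.control_line(client, server, "PORT 192,168,1,99,4,2"),  # PORT naming another host: denied
    ]


if __name__ == "__main__":
    print(demo())
```

The second verdict is the whole point of question 12: "opening port 20" inbound would not help, because the firewall only knows which high-numbered port to expect after it has read the PORT command on the control channel.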
Do you think there's a common ISA firewall question I didn't cover here? If so, let me know! Send me a note to tshinder@isaserver.org and I'll answer the question in the next newsletter. Thanks! -Tom.

2. Tom and Deb Shinder's Configuring ISA Server 2004 - Pre-order Today!

By Thomas W Shinder

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder are preparing for you their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA Server 2004 and they'll be sharing the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is going to be even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Pre-order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.







3. ISAserver.org Learning Zone articles of Interest


We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month


Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

5. Post of the Month


Are you thinking of putting a Web server in a DMZ segment and then allowing that server access to a SQL server located behind an ISA 2000 firewall between the DMZ and the Internal network? If so, you'll do yourself well to heed these recommendations by security guru Tim Mullen (Thor):
"To add to the previous (and excellent) points of Shawn and The Good Doctor, I would *highly* recommend considering populating the DMZ with its own SQL server (with proper licensing, of course.)

Any leveraging of SQL injection-type attacks would afford an attacker the luxury of executing code on a box within your internal network. Further, from an authentication standpoint, I would imagine that your internal SQL box (assuming MS SQL) would have to be configured to accept Mixed-mode authentication (with the ADODB connection strings containing user credentials) -- a far weaker authentication model than NT-based authentication -- that or (heaven forbid) you've got shared domain membership between the DMZ web server's IUSR account for the internal SQL box to accommodate authentication of the web application's requests for data. In either case, a compromise of the web server would give an attacker credentials that could be used on your internal network, as well as a direct path (1433) into your network.

A DMZ-based SQL box could be locked down, and the internal box could utilize one-way transactional replication to the DMZ. In this model, there is no static port open to the internal network, there are no shared credentials (the internal box's replication push would use creds on the DMZ box and not the other way around) and any compromise would leave the attacker in the DMZ. Further, the available data on the DMZ box would be limited to that required by the application. My bet is that your internal SQL box has data above and beyond that required by the web app."
Thanks Tim!
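A check that follows from Tim's point about credentials living in ADODB connection strings, added here as an example and not part of the original post: it scans a constructed global.asa fragment for OLE DB / ODBC-style connection strings and flags those that carry a SQL login (Mixed Mode) rather than Windows authentication. Key names follow the common OLE DB and ODBC conventions; the parser does not handle quoted values containing ';'.

```python
import re

# Keys that carry a SQL Server login (Mixed Mode) inside the connection string ...
CREDENTIAL_KEYS = {"user id", "uid", "password", "pwd"}
# ... and the keys that request Windows (NT-based) authentication instead.
INTEGRATED_KEYS = {"integrated security": {"sspi", "true", "yes"},
                   "trusted_connection": {"yes", "true"}}

# Constructed sample: one app talks to an internal SQL box with a SQL login,
# the other to a DMZ SQL box with Windows authentication.
SAMPLE_GLOBAL_ASA = """
' constructed sample of a DMZ web application's global.asa
Application("Orders") = "Provider=SQLOLEDB;Data Source=sql-internal;Initial Catalog=Orders;User ID=webapp;Password=s3cret"
Application("Catalog") = "Provider=SQLOLEDB;Data Source=sql-dmz;Initial Catalog=Catalog;Integrated Security=SSPI"
"""


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip().strip("\"'")
    return pairs


def audit_connection_string(conn):
    """Return findings for one connection string: embedded SQL logins, blank
    passwords, and strings that name no authentication method at all."""
    p = parse_connection_string(conn)
    findings = []
    embedded = sorted(k for k in p if k in CREDENTIAL_KEYS)
    integrated = any(p.get(k, "").lower() in ok for k, ok in INTEGRATED_KEYS.items())
    if embedded:
        findings.append("embedded SQL login (Mixed Mode): " + ", ".join(embedded))
        if any(p.get(k) == "" for k in ("password", "pwd") if k in p):
            findings.append("blank password")
    elif not integrated:
        findings.append("no authentication method specified")
    return findings


def audit_config(text):
    """Find connection strings in a config fragment and audit each one.
    A string is recognised by its leading Provider=, Driver=, Data Source= or
    Server= key and runs to the closing quote or end of line."""
    results = {}
    for m in re.finditer(r"""(?i)(?:Provider|Driver|Data Source|Server)=[^\n"']+""", text):
        conn = m.group(0)
        results[conn] = audit_connection_string(conn)
    return results


if __name__ == "__main__":
    for conn, findings in audit_config(SAMPLE_GLOBAL_ASA).items():
        print(conn.split(";")[1], "->", findings or ["ok"])
```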




6. ISA Server Links of the Month


There's a slew of new ISA 2004 information on the Microsoft Web site. Here are a few of the must read articles for anyone who's getting ready to roll out a new ISA 2004 firewall:

ISA Server 2004 Performance Best Practices
http://www.microsoft.com/technet/prodtechnol/isa/2004/performancebestpractices.mspx

HTTP Filtering in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

Link Translation in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/linktranslation.mspx

MIME Type in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/mimetypes.mspx

Configuring the ISA Server Computer as a DHCP Server
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isaondhcpserver.mspx

As always, there's lots more, but you'll have to wait for next month ;)

7. Ask Dr. Tom


QUESTION: Hi Tom! I'm having a heck of a time getting RPC over HTTP to work through my ISA 2000 firewall. I think I've done everything you said to do in the ISA 2000 Exchange Kit, but I can never seem to make the connection. Any help on this one? Thanks! --Kris L.

ANSWER: The Outlook 2003 RPC over HTTP feature is very cool and a real life saver for users who are behind restrictive firewalls or ISPs that block the RPC endpoint mapper outbound (TCP 135). There are several things I commonly see when ISA firewall administrators fail to get a good RPC over HTTP solution working.

First, make sure the Outlook 2003 client computer has the CA certificate of the root CA that issued the certificate to the RPC over HTTP Web site. Unlike Internet Explorer, which can prompt the user to access sites that are not trusted by the computer, the RPC over HTTP mechanism has no user interface that allows you to connect to the RPC over HTTP Web site if your computer doesn't trust the CA issuing the certificate.

Next, make sure the GCs, DCs and the RPC over HTTP proxy machine are all Windows 2003 machines. This is an extremely common reason for failure. Many times I'll be called in on an RPC over HTTP publishing problem and the issue isn't the ISA firewall or RPC over HTTP proxy server, it's the fact that one or more of the GCs is a Windows 2000 machine. That just won't work, so you can stop beating your head over RPC over HTTP if you have any Windows 2000 GCs or DCs.

Finally, make sure your Outlook 2003 machine can correctly resolve the name of the RPC over HTTP proxy. The best and most reliable configuration is a split DNS. For example, if you configure the RPC over HTTP proxy settings in the Outlook client to use rpcproxy.domain.com, you want to make sure that when the client machine is on the internal network that this name resolves to the RPC over HTTP proxy machine's internal IP address, and when the Outlook 2003 machine is on an external network that the name resolves to the external address on the ISA firewall that's being used by the Web Publishing Rule that publishes the RPC over HTTP proxy. The split DNS is the Way, the Truth and the Light for all organizations that require remote access to published resources. You can find more information on the split DNS in the ISA 2000 Exchange Kit over at http://isaserver.org/news/exchangekit.html.
