[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] SMB Nation day two - part two - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sat, Sep 11 2004 11:34 bradley

SMB Nation day two - part two

Eugene Ho at SMB Nation just said that ISA 2004 would be available for Premium-only customers [like duh on that one, of course], and that it would be available for shipping/fulfillment costs only [snail mail one cost, express mail a higher cost].

So that's official, folks: ISA 2004 will NOT be an additional software purchase on the SBS 2003 platform.  We do need to wait for SBS 2003 SP1, which is sometime early next year.  Again, we need to wait until Windows 2003 SP1 ships.

Patience, folks!  But remember, it will NOT be an additional charge.


# SBS 2003 Deployment Halted

Monday, September 13, 2004 8:49 AM by TrackBack

Well, unfortunately I have had to halt my deployment of SBS 2003 for a while. I really don't WANT to, but I seem to have pushed SBS to its limit in regard to my particular needs. To be honest, the limitation isn't actually in SBS, but in ISA 2000. Let me give you some background so you can see what I have come up against.

As you may have previously read, I have a need for an SBS 2003 machine that is hosting Outlook Web Access (OWA) and Outlook Mobile Access (OMA) for external parties, clients and virtual employees around the Net. The idea is that I can create a virtual office in our DMZ without having to expose critical business resources not needed by these users to the outside. SBS 2003 looked like a perfect solution, and I went hunting.

To reduce the attack surface of the machine while ensuring strong audit trails, I require that ALL connections coming into these services (actually ALL services except incoming SMTP) be authenticated to Active Directory. My goal is to eliminate the potential compromise of unknown threats that may be exposed from vulnerable code or services that may exist along the code execution path between the OWA front end with IIS to the Exchange back end. It also reduces the risks of poorly configured or unknown services that may be running when they shouldn't be. Since the circle of trust for this group of users is quite small, I have a relative level of assurance that I can mitigate most risks by simply removing the ability to connect to the server anonymously and do bad things that they shouldn't. By removing the ability for an adversary to even throw a connection request at the IIS box without authenticating, I get that assurance level.

Anyways, I have had the opportunity to discuss with Microsoft my needs, my concerns, and my deployment requirements. What I found out was that there is a design limitation in ISA 2000 that prevents this from working correctly. *sigh* I am told that the ISA dev team is already aware of this and they made big changes in ISA 2004 to address this. This enhances the security for remote access to OWA by preventing unauthenticated users from contacting the OWA server at all. Knowledge Base article 838704 discusses how this now works in ISA 2004. So, looks like I am out of luck until ISA 2004 is freely available to work properly with SBS 2003.

The GREAT news is that, as Susan has reported from her findings at SMB Nation, ISA 2004 will be available FOR FREE with SBS 2003 SP1, and will include new wizards to support it. Only issue is that the roadmap has the availability of SP1 in the beginning of next year. So what do I do now? Well, knowing Microsoft's normal roadmap delays, I simply cannot wait until then for this project. Chances are that's a year away. (Go ahead and debate the roadmap all you like... I am STILL waiting for W2K SP5 that was supposed to be delivered at the beginning of the year, which includes the new filter manager code.) As such, I am going to look at the impact of manually rolling ISA 2004 onto SBS 2003. This has the potential of breaking some security policies on SBS, so I will need some time to reflect on the impact of this. I notice all the SBS sites warn that running ISA 2004 on SBS is "unsupported", but no one says it can't be done. Guess we will see what happens....
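The trackback above describes a perimeter design in which the proxy authenticates every caller against the directory before a single request reaches the OWA/IIS box, with incoming SMTP as the only exception. The following Python model illustrates that design as an added example; it is not code from this blog, from ISA, or from Microsoft. The directory, the `Backend` stand-in, `proxy()`, `make_request()` and the audit list are all constructed for the illustration; a real deployment would validate against Active Directory and speak HTTP rather than pass dictionaries around.

```python
"""Model of perimeter pre-authentication in front of an OWA back end.

Added illustration, not the blog's or ISA's code. Every name here is
constructed: DIRECTORY stands in for an Active Directory lookup, Backend
stands in for the IIS/OWA front end that must never see anonymous traffic.
"""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed user directory (stand-in for the Active Directory check).
DIRECTORY = {"alice": "correct horse battery staple"}

# Services the proxy lets through without authentication. The trackback
# exempts only incoming SMTP from the pre-authentication requirement.
OPEN_PATHS = frozenset({"/smtp"})

# Audit trail of every decision the proxy makes (accepted and rejected).
AUDIT = []


@dataclass
class Backend:
    """Stand-in for the OWA/IIS server behind the proxy."""
    requests_seen: list = field(default_factory=list)

    def handle(self, path, user):
        self.requests_seen.append((path, user))
        return 200, f"served {path} for {user or 'anonymous'}"


def make_request(path, user=None, password=None):
    """Build a constructed request; adds a Basic Authorization header if creds given."""
    headers = {}
    if user is not None and password is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return {"path": path, "headers": headers}


def _authenticate(header):
    """Return the username if the Basic credentials are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    expected = DIRECTORY.get(user)
    if expected is None:
        return None
    # Constant-time comparison so a rejected login leaks no timing information.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def proxy(request, backend):
    """Forward to the backend only after the caller is authenticated.

    For a protected path, an unauthenticated request is answered here at the
    perimeter with 401 and the backend is never contacted, which is exactly
    the property the trackback wants from ISA.
    """
    path = request["path"]
    if path in OPEN_PATHS:
        AUDIT.append(("allow-open", path, None))
        return backend.handle(path, None)
    user = _authenticate(request["headers"].get("Authorization"))
    if user is None:
        AUDIT.append(("reject", path, None))
        return 401, "authenticate at the perimeter first"
    AUDIT.append(("allow", path, user))
    return backend.handle(path, user)


if __name__ == "__main__":
    be = Backend()
    print(proxy(make_request("/owa"), be))                # 401, backend untouched
    print(proxy(make_request("/owa", "alice", "wrong"), be))
    print(proxy(make_request("/owa", "alice", DIRECTORY["alice"]), be))
    print(proxy(make_request("/smtp"), be))               # open path, no auth
    print("backend saw:", be.requests_seen)
    print("audit:", AUDIT)
```

The useful check is the backend's `requests_seen` list: after the anonymous and wrong-password attempts it is still empty, so nothing on the IIS side (a handler, a filter, a misconfigured service) ever ran for those callers, while the audit list still records that they tried.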