April 2004 - Posts
ISA 2004 firewalls include a very powerful HTTP Security Filter. This filter allows you to block virtually any HTTP connection attempt, based on the settings you configure in the filter. The HTTP Security filter allows you to configure the ISA 2004 firewall to perform detailed searches of the HTTP header and body, and block connections that match your criteria. When used properly, this has the potential to be the ISA 2004 firewall's “killer app”.
However, most firewall admins have to do double, triple, quadruple and quintuple duty. They don't have time to make the ISA 2004 firewall their avocation. They need to handle WinXP/Win9x/Win2000 clients, WinNT4/Win2003/Win2003 servers, SQL Servers, Exchange Servers, SharePoint Servers, Certificate Servers, RRAS Servers, IIS Servers, and lots more. There are only so many hours in a day, and the attraction of a firewall like ISA 2004 is that it appears easy to configure. And, on the whole, they would be right.
However, while the HTTP Security filter has a powerful and easy-to-use interface, the documentation of the feature is abysmal. What do I mean by “abysmal”? Search your dictionary for “tautology” and then read the Help file and any other MS docs on this subject you might find.
Most firewall admins who opt for ISA 2004 firewalls do so because they want to take advantage of the unique protection provided by ISA 2004, especially its one-of-a-kind VPN and Exchange security features. This level of protection could be made even better if MS would actually explain and define the various components of this filter and how it works. Otherwise, the HTTP Security Filter's power and utility will end up in the dustbin of history like the H.323 Gatekeeper and possibly the VPN-Q feature (I'll moan about VPN-Q in a future posting).
So the celebrity challenge for MS is to come up with clear (not concise! concise usually means “I don't have the time or inclination to fully explain the subject and explore its implications”), complete and useful documentation on the HTTP filter. This is how ISA 2004 firewalls can displace Checkpoint and PIX, and prevent users from adopting a Linux-based solution. After all, if I'm going to have to spend hours, days or weeks figuring out how to configure a key piece of a firewall, I don't need to pay for it; I'll just use Linux! :-)
So, MS docs team -- belly up to the bar and give the ISA 2004 firewall community what it needs, not what you think they need.
Thanks!
Tom
Spoof detection in ISA 2004 firewalls is a handy feature that helps protect the firewall from spoof attacks. However, there are some circumstances that generate spurious spoof alerts, such as when implementing NLB. No problem! Here's the fix, courtesy of our good friend, Barclay Neira:
284811 HOW TO: Disable the IP Spoofing Detection Feature in Internet Security and Acceleration Server
http://support.microsoft.com/?id=284811
Here is the location you would need to update. All other information is the same:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FwEng\Parameters
Thanks Barclay!
One of the most common problems seen on the Web boards and mailing lists is Instant Messenger related issues. How do you get them to work? How do you make them stop working? My solution is to remove the dreaded IM'ers from the users' machines :-)
However, if you want more information on how to get these things to work, check out:
Microsoft ISA Server Message Boards: Tips for msn,yahoo,kazaa: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000096
Lots of very useful tips and tricks there.
HTH,
Tom
A frequent request on the ISA boards is a script or other free method that you can use to fail over and fail back when you have multiple external interfaces. Custler, a frequent poster on the http://forums.isaserver.org message boards, has posted a very nice script to get you started. Jim Harrison may jump in with a fix that will help it work in Windows 2000.
Check it out here:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000012#000011
Thanks guys!
Tom
I wrote to Jerry Bryant about putting some beta newsgroups for ISA 2004 on the msnews.microsoft.com Web site. Silly me, there were already ISA 2004 beta 2 newsgroups. The problem is that they're very effectively hidden from public view! This explains why the level of activity in the “public” newsgroups for ISA 2004 is so much less than what I saw during the ISA 2000 beta.
Anyhow, if you're interested in getting involved with the public ISA 2004 Beta 2 newsgroups, here's the secret sauce:
Viewing these Newsgroups with an NNTP Newsreader
Since these are private newsgroups, the server will require you to log on using the following information:
- Server: privatenews.microsoft.com
- Account name: privatenews\ISA2004
- Password: BetaPassword
- Note that the password is case-sensitive.
Viewing these Newsgroups through Outlook Express
- Launch Outlook Express
- Select Tools - Accounts
- Select Add & click News
- Enter Your Name
- Enter an alias (you may want to avoid posting with your real e-mail alias, as these newsgroups are exposed publicly through the web interface)
- Internet News Server Name Page - enter privatenews.microsoft.com and check "My news server requires me to log on". Click "Next".
- Enter Account name - privatenews\ISA2004
- Enter password (case-sensitive): BetaPassword
- Click Next & Finish
- Close and download the newsgroups.
Of course, you can go to http://forums.isaserver.org and we have a very active discussion going on regarding ISA 2004 firewalls.
HTH,
Tom
Microsoft has posted some video presentations that you can download and view at your leisure. Do what I do -- burn these guys to a DVD and play them while flying from one gig to another. You can watch Martin Sargent reruns only so many times :-)
With ISA Server 2004 now not that far away, Microsoft has released a bunch of ISA 2000 presentations.
Internet Security and Acceleration Server Network Design for Microsoft .NET Applications
In this presentation you will learn how to design a network for multi-tiered Microsoft .NET applications. The session introduces each element of the architecture and explains how to use ISA Server in different places throughout the network.
Microsoft® Internet Security and Acceleration Server Best Practices and Troubleshooting
In this presentation you will get the best practices for installing and administering Microsoft Internet Security and Acceleration Server.
Microsoft® Internet Security and Acceleration Server Deployment Techniques
In this presentation see how to deploy Microsoft Internet Security and Acceleration Server to provide caching and firewall functions. Learn about planning issues, guidance on client types, and the design of ISA Server policies.
How to Protect Your Network Using Microsoft® Internet Security and Acceleration Server 2000
In this presentation see how Microsoft Internet Security and Acceleration Server 2000 can be used to provide proxy, caching and firewall security for your network, and more.
HTH,
Tom
If you're planning on attending TechEd this year in San Diego, then you might be interested in another session that I'm doing. Here's the info:
Date: May 25
Time: 5:00PM -- 6:15PM
Code: SECC04
Description: ISA Server 2004 Enhanced Microsoft Exchange and VPN Services Support: How ISA Server Provides Enhanced Security for MS Exchange and VPN
Speaker Name: Tom Shinder -- ISAServer.org
Code: Canbana4
Reg Type: COMM
I'll talk about what's new, what's cool, and what's unique about ISA 2004's VPN and Exchange Server protection features.
Hope to see you there!
Thanks!
Tom

If you're an ISA firewall fan, and want to get together with other ISA aficionados, then check out the Birds of a Feather (BOF) session we're putting together for TechEd. A number of ISA gurus (and me too) will be there! Here's the rundown so far:
Application layer firewalls are the present and future of secure network computing, and ISA firewalls set the standard. ISAserver.org gurus and MVPs Tom Shinder, Chris Gregory, Jason Ballard and Jim Harrison crack open the case on ISA Server firewall placement and config. Bring your config and design questions to this interactive and info-packed session.
If you're going to TechEd and haven't voted on this session yet, then do! Head on over to http://www.ineta.org/bof/Default.aspx and vote for our session. Only sessions that get enough votes will be given space.
Thanks!
Tom

If you didn't already know, ISA firewalls are the firewalls for protecting Microsoft Exchange Servers. One of the things that hampers adoption is the belief by many firewall and network admins that they need to change their current network topologies in a big way to support a new ISA firewall. Not true! Check out this article I posted today to see how easy it is to get ISA firewall protection without having to re-jigger your entire network infrastructure to support it.
http://www.msexchange.org/articles/2004protectexch.html
Thanks!
Tom
The ISA firewall's SMTP Message Screener is pretty cool. It's not a full-fledged spam whacker, but it provides a nice first line of defense against unwanted email. One thing that was a bit problematic with the ISA 2000 firewall's SMTP Message Screener was that it depended on DCOM messages being passed between the SMTP relay with the SMTP Message Screener installed and the ISA firewall machine. You don't see this problem if the SMTP Message Screener is on the ISA firewall itself, but you do see it if it's on another machine.
If you see an error that looks something like this:
DCOM got error "General access denied error " from the computer proxy
when attempting to activate the server:
{0820D243-0B18-4B0A-88F0-D857F0C91E62}
Then you'll benefit from this cool fix from Jim Harrison:
That GUID represents the VendorParametersSet processing DLL in ISA.
Try this:
1. Open a cmd window and navigate to your ISA installation folder.
2. type (no quotes): "regsvr32 vps2.dll"
3. say "OK" to the next two popups
4. type (no quotes): "net stop isactrl /y"
5. wait until all the services are stopped
6. type (no quotes): "net start w3proxy"
7. wait until the web proxy service starts
8. If you're running Integrated or Firewall mode, type (no quotes): "net start fwsrv"
9. If you're running RRAS on the ISA, type (no quotes): "net start remoteaccess"
10. if you're running Cache or Integrated mode, type (no quotes): "net start w3schdwn"
As always, Jim dredges up the best fixes in the biz!
Thanks!
Tom
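If you have to repeat Jim's fix on more than one SMTP relay, here is the same regsvr32-and-service-restart sequence as a script. This is an added example, not part of the original post and not Jim Harrison's code; it assumes it runs in an elevated PowerShell session on the ISA 2000 machine, that -IsaInstallDir points at the ISA installation folder, and that -Mode and -HasRras describe the server (the script cannot detect the ISA mode itself). The service names (isactrl, w3proxy, fwsrv, remoteaccess, w3schdwn) and the DLL name are the ones in the steps above.

```powershell
# Added example (not from the original post or Jim Harrison's fix): scripted
# form of the regsvr32 / service-restart steps. Run elevated on the ISA server.
param(
    [Parameter(Mandatory = $true)][string]$IsaInstallDir,   # assumption: caller supplies the ISA folder
    [ValidateSet('Firewall', 'Cache', 'Integrated')][string]$Mode = 'Integrated',
    [switch]$HasRras                                         # set when RRAS runs on the ISA box
)

$ErrorActionPreference = 'Stop'

function Register-IsaVps2 {
    # Steps 2-3: re-register vps2.dll; /s suppresses the two confirmation pop-ups.
    $dll = Join-Path $IsaInstallDir 'vps2.dll'
    if (-not (Test-Path $dll)) { throw "vps2.dll not found in '$IsaInstallDir'" }
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', "`"$dll`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
}

function Wait-ServiceState {
    param([string]$Name, [string]$State, [int]$TimeoutSec = 120)
    # Replaces "wait until ..." with a bounded wait on the real service state.
    $svc = Get-Service -Name $Name
    $svc.WaitForStatus($State, [TimeSpan]::FromSeconds($TimeoutSec))
}

function Restart-IsaServices {
    # Steps 4-5: "net stop isactrl /y" also stops dependents; -Force does the same.
    Stop-Service -Name 'isactrl' -Force
    Wait-ServiceState -Name 'isactrl' -State 'Stopped'

    # Steps 6-10: start only the services this mode actually uses.
    $toStart = @('w3proxy')
    if (@('Firewall', 'Integrated') -contains $Mode) { $toStart += 'fwsrv' }
    if ($HasRras)                                     { $toStart += 'remoteaccess' }
    if (@('Cache', 'Integrated') -contains $Mode)     { $toStart += 'w3schdwn' }

    foreach ($name in $toStart) {
        Start-Service -Name $name
        Wait-ServiceState -Name $name -State 'Running'
        Write-Host "$name is running"
    }
}

Register-IsaVps2
Restart-IsaServices
```

Save it as, say, Fix-IsaDcom.ps1 and run it with the folder and mode for that box (for example `.\Fix-IsaDcom.ps1 -IsaInstallDir 'C:\Program Files\Microsoft ISA Server' -Mode Integrated -HasRras`, where the path is an assumed example). Because every service start is followed by a bounded WaitForStatus, the script fails loudly instead of leaving a half-restarted ISA if one of the services never comes up.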

The ISA firewall's Firewall Client app is really the killer app of the ISA 2000 and ISA 2004 firewall. It's a real shame that so many people shy away from it, because it's a key component of a strong outbound access control scheme. Without strong outbound access control, you might as well run a dumb packet filter router like a PIX!
Anyhow, the Firewall client from ISA 2004 can get a bit flaky. The reason for this is that it uses an encrypted connection between the Firewall client machine and the ISA 2004 firewall. The ISA 2004 firewall client can whack out when trying to connect to ISA 2000 and Proxy 2.0 machines because it uses only the TCP channel (TCP 1745) when connecting to the firewall. Proxy 2.0 expects to be able to use the UDP control channel, and at times ISA 2000 will want to use one too. You can fix this problem by adding the following Registry value on the Firewall client machines:
HKEY_LOCAL_MACHINE\Software\Microsoft\Firewall Client 2004\EnableUdpControlChannel = 1
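For rolling that value out to more than a handful of client machines, here is a small script that sets it and reads it back. This is an added example, not code from the original post or from the Firewall Client itself; it assumes Firewall Client 2004 is already installed (so the key exists) and that the script runs in an elevated PowerShell session, since writing under HKLM needs admin rights. The key path and value name are exactly the ones given above.

```powershell
# Added example (not from the original post): set the Firewall Client 2004
# EnableUdpControlChannel registry value and verify it. Assumes an elevated
# session and an installed Firewall Client (the key is created by its installer).

$FwcKeyPath = 'HKLM:\SOFTWARE\Microsoft\Firewall Client 2004'
$FwcValue   = 'EnableUdpControlChannel'

function Get-FwcUdpControlChannel {
    # Returns the current DWORD, or $null when the key or value is absent.
    if (-not (Test-Path -Path $FwcKeyPath)) { return $null }
    $item = Get-ItemProperty -Path $FwcKeyPath -Name $FwcValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$FwcValue
}

function Set-FwcUdpControlChannel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Disable)   # -Disable writes 0 to back the change out

    $desired = if ($Disable) { 0 } else { 1 }
    $current = Get-FwcUdpControlChannel

    if ($current -eq $desired) {
        Write-Verbose "$FwcValue is already $desired; nothing to do."
        return $current
    }

    if (-not (Test-Path -Path $FwcKeyPath)) {
        # Do not create the key ourselves: its absence almost always means the
        # Firewall Client is not installed on this machine.
        throw "Registry key '$FwcKeyPath' not found. Is Firewall Client 2004 installed?"
    }

    if ($PSCmdlet.ShouldProcess("$FwcKeyPath\$FwcValue", "Set DWORD to $desired")) {
        New-ItemProperty -Path $FwcKeyPath -Name $FwcValue -PropertyType DWord `
            -Value $desired -Force | Out-Null
    }

    # Read back so the caller sees the effective value, not the intended one.
    return Get-FwcUdpControlChannel
}

# Usage: preview first, then apply and show the resulting value.
Set-FwcUdpControlChannel -WhatIf
$after = Set-FwcUdpControlChannel -Verbose
"EnableUdpControlChannel is now: $after"
```

Because the function supports -WhatIf, you can dry-run it from a logon script or remote session before touching any client; the same function with -Disable puts the value back to 0 if the UDP control channel turns out not to be wanted.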
That's your fact for the day. Now on to documenting, for the ISA 2004/Exchange Kit, the procedures required for putting together a unihomed ISA 2004 box to support reverse proxy for OWA and RPC/HTTP connections.
Laterz,
Tom
I finally finished the ISA 2004/Exchange Deployment Kit doc on the FE/BE Exchange config where the front-end is in a trihomed DMZ segment. What a pain! Actually, the ISA config is easy, but there are so many steps in configuring the Exchange Servers, Exchange Services, email clients and certificate management that it's easy to miss a step. On top of that, add in the vagaries of spazzing-out virtual machines. Not sleeping for over 24 hours probably doesn't help either :-)
However, the final doc is a real work of art. I know that everyone has been wanting support for the FE in the DMZ, and now with ISA 2004 it works.
I hope I'll be able to demo the config for you at TechEd. Maybe if I get really motivated, I'll do some .avi movies of the config and put them on CD for you to take home. If only I could buy more hours in a day. I'm getting up before going to bed these days!
Thanks!
Tom
I really like using the Certificates MMC snap-in because it greatly simplifies issuing certificates to domain members when using an enterprise CA. Sadly enough, the ISA 2004 RPC filter kills the Certificates snap-in, and also the Certificate Request Wizard used to issue certificates to IIS and Exchange Services. Bummer.
The solution is to disable the RPC filter in the Add-ins node and then create an Access Rule that allows all IP traffic between the communicating hosts. Just remember to disable this rule and re-enable the RPC filter after you've issued the certificates!
If you don't want to go through that hassle, you can always use the Web enrollment site, or create a file for an offline request.
HTH,
Tom
This is the first post for ISA Server. I'll talk about 2000 and 2004.
Thanks!
Tom