ISA in SBS - yes, it's secure

This Is The Last Post

2007-09-26T09:31:00.001-04:00

This is the last post for this particular blog.

Don't panic! I've created a new blog. The new blog will have a much broader focus and cover not only ISA but the full range of security challenges encountered by small businesses every day. It will include technical how to, as well as opinion, commentary and product reviews.

The new blog location is http://securesmb.harborcomputerservices.net/

I will keep this blog online for some period as an archive.

ISA SP3 Logging Improvements

2007-08-27T15:31:00.000-04:00

I've been so busy lately that I haven't had a chance to blog much. Thank goodness that the official ISA blog has picked up the slack. :) They've put out some great posts lately including todays: Logging Diasgnostic Improvements in SP3. You definately need to check it out.

http://blogs.technet.com/isablog/archive/2007/08/26/diagnostic-improvements-in-isa-server-2004-service-pack-3.aspx

ISA @ SMBNation

2007-08-27T11:47:00.000-04:00

ISA will be featured in the technical track at SMB Nation this year. My presentation back in March at SMBTN was well received. I'll be building on that presentation. I will demonstrate several configurations that are in demand for SMB consultants:

Spam and Flood protection
Limiting Internet Access: Integration with AD and Group Policy
Logging and Reporting
Backup and Recovery

So be there. Dana Epp, Security MVP has organized top drawer technical content for this conference. It's September 29 - October 1. http://www.smbnation.com

Also, a heads up. I'll be presenting at SMB Focus in Sydney Australia in November as well. Plan now and I'll see you there.

Thoughts on what it means to not have an edge SBS

2007-07-17T14:55:00.000-04:00

Situating SBS on the edge of the small business network has always been a controversial topic. A network in a box for small companies has to include some kind of firewall doesn't it? So through the years it was RRAS, Proxy 2.0, ISA 2000 and ISA 2004. With word out that SBS will no longer be supported on the edge that means that ISA on that box and RRAS are both out of the picture. Considering that most SBS servers are currently protected by RRAS that's significant.

Having worked in the small business market for a number of years I can tell you with certainty that this will leave the vast majority of SBS customers with networks protected by their DSL router. A DSL router just isn't sufficient to protect against today's application targeted attacks. Neither is it sophisticated enough to serve the publishing needs of Exchange 2007 without leaving gaping holes to exploit.

Microsoft knows best how to protect Microsoft software. SBS is jammed packed with Microsoft software as are most small business desktops. What then will be the official "best practice" recommended by Microsoft to protect their software that these customers are so dependant upon?

The Skinny on ISA in SBS 2008

2007-07-17T14:48:00.000-04:00

The official word:

"With respect to ISA, here's what we're public on:

- SBS no longer will support being the edge box. You'll need SBS to be behind a network firewall of some sort -- could be a hardware firewall, could be a software firewall, such as ISA.

- ISA, itself, will no longer support running on the SBS server itself -- this is really related to #1. We're building the SBS tools in the next rev assuming that the network firewall is elsewhere."

I wish I was allowed to say more about what's going on in the next version of SBS but I'm not. So from the official statement above it doesn't take a rocket scientist to notice that you're going to have to place your ISA server in front of SBS next time around on a seperate server. Unfortunately there's no public statement about what this means the product list is for SBS Premium because obviously we're going to need another license of Windows for that second server. We'll have to wait and see.

News: Microsoft soft unveils Stirling

2007-06-06T10:17:00.000-04:00

Microsoft unveiled a new product, code name Stirling, yesterday at Tech-Ed. For those wondering where ISA is going in the future. Here's a hint. There is also another product under development under a different code name that non-enterprise businesses will also be interested in.

See the full article here.

ISA 2004 SP3 Released

2007-05-02T09:32:00.000-04:00

ISA 2004 SP3 is here.

ISA Server 2004 SP3 includes the following new features and improved functionality:
•
Improvements to the ISA Server Management console with the addition of a new Troubleshooting node
•
Enhanced log viewing functionality
•
Additional log filtering functionality
•
Diagnostic logging, including over 200 new diagnostic logging events
•
Integration with the Microsoft ISA Server Best Practices Analyzer Tool
•
Support for publishing Microsoft Exchange Server 2007 with ISA Server 2004

Vista might not connect immediately

2007-05-02T09:24:00.000-04:00

Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista

Read all about it in TechNet. Vista contains a feature which uses DNS to locate and connect to a pre-defined website. This is part of the new network identification feature. So when Vista detects a new network and pops up the box for you to select how much you trust this newly connected network, this article explains what has happened in the background.

The key issues are:

1. Vista clients behind ISA may not immediately recognize that they are connected to the Internet via a firewall
2. ISA logs will contain denied DNS traffic destined for 131.107.255.255 (yes, this is a valid IP address)

And don't panic.

Publishing AuthAnvil Self Service Token Enrollment

2007-04-25T10:38:00.000-04:00

In using AuthAnvil to create a secure two-factor remote access for the SBS servers we manage it was decided that we'd like to allow users to Enroll the Cryptocard token we've provided themselve. AuthAnvil allows this through a self service token enroll website located on IIS. We'll use SSL to publish this site.

Click Publish a Web Server. Call it AuthAnvil Token Enroll.
Click Next, Choose Allow, Click Next.
The server name will be publishing.yourinternaldomain.local. Check Forward the orginal host header. The path will be /AuthEnroll/* The public name is the DNS name of your server, for example: mail.domain.com. Click Next.
Choose the SBS Web Listener. Click Next.
Leave All Users. Click Next.
Click Next, until done. Then Click Finish.
Make sure your rule is at the bottom of the other publishing rules in your server. This will make it rule 6 or so.
Right click on it and select Properties
On the Bridging tab make sure SSL is checked
On the To tab check to make sure your server name is correct, the check box is checked and the radio button for requests appear to come from the ISA server is selected.
On the Public Name tab make sure the public DNS name of your server is listed and is correct.
Click OK.
Press the Apply button for this rule to take effect.

Multi-Core Processors: Another reason for SP2

2007-04-17T12:15:00.000-04:00

While loading an ISA2004 onto new hardware I ran into a problem where the firewall service would not run. When something like that happens on a new install you get that sinking feeling that it's going to be a long night.

Fortunately a quick search came up with the solution. Install ISA 2004 SP2. ISA 2004 SP2 corrects an issue where ISA misidentifies the number of processors in the system. This can happen for a variety of reasons, one of which is multi-core processors.

Here's the kb reference

Vista 64-Bit Can't Join Domain

2007-04-03T10:58:00.000-04:00

Found a kb article that resolved a perplexing problem for us today. A Vista 64-Bit Ultimate edition PC was unable to join the domain. The error message stated a problem with RPC. This usually points to the local firewall but in this case it was ISA and a hotfix is needed to resolve it. This hotfix is available from the download center. No call to PSS required!

The kb article id is 917903; last updated March 15, 2007.

You cannot join a computer that is running a 64-bit version of Windows Vista to a Windows domain on which ISA Server 2004 is configured as a firewall

SYMPTOMS

Consider the following scenario. You have a Windows domain on which Microsoft Internet Security and Acceleration (ISA) Server 2004 is configured as a firewall. You try to add to the domain a client computer that is running a 64-bit version of Windows Vista. However, you receive an "RPC Server unavailable" error message on the client computer. Additionally, the computer is not added to the domain.Note This problem occurs primarily in a Microsoft Windows Small Business Server 2003 (Windows SBS) domain.

CAUSE

This problem occurs because 64-bit Windows Vista client computers add a third context element structure to a remote procedure call (RPC) bind call. However, the ISA Server RPC application filter drops this bind call as an incorrect RPC bind packet.

ISA and Windows 2003 SP2

2007-03-29T09:50:00.000-04:00

The ISA team has blogged about some issues affecting ISA after an installation of Windows 2003 SP2. The original post is here.

ISA Server and Windows Server 2003 Service Pack 2

Recently Microsoft released Service Pack (SP) 2 for Windows Server 2003 (http://www.microsoft.com/technet/windowsserver/sp2.mspx). We tested ISA Server with the Windows service pack quite extensively. Unfortunately we discovered after the release of the Windows service pack that there are several issues that have potential ill-effects on ISA Server. This blog summarizes the currently known issues, and suggestions on how to mitigate those issues.

1. If you run ISA Server 2004 Enterprise Edition with or without the ISA Server SP2, you must install ADAM SP1 on the ISA Server Configuration Storage Server prior to installing the Windows Server 2003 SP2. ADAM SP1 can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en. If you install Windows Server 2003 SP2 without first installing the ADAM SP1, ISA Server will not start after the installation, and you will have to uninstall Windows Server 2003 SP2. Further information is available in the Windows Server 2003 SP2 release notes, at http://technet2.microsoft.com/WindowsServer/en/library/ed5382af-e819-4d33-ace0-225d31b7ab751033.mspx?mfr=true .

2. If you run ISA Server 2000, 2004 or 2006 Standard or Enterprise editions on a multi-core / multi-processor 32-bit computer, and the CPU is heavily utilized, you might experience performance degradation in certain deployment scenarios after installing Windows Server 2003 SP2. The issue stems from a change in interrupt handling introduced in SP2.To correct the issue you must download and run the Interrupt Affinity Tool (intfiltr) available in Windows Server 2003 resource kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en). You can read about installation and usage of intfiltr.exe in http://support.microsoft.com/kb/252867.

3. If your network adaptors (NICs) support receive-side scaling (RSS), then in certain NAT scenarios ISA Server 2000, 2004 or 2006 Standard or Enterprise editions might not transfer packets from one NIC to the other after installation of Windows Server 2003 SP2.To correct the issue you must disable RSS support - follow the instructions in http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695.

Neta Amit
Program manager
ISA Server Sustained Engineering Team

ISA 2008 Needs Your Help

2007-02-27T08:19:00.000-05:00

The Microsoft ISA Product Team is working on the next version of ISA. As part of the work, the team is currently recruiting customers for its internal customer programs namely TAP (Technology Adoption Program) and the Advisory Group). Interested customers, consultants, solution provides and others can contact ngtprcrt@microsoft.com to start the nomination process.
Please note:
- The information about these specific programs is Microsoft-confidential. Therefore, nomination to these programs requires the nominees to already have or sign a non-disclosure-agreement (NDA) with Microsoft.
- Nominees who wish to participate (after they are accepted to the program) in the TAP kickoff event on April 16-18, are advised to follow-up immediately.

SMBTN Conference ISA Session

2007-02-14T21:19:00.000-05:00

There's a great conference coming up March 15-18th. It's the SMB Summit, the 3rd annual SMB Technology Network conference. It's being held at Disneyland. Have a look at the sessions and the speakers. If you are a small IT firm looking to grow, this is the place to be.

I'll be presenting a technical session on using ISA to build your security practice. I'll show off wireless network security, advanced DMZ controls and monitoring and reporting, then we'll open it up for discussion on adding security services to your standard service offerings.

Hope to see you there!

Update: iTunes ISA 2004 SP2

2007-02-05T10:27:00.000-05:00

In a previous blogpost I pointed you to the ISA Product Team blog for instructions on how to allow iTunes through ISA. I've got a little personal experience with this now and some new information for you.

If you're having problems visiting the iTunes site, you'll notice in the ISA logs that the packets are being rejected because ISA wasn't expecting compressed content but the iTunes responds with compressed content. I think this is a web development issue. The tighter we make our firewall configurations the more we expect development to follow the rules. Repsonding with compressed content when it wasn't requested is a no-no and the packet will be handled according to the settings under General, Define HTTP Compression Preferences. You'll notice that by default any packets trying to send compressed content that you didn't ask for will be dropped.

Following the instructions in the previous blog you'll need to provide a "site" for the exception to our compressed content restrictions. By "site" what is really meant is computer set. So create one and let's call it iTunes. Add the following IP addresses to this set.

89.149.169.80-.89.149.169.97
194.109.192.22
194.109.192.7
17.250.236.65
69.44.123.19
69.44.123.26

Once you have your "site" created check the box Request Compressed HTTP Content from Servers.

You'll be able to speak to the iTunes servers now.

Strong Authentication for SBS

2007-02-01T14:26:00.000-05:00

Good news! Today is the official release day for AuthAnvil. This is an excellent addition to the RWW Guard product that Scorpion Software also offers. I've seen it in action. This is a must have for IT firms servicing multiple clients and for all small businesses taking advantage of the many remote access features of SBS. There's nothing like knowing for certain who is logging into your server.

Scorpion Software releases AuthAnvil Strong Authentication System (SAS) for Small Business
Chilliwack, BC: February 1, 2007 - Scorpion Software Corp. today announced the general availability of version 1.0 of AuthAnvil, a strong authentication system (SAS) to protect small businesses and enhance their remote access security with the introduction of two-factor authentication server software for Microsoft's Small Business Server (SBS) 2003 and Windows Server 2003 platforms. AuthAnvil enhances online trust and enables secure remote access to protected information assets by offering the ability to reliably prove user identities through the use of strong authentication. More information about AuthAnvil is available at http://www.scorpionsoft.com/products/authanvil/.

"AuthAnvil is our second and most crucial piece to our strong authentication solution for small business. It helps to eliminate the insecurities and weaknesses in static reusable passwords by offering more perfected one time passwords that can be easily deployed and managed." says Dana Epp, Scorpion Software's President and Computer Security Software Architect. "In combination with our RWW-Guard product we can now offer a complete solution to help protect the remote access to critical information assets in small businesses who leverage Microsoft server technology like SBS 2003 and Remote Web Workplace."

About Scorpion Software Corp.
Scorpion Software Corp provides the premium solution for SMBs to reduce the risks associated with the use of weak static reusable passwords and provide a higher level of confidence that only authorized users can access their company's most important business assets - their proprietary information. Headquartered in British Columbia, Canada, Scorpion Software helps small businesses manage online risk while offering unprecedented password protection. More information about the company is available at www.scorpionsoft.com.

2 1/2 Conferences

2007-01-11T12:53:00.000-05:00

I'll be attending the SMBSummit a Disneyland from March 15-17. This conference is organized by the SMB Technology Network. If you are looking for good technical information on SBS and good business information on running a small consulting firm this is the place to be.

http://www.smbsummit.com

I am also hoping to attend Jeff Middleton's Small Business IT Disaster Recovery and Crises Recovery conference from May 26th - June 2nd. Jeff's conference is the 1 1/2 part in the title of this post. The first two days are land based in New Orleans. The remaining 5 are on a Cruiseship leaving New Orleans headed for Mexico. You can attend the first part, the second part or both. It's a round table discussion type conference with leaders rather than speakers happening for the majority of it. Great concept. Should also be a great time. There's plenty of fun time built into this one.

http://conference2007.sbsmigration.com

Hope to meet you there!

Creating a Visited Websites Report by User

2007-01-11T12:49:00.000-05:00

Many admins learned how to create reports by opening up the log files in ISA 2000 and using Excel features to organize the data in a meaningful way. Contrary to popular opinion, you can use Excel to generate a report using ISA 2004 with MSDE logging much easier than in ISA 2000 flat files.

Start by trimming out what you don't want to see, right in ISA.

In the monitoring tab create a query with the information you want to view.

Logging last 7 days
Protocol HTTP
Action Allowed Connection
Rule SBS Internet Access Rule
Client Username Not Equal Annonymous

This will display in the monitoring viewer a list of packets going to websites. Press the Copy to Clipboard and then paste into Excel to start organizating the data into a report.

How ISA MSDE Logging Works

2007-01-11T09:30:00.000-05:00

Recently on a mailing list a question was asked for someone to explain how ISA does logging to MSDE and why you sometimes see a lot of log files for the same day. Dana Epp, of Scorpion Software, quickly responded with a very concise and clear response.

When using MSDE, ISA stores the logs in daily database files. If you make any policy changes to the firewall, it stops the instance and restarts it with a new name. As an example for today the database would be called ISALOG_20070110_FWS_000. (That is the format YYYYMMDD in case you missed it). If you stopped and restarted ISA, it would then be ISALOG_20070110_FWS_001. You would need to function concat() { [native code]}the 000 and the 001 to get the complete set of log events for the day. For the web proxy, its "_WEB_" instead of of "_FWS_". Microsoft does this to apparently prevent data corruption, although I have yet to see how that matters in this regard. There is no reason it couldn't be merged. (IMNSHO). I think they do it to prevent the DB size limitation for MSDN databases.

Depending on your audit log retention policy, you might have up to a month or two of these hanging around. What Firewall Dashboard (Dana's ISA add-on) does is merge all the data together, consolidate all the events down to remove log events not helpful in analysis, and import them into the FWDB database instance. Thats how we can literally go from a few hundred thousand events down to a few hundred, depending on the scenario.

The actual table structure for the whole lot is stored under the ISA directory. If you wish to see the structure of the data, its in *.sql scripts in the base dir of ISA.

If you are finding that the files are hanging around past the date you want, you can freely delete them... with one caveat. If you are consolidating the data with the ISA reporting engine, make sure you aren't deleting the summary/archive data.

There is a KB on configuring logging for ISA. Not sure if you would find that useful or not. You can see it at: http://support.microsoft.com/?id=302372

New RSS Feed

2007-01-03T19:25:00.000-05:00

Google converted my blog over to the new format and because of this the RSS feed address changed. Here's the new one: http://isainsbs.blogspot.com/feeds/posts/default?alt=rss

The old one was so much simpler.

MVP Awarded

2007-01-03T10:00:00.000-05:00

For the second year I have been awarded an MVP for ISA. This recognition means more to me than any certification because it is a peer nominated award for my participation and contribution to the ISA community. A lot of amazing people are MVP's and I'm honored to be in their company.

Thank you!

2007-01-02T12:22:00.000-05:00

I'd like to put in a big thank you to several people that made a difference in the world of ISA support in 2006.

Jim Harrison - Without Jim there would be no ISA community. He's a man of infinite patience and belief in community. We only managed to push him over the edge twice this year and given how many buttons were pushed, only twice says a lot for his character and ability to see beyond the surface bull to the real issues.

Susan Bradley - The World News, the Great Library of Susan, the ever helpful and passionate about community nearly to a fault Susan. If you haven't heard the name then you must live underwater someplace. No one can read Susan and always agree with her but that's part of what makes her voice invaluable. Susan isn't afraid to ask the difficult, the unsaid, or to point out the elephant in the room and when you need her support she's right there. I love that.

Tom Shinder - Given Tom's opinions about SBS some will question my sanity for mentioning him here, but just as many will question my mention of Susan above. Truth be told the combined passion that these two have for their respective communities, if harnessed, could resolve the west coast summer power problems. Tom's dedication to ISA and community through his articles and forum support surpasses the rest of us combined. His comments can be harshly worded but I value them even so. Besides, I think we have an understanding.

Andy Goodman - Andy will probably fall off his chair if he's sees this but Andy has done some excellent work detailing what needs to be done to stop CRM and ISA from trying to kill one another and CRM works as an SSL site to boot. Since Microsoft put out the SBS version of CRM and didn't include instructions that made any sense, they owe him some thanks as well. But since that probably isn't coming Andy, you'll have to get by with just mine.

Eriq Neale - Because he said after reading the chapters I wrote for his book that he's converting his clients over to ISA. When your boss says that, well, you've got to say thank you.

Thanks also to the readers. Most of you find this blog through Google or links from other blogs. I get a couple of comments every week usually direct to my mailbox. Thanks for those; they mean a lot.

Adding Exchange Defender for SMTP Security

2007-01-02T11:56:00.000-05:00

A price we pay for putting ISA on the same physical box as our Exchange server in SBS 2003 is that we're unable to make use of the SMTP features in ISA. You can however use Exchange Defender, a third party SMTP filtering service, to reduce incoming spam. (among other nice features) If you are planning to implement Exchange Defender you'll want to have a look at Susan Bradley's article on how to configure ISA to work with it. You can find it here. I'll add this reference to the App section on the blog website as well.

ISA 2004 Installation Fails Creating Sotrage

2006-12-20T13:26:00.000-05:00

ISA in SBS - yes, it's secure

This response by Mark Stanfill saved me last night. (Thank you Mark) The only additional thing I would add is that this installation method also does not create a share to hold the firewall client for you. So after you have sucessfully installed ISA go into add/remove programs, Choose ISA, select Modify and select the Firewall Client Share item.

Note: The original question came from a person with a HP Server. My problem machine was also an HP.

Dave,

We've seen a few instances of this, usually related to MSDE install errors.
Please try the following:

1. Launch the ISA 2004 MSI package manually and install ISA manually from
CD #6:

:\ISA2004\FPC\MS_FPC_SERVER.MSI

2. The installation should be successful but this only installs the
console. The
MSDE instance has not yet been installed. Go ahead and run the Setup.EXE
for ISA
2004 so that all the additional components will install.

3. If the installation of MS_FPC_SERVER.MSI is NOT installed successfully,
then run
it with the following command to create a LOG file of the installation:

msiexec.exe /i D:\ISA2004\FPC\MS_FPC_SERVER.msi /l* c:\isa.txt

4. The log file will be located on C:\isa.txt

The verbose log file will help us in the next step of troubleshooting.

Regards,
__
Mark Stanfill, MCSE+I, MCSE 2000, MCDBA, MCSA
Microsoft Corporation

Vista Firewall Client

2006-12-19T10:01:00.000-05:00

How to obtain the version of Firewall Client for ISA Server (December 2006) that includes Windows Vista support

This KB article will take you to the page that lists the new features of the client as well as a link on where to download it. According to this KB the correct version is 1.0.

New features

The following features are new in this version of Firewall Client for ISA Server:

• Support for client computers that are running Windows Vista
• Software updates that improve the security and stability of Firewall Client for ISA Server

Protecting Wireless Networks - 3 Ways

2006-12-01T10:13:00.000-05:00

Recently there's been a rash of clients needing to setup open wireless access for visitors. For the record, I hate open wireless. But some clients won't be convinced. Since this is the real world we do what we can do to protect them. Depending on the circumstances there are 3 options:

1. Install a 3rd NIC into your server. Create a network for this NIC corresponding to your wireless network and assign rules accordingly. Keep in mind, that if this is an SBS server, this is an unsupported option. The reason it is unsupported is that the Connect to the Internet Wizard will choke on the extra NIC. It was written to expect only 2 NICs. To work around this problem you should disable your 3rd NIC and the rules associated with it before running that wizard.

2. Use a different public IP for your wireless router and create an entirely seperate network for wireless. Most of the time an ISP will provide 5 IP addresses to business accounts. Most businesses are only using one of those. Plug the wireless router directly into the router provided by your ISP and assign the wireless router one of your unused IP address. Configure the wireless router as needed.

3. Connect the wireless router to your internal network and give it a static IP address. Set it up to assign DHCP addresses to the wireless guests that are on a seperate network. For example, if your internal network is 192.168.16 then setup the wireless router's built-in DHCP server to pass out 192.168.17 addresses. Assign rules to keep the wireless router away from everything but the Internet.

Here's what option 3 looks like in practice:

1. Create a DHCP reservation for your wireless router.
2. In ISA, create an Address Range Object for the wireless router.
3. In ISA, create a new Access Rule. From Wireless Router, To External, Specified Protocols: HTTP, HTTPS. Other protocols your guests might need include FTP, ICA and SMTP but keep the list as short as possible. Place this rule above the SBS Protected Networks Access Rule.
4. In ISA, create a new Acces Rule. From Wireless Router, to LocalHost, Specified Protocols: DNS. This will allow the wireless router to resolve addresses. Place this rule above the one you just created.

DHCP Not Working After Applying ISA 2004 SP2?

2006-10-20T14:48:00.000-04:00

I've come across reports of 7 seperate servers where after installing ISA 2004 SP2, the DHCP server does not work as expected. Reports are that the DHCP receive/request rules are in place but not functioning. The current resolution is to create a new set of DHCP receive/request rules.

Follow this article to create the rules, if you are having this problem. Hopefully later, I'll be able to post more on why the system rules are broken.

Troubleshooting ISA Performance

2006-10-16T11:19:00.000-04:00

The configuration of your NICs can have a significant and difficult to diagnose effect upon your ISA server. If you are using auto negotiation on your NICs and Switches it may slow down the performance of your server while under load. Read the article below for an explanation and considerations.

ISA Server Troubleshooting; Layer 1

ISAtools.org Make Over

2006-10-09T09:46:00.000-04:00

ISATools.org has gotten a make over and it looks great. The site is much easier to navigate now.

Mailbag: To Firewall or not?

2006-10-06T17:36:00.000-04:00

I received this question in my mailbox the other day. It wasn't the first time. Thought I may as well post the answer too.

Amy, I've heard you on the SBS Show and read your comments in the Yahoo
groups and on your own blog. I recently ran across Thomas Shinder's
blog post called "Why SBS is Insecure by Design and Not Even an ISA
Firewall can Fix the Problem" which can be found here:

http://blogs.isaserver.org/shinder/2006/09/03/why-sbs-is-insecure-by-des
ign-and-not-even-an-isa-firewall-can-fix-the-problem/

I wanted to get your opinion on a specific statement Mr. Shinder makes
in this post:

"The SBS 2003 SP1/ISA firewall box with a "hardware" firewall or NAT
device in front of it is no more secure than the SBS 2003 SP1 box
without the "hardware" firewall or NAT device in front of it. Putting a
"hardware" firewall in front of the SBS box is psychological exercise in
futility, and the money spent on the PIX 501 would be much better spent
on a couple hours of psychotherapy or a few bottles of Dom P. Whether
you choose the PIX, the shrink or the Dom, you'll end up with the same
level of security."

Do you think a hardware firewall in front of an SBS box is no more
secure then an SBS box without a hardware firewall in front of it? Do
the companies you consult for usually have a hardware firewall in front
of the SBS box, regardless of whether or not they are running ISA on
SBS?

Your opinion on this would be greatly appreciated!

______________________________________________________________________

Dear Reader,

Security is not an absolute. Most people agree that it is about risk mitigation. As a small business consultant I can say with certainty that SBS does make small business more functional and more secure. Without exception when I make first contact with a small business they are operating their business without backup, with expired anti-virus software, with a high speed Internet connection and without a firewall. After we install SBS, provide for backup, subscribe and deploy an anti-virus solution, configure monitoring and patching and deploy a firewall the business is more secure than before we started. Are they as secure as an enterprise that has embraced least privilege and separation of duties? No, but at least they are now on the right path.

You should always deploy a firewall. I only use SBS Premium in my practice because I believe that ISA can protect Microsoft products better than the competition and I've got a lot of Microsoft products running on SBS. Now, is a hardware firewall necessary in front of ISA? No, this will not make you anymore secure. If my clients have an ISP supplied router with some firewall capabilities built-in, then I enable that only because they already have it. I would never recommend that they go out and purchase one.

If you are using SBS standard, then you had better go out and purchase the best firewall that money can buy to protect it. You've got a lot of eggs in your basket to protect.

Amy Babinchak

Updated Firewall Client Available

2006-10-03T08:19:00.000-04:00

The new firewall client is available for download and should be installed on all workstations. This new firewall client supports 64-bit OS and resolves a conflict with Defender. All versions of ISA are supported.

Publishing Project Server Portal

2006-10-02T07:43:00.000-04:00

Over at SmallBizServer.net a new article has been published on how to publish a Microsoft Project Server portal through ISA 2004. You can read the article here.

Many of the articles from SmallBizServer.net require a subscription. This one doesn't seem to, so get it while it's available. My only comment is that in Step 1 under ISA, it says Create a New Rule. Since we have 3 types of rules to choose from in ISA, this really ought to read Create a New Web Publishing rule.

They are doing some great work over at SmallBizServer.net so if you aren't familar with them it would be a good idea to check out the entire site.

Replacing the SBS self-signed SSL certificate with an 'el cheapo one from GoDaddy

2006-10-01T10:19:00.000-04:00

Jeff at ABC Solutions has created a PDF file documeting how to replace the self-signed SSL certificate that the SBS wizard creates for you with a certificate from GoDaddy. Since this involves both IIS and ISA I wanted to call it to your attention. Good job Jeff and nice work on the PDF too. You can download the PFD here.

ISA in SBS Blog Website Updated

2006-10-01T09:55:00.000-04:00

Finally getting a few moments to update the blog and accompanying website. What else are Sunday mornings for?

The website for this blog has been updated.

Changes:

RSS Feed Link
4 new Amy's Voice Links added

RSS Feed Now Available

2006-10-01T09:42:00.000-04:00

Thank you Susan Bradley for pointing out that Blogger now, finally, supports RSS. Effective immediately the RSS address is: http://isainsbs.blogspot.com/rss.xml

Deciding Where to put the rule you just created

2006-10-01T09:35:00.000-04:00

Lately I've seen too many ISA Firewall Policies with all of the custom created rules sitting at the top of the firewall policy. At the top isn't always the best place for a new rule. New rules should be placed according to function. There is a great TechNet article that explains how to determine where to place your new rule.

The article starts like this and then goes into further detail about how to order the rules within these categories:

Ordering the rule base
We recommend that you organize your access rules in this order:

1.
Global deny rules. Rules that deny specific access to all users. These rules should use the rule elements that require simple networking information. An example of such a rule would be a rule that denies all users access from anywhere to anywhere on protocols used for peer-to-peer file sharing.

2.
Global allow rules. Rules that allow specific access to all users. These rules should use the rule elements that require simple networking information. An example of this would be a rule allowing access on the Domain Name System (DNS) protocol from the Internal network to the External network.

3.
Rules for specific computers. Rules that allow or deny access for specific computers, for example, a rule allowing UNIX computers access to the Internet.

4.
Rules for specific users, URLs, and MIME types, and also publishing rules. Rules that contain rule elements that require additional networking information, and that enforce policy for specific users, or for specific Uniform Resource Locators (URLs) or Multipurpose Internet Mail Extensions (MIME) types. Publishing rules should also occur at this point in the rule order.

5.
Other allow rules. Rules that handle traffic that does not match rules that occur previously in the list of rules, assuming the traffic is allowed by your corporate policy. For example, a rule allowing all traffic from the Internal network to the Internet.

Filter the Internet?

2006-10-01T09:09:00.000-04:00

Occasionally I get requests for Internet Filtering. My answer is always the same. "If you need to filter the Internet you have an HR problem, not an IT problem." Once I get that out I back peddle a bit and let them know that we can create a list of allowed websites provided it isn't too long. If you would like to know how to do this then download the instructions under Amy's How To Articles at ISAinSBS. Then I back up a little bit further and let the client know that they can subscribe to a service like Surf Control or Web Sense and they'll let you slice, dice and filter the Internet in a huge variety of ways; but they're not cheap. The Internet landscape is constantly changing and these companies have poor souls whose job it is to view possible objectionable websites and assign them a filter category.

Then there's Steve. Some people make a hobby out of creating destination sets for ISA. Steve either is one of these people or he knows a lot of them. The destination sets can be had for free over at Steve's site.

Now if you decide to use one of these destination sets be sure to place the deny rule in position just above your SBS Internet Access rule. Why not put it at the top of your firewall policy? Well think about what you're asking ISA to do. For example, the sex site destination set contains 169,299 URL's, the porn URL set 214,835; the porn domains 469,759. Every time a request hits that rule, ISA will look through each of those URL's and/or Domain names to see if the request should be blocked. The potential to bog down your Internet access is real.

Secure FTP through ISA 2004

2006-10-01T08:34:00.000-04:00

At first I thought they were joking...FTPS...Never heard of it...you can't secure FTP without an application filtering firewall like ISA...that's right an FTP application filter. But twice recently something called FTPS has come to my attention and finally I had a situation where a client needed to access an FTPS server but couldn't.

ISA 2004 has an FTP Application Filter that inspects FTP traffic as it passes through. It also dynamically opens the high port required for the connection. There is an excellent article by Stefaan Pouseele called How the FTP Protocol Challenges Firewall Security over on the ISAserver.org website. In it Stefaan explains why FTP is insecure by design, how ISA can secure FTP for you and all of the details in between. It is an excellent article.

FTPS creates an interesting challenge though. FTPS was developed in an attempt to secure FTP transmission. It's FTP with SSL encrypted information running inside. The owners of an FTPS website assume that you are using a simple packet filtering 'el cheapo firewall and can't secure your own network. FTPS proposes to do this for you using SSL. But if you are using a quality application filtering firewall with an FTP filter like ISA 2004 then you'll run into a problem because the FTP application filter can't see into the SSL encrypted packets and will therefore deny them.

Solution 1: Disable the FTP Application filter. This will work IF FTPS is the only kind of FTP site you will ever need to connect to. If you disable the FTP filter all "normal" FTP traffic will be denied.

Solution 2: Create a new Access Rule for FTP for traffic going from your network to the FTPS destination that does not use the FTP filter.

Here's what your rule should look like:

Allow -- Selected Protocols, FTP. Highlight FTP, Press Edit, Uncheck the FTP Access Filter -- Traffic from your Internal Network --- Traffic to New, Address Range, Enter IP address of the FTPS server you need to reach -- SBS Internet Users or User group of your choice.

FTPS will now work to that destination for all but SecureNat clients. So make sure you've got the Firewall Client installed on all of your workstations.

Blocking the zero day VML vuln...

2006-09-24T11:34:00.000-04:00

The patch for this vulernability is scheduled to be released in October. Meanwhile if you are concerned and would like to prevent this attack sooner, Microsoft has released instructions for configuring your ISA to block it. The TechNet article is Learn How Your ISA Server Helps Block VML Vulnerability Traffic.

You may also be interested in what Jesper Johnansson has to say about VML attack and how to prevent it.

Block-VML-Zero_2D00_Day-Vuln-on-a-domain

More-options-on-protecting-against-the-VML-vulnerability-on-a-domain

Security is a personal decision. For my users I'm reasonably certain that they will not come into contact with this vuln before the patch is deployed. This one is starting to spread but it's spreading slowly for now and in obsecure places.

PPTP Out Disabled by Default

2006-09-15T09:57:00.000-04:00

The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections in Microsoft Windows Small Business Server 2003 Premium Edition SP1

This is one of those by design things that the SBS team saddled us with. The KB will walk you through the official way to add PPTP outbound to your rule set.

Going to SMBNation Redmond

2006-08-22T08:46:00.000-04:00

I'll be attending the SMBNation in Redmond from September 7th - 11th. If you'll also be there look up me. It's always good to put a face with the comments!

Request For Post Ideas

2006-08-21T19:27:00.000-04:00

It's been a slow summer blog wise because it's been an unusually busy summer business wise. I promise to get back on schedule. If you have an idea for a blog post, please submit it to the comments. Thanks! Amy

Walking the Line - A New Blog

2006-06-21T08:36:00.000-04:00

Walking the Line is my new blog on small business security. While this blog is exclusively about configuring ISA, the other blog will cover a wide variety of security topics. It also won't be purely technical but will contain opinion. I'm a small business consultant out there in the field with my techs maintaining real life small business networks. If you're into keeping it real and want to know what happens to your clients when you implement "best practices", then this blog will be the place to be. I also plan to call out security screw ups by vendors. Yep, sometimes I'll rant a bit.

I expect to post to Walking the Line a couple of times a month. So please check it out and subscribe.

Enable this App: Lacerte

2006-06-21T07:44:00.000-04:00

How to Allow Lacerte. This information comes from Jim Page. My comments are in italics. However, take my comments with a grain of salt because I have no clients using Lacerte to test them.

Basically create an "New Access Rule", "ALLOW", "PROTOCOLS" create OUTBOUND TCP for 10010,10020,10030,10040,10050-10052,10060,10070,10099, and I did 1275,1277,1278 (was in the MS 839503 article. Not sure if it's needed) Workstations running the Firewall client should be able to request use of any outbound protocol. So this step should not be necessary if you have installed the Firewall Client.
FROM="All Protected Networks"
TO= Created two sets, 1 is range 198.31.208.130-198.31.208.145 the other is just 208.240.240.200

Users= "All users" Can't get it to work if I pick anything else. This means that Lacerte doesn't authenticate to the server when it requests access to the Internet.

Schedule="Always"

Content Types="All content types"

Now I have seen that Lacerte is using other ports to communicate to 208.240.240.200, and ISA denies access. These ports so far are 3106,3130,3132, and some in the 8000 range (didn't right them all down) I have a call into Lacerte to see if they do anything.

The mistakes that I have seen in other articles: They say to setup INBOUND and that the FROM and TO objects were incorrect.

Update to SBS WPAD available

2006-05-30T08:33:00.000-04:00

From Jim Harrison:

http://isatools.org/sbs_wpad_3.zip

Thanx to Jonathon Howey for a bug report in the _2 version to the isaserver.org list and playing guinea pig for my troubleshooting.

Short story: WinHTTP proxy configuration (or auto-proxy behavior) can cause the script to make the wpad request as a CERN proxy request instead of a direct request.
Needless to say, this causes the mechanism to fail.

I've fixed this and stashed it as http://isatools.org/sbs_wpad_3.zip.

I'll post this update into the original WPAD blog entry as well.

Force Reboot, Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2

2006-05-16T16:05:00.000-04:00

From the SBS Product Team blog.

We've seen a few cases now where ISA Hotfix 916106 does not prompt for a reboot, as the hotfix indicates it should. The hotfix does, however, successfully install. In addition, after the hotfix is installed the following services will be in a stopped state:

Microsoft Firewall
Exchange Routing Engine
Simple Mail Transfer Protocol (SMTP)
World Wide Web Publishing Service

The Microsoft Firewall service not restarting will throw ISA in to lockdown mode, which can potentially prevent remote administrators from being able to connect to manually reboot the server. In either case, the server should be rebooted.

A knowledgebase article is now available.

If you use a computer that is running Microsoft Small Business Server
2003 Premium Edition with ISA 2004, you may not be prompted for reboot.

See the rest of the knowledgebase article for a suggested solution.

DMZ - SBS special considerations

2006-05-12T20:00:00.000-04:00

So you'd like to create a DMZ? It's easy to do with ISA 2004 but don't forget that you've got pre-defined rules in SBS that are going to open up your DMZ to more that you might want.

Step 1: Create the DMZ. To do this use this article but start at the section titled Create The Anonymous DMZ and continue through the section titled Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network, then stop.

If this were a non-SBS implementation of ISA you'd have a DMZ with no rules defining access to it. But we live in a pre-configured world so the next step is to add a new rule to the ISA 2004 Firewall Policy to exclude the DMZ network from our pre-existing rule set.

Step 2: Open up the ISA 2004 management console and expand Configuration. Click on Networks. Move to the Network Sets tab. Click on Create new Network Set. Call it something like All Protected, Except DMZ. Make this network set look just like All Protected Networks except add your DMZ network to the exclusions list.

Step 3: Move to the Firewall Policy and edit the SBS Protected Networks Access Rule. Move to the From tab and replace All Protected Networks with the network set that you just created. This will prevent all traffic from the DMZ reaching your internal network. Now you've isolated the DMZ from your Internal network.

Step 4: Create a Rule so that the server in the DMZ can communicate with the other servers in your network. (this assumes that the server in the DMZ is a member server) Open up the ISA 2004 management console and click on Firewall Policy. Scroll down to the bottom. Highlight the SBS Protected Networks Access Rule. In the taskpad click New Access Rule. Call it something like DMZ Server Communications. Allow traffic from the DMZ to Internal Network with the following protocols: DNA, Kerberos-Sec (UDP), Kerberos - Sec (TCP), LDAP, Microsoft CIFS (TCP) Netbios Datagram, Netbios Name Service, Netbios Session, RPC (all interfaces), LDAP (UDP), Kerberos-ADM, ping and NTP. Make sure that this rule is placed just ahead of the SBS Protected Networks Rule.

Step 4: Create a Rule for any additional ports that the application running on the server in the DMZ requires. Place this rule above the SBS Protected Networks Rule as well.

DNS Related Performace Problems for ISA

2006-05-08T21:25:00.000-04:00

Tom Shinder has a nice little blog post on DNS related performance problems for ISA. If your Internet access seems slower than it should be, check your DNS server configuration first.

KB: How to configure ISA Server 2004 after you add a new network adapter or you replace a network adapter

2006-04-28T09:29:00.000-04:00

How to configure ISA Server 2004 after you add a new network adapter or you replace a network adapter is handy kb article but it needs a little modification for SBS.

Be sure to interpret step 7. Configure the TCP/IP configuration as configure the new Network card TCP/IP settings exactly as they were on the old Network card.

and step 9 c. Manually configure the network and add any rules, or select a network template from the right pane to specify your new configuration as run the Connect to the Internet Wizard.

ISA SP2 Update Released

2006-04-24T18:46:00.000-04:00

ISA in SBS - yes, it's secure: Information on SP2

How off the press! ISA SP2 update has been released. This update replaces the previous hotfix for these issues:

This update addresses the following HTTP issues for ISA Server 2004 Standard and Enterprise Editions with Service Pack 2 (SP2):

• KB 915045: Error 502 "The HTTP request includes a non-supported Header" when accessing certain web servers. This occurs when accessing certain Web servers that return headers that are incompatible with each other.

• KB 915421: Errors 11001 or 400 when accessing certain web servers. This is caused by a misinterpretation of spaces in headers provided by ISA Server, and results in a corrupted URL and failure to load the Web page.

• KB 915422: Event ID 23004 when accessing web sites that respond with compressed content. Some Web servers always return compressed content, which is denied by ISA Server when it did not request compressed content.

• KB 916573: Error 500 (Internal Server Error. Not implemented (-2147467263)) when trying to download zip attachments from an Outlook Web Access server. The header returned by Outlook Web Access causes ISA Server to deny the response.

• KB 917134: Grayed out checkbox “Enable caching of content received through the BITS service”

System Requirements
Supported Operating Systems: Windows Server 2003
• ISA Server 2004 Standard Edition with Service Pack 2

You can download it here or it's available in WSUS.

Install CRM SBE on SBS 2003 Premium with ISA 2004

2006-04-18T10:56:00.000-04:00

Handy Andy over at SBS Rocks has written a step by step how to titled Install CRM SBE on SBS 2003 Premium with ISA 2004. I have not used it myself but after watching a live install during our last SBS user group meeting and reading Andy's article I now feel ready to give it a go. Check out his article if you'll be installing CRM.

There's couple of tweaks you need to make and the unmake after the installation. Be sure to also read the manual on this one. CRM is going to put its hooks into every nook and cranny of your SBS server and you'll need to be aware of what's going on.

Internet Proxies can by-pass your ISA settings

2006-04-13T11:21:00.000-04:00

Today I learned from Steve Moffat about Internet Proxies. The type of proxy we're talking about here are websites that filter the Internet for you. Traditionally these were used by schools to filter the Internet in a manner appropriate for children. When I was in the educational tech support business most schools subscribed to a service to filter the Internet for them. On the tech end we'd redirect all Internet requests to the site we subscribed to and simply didn't allow any other sites. Worked great.

Of course, someone figured out, and about 700 or so people copied the idea, that they could put up an Internet proxy that does no filtering. Why? To get around the URL blocking that you've put in place of course. Say you're blocking users from getting to yahoo mail, if the user can get to the proxy site they can enter mail.yahoo.com and bring up yahoo mail and your URL blocker is none the wiser because the mail site is being viewed from within the proxy site. Fun!

The solution is to get Steve's proxy site block list.

SP2 hot fix is now available

2006-04-10T19:20:00.000-04:00

I've updated the original post on ISA SP2 to include the hotfix URL for the issues raised by SP2. If you have to access non-RFC compliant websites, then this hotfix might be for you. Be sure to read the details carefully. The hotfix will turn off certain security feature updates that the service pack made so be aware of what you're asking for.

By Popular Request

2006-04-10T16:05:00.000-04:00

By popular request, I finally managed to get a photo of myself on the blog site and also on the MVP awardees site. If you read the book, (SBS Unleashed) then you know that without the boat I'd shrivel up and die. This photo is scanned and cropped out of picture of me on the boat.

Blocking URL's using Destination Sets

2006-04-03T13:07:00.000-04:00

ISA in SBS - yes, it's secure

Steve has updated his destination sets for blocking Porn, Sex, Advertising, Online Dating, Chat, Gambling and MSN Messenger Advertising sites.

Get 'em here.

I'll soon post a How To for using the destination sets.

Enable Reynolds & Reynolds SDC Server

2006-03-31T13:16:00.001-05:00

Here's the information that you'll need to enable a Reynolds & Reynolds Linux server to communicate through your ISA 2004 Server. If you support auto dealerships, you know what I'm talking about. Ignore the comment that you've probably gotten from R&R that they can't work behind an ISA server.

First, make the R&R server a SecureNat client buy assigning it a static IP address and setting its gateway and DNS to the Internal NIC address of your SBS server. Create an access rule and place it above the SBS Internet Users rule. Create the rule such that traffic will flow from the R&R server to External allowing only the protocols listed below. Then, apply the rule and have R&R test. Everything should work flawlessly.

· TCP port 80 HTTP

· TCP port 443 HTTPS

· TCP port 53 DNS

· TCP port 20 / 21 FTP

· TCP port 23 TELNET

· TCP port 25 SMTP

· TCP port 110 POP3

· UDP port 123 NTP (National time protocol; this should be set up for both outbound and inbound)

Enable iTunes after ISA 2004 SP2

2006-03-31T13:12:00.000-05:00

A useful snippet from the ISA Server team blog.

You can configure ISA Server so that ITunes will work. Here’s how:

1. On the General node, click Define HTTP Compression Preferences.

2. On the Settings tab, add the site to the list.

3. Select the site and click Set Compression.

4. Enable Request compressed HTTP content from servers.

The new Firewall Dashboard is Here!

2006-03-22T19:07:00.000-05:00

ISA in SBS - yes, it's secure

Fellow MVP Dana Epp has created a useful add-on tool for ISA. It's a Firewall Dashboard application that takes the ISA logs and presents the information in an easy to use graphic format. You can also configure it to send you a report on your firewall activity daily. It's a nice addition to the native monitoring tools built into ISA. I've been using the Beta and have found it easy to install and the reports easy to configure and understand. You'll learn things you never knew about your firewall. Why didn't you know? Because you weren't looking. Scorpion Software's Firewall Dashboard makes it easy to look.

Click here to go to Scorpion Software

How To Doc: Limit Internet Access to a Few URL's using ISA 2004 and Group Policy

2006-03-22T18:10:00.000-05:00

The first document to populate the new Amy's How To document space on the blog is on Limiting Internet Access to a Few URL's using ISA 2004 and Group Policy. It is available for download from the link in the right hand column.

This document is handy when you want to limit internet access to a select few URL's. I use a combination of ISA and Group Policy to achieve Internet Access control bliss. ISA controls where users can go and group policy pre-populates the Favorites list in IE with the allowed destinations. This prevents users from having to guess which sites they are allowed to visit.

I hope that you will find this article useful.

New: Blog Feature, How-to Docs available

2006-03-22T17:53:00.000-05:00

By popular demand I'm now going to be posting how-to documents on this blog. Look in the right hand column for Amy's How To Docs. Click on the link to download the pdf.

Information on SP2

2006-03-07T09:39:00.000-05:00

As you know, there has been a flurry of information on whether or not to install ISA 2004 SP2 and what happens afterwards.

Here's the situation, SP2 contains some new features which add to the security that ISA can provide to our networks. Therefore after you install SP2 you might come across a few websites that will error out. While it might look like it's SP2 causing the problem it's actually the website causing the problem by not following the rules.

There are two things that are causing headaches for those that rushed to install SP2, compression filtering and HTTP Request Smuggling. The new compression filter is "on" by default under SP2. If you access a website that attempts to place a compressed file on your box using anything other than gzip encoding, it will fail. Most, but not all websites use gzip encoding. If you need to use a website that doesn't you'll have to disable compression filtering. For an explanation of HTTP Request Smuggling protection, we turn now to our guru, Jim Harrison...

Disabling filters may not help with www.delta.com, www.sun.com or any
site that causes ISA 2004 SP2 to generate the following message:

Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)

The reason for the behavior youre seeing is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling The process for this attack is a bit involved but the short story is that HRS depends on sending response headers that include both Content-length: and transfer-encoding: chunked.

A whitepaper on the subject is available here:
https://www.watchfire.com/securearea/whitepapers.aspx

RFC-2616 defines those two headers for the purpose of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response.

If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body.

This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfcompletedeted. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses out of hand. Since RFC-2616 clearly states don't combine those headers and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief.

As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.

PSS will have a public fix available shortly.
Jim

There's going to be a hotfix. Not because ISA did anything wrong but because there are enough sites out there causing pain for MS customers, that they are going to change things accommodate them.

I for one, am not disappointed by SP2. The security improvements are significant, I just wish we didn't have to dilute security to accommodate a few sites not playing by the rules. It's really the same thing we do for Java apps that won't authenticate or workstation apps that won't run as anything but local admin. It's a compromise and it's one we should be complaining about loudly. This time, not at Microsoft but at the legions of others not playing by the rules.

UPDATE: Click here for the hotfix.

Blocking MSN Messenger for some users

2006-03-07T08:55:00.000-05:00

ISA in SBS - yes, it's secure

Tom Shinder has published an article that will be of interest to SBS users. It's called
ISA Firewall Quick Tip: Blocking MSN Messenger Access through the ISA Firewall while Enabling Access to Some Users.

Besides providing information on how to do this, it will also introduce you to HTTP filtering.

ISA Team Blog on Http Filtering

2006-02-23T09:10:00.000-05:00

The ISA team has started blogging and today's post inparticulr is an interesting one. ISA Server Product Team Blog Because it's a short post I've copied it below but do be sure to check out their blog directly as well. What I like about this post is it describes how easy it is to use one of the most over looked features of ISA, Http Filtering. Http Filtering lets you block unwanted applications. You simply add the applications signature to the filter and you'll never see that app again on your network. It works for file types to as several people pointed out during the .WMF scare.

Application Signatures for HTTP Filtering
You allow your internal clients to access the Internet, but want to limit their use of some applications. You can block their use of applications that run over HTTP by using the HTTP filtering capability of ISA Server 2004. But to block the application, you need the application signature. Here's how you find the signature:

Use a network traffic capturing utility, such as Network Monitor (known affectionately in some circles as NetMon). Install the utility on ISA Server. Best to do this sort of thing in a lab, unless you're completely comfortable about the security effects of the utility you use. Configure the utility to capture packets from a specific client.

On that client, access the application you're interested in. In the monitoring utility, find the HTTP request packet from the client (usually follows handshake packets) and look for a signature in the packet. A little finesse is needed, because you want to pick a signature that is general enough to always block the application, but not so specific that it blocks everything. For example, the signature "a" is a little too generic.

Once you've located a signature, you can add it to the Signatures tab of the HTTP policy for the access rule, and test it in production.

You can read more about this in the document "HTTP Filtering in ISA Server 2004", at White Paper

Nathan Bigman, ISA Server Product Team

Enable This App

2006-02-21T16:35:00.000-05:00

I've created a new section of links on the blog site called Enable This App. It's a simple list of applications that you can click and go directly to instructions for configuring ISA to work with that particular application.

Thought you might find it a handy reference. I know I will.

There's a New ISA website in town

2006-02-21T16:18:00.000-05:00

ISA in SBS - yes, it's secure

Steve Moffat

You've seen him on the sbs2k yahoo site. He also hangs out on the isaserver.org site. Add it to your favorites.

Allowing NOAH

2006-02-21T16:09:00.000-05:00

ISA in SBS - yes, it's secure

NOAH is a client server application used in medical facilities. It uses DCOM to communicate from client to server. New in ISA 2004 is a system policy that requires strict RPC compliance. You'll quickly find out which application comply and which ones don't now that this is by default requirement in ISA 2004.

To enable NOAH to communicate we need to not require it to adhere to strict RPC compliance.

1. Open ISA 2004 Management and select Firewall Policy.
2. Click on View and select Show System Policy Rules.

System Policy Rules detemine how traffic is allowed to get to the ISA server. We need to change what kind of traffic is allow to speak to the ISA server.

3. Right click on Allow RPC from ISA Server to trusted servers and select Edit System Policy.
4. Uncheck Enforce Strict RPC Compliance.
5. Click OK.

Press the Apply button to have your changes take effect.

Allowing MetaGraph

2006-02-21T15:58:00.000-05:00

ISA in SBS - yes, it's secure

MetaGraph is a client server medical billing application. It FTP's files out of your server AND client workstations as part of it's licensing verification. By default this behavior is not allowed in ISA 2004. Here's how to configure ISA to allow this application through your ISA server.

1. Open ISA Management and click on Firewall Policy.
2. Right click on the SBS Internet Access rule and select Configure FTP.
3. Uncheck the Read Only box. Click OK.

Follow the same procedure for the SBS FTP Outbound Access Rule. This rule change is needed for the client setup portion.

The server and workstation appear to always be connecting to the same destination server (204.11.215.162). You may wish to undo these rule changes after initial setup of the application is complete or create a new FTP rule only allowing FTP out to the above IP address.

Commentary: With all of the new HIPPA regulations that medical institutions must comply with a software package that is FTPing anything out of the server and workstations is just asking for trouble.

Articles: Troubleshooting, Connection Limits, Logging

2006-01-31T14:17:00.000-05:00

Articles of Interest to SBS.

Troubleshooting Unsupported Configurations
(http://www.microsoft.com/technet/prodtechnol/isa
/2004/plan/unsupportedconfigs.mspx).
This article provides a quick look-up resource for some common unsupported
configuration scenarios that customers may encounter.

Deployment Recommendations for Connection Limits in ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/
plan/connectionlimits.mspx).
This paper explains the connection limit quota mechanism, and how to define
custom limits. It also includes information on troubleshooting connection
limits.

Logging Best Practices
(http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/logging-best-practices.mspx).
This article provides tips for configuring ISA Server 2004 logging. It
includes recommendations for logging formats, and capacity guidelines.

What we do after installing ISA 2004

2006-01-29T09:11:00.000-05:00

Configuring ISA 2004 To Do List

1. Increase Client Connection Limits to 160 for everyone. Adjust for individual workstations upward if necessary.

2. Enable Intrusion Detection and DNS Attack Detection, except DNS Zone Transfer.

3. Change Web Proxy and Firewall Logging limits to 4 GB, retain for 30 days, minimum disk space 512MB, maximum log size 4GB and convert to MSDE. Double check that the log files are stored on the data drive.

4. Configure Report, publish report to folder

5. Adjust Cache Size. Add 1MB per user and round up.

6. Turn off Logging on System Policy #19, Allow Access from Trusted Computer to the Firewall Client Installation share on the ISA Server.

7. Change Alert for Log Failure to stop Firewall Service

8. Change Alert for Connection Limit Exceeded to Immediately.

The best explanation of why ISA Logs always contain Anonymous connections

2006-01-28T19:11:00.000-05:00

Jim Harrison does it again! This is by far the best explanation of why the ISA logs always contain anonymous entries even when our SBS ISA is configured by default to require authenticated access.

Tom Shinder beat me to posting it so click .here to read Jim's excellent explanation

Allowing Lacerte

2006-01-28T18:33:00.000-05:00

There's a kb article out there that appears to be providing incorrect information as to how to allow Lacerte to work with ISA. It's KB 839503. In fairness it is written for ISA 2000, but even when translated into ISA 2004 lanuage it still appears incorrect. Jim Barr found a rule that works. Here's how to create it.

1. Click Create New Access Rule, call it Lacerte Outbound and make it an Allow rule.

2. Apply the rule to All Outbound traffic.

3. Traffic will be from the Internal Network Set.

4. The rule applies to traffic to these two Address Sets: 198.31.208.130-140 and 208.240.240.200.

5. This rules applies to all users.

Click on Apply to let the rule take effect.

Allowing ADP through ISA 2004

2006-01-27T00:38:00.000-05:00

Using ADP for payroll and need to allow it to communicate out of your network with the ADP servers? Here's how:

1. Open the ISA 2004 Management Console (start->programs->Microsoft ISA Serer->ISA Server Management)
2. Expand the node and select the “Firewall Policy” tab.
3. Select the Tasks tab on the right side of the console.
4. Select Create New Access Rule.
5. Name: ADP. Pick next.
6. Allow rule. Click next.
7. Chose Selected Protocols form the applies to box and click Add.
a. Expand ‘Web’
b. Select ‘HTTP’ and click add.
c. Select ‘HTTPS’ and click add.
d. Click close.
8. In the ‘rule applies to traffic from these sources’ click add.
a. Expand network sets.
b. Select All Protected Networks and click add.
c. Click close.
d. Click next.
9. In the ‘rule applies to traffic sent to these destinations’ click add.
a. Select New from the top menu and select ‘Domain Name Set’
1. Name: ADP
2. Click New and enter: *.adp.com
3. Click Ok.
b. Expand Domain Name Sets and click ADP. Click Add.
c. Click Close.
d. Click next.
10. Leave the setting for All Users and click next.
11. Click Finish.
12. Click apply in the ISA management snapin.

How to Allow Schwab Portfolio Center

2006-01-23T16:20:00.000-05:00

There are two components to making Schwab Performance Technologies Portfolio Center work with ISA 2004, 1 workstation and 1 server. Portfolio Center uses DCOM to communicate between the clients and the server. DCOM must be allowed on both ends for it to work. This means changing the firewall configuration on both the workstation and the server.

On the workstation you need to allow DCOM through the XP SP2 firewall. Schwab has created a little utility that you can download from the support tools site on their website here. You'll need your customer ID.

On the server, we've also got to allow DCOM communications. By default ISA 2004 is configured with strict RPC compliance in the system policy. This will have to be turned off. Open the ISA Management MMC, Click on Firewall Policy. Click View, System Policy. The System Policy will be displayed above the Firewall Policy. Look for the system policy item called Allow RPC from ISA to Trusted Servers. Right click on it and select edit System Policy. Uncheck Enforce Strict RPC Compliance. This will allow the DCOM communications between the workstations and the server that Portfolio Center requires.

Free Securing SBS with ISA Training

2006-01-18T09:50:00.000-05:00

I have not taken this course myself so I can't speak as to how well the content is delivered but the description sounds good.

Securing Small Business Server 2003 using ISA Server 2004

Event Date:
1/24/2006

Presenter:
Beatrice Mulzer

Event Time:
11:00 AM Pacific, USA & Canada (DST) = GMT - 08:00

Duration:
90 minutes

Description:
The course material will consist of advanced features of Small Business Server (SBS) 2003 that are of interest to Microsoft partners. You will receive a first look at utilizing Small Business Server Service Pack 1 Premium Edition featuring ISA Server 2004 to secure your network and to provide secure access to Exchange Server 2003 and Web resources. At the conclusion of the series, attendees will have a better understanding of how to secure Web applications, business applications, and remote access on SBS 2003 using ISA Server 2004.

Access Policy or Server Policy? Which one do I use?

2006-01-17T08:30:00.000-05:00

The ISA Product Team put out a nice blog entry titled Access Rules vs Server Publishing Rules. The article is written in an easy to read numbered list format. I think this take some of the sting out of a subject that has caused so much confusion. Most firewalls don't make a distinction between different types of rules (because most of them don't offer different type of rules) and the reasons for this distinction are well explained by the product guys in this blog entry.

For what it's worth, I use this rule of thumb (which of course has exceptions):

If I need to grant access out of my network use Access Rules.
If I need to grant access into my network use Server or Web Publishing rules.

That latter statement particularily refers to allowing users on the outside of your network access to websites or applications hosted on your non-SBS server sitting next to your SBS. For example an SQL, Web, or Video server.

All Port Scan False Positives Explained

2006-01-12T11:43:00.000-05:00

The security column of the month has produced a whammy of an article on Technet titled
ISA Server Port Scan Alerts. Not a catchy title but it is a must read. Here's a little snip from the beginning of the article:

"Overview
Since the dawn of ISA Server time (2000, if you haven’t been watching), ISA Server administrators have received practical but often confusing notifications of “all port scan” and “port scan” intrusion attempt alerts.

Although the ability to notify administrators when potentially malicious traffic is detected is a useful feature of any firewall, these alerts in particular seem to cause more confusion than do other ISA Server alerts. It’s this confusion that we’ll try to eliminate today.

To keep things simple (and short), we’ll limit our examples to ISA Server 2004. The same general principles apply to ISA Server 2000, but the ISA Server user interface and log review examples differ greatly."

NEW ISA MVP's Awarded

2006-01-12T09:47:00.000-05:00

Tom Shinder blogs that several new ISA Server MVP's have been awarded. Here's reprinter of his blog entry.

Hey folks,

I had no idea until today how many new ISA firewall MVPs we have! Check
this out:

Amy Babinchak -- Amy enters the ISA firewall space via SBS 2003 SP1. Amy is the leading contributor of ISA firewall information on the SBS platform over at www.isaserver.org

Jason Fossen -- new MVP and he's located here in my neck of the woods -- Dallas, Texas. Jason runs the ISA firewall scripting Web site www.isascripts.org

Moez Mezghani -- new MVP from North Africa

Martin Pavlis -- MVP from the Czech Republic

Alessandro Perilli -- MVP from Italy and the genius who taught me how to support four NICs in a VMware virtual machine :))

Meibo Zhang -- a friend of mine from China who has a tremendous Chinese language ISA firewall site at www.isacn.org

Hong Zhi Zhu -- another new MVP from China, Chong Qing. He's active in the Windows IT Pro magazine web boards and has written a number of articles on the ISA firewall

Hopefully one day all the ISA firewall MVPs will be able to get together at the same time in the Redmond world wide MVP conference.

Welcome them to the club!

DISCUSS THIS POST AT: http://forums.isaserver.org/Roll_up_discussion_link_for_posts_up_to_01-14-2006/m_2002002974/tm.htm

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

ISA Product Team Blog

2006-01-04T15:43:00.000-05:00

The ISA Product Team has finally started blogging. We should see some interesting posts once they get rolling. Those of us running ISA as an SBS component this blog offers special opportunity to get to the heart of ISA and make sure our voices are heard when it comes to improving ISA's support on SBS. Keep them honest. SBS sales of ISA make up a large portion of the total ISA deployments in the market.

ISA Product Team

Authentication Problems

2006-01-03T09:53:00.001-05:00

Microsoft has addressed the most common question about ISA Server. "Why won't my ________ app go through ISA?" Because it won't authenticate and our SBS installations of ISA are setup to require authentication to get access to the Internet. If someone or something is using your Internet access, you want to know who and from where.

Check out this TechNet article:

Troubleshooting Client Authentication on Access Rules in ISA Server 2004

Article: Basic ISA 2004 Troubleshooting

2005-12-08T10:06:00.000-05:00

I've written a new article for ISAServer.org titled Basic ISA 2004 Troubleshooting. It's an introduction to configuring ISA logs and using the log information to determine whether or not ISA is blocking traffic that you might need to allow.

Enjoy! Feedback on the article can be posted on the ISA 2004 SBS forum.

Interesting PodCasts

2005-12-07T17:54:00.000-05:00

Here are a couple of interesting podcasts:

Eriq Neale knows how to run a show. Each is less than 15 minutes long, very professional sound, just plain excellent.

What it's like to write a technical book (specifically SBS 2003 Unleashed)
Part 1
Part 2

SBS CSS Team will Podcast on ISA 2004 on Friday. The podcast will be here once recorded. Unlike Eriq's, these podcasts are rough through and through and will soak you for an hour of your time. Still there's bound to be good content from the guru's at CSS.

ISA2004 Recorded Live Meeting Available

2005-11-20T13:40:00.000-05:00

On Saturday morning I gave a presentation via Live Meeting to the San Antonio geeks. These guys have been getting together for years on Saturday morning to each tacos, study for exams or just plain IT knowledge and eat more tacos. Pretty cool concept. We all need time to just sit and learn something new and having a group of friends/collegues that you can do it with would make it all the more fun. So they've been studying ISA 2004 for a few months now and asked if I would do a presentation for them. So I did; lingering cold and all.

My presentation was recorded for your viewing pleasure. It can be accessed by the public for the next month or so here. After that it'll only be available to SBS User Group Leads for use at the local SBS User Group Meetings.

It's not exactly an introduction. It's not exactly advanced. I'd put it somewhere in the middle. It assumes that you've at least seen the Management console and have been poking around in a bit.

As this is the first live meeting recording done for the user groups, the beginning is a little rough and sometimes the sounds isn't the best. But I listened to it and it works. Enjoy!

MSDE Loggging Memory Use KB

2005-11-15T09:27:00.000-05:00

You may experience high memory usage on an ISA Server 2004-based computer that logs messages to an MSDE database

This information has been around for a while in the newsgroups. Now it's available as a knowledgebase article. Interestingly of all of the ISA servers that I manage, only 1 has come down with this problem. I be interested to know what triggers it.

Allowing the HP Indigo Press to Phone Home

2005-11-14T13:03:00.000-05:00

Clients that own the HP Indigo printing press are billed by Hewlett Packard on a per page basis. Maintenance costs and print costs are based on usage. To get this information up to HP so they can bill the client a software package runs several times a day and phones (or rather Internets) home how much the press has printed. This traffic occurs on a specific range of ports. Fortunately for me, HP provided good documentation on which ports their software requires.

Ports Required: 40000-40199 out and 6055 out.

Before beginning I started live logging on ISA and watched the packets get denied. I really didn't want to enable such a large grouping of ports so I watched to see what the software was actually trying to do. As it turns out the software sends a small packet of information over a large number of ports simultaneously.

We have a limitation in that the HP press can't join the domain and it won't authenticate. The HP tech set it up as a SecureNat client on the network, in a workgroup called workgroup. Being a SecureNat client really limits our ability to control access. Since the HP press isn't capable of telling us who it is, we'll have to allow these ports out for everyone. At least we don't have to allow access to any additional ports in to make this work.

Here's how I did it. Open ISA Management. Click on Firewall Policy. Click Create New Access Rule. Name the rule HP Indigo 40000-41999. Click Next. Choose Allow. Click Next. Leave This Rule Applies to Outbound Traffic and click the Ports button. Click on Limit Traffic to This range of Source Ports and enter 40000 in the From box and 40199 in the To box. Click OK. Click Next. Click the Add button, expand Networks and choose Internal. Click Close. Click Next. Leave this rule applies to All Users and click Next. Click Finish. Follow the same procedure to allow outbound traffic over port 6055.

Apply the rule and fire up live logging and have the press operator send data to HP. You should now see only successful packets in the log.

Silent Install of ISA2004 Firewall Client

2005-11-09T08:33:00.000-05:00

In his blog, Tom Shinder makes note of and expands upon an excellent isaserver.org Member Board post from Ben on how to install the ISA2004 Firewall Client without user interaction. Pair this with WPAD and you've got a real nice way to automatically deploy and configure the Firewall Client on all of your workstations.

Tom's Blog

ISA2004 and Macintosh Computers

2005-11-07T15:51:00.000-05:00

Eriq Neale has written a couple of nice blog entries recently on issues involved in connecting MAC's through ISA2004.

Instructions on how to allow Macintosh computers to work through ISA2004 as securenat clients. A securenat client is a non-Windows operating system client computer that wishes to access the Internet while not having ISA 2004 act as a Proxy for them.

Internet Access for Macintoshes behind ISA 2004

Comment: I'd prefer that the Macintosh computers be configured as Web Proxy Clients and use a browser that supports proxy settings. Any other apps on the Mac that do not support proxy can be handled as any non-authenticating application.

How to Publish Timbuktu to one Internal Client:
Publishing Timbuktu through ISA 2004

The missing xml password has been found!

2005-10-26T09:24:00.000-04:00

The post titled ISA2004 Installation Fails during SBS 2003 SP1 Install has been amended to include the solution to the missing password. Thanks once again to Jim Harrison for digging this information up, when PSS was unable to.

..and the answer is:

%programfiles%\microsoft windows small business server\support\sbsisa2k4setuplog.txt

..has the password embedded in it.

ISA2004 Installation Fails during SBS 2003 SP1 Install

2005-10-25T13:00:00.000-04:00

Subtitle: In which Amy spends 5+ hours on the phone with PSS on a Service Pack installation problem and the issue doesn't get resolved. Or, in which after 3 days and 5 different support specialists the problem is mostly resolved.

Here's the situation:

It was a dark but otherwise lovely week night evening and the SBS 2003 SP1 installation was humming along. I was only 3 hours into the installation and ready to install ISA2004. Record time! 27 PC's already had the old ISA2000 client removed and were awaiting the new client. Then it happened.

"The wizard cannot install ISA Server 2004. Try to install it again by restarting this wizard. If the problem persists, see http://www.microsoft.com/windowsserver2003/sbs/support for additional help and support."

From the sbsisa2k log:

SBSISA2K4SETUP: CreateProcess returned OK
SBSISA2K4SETUP: ISA2k4 setup completed before post config
SBSISA2K4SETUP: *** WaitingForMultipleObjects returned ERROR 0x80004005
SBSISA2K4SETUP: *** LaunchISA2k4NativeSetup returned ERROR 0x80004005
SBSISA2K4SETUP: *** Running ISA2k4 setup unattended returned ERROR 0x80004005
SBSISA2K4SETUP: Entering IsISA2k4Installed
IsISA2k4Installed returned FALSE
SBSISA2K4SETUP: ISA2k4 is NOT installed
SBSISA2K4SETUP: *** CSbsIsa2k4SetupCommit::CommitEx returned ERROR 0x80004005
SBSISA2K4SETUP: *** CommitEx returned ERROR 0x80004005
SBSISA2K4SETUP: Committer failed
SBSISA2K4SETUP: (error message is generic.)
SBSISA2K4SETUP: *** Commit returned ERROR 0x80004005
SBSISA2K4SETUP: *** Commit returned ERROR 0x80004005
SBSISA2K4SETUP: Setting the event to signal post setup
SBSISA2K4SETUP: *** InstallISA2k4 returned ERROR 0x80004005
SBSISA2K4SETUP: *** Installing ISA2k4 returned ERROR 0x80004005
SBSISA2K4SETUP: Exiting

This story could go on and on for about 3 days but I'll keep it short and to the point. The problem was that the ISA setup couldn't load the performace monitor counters. This resulted in MSDE not be able to load and although the base of ISA installed the failures were noted and the install rolled back and rebooted the server with having removed ISA2000 but failed to install ISA2004. When this happened I thought, oh no, my ISA2000 settings! I wasn't smart enough to have made a backup of ISA2000 first. The complancy of many successful upgrades had gotten the best of me. So PSS directed me to go to C:\program files\Microsoft Small Business Server\Support\Premium and save the .xml file that the upgrade process had created of my ISA2000 settings. This particular client had a few that I didn't want to have to recreate. The thought was that we could import this xml file later.

This is where the first 2 support specialists left me. The next day I emailed the most helpful Jim Harrison and he said what do the ISA detailed install logs say? Where are they, says I? The detail ISA install logs live in C:\windows\temp and are called ISAWRAP_number.log, ISAMDSE_number.og and ISAFWSV_number.log. The installation process uses verbose logging so there are a lot of log files with a lot of text in them. I pulled out this error message: Setup failed. Error returned: 0x643
MSDE Installation failed, hr=80070643 and then emailed it to the support technician. He passed it on to yet another technician who got an MSDE support specialist on the line and he solved the problem.

Here's how to resolve this problem. If you are getting this error message, open up Performance Monitor on the server. Click the + sign to add a new counter. If your counters are numbers rather than friendly descriptions, then you have corrupt performance counters, just like this server did.

Open a command prompt and running the following:

lodctr /r:perfstringbackup.ini

Now go back into Performance Monitor and verify that the counters have friendly names and descriptions. Commence to install ISA2004.

Unfortunately this story has no ending as I've not yet been able to import the xml file with my ISA2000 settings in it. Apparently the unattended install of ISA2004 uses a password to protect this file and no one has been able to tell me what that password is.

Good news: ISA2004 is installed and working.
Bad news: My ISA2000 settings are locked in a password protected file...

A solution to the missing password has been found! Thanks, yet again to Jim Harrison and the SBS Team.

..and the answer is:

%programfiles%\microsoft windows small business server\support\sbsisa2k4setuplog.txt

..has the password embedded in it.

This log file and it's associated XML file give anyone a complete view of your Firewall configuration. Leaving this information exposed for anyone to view is not recommended. Take care not to change any of the security settings on these files. The SBS team as protected this information by setting the ACLs on this resource to admin / system by default. Be sure to keep it that way.

Yes, but why don't the new alerts show up right away?

2005-10-10T22:57:00.000-04:00

I learned something new today about ISA 2004 in SBS support podcast #2. I wasn't expecting to. If you haven't checked out the podcasts yet, do. They're great.

Here's what I learned. The alerts don't update continuously. Just because you don't see a new alert doesn't mean that an alert condition didn't occur. You may not see a new alert, if an existing alert of the same type is already there. So if you applied a fix that is supposed to keep your ISA2004 server happy and not throwing alerts you might falsely think that your solution worked because a new alert didn't appear right away.

The solution given by the guys was to acknowledge all of your alerts before running your test to see if the fix you applied has worked.

This will work but it left me wondering why the alerts weren't showing up. So I dug...

Open up ISA 2004 Management, go to Monitoring, select the alerts tab. There are several things here that will effect how often new alerts are triggered. In the tasks pane notice that there's a box where you can choose how often this page is refreshed. You choices are None, Low, Medium or High. Medium is the default setting. This will effect how quickly you'll get to see new alerts messages. If you want to be alerted sooner bump it up to high. Now click on the Configure Alert Definitions link. This will open up the Alerts Properties box. Continuing with the podcast theme, select the Connection Limits alert definition and press the Edit button. The Connection Limit Exceeded alert definition properties box will open. Move to the Events tab. On this tab you get to set how often this alert will be triggered. The default is "only if the alert was manually reset". This explains why if you're having trouble with an SSL website because your connections limits are too low you won't see a new alert about it until you acknowledge the old alert.

If I were PSS and troubleshooting this type of problem I'd bump up the alert frequency to Immediately. Kind of like when you are troubleshooting an Exchange issue, first thing you do is bump up the monitoring so you can see more of what's going on. Bonus, you don't have to keep acknowledging alerts during the troubleshooting process. Just let them flow.

I feel better knowing why.

If you haven't listened to the podcasts I highly recommend them.

Troubleshoot Using Live Logging

2005-10-10T10:06:00.000-04:00

I'm a little embarrassed that it has taken so log to introduce you to my best friend, Live Logging. We've been best friends since the day we met when I opened up the new ISA management console, there she was hiding behind the Start Query button.

Live Logging is the best troubleshooting tool we've got in ISA. Remember how difficult the logs were to read in ISA2000? Now, you can not only read them, but query them and copy them out to Excel.

Let's take a quick look.

Open up ISA Management, Click on Monitoring. At the top of the page are your Log Query Filters. To see everything you should have the following filters configured: Log Record Type = Firewall Or Web Proxy Filter. Log Time = Live. Action not equal to Connection Status. These will give you high quality output.

Next Click the Start Query link. You'll get a little message that says Fetching Results, then the log information will start flowing. It's a beautiful thing.

Once you have a few items in your list click on the Stop Query link. Here's where the fun begins.

Right click on the column name and select add/remove columns. Here you can not only add or remove columns of information to view but it will take effect immediately on that data that you've already collected! Try it. Add a column, remove a column, reorder a column. You get the manipulate what's on the screen, even for the now historical data.

Next, select a group of log items by either clicking on the top item and shift-clicking on the last one you want to select or by crtl-clicking individual log items that you want to select until you have a few. Now that they're highlighted, click the copy to clipboard link in the tasks pane on the far right. Open Excel and paste. You get little more than you bargained for as you get all possible columns of information and you also get a line of column headings. Sweet. Now you've got your ISA log selections into Excel making them easy to save and ponder over, send to someone, while you're troubleshooting ISA.

How will you use this Live Logging feature to troubleshoot ISA. Here's how I do it. Open up the ISA management console. Start the query. Have the person that can't do what ever it is, say open an SSL page, do it, while you are watching the logs. When you see the traffic generated by this attempt go by, stop the query. Then review the denied connection items for that persons name or IP address. If need be remove or add the columns of information that you need. I like to get it down to just the relevant information and get rid of the columns I don't need to see, like the empty ones. I find them distracting. Now you should be able to see what is stopping the user from getting to that SSL page. Once you have the what, you're well on your way to a solution. If you need to save this information for later, or you need to send it to someone to help you resolve the problem, then copy and paste only the relevent columns into Excel.

Once you get the hang of it, Live Logging will be your new best friend too.

Finally Categories, sort of

2005-10-05T19:37:00.000-04:00

I recently discovered the power of Blogger Search and have implemented it on this site. Finally you and I will be able to search the blog and locate the information that we're looking for. I've added two things. The first is a Search This Blog link. This will take you to the Blogger Search page for this blog. Once there Just add your search term into the box like this blogurl:isainsbs.blogspot.com firewall client, where firewall client is the search term that I added to the end of the search string.

The second thing I added are category links. These are pre-defined search terms. Just click the link you like and blogger search will bring up the relevant posts.

The only snafu I've run into with this so far is that it won't search back farther than March 2005. What's up with that? Even so, this feature makes the blog so much more useful that I'm going to live with it for now. Enjoy!

From Jim Harrison - Add this to your ISA TO DO List

2005-10-03T14:10:00.000-04:00

Jim Harrison posted are very useful email on several lists in which he outlines 2 quick registry changes that you'll want to make to improve the performance of your ISA 2004 Server. Here's his text unedited:

- Tired of the ISA sending NetBT broadcasts when DNS lookups fail?

This setting:

HKLM\SystemCurrentControlSet\Services\NetBT\Parameters NodeType, DWORD, 0x2

..will cure that.

By setting this to a value of 2, You’re telling Windows to limit its name lookup efforts to defined DNS and WINS servers.

As a result, Windows will no longer wait for NetBT broadcasts to fail before reporting a name lookup failure.

Can you say “faster lookup responses and therefore faster connections (or failures)”, boys and girls?

- MS05-019 fixed an ICMP MTU vulnerability that existed in Windows.

Because the ISA team was aware of this issue before ISA 2004 shipped, they opted to give you a “safe by default” configuration since they had no idea if or when the Windows issue might be fixed.

Unfortunately, it also has the unfortunate side effect of limiting Windows to 576-byte packets on all interfaces, reducing network efficiency

This setting:

HKLM\SystemCurrentControlSet\Services\Tcpip\Parameters EnablePMTUDiscovery, DWORD, 0x0

..is what the ISA installer creates.

This setting:

HKLM\SystemCurrentControlSet\Services\Tcpip\Parameters EnablePMTUDiscovery, DWORD, 0x1

..is what will remove this protection (or you can delete the “EnablePMTUDiscovery” value).

Both settings require a machine reboot to take effect.

Both settings will clean up your network traffic a bit.

Spammers Be gone

2005-10-02T11:44:00.000-04:00

I didn't want to do it but I had to. The comment section of this blog got spammed. You'll now be required to enter word verification in order to post. Sorry about that.

Sometimes VOIP w/SIP works with ISA

2005-09-18T11:54:00.000-04:00

...other times it doesn't. The determination depends completely upon who wrote the software for the VOIP system.

System types that work include those that come with their own router and those that encapsulate SIP. For example I use Lingo. Lingo comes with its own router and uses regular phones. This router ends up as the only device with an IP on your network and it handles all of the SIP stuff internally. It's managed from Lingo's website. On my network I put the device on the outside because I don't know enough about the internal workings of the router to trust it. On the flip side, I know someone else that put it on the inside of the network for the exact same reason. The point is because it doesn't ask ISA to handle SIP for it, it works.

I also recently worked on getting a SIP CRM application through ISA. This app by five9.com has two java apps that have to work together. One app handles the phone call and the other app handles the CRM and pops up the contact info when a call comes in. It's a slick distributed call center. It worked with ISA because the SIP was actually being handled on the host end with the results being passed through a java client to the end user. So what on the surface appeared to be a SIP VOIP application was really just 2 java apps and an SSL website.

The difficult part of implementing these solutions for clients is working your way through the documentation provided by the vendor. Here's what we got from five9 when we asked what ports were required:
1) IP (local machine)/ Port 8443 (HTTPS)
2) IP 64.69.76.10 / Port 80 (HTTP)
3) Port 5060 UDP (SIP)
4) Port 8000 UDP (RTP)
5) Port 8001 UDP (RTCP)
6) Port 3478 UDP (STUN)
6) Allow incoming TCP traffic from IP addresses ranges
207.218.174.65 - 207.218.174.95
206.132.222.224 - 206.132.222.254
208.49.229.64 - 208.49.229.124

If you have personal firewall installed on the PC, please also make sure the following ports are opened for the loopback (127.0.0.1)
traffic:

1) Port 1196
2) Port 1197

Outgoing traffic to UDP Port 5060.

Full access to these URL:
http://apps.five9.com

All incoming traffic to these IP address:
207.218.174.70
or
All Incoming traffic to this IP range:
207.218.174.65 to 207.218.174.95

My reaction to any request that has this many open port requirements is no and that’s what I would have advised my client. In this case the situation came to me after the money had already been spent.

Now don't get me wrong I'd rather have vendors fess up than deny that they require anything out of the ordinary. I just get a little bent when a single app requires many ports.

The first thing I did was load up the application without making any ISA changes, I then watched the logs for what happened when I ran the app. Next I added 8443 to the SSL range, then I ran the app and let the logs tell me what happened. The next thing I did was wonder if I had the right set of instructions from the vendor because what I saw in the logs had very little in common with the instructions I received.

Vendors take note: in this case the app is very cool and it works. But at this time it appears you are going to loose the customer because you dragged them through a month of unnecessary ugliness that finally resulted in them giving up on your support and hiring outside help at their own expense. Vendors if you don’t know ISA, then you’d better contract with someone who does or you’ll probably loose the client. If you are to promise full configuration services then you’d better make sure you can deliver.

As it happens all we needed to do to get this VOIP app to work through ISA was make sure that the java apps could get through ISA using direct access, add to our tunnel port range and make sure everyone using the app was running the latest version of the firewall client.

The moral of the story is that you can’t trust vendor instructions when it comes to ISA. Do your own DD (due diligence) and use the ISA logs to determine what steps you need to take. The firewall client is your friend. It’ll handle a lot of port availability issues for your clients on the fly without admin intervention.

Update to WPAD post made

2005-09-13T13:15:00.000-04:00

I updated the wpad post to reflect the latest beta version on the file and instructions. Also, note that I've been told that the final version will appear on the Microsoft ISA downloads page.

SBS 2003 Unleashed Discount Offered

2005-09-07T09:25:00.000-04:00

Eriq blogs that a discount is being offered for early orders of the SBS Unleashed book. Order now to save a few bucks.

See the post at On Q.

SBS2003 Unleashed Coming Soon - 2 ISA2004 Chapters

2005-08-18T09:06:00.000-04:00

I was recently privileged to write 2 chapters on ISA2004 for the soon to be released SBS 2003 Unleashed book by SAMS. The first announcement that I've seen is available
at Amazon.

The book is meant as a more advanced look at SBS post SP1.

The lead author is Eriq Neale. I am merely the author of 2 of the books 27 chapters. Great care has gone into making this book full of real how-to examples and troubleshooting by individuals with expertise in the specific area. If you are looking to learn more about ISA and SBS2003 SP1 this is going to be the book to get. Expected availability is November 22.

Interesting ISA2004 KB's

2005-08-16T15:12:00.000-04:00

ISA in SBS - yes, it's secure

ISA Server 2004 may stop responding when IP addresses from multiple subnets are bound to the same adaptor

The daily summary and the log report do not contain details of network traffic that passes through an ISA Server 2004 computer

New ISA Scripts Website

2005-08-16T12:53:00.000-04:00

ISA in SBS - yes, it's secure

In his own words:

My name is Jason Fossen and I'm a consultant specializing in Microsoft Windows security. I regularly teach a six-day course on Windows security for the SANS Institute, including a course on ISA Server. This web site is where I share materials with my conference attendees, consulting clients, and anyone interested in Windows network security. isascripts.org

The scripts come packaged in a single zip file and admittedly most won't be of use to SBS admins but a few of them will be, like these:

ISA_Server_2004_Error_Codes.xls
Spreadsheet of names, descriptions and hex numbers of ISA Server 2004 error, cache and response codes.

ISA_Manage_SSL_Ports.vbs
View and edit permitted outbound HTTPS ports (see KB283284).

Download and be careful.

Top Issues After SBS SP1 Upgrade

2005-08-11T11:32:00.000-04:00

ISA in SBS - yes, it's secure

Check out Susan Bradley's Blog entry on SBS SP1. She lists the most common issues and a couple could apply to your upgrade from ISA2000 to ISA2004.