This blog will be removed in a couple of months. I encourage everyone to follow me on my new blog at http://www.thirdtier.net/blog
thanks for reading...Amy
A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.
This is the last post for this particular blog.
I've been so busy lately that I haven't had a chance to blog much. Thank goodness that the official ISA blog has picked up the slack. :) They've put out some great posts lately including today's: Logging Diagnostic Improvements in SP3. You definitely need to check it out.
ISA will be featured in the technical track at SMB Nation this year. My presentation back in March at SMBTN was well received. I'll be building on that presentation. I will demonstrate several configurations that are in demand for SMB consultants:
Situating SBS on the edge of the small business network has always been a controversial topic. A network in a box for small companies has to include some kind of firewall doesn't it? So through the years it was RRAS, Proxy 2.0, ISA 2000 and ISA 2004. With word out that SBS will no longer be supported on the edge that means that ISA on that box and RRAS are both out of the picture. Considering that most SBS servers are currently protected by RRAS that's significant.
The official word:
Microsoft unveiled a new product, code name Stirling, yesterday at Tech-Ed. For those wondering where ISA is going in the future, here's a hint. There is also another product under development under a different code name that non-enterprise businesses will also be interested in.
ISA 2004 SP3 is here.
Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista
In using AuthAnvil to create a secure two-factor remote access for the SBS servers we manage it was decided that we'd like to allow users to enroll the Cryptocard token we've provided themselves. AuthAnvil allows this through a self service token enroll website located on IIS. We'll use SSL to publish this site.
While loading an ISA2004 onto new hardware I ran into a problem where the firewall service would not run. When something like that happens on a new install you get that sinking feeling that it's going to be a long night.
Found a KB article that resolved a perplexing problem for us today. A Vista 64-Bit Ultimate edition PC was unable to join the domain. The error message stated a problem with RPC. This usually points to the local firewall but in this case it was ISA and a hotfix is needed to resolve it. This hotfix is available from the download center. No call to PSS required!
The ISA team has blogged about some issues affecting ISA after an installation of Windows 2003 SP2. The original post is here.
The Microsoft ISA Product Team is working on the next version of ISA. As part of the work, the team is currently recruiting customers for its internal customer programs, namely TAP (Technology Adoption Program) and the Advisory Group. Interested customers, consultants, solution providers and others can contact ngtprcrt@microsoft.com to start the nomination process.
There's a great conference coming up March 15-18th. It's the SMB Summit, the 3rd annual SMB Technology Network conference. It's being held at Disneyland. Have a look at the sessions and the speakers. If you are a small IT firm looking to grow, this is the place to be.
In a previous blogpost I pointed you to the ISA Product Team blog for instructions on how to allow iTunes through ISA. I've got a little personal experience with this now and some new information for you.
Once you have your "site" created check the box Request Compressed HTTP Content from Servers.
You'll be able to speak to the iTunes servers now.
Good news! Today is the official release day for AuthAnvil. This is an excellent addition to the RWW Guard product that Scorpion Software also offers. I've seen it in action. This is a must have for IT firms servicing multiple clients and for all small businesses taking advantage of the many remote access features of SBS. There's nothing like knowing for certain who is logging into your server.
I'll be attending the SMBSummit at Disneyland from March 15-17. This conference is organized by the SMB Technology Network. If you are looking for good technical information on SBS and good business information on running a small consulting firm this is the place to be.
Many admins learned how to create reports by opening up the log files in ISA 2000 and using Excel features to organize the data in a meaningful way. Contrary to popular opinion, you can use Excel to generate a report using ISA 2004 with MSDE logging much easier than in ISA 2000 flat files.
Recently on a mailing list a question was asked for someone to explain how ISA does logging to MSDE and why you sometimes see a lot of log files for the same day. Dana Epp, of Scorpion Software, quickly responded with a very concise and clear response.
Google converted my blog over to the new format and because of this the RSS feed address changed. Here's the new one: http://isainsbs.blogspot.com/feeds/posts/default?alt=rss
For the second year I have been awarded an MVP for ISA. This recognition means more to me than any certification because it is a peer nominated award for my participation and contribution to the ISA community. A lot of amazing people are MVPs and I'm honored to be in their company.
I'd like to put in a big thank you to several people that made a difference in the world of ISA support in 2006.
A price we pay for putting ISA on the same physical box as our Exchange server in SBS 2003 is that we're unable to make use of the SMTP features in ISA. You can however use Exchange Defender, a third party SMTP filtering service, to reduce incoming spam (among other nice features). If you are planning to implement Exchange Defender you'll want to have a look at Susan Bradley's article on how to configure ISA to work with it. You can find it here. I'll add this reference to the App section on the blog website as well.
ISA in SBS - yes, it's secure
How to obtain the version of Firewall Client for ISA Server (December 2006) that includes Windows Vista support
Recently there's been a rash of clients needing to set up open wireless access for visitors. For the record, I hate open wireless. But some clients won't be convinced. Since this is the real world we do what we can do to protect them. Depending on the circumstances there are 3 options:
I've come across reports of 7 separate servers where after installing ISA 2004 SP2, the DHCP server does not work as expected. Reports are that the DHCP receive/request rules are in place but not functioning. The current resolution is to create a new set of DHCP receive/request rules.
The configuration of your NICs can have a significant and difficult to diagnose effect upon your ISA server. If you are using auto negotiation on your NICs and Switches it may slow down the performance of your server while under load. Read the article below for an explanation and considerations.
ISATools.org has gotten a makeover and it looks great. The site is much easier to navigate now.
I received this question in my mailbox the other day. It wasn't the first time. Thought I may as well post the answer too.
The new firewall client is available for download and should be installed on all workstations. This new firewall client supports 64-bit OS and resolves a conflict with Defender. All versions of ISA are supported.
Over at SmallBizServer.net a new article has been published on how to publish a Microsoft Project Server portal through ISA 2004. You can read the article here.
Jeff at ABC Solutions has created a PDF file documenting how to replace the self-signed SSL certificate that the SBS wizard creates for you with a certificate from GoDaddy. Since this involves both IIS and ISA I wanted to call it to your attention. Good job Jeff and nice work on the PDF too. You can download the PDF here.
Finally getting a few moments to update the blog and accompanying website. What else are Sunday mornings for?
Thank you Susan Bradley for pointing out that Blogger now, finally, supports RSS. Effective immediately the RSS address is: http://isainsbs.blogspot.com/rss.xml
Lately I've seen too many ISA Firewall Policies with all of the custom created rules sitting at the top of the firewall policy. At the top isn't always the best place for a new rule. New rules should be placed according to function. There is a great TechNet article that explains how to determine where to place your new rule.
Occasionally I get requests for Internet Filtering. My answer is always the same. "If you need to filter the Internet you have an HR problem, not an IT problem." Once I get that out I backpedal a bit and let them know that we can create a list of allowed websites provided it isn't too long. If you would like to know how to do this then download the instructions under Amy's How To Articles at ISAinSBS. Then I back up a little bit further and let the client know that they can subscribe to a service like SurfControl or Websense and they'll let you slice, dice and filter the Internet in a huge variety of ways; but they're not cheap. The Internet landscape is constantly changing and these companies have poor souls whose job it is to view possibly objectionable websites and assign them a filter category.
At first I thought they were joking...FTPS...Never heard of it...you can't secure FTP without an application filtering firewall like ISA...that's right an FTP application filter. But twice recently something called FTPS has come to my attention and finally I had a situation where a client needed to access an FTPS server but couldn't.
The patch for this vulnerability is scheduled to be released in October. Meanwhile if you are concerned and would like to prevent this attack sooner, Microsoft has released instructions for configuring your ISA to block it. The TechNet article is Learn How Your ISA Server Helps Block VML Vulnerability Traffic.
The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections in Microsoft Windows Small Business Server 2003 Premium Edition SP1
I'll be attending the SMBNation in Redmond from September 7th - 11th. If you'll also be there look me up. It's always good to put a face with the comments!