Search This Blog

Wednesday, September 26, 2007

ISAserver.org - September 2007 Newsletter

ISAserver.org Newsletter of September 2007
Sponsored by: Collective Software LLC
------------------------------------------------------------------------------
In this issue:
ISA Firewall News Bits
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Tip of the Month
ISA Firewall Links of the Month
Blog Posts
Ask Dr. Tom


Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Take Control of your Proxy Traffic with ClearTunnel and ISA Server
(http://collectivesoftware.com/Products/#ClearTunnel
)Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better-- now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now.(http://collectivesoftware.com/Products/#ClearTunnel
)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. ISA Firewall News Bits
By Thomas W Shinder MD, MVP

This month the IAG 2007 received a new service pack. If you're not aware of the IAG 2007, it's Microsoft's SSL VPN gateway based on the Whale SSL VPN product. Service Pack 1 includes a number of functionality and stability updates that will make this SSL VPN gateway the best in the business, if you judge "best" by being the most secure SSL VPN gateway.

The ISA Firewall Supportability Update has been released since the last time this newsletter went out. What you'll get is an update to your ISA 2006 Firewall so that it looks and acts like an ISA 2004 SP3 Firewall. Now ISA 2006 Firewall admins can have the advanced logging and troubleshooting features that the ISA 2004 Firewall admins have. You'll find a download link further down this newsletter.

On a more personal note, I'm glad to tell you that since the last newsletter I went over the 45,000 mark on the number of posts on the ISAserver.org message boards. It sort of snuck up on me, as I had no idea I was getting that close to 50,000. I think when I hit 50,000 posts, I'll change careers and become a long haul truck driver.

One last thing before I go. Jim Harrison reported this month that we had a minor victory on the ISA Firewall configuration front. For years we've been telling people here on ISAserver.org that putting the ISA Firewall on a domain controller is not supported, except when the ISA Firewall is integrated on SBS.

Of course, a good number of people who wanted to do this tried to figure it out on their own because there was no official statement from Microsoft that putting the ISA Firewall on a DC isn't supported. Well, now it's official. Microsoft has put ISA on DC on their list of unsupported configurations. Sometimes the good guys win!

That's all for now! If you have any questions or comments, you're always welcome to send them to me at tshinder@isaserver.org(mailto: tshinder@isaserver.org)

Thanks!

Tom

=======================

Quote of the Month - "More often than not, it's not"

-- Thomas W Shinder MD commenting on how often network problems are due to the ISA Firewall

=======================

------------------------------------------------------------------------------

2. Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
By Thomas W Shinder

Tom and Deb Shinder's best selling books on ISA Server 2000 were the "ISA Server Bibles" for thousands of ISA Server 2000 network administrators. Tom and Deb Shinder present you with their next ISA Server book, Configuring ISA Server 2004. This book leverages the over two years of pre-release experience Tom and Deb have had with ISA Server 2004, from pre-alpha to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA Server 2004 and they have shared the Good, the Great, the Bad and the Ugly of ISA Server 2004 with their no holds barred coverage of Microsoft's new one of a kind application layer inspection firewall.

While the ISA Server 2000 books were good, Configuring ISA Server 2004 is even better. Tom and Deb bring their unique "insider's perspective" to provide you with information that isn't and won't be available anywhere else! Order your copy of Configuring ISA Server 2004 by clicking the link. You'll be glad you did.

Click here to Order your copy today: http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver1-20/

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Take Control of your Proxy Traffic with ClearTunnel and ISA Server
(http://collectivesoftware.com/Products/#ClearTunnel
)Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better-- now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now.(http://collectivesoftware.com/Products/#ClearTunnel
)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

bt-LogAnalyzer Voted ISAserver.org Readers' Choice Award Winner - Reporting
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Reporting-bt-LogAnalyzer-Jun07.html

On Web Listeners and Web Publishing Rules
http://www.isaserver.org/tutorials/Web-Listeners-Web-Publishing-Rules.html

Win a Copy of Collective Software's ClearTunnel or a 3CX Phone System!
http://www.isaserver.org/news/ISAserver-Site-Survey-2007.html

Publishing Exchange 2007 Outlook Autodiscover with 2006 ISA Firewalls
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html

Product Review: Collective Software's ClearTunnel
http://www.isaserver.org/tutorials/Product-Review-Collective-Software-ClearTunnel.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Here are some interesting and useful ISA Server related articles posted by Microsoft in the last month:

Blank page or page cannot be displayed when you view SSL sites through ISA Server
http://support.microsoft.com/kb/283284/en-us

Cannot Perform Load Balancing with Network Load Balancing and Server Publishing Enabled
http://support.microsoft.com/kb/288574/en-us

Web Proxy clients do not directly access a Web site that you enter in the "Directly access these servers or domains" list in ISA Server 2004 SP2
http://support.microsoft.com/kb/920715/en-us

RPC clients cannot use Kerberos authentication to authenticate with a server that you publish behind ISA Server 2004, Enterprise Edition
http://support.microsoft.com/kb/917145/en-us

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017/en-us

Description of the Internet Security and Acceleration (ISA) Server 2006 Supportability Update package
http://support.microsoft.com/kb/939455/en-us

Error message when you access a Web site through ISA Server 2006: "HTTP 400 - Bad Request"
http://support.microsoft.com/kb/941293/en-us

A Web client may receive incorrect responses from a Web site that is published in ISA Server 2006 when multiple Web clients access the published Web site
http://support.microsoft.com/kb/937451/en-us

An ISA Server 2006 Web Proxy client receives error code 502 when a user tries to visit certain Web sites
http://support.microsoft.com/kb/935693/en-us

------------------------------------------------------------------------------
5. Tips of the Month

Need to get host names in the ISA Firewall logs for SecureNET clients? Then check out <A href="http://forums.isaserver.org/m_2002052804/mpage_1/key_/tm.htm#2002053312"> this tip</A> from Tarek.

Having a hard time troubleshooting a possible problem with a service on the ISA Firewall? Then check out the debugging tool mentioned in <A href="http://forums.isaserver.org/m_2002052942/mpage_1/key_/tm.htm#2002053311">this thread</A>.

Want to increase your ISA Firewall's performance? Check out <A href="http://forums.isaserver.org/m_2002048052/mpage_1/key_/tm.htm#2002052830">this tip </A>on PMTU Blackhole setting.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Take Control of your Proxy Traffic with ClearTunnel and ISA Server
(http://collectivesoftware.com/Products/#ClearTunnel
)Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better-- now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now.(http://collectivesoftware.com/Products/#ClearTunnel
)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

A great review of GFI WebMonitor 4.0

http://www.elmajdal.net/isaserver/Product_Review_GFI_Web_Monitor_4.aspx

ISA Firewall Quick Tip : Assigning the Same Static IP for a VPN Client

http://www.elmajdal.net/isaserver/Assigning_the_Same_Static_IP_for_a_VPN_Client.aspx

Information about the ISA Firewall Supportability Update

https://blogs.technet.com/isablog/archive/2007/09/17/isa-server-2006-supportability-update.aspx

Learn about SANs and how the ISA Firewall works with them

https://blogs.technet.com/isablog/archive/2007/08/29/certificates-with-multiple-san-entries-may-break-isa-server-web-publishing.aspx

Find out about the diagnostic improvements in ISA 2004 SP3

https://blogs.technet.com/isablog/archive/2007/08/26/diagnostic-improvements-in-isa-server-2004-service-pack-3.aspx

Find out how to get the password change feature to work in ISA 2006 Web Publishing of OWA sites

https://blogs.technet.com/isablog/archive/2007/08/23/password-change-with-fba.aspx

Excellent ISA Firewall and IAG 2007 blog by Shijaz Abdulla

http://blog.shijaz.com/

------------------------------------------------------------------------------
7. Blog Posts

Microsoft Internet Security and Acceleration (ISA) Server 2006 Supportability Update
http://blogs.isaserver.org/shinder/2007/09/12/microsoft-internet-security-and-acceleration-isa-server-2006-supportability-update/

ISA Firewall Freedom Day Declared
http://blogs.isaserver.org/shinder/2007/09/09/isa-firewall-freedom-day-declared/

GFI WebMonitor Competition on ISAserver.org
http://blogs.isaserver.org/shinder/2007/09/09/gfi-webmonitor-competition-on-isaserverorg/

How to Enable Integrated Authentication for Outlook RPC/HTTP Clients to Prevent Authentication Prompts with 2006 ISA Firewalls
http://blogs.isaserver.org/shinder/2007/09/06/how-to-enable-integrated-authentication-for-outlook-rpchttp-clients-to-prevent-authentication-prompts-with-2006-isa-firewalls/

Get Hotfixes from PSS without using the Phone
http://blogs.isaserver.org/shinder/2007/09/01/get-hotfixes-from-pss-without-using-the-phone/

Observations from the Realm of the Mush-Mouthed Media
http://blogs.isaserver.org/shinder/2007/09/01/observations-of-the-realm-of-mush-mouthed-media/

------------------------------------------------------------------------------

8. Ask Dr. Tom

QUESTION: Hey Tom<BR><BR>I've gone through ALL configs over and over again including RPC/HTTP troubleshooting checklist at <A href="http://blogs.isaserver.org/shinder/2007/06/27/basic-troubleshooting-for-rpchttp-publishing-exchange-2003/">http://blogs.isaserver.org/shinder/2007/06/27/basic-troubleshooting-for-rpchttp-publishing-exchange-2003/ All is OK. HTTPS connections work fine internally. As soon as I test from outside...nothing. Eventually, all connections fail and Outlook goes offline. I have set this up using your tutorial for single exchange publishing (identical!) as well as similar referrals to technet, petri, and others. This is Outlook Anywhere only, not OWA (OWA works when I set it up to test but then remove the policy to focus on RPC/HTTPS). The log shows a failed connection attempt for the RPC/HTTP rule with an HTTP status code of 0x80004005. I've searched everywhere and can only find cryptic info about this and even less as it applies to ISA. Please refer this to an appropriate post if needed. Please help...I'm at wits end. Thank you -Bpatlen

ANSWER: Usually these very difficult to troubleshoot issues are due to certificates, typos, and authentication problems. Check the common names on the certificates, make sure they match what you've done in the Web Publishing Rule. Make sure there are no typos in the certificate names and in the ISA Firewall's Web Publishing Rule. If there is a device in front of the ISA Firewall, make sure it isn't changing the nature of the connection to the ISA Firewall. Make sure the ISA Firewall is a domain member. Consider implementing an integrated or parallel split DNS infrastructure. Finally, make sure the Outlook client has the CA certificate of the issuing CA in its Trust Root Certification Authorities store. And one more thing - make sure the Certificate bound to the Web Listener has a private key.

QUESTION: Hi Tom,<BR><BR>First I want to thank you for a great blog and some invaluable help through this website and your books :) <BR><BR>I'm experiencing the described problem. When browsing websites with Windows Media Player video content, Windows Media Player will prompt for credentials. I installed the Firewall Client without any effect. As far as I can see Windows Media Player is still acting as a web proxy client.<BR><BR>How would you ensure that Windows Media Player (or any other program) is actually using the Firewall Client? I've solved the credentials problem by allowing unauthenticated access to html video content. But I would prefer to have all web browsing authenticated. Regards --Eske

ANSWER: This is sometimes caused by setting content type restrictions on an Access Rule. If you have any Access Rules configured to control by content type, you might want to change those so that no content type filtering is done. Also, try enabling the Enable Integrated Windows Authentication (requires restart) option in the Internet Options in Internet Explorer.

QUESTION: Hi Tom,<BR><BR>
Hoping you might be able to provide insight? I'm still looking through the Forums but to summarize here is what's happening.<BR><BR>
Running Windows 2003 Enterprise R2 with SP2 and ISA 2006 with multiple nics for Internal, DMZ, WAN and VPN. On Aug 13, installed the MS updates and patches and lost VPN, All other services seem to work including Rule of PcAnywhere to a specific internal PC (I know not safe).
Seems the Wan Miniport (PPTP) is gone... Microsoft says uninstall, shutdown, restart and use wizard to reinstall, still no joy, tried 3 times, also uninstalled suggested patches and even tweaked registry with MS support on line. Still after 15 days, no VPN. Microsoft has no knowledge base for errors and is now starting to create a virtual server with our build to troubleshoot.<BR><BR> Thanks! Dandersen

ANSWER: The most likely reason for this kind of mysterious behavior on the ISA Firewall is Windows Server 2003 SP2. This service pack introduced a bug that can stop the ISA Firewall from passing certain types of traffic. For more details, check out <A href="http://blogs.isaserver.org/shinder/2007/08/16/windows-server-2003-sp2-rrs-bug-biting-all-over/">http://blogs.isaserver.org/shinder/2007/08/16/windows-server-2003-sp2-rrs-bug-biting-all-over/

QUESTION: I read your article about the SSL Security Hole and how ClearTunnel solves the problem. I'm using WebMonitor 4.0 to block downloads of various file types. Right now users are able to download blocked file types over an SSL connection. Will ClearTunnel allow the WebMonitor 4.0 to catch and block these files? We were thinking of using Blue Coat but the prices they charge are insane! Thanks! -Zeke.

ANSWER: Yes! ClearTunnel (<A href="www.collectivesoftware.com">www.collectivesoftware.com) closes the SSL Security Hole and allows all of your add-ons to perform application layer inspection of SSL sessions. ClearTunnel is very flexible and extremely easy to configure. If you compare it to Blue Coat, I think you'll find ClearTunnel is less expensive, easier to configure, and provides higher performance per dollar than Blue Coat. You can get details on ClearTunnel from my review at <A href="http://isaserver.org/tutorials/Product-Review-Collective-Software-ClearTunnel.html">http://isaserver.org/tutorials/Product-Review-Collective-Software-ClearTunnel.html

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Take Control of your Proxy Traffic with ClearTunnel and ISA Server
(http://collectivesoftware.com/Products/#ClearTunnel
)Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better-- now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now.(http://collectivesoftware.com/Products/#ClearTunnel
)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Take Control of your Proxy Traffic with ClearTunnel and ISA Server
(http://collectivesoftware.com/Products/#ClearTunnel
)Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better-- now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now.(http://collectivesoftware.com/Products/#ClearTunnel
)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2007. All rights reserved.

No comments: