
Wednesday, December 19, 2007

ISAserver.org - December 2007 Newsletter

ISAserver.org Newsletter of December 2007
Sponsored by: Collective Software
------------------------------------------------------------------------------
In this issue:
Is 2008 the Year of "Re-perimeterization"?
Tom and Deb Shinder's Configuring ISA Server 2004 -- Order Today!
ISAserver.org Learning Zone Articles of Interest
KB Articles of the Month
Tip of the Month
ISA Firewall Links of the Month
Blog Posts
Ask Dr. Tom


Welcome to the ISAserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

------------------------------------------------------------------------------
------------------------------------------------------------------------------
Take Control of your Proxy Traffic with ClearTunnel and ISA Server
(http://www.collectivesoftware.com/NewsletterLink.shtml)

Question: My web filters and anti-virus can't stop users from connecting to secret proxies, unauthorized chats, and compromising web sites over HTTPS. Is there a solution?

Answer: Power-up your proxy with ClearTunnel! This award-winning software makes ISA web filters and anti-virus do their job better - now with ClearTunnel your server can transparently inspect and cache secure HTTPS/SSL content for the first time. Don't wait for the next trojan horse virus, close the SSL hole today.

Get a free evaluation of ClearTunnel from Collective Software now. (http://www.collectivesoftware.com/NewsletterLink.shtml)
------------------------------------------------------------------------------
------------------------------------------------------------------------------

1. Is 2008 the Year of "Re-perimeterization"?
By Thomas W Shinder MD, MVP

Ever since the release of the ISA 2004 firewall, I have made it a point in many of my articles to discuss the importance of categorizing your computing assets and assigning them to security zones that are physically or logically isolated from one another. My main motivation for pushing this security philosophy is that the ISA 2004 and ISA 2006 firewalls are the ideal solution for providing this kind of segregation of computing assets based on security zones.

It's been a hard struggle to get this message across. At the same time that I've been pushing for strong access control based on security zones and ISA firewall segregation of those security zones, another camp has been pushing the concept of "death of the DMZ" and "there are no more perimeters", giving readers the impression that there is no need for security zones and segmentation based on those zones.

While I haven't given up fighting the good fight of "least privilege" for network communications, it has seemed that the uphill battle was getting steeper and steeper. People whom I would otherwise consider strong advocates of least privilege were saying to me, "the solutions are so complex that the relative security advantages might be lost in the complexity and increased risk of firewall misconfiguration". This is especially frustrating, because these kinds of comments come from people who understand the ISA Firewall and security zoning very well, but believe that perimeterization just isn't worth the effort.

Given all this, you can imagine my surprise when I had a discussion with someone within Microsoft about the future of "re-perimeterization"! While I had never heard the term "re-perimeterization", I found out that what they meant by it was security zone-based network segmentation! I've been blowing the horn for this for years and getting pushback even from those within Microsoft. But now, it seems someone on the inside appreciates the security value provided by security zone-based network segmentation.

Their idea of "re-perimeterization" is that core network infrastructure services should be placed behind a network security device in order to protect them from other hosts and workstations on the network. For example, the Exchange Server, the SQL Server, the SharePoint Server, the domain controllers and the Web servers should be segregated from the users by putting them on a network services segment. Yes! Someone finally heard that security zones and perimeterization are not only not dead, but a key requirement for secure network design and regulatory compliance.

What do you think? Could 2008 be the year of "re-perimeterization"? Are you ready to redesign your networks so that you segregate your core infrastructure assets from the workstations? Do you think there is any value in having strong access control, monitoring and reporting of all connections made to these assets? Do you think there are better ways of doing this, such as NAP or IPsec server and domain isolation? Let me know! I'll include your opinions and observations in the next newsletter. Just send me a note at tshinder@isaserver.org (mailto:tshinder@isaserver.org)

Finally, this is the last ISAserver.org newsletter for the year. I hope that 2007 was a good year for all of you and that all your wishes for a happy holiday season for you and yours come true. I'm looking forward to some good things happening on the ISA Firewall and IAG 2007 front in 2008, and I'll be sharing that information with you each month in the newsletter and on the ISAserver.org Web site.

Thanks!

Tom

=======================

Quote of the Month - "Why did they break the Microsoft advanced KB search?"

Thousands of Admins trying to find the latest KB articles for the products they manage

=======================

------------------------------------------------------------------------------

2. ISA Server 2006 Migration Guide - Order Today!
By Thomas W Shinder

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did. Order it here:

http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/

------------------------------------------------------------------------------

3. ISAserver.org Learning Zone Articles of Interest

More on Exporting ISA objects to and from 2000, 2004, 2006
http://www.isaserver.org/tutorials/Exporting-ISA-objects-2000-2004-2006.html

Creating a Custom VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 1)
http://www.isaserver.org/tutorials/Creating-Custom-VPN-Client-Access-Policy-Connect-Outlook-MAPI-Clients-Microsoft-Exchange-Part1.html

Creating a Customer VPN Client Access Policy to Connect Outlook MAPI Clients to Microsoft Exchange (Part 2)
http://www.isaserver.org/tutorials/Creating-Customer-VPN-Client-Access-Policy-Connect-Outlook-MAPI-Clients-Microsoft-Exchange-Part2.html

Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 1)
http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZPart1.html

Allowing Inbound L2TP/IPSec NAT Traversal Connections through a Back to Back ISA Server Firewall DMZ (Part 2)
http://www.isaserver.org/tutorials/Allowing-Inbound-L2TPIPSec-NAT-Traversal-Connections-through-Back-Back-ISA-Server-Firewall-DMZ-Part2.html

------------------------------------------------------------------------------
4. KB Articles of the Month

Each month for the last several years we've included the most recent KB articles regarding the ISA Firewall. In order to provide this service, I used the advanced search feature on the Microsoft Web site, located at http://support.microsoft.com. In the past, you could filter your search for the last 3 days, or the last 7 days, or the last month, or the last six months, etc. Now when you go to the search site at http://support.microsoft.com, you're presented with a very simple interface that doesn't allow you to filter your searches at all. All you can do is enter a search term, that's it. No way to list the results by date, no way to limit your search to MSDN, or any of the other options we used to have. This breakage of the search site started about two weeks ago and we're still hoping that they'll fix it soon. Until then, we'll have to suspend the KB articles of the month feature because there's no way to figure out what KBs came out in the last month!

------------------------------------------------------------------------------
5. Tips of the Month

Richard Hicks wrote in last month with a great tip on how to automate routing table entries on a new ISA Firewall. Check this out:

"I am writing in response to a request you made in your latest newsletter (November 2007) for any "must have" settings on ISA firewalls. What I have to offer isn't so much a setting, but more of a way to automate a critical setting required when configuring an ISA firewall - the routing table.

For deployments such as ours, with a massive internal network that spans the globe, getting the routing table configured correctly is vital to the proper operation of an ISA firewall. With numerous registered networks that are internally reachable, manually typing in a bunch of "route add -p blah blah blah..." at the command line can be tedious, time consuming, and of course prone to error. My solution was to create a quick VBScript that automates this. My script prompts you for the gateway you wish to use, then reads a text file that contains the network address and subnet mask for each of our internal networks and populates the registry with that information. The code is as follows:

###

' Adds persistent static routes to the registry from routes.txt.
' Each line of routes.txt must be "network,mask", e.g. 10.100.20.0,255.255.252.0;
' the line is used verbatim as the first half of the registry value name.
Option Explicit

' Note: with this setting a failed RegWrite (bad line, no admin rights) is silent.
On Error Resume Next

Dim Shell, Gateway, FSO, File, Line

Const ForReading = 1

' Every route in the file is written with this gateway and a metric of 1.
Gateway = Trim(InputBox("Enter the Default Gateway for this Network: "))

If Gateway = "" Then
    WScript.Quit
End If

Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.OpenTextFile("routes.txt", ForReading)

Set Shell = CreateObject("WScript.Shell")

Do Until File.AtEndOfStream
    Line = File.ReadLine
    ' TCP/IP reads persistent routes from value names of the form
    ' "destination,mask,gateway,metric"; the value data is an empty REG_SZ.
    ' The method and its arguments must be one statement: keep them on one
    ' line or continue it with "_", otherwise VBScript reports a syntax error.
    Shell.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\PersistentRoutes\" & _
        Line & "," & Gateway & ",1", "", "REG_SZ"
Loop

Set Shell = Nothing
Set File = Nothing
Set FSO = Nothing

MsgBox "Static Routes Added Successfully!", vbInformation, "Update Complete"

###

I'm sure this code could be cleaned up a bit, with additional bounds checking and error handling, but it works for me. I would be very interested in hearing what you think of this tip."

Great tip, Richard! Thanks!
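Richard's script trusts every line of routes.txt, and with On Error Resume Next a mistyped network or mask is either written as a broken route or skipped without a word. The script below is an added example (not Richard's code and not part of the original newsletter): it validates each line with Python's ipaddress module, builds the same "destination,mask,gateway,metric" value names his script writes under the PersistentRoutes key, and refuses to write anything if a single line is bad. The file name routes.txt, the gateway 10.100.10.1 and the sample networks are constructed for the example.

```python
"""Validate routes.txt and build PersistentRoutes value names before any
registry write. Added example; mirrors the value-name layout written by the
VBScript above under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\
Parameters\\PersistentRoutes (name "destination,mask,gateway,metric", empty
REG_SZ data) but rejects malformed lines instead of writing them."""
import ipaddress

PERSISTENT_ROUTES_SUBKEY = (
    r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes"
)

# Constructed sample routes.txt: two good routes, then four bad lines.
SAMPLE_ROUTES_TXT = """\
# network,mask  (constructed sample, not from the newsletter)
10.100.20.0,255.255.252.0
10.100.24.0,255.255.252.0
10.100.30.0,255.255.252.0
10.100.24.0,255.255.252.0
192.168.200.0,255.255.0.255
not a route
"""
SAMPLE_GATEWAY = "10.100.10.1"  # constructed


def parse_route_line(line):
    """Parse one 'network,mask' line into normalised (network, mask) strings.

    ipaddress does the checking: a non-contiguous mask raises
    NetmaskValueError and host bits set under the mask raise ValueError
    (strict=True), so 10.100.30.0 with a /22 mask cannot slip through.
    """
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 2:
        raise ValueError("expected 'network,mask', got %r" % line)
    net = ipaddress.IPv4Network((parts[0], parts[1]), strict=True)
    return str(net.network_address), str(net.netmask)


def build_route_values(lines, gateway, metric=1):
    """Return (values, errors): values maps registry value name -> "" for
    every good line; errors lists (line_number, reason) for rejected ones."""
    gw = ipaddress.IPv4Address(gateway)  # ValueError if the gateway is junk
    values, errors = {}, []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the file
        try:
            network, mask = parse_route_line(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
            continue
        name = "%s,%s,%s,%d" % (network, mask, gw, metric)
        if name in values:
            errors.append((number, "duplicate route %s" % name))
            continue
        values[name] = ""
    return values, errors


def write_persistent_routes(values):
    """Write the value names under PersistentRoutes (Windows only, needs an
    elevated prompt). Not called by the sample run below."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PERSISTENT_ROUTES_SUBKEY,
                        0, winreg.KEY_SET_VALUE) as key:
        for name, data in values.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, data)


def check_sample():
    """Run the validator over the constructed sample file."""
    return build_route_values(SAMPLE_ROUTES_TXT.splitlines(), SAMPLE_GATEWAY)


if __name__ == "__main__":
    good, bad = check_sample()
    for name in good:
        print("OK   ", name)
    for number, reason in bad:
        print("SKIP  line %d: %s" % (number, reason))
    # Write only when every line validated: a half-applied routing table on a
    # firewall is worse than none.
    if bad:
        raise SystemExit("fix routes.txt before writing the registry")
```

Two things worth keeping in mind when using either script: routes written straight into the registry are only picked up when TCP/IP next starts, whereas route add -p installs the route immediately as well as persisting it; and the one place neither script can check is whether the gateway you typed is actually on-link for the ISA Firewall's internal interface, so verify that with route print afterwards.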

------------------------------------------------------------------------------

6. ISA Firewall Links of the Month

ISA 2006 EAL 4+ Common Criteria Evaluation
http://www.microsoft.com/isaserver/commoncriteria/default.mspx

A fine collection of ISA Firewall Webcasts
http://www.microsoft.com/technet/isa/community/sharpen.mspx

An update enables multicast operations for ISA Server integrated NLB
http://support.microsoft.com/kb/938550

ISA Firewall Quick Tip : How to Disable Caching of Specific Website
http://www.elmajdal.net/ISAServer/How_to_Disable_Caching_of_Specific_Website.aspx

ISA Firewall Virtual Labs!
http://www.microsoft.com/technet/isa/virtuallab/default.mspx

------------------------------------------------------------------------------
7. Blog Posts

A lesson learned by debugging Silverlight through ISA Server
http://blogs.isaserver.org/pouseele/2007/12/09/a-lesson-learned-by-debugging-silverlight-through-isa-server/

Multiple L2TP/IPsec VPN clients behind a NAT device
http://blogs.isaserver.org/pouseele/2007/11/24/multiple-l2tpipsec-vpn-clients-behind-a-nat-device/

Fixing Windows Media Player Authentication Prompts
http://blogs.isaserver.org/shinder/2007/11/22/fixing-windows-media-player-authentication-prompts/

Client requests to access a published Web site are blocked when you configure ISA Server 2006 to allow direct authentication to access a published Web server
http://blogs.isaserver.org/shinder/2007/10/17/client-requests-to-access-a-published-web-site-are-blocked-when-you-configure-isa-server-2006-to-allow-direct-authentication-to-access-a-published-web-server/

------------------------------------------------------------------------------

8. Ask Dr. Tom

QUESTION: I am getting an access denied HTTP 502 proxy error when I log on to any FTP site. I have read all articles and references on how to fix this but nothing works. What can I do? Any help is appreciated. For testing purposes, I even opened all ports internal to external and it still gets blocked. Thanks! - Carlos.

ANSWER: FTP problems are common for all firewalls. You mention that you're getting a proxy error, which indicates that you're using HTTP-tunneled FTP connections to the ISA Firewall, which also means that you're using the Web browser to access the FTP site. There are many issues that can lead to FTP problems, so there's no "magic bullet" to fix your problem. Check out the articles at Using Active PORT Mode FTP Programs from Behind the ISA Firewall (http://www.isaserver.org/pages/search.asp?query=FTP) and there's a good chance you'll find a solution there.

QUESTION: Dear Dr Shinder,

We are experiencing the following error message when accessing OWA from internally and externally.

Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: 192.168.96.22
Date: 07/12/07 12:43:06 PM
Server: ecdc-eln-isa01.ecdc.int
Source: proxy

We have a front end Exchange server that is configured for OWA and ISA 2004. I can access the page by using https://servername/exchange but not https://webmail.ecdc.co.za

Can you please guide me as to what I am doing wrong? --Prakash Odhav

ANSWER: You don't mention from where you're trying to connect to the OWA site through the ISA Firewall. I will assume that you're testing the configuration from an external client. The most likely reason for the error you're seeing is a mismatch with the name on the Public Name tab of the Web Publishing Rule that publishes the OWA site. Remember, the name on the Public Name tab must be the same as the common/subject name on the Web site certificate you're using on the Web listener. So, if you reach the site using https://owa.company.com/exchange, the name on the certificate must be owa.company.com. In addition, you need to configure your external DNS entries so that owa.company.com resolves to the IP address on the external interface of the ISA Firewall, or of the NAT device in front of the ISA Firewall that forwards the connections to the ISA Firewall's external interface.
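The answer above lists three things that must line up before a published OWA site will answer: the host name the user types must be on the rule's Public Name tab, that public name must be covered by the certificate bound to the Web listener, and external DNS must point the name at the ISA Firewall's external address (or the NAT device in front of it). The script below is an added example, not ISA Server code and not from the newsletter, that checks those three conditions offline against values you supply. It generalises the answer slightly: certificate names may be a CN or a subjectAltName entry, and a wildcard such as *.example.com is accepted for one left-most label, which is the matching rule browsers apply. Every name and address in it (webmail.example.com, 203.0.113.10 and so on) is constructed.

```python
"""Offline check of a Web Publishing Rule's public name, listener certificate
and external DNS. Added example; names and addresses are constructed."""
import ipaddress
from urllib.parse import urlsplit


def hostname_matches(host, pattern):
    """Case-insensitive DNS-name match. '*' may only stand for the entire
    left-most label (the RFC 6125 rule), so *.example.com matches
    webmail.example.com but not a.b.example.com or example.com itself."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if host == pattern:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = host[:-len(suffix)]
        return host.endswith(suffix) and head != "" and "." not in head
    return False


def check_owa_publishing(url, public_names, cert_names, dns_answer, isa_external_ip):
    """Return a list of findings; an empty list means the rule should accept
    the URL as far as naming is concerned.

    url             - what the user types, e.g. https://webmail.example.com/exchange
    public_names    - entries on the rule's Public Name tab
    cert_names      - CN and subjectAltName entries on the listener certificate
    dns_answer      - what external DNS returns for the host (None = no record)
    isa_external_ip - ISA's external interface, or the NAT device in front of it
    """
    host = urlsplit(url).hostname
    if host is None:
        return ["URL has no host name"]
    findings = []
    # 1. The requested name must be on the Public Name tab, otherwise ISA
    #    denies the URL (the 12202 error quoted in the question).
    if not any(hostname_matches(host, p) for p in public_names):
        findings.append("%s is not on the Public Name tab %s"
                        % (host, sorted(public_names)))
    # 2. Each public name must be covered by the listener certificate.
    for public in public_names:
        if not any(hostname_matches(public, c) for c in cert_names):
            findings.append("public name %s is not covered by certificate names %s"
                            % (public, sorted(cert_names)))
    # 3. External DNS must send clients to the ISA Firewall's external address.
    if dns_answer is None:
        findings.append("no external DNS record for %s" % host)
    elif ipaddress.ip_address(dns_answer) != ipaddress.ip_address(isa_external_ip):
        findings.append("%s resolves to %s but ISA's external address is %s"
                        % (host, dns_answer, isa_external_ip))
    return findings


def demo():
    """Constructed before/after pair modelled on the question above: the rule
    was built for owa.example.com but users type webmail.example.com."""
    broken = check_owa_publishing(
        "https://webmail.example.com/exchange",
        public_names=["owa.example.com"],
        cert_names=["owa.example.com"],
        dns_answer="203.0.113.10",
        isa_external_ip="203.0.113.10",
    )
    fixed = check_owa_publishing(
        "https://webmail.example.com/exchange",
        public_names=["webmail.example.com"],
        cert_names=["*.example.com"],  # wildcard covers webmail.example.com
        dns_answer="203.0.113.10",
        isa_external_ip="203.0.113.10",
    )
    return broken, fixed


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "no findings")
    print("after: ", after or "no findings")
```

Run it with the values from your own rule, listener certificate and public DNS zone; the first finding it reports is the one to fix first, since ISA evaluates the public name before the certificate ever comes into play.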

QUESTION: Hi Tom,

I would appreciate it if you could help with the current situation I'm having. I've been using ISA 2000 without any issues for years; I decided recently to configure an ISA 2006 server to replace the 2000 box and afford functionality for SharePoint that was not available in 2000.

My problem is this. I have 5 subnets:
10.100.10.0/22 - Local to head office
10.100.20.0/22 - Namibia
10.100.30.0/22 - Durban
10.100.40.0/22 - Port Elizabeth
10.100.50.0/22 - Cape Town
10.100.10.0/22 works fine and clients can connect without a problem, but all the other subnets cannot. They have all been added to the routing table and to the Internal Network config.

Pinging from the subnets works, but any other protocol is dropped as spoofed. When I examine the logs it would seem that ISA is seeing the serial interface of the router (i.e. 192.168.100.2 - Namibia) and dropping the packet.

I have created access and subnets for these locations but without any luck. I've been battling for 3 weeks and am unable to find any help on the subject.

Could you give me some advice on what to try next? Your response will be greatly appreciated.

Kind regards, Jeremy

ANSWER: If the ISA Firewall is seeing a NATed address from the other networks, then you need to include that NATed address in the definition of the ISA Firewall Network that the connection is being received from on the ISA Firewall. From what I can tell, you have a single default Internal ISA Firewall Network. In that case, you need to add the addresses being presented to the ISA Firewall, in this case, at least the address 192.168.100.2. However, this is problematic, since this is an off-subnet address, and therefore there needs to be a router between the ISA Firewall's internal interface and the NAT device that's presenting the 192.168.100.x addresses to the ISA Firewall. However, you might be trying to use the internal interface as a router, which worked with ISA 2000, but does not work with ISA 2006, because ISA 2000 did not perform stateful packet inspection on the internal interface, and ISA 2006 does perform stateful packet inspection on all interfaces.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
------------------------------------------------------------------------------

Visit the Subscription Management section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@isaserver.org.
Copyright © ISAserver.org 2007. All rights reserved.
