Thomas Shinder Blog (Archive: 2007)

Exchange Deployment and ISA Firewall Nightmare Scenarios — Getting to Know the "Nightmare on Exchange Street" and "Hork Mode Sandwich" Scenarios

If there were an award for putting together the worst possible security design for an Exchange Server organization, which topology do you think would win? In my experience, the winner would be something I call the Exchange Publishing Nightmare Scenarios, because they represent the worst-case scenarios for network security when deploying an ISA Firewall to secure Exchange Web services. The figure below shows the topology for one version of the Exchange Publishing Nightmare Scenario. We’ll call this the Nightmare on Exchange Street scenario.

Figure 2: topology of the Nightmare on Exchange Street scenario (image not reproduced in this text)

In the Exchange Publishing Nightmare Scenario the ISA Firewall is separated from the internal network by one third-party firewall and from the external network by another third-party firewall. As seen in the figure above, there are two “hardware” firewalls deployed: one on the edge of the corporate network and a back-end firewall in front of the corpnet. A DMZ segment hangs off the back-end “hardware” firewall, and a single-NIC “hork mode” ISA Firewall is deployed on that DMZ segment. There are several serious defects in this design:

  • The back-end “hardware” firewall represents an unnecessary point of failure
  • The back-end “hardware” firewall represents another opportunity for firewall misconfiguration – the most common cause of firewall-related security issues
  • The ISA Firewall is subjected to the security weaknesses of the back-end “hardware” firewall. A quick look at www.secunia.com shows that the ISA Firewall (2004 and 2006) has no active security issues. Compare this with any “hardware” firewall and you will see that the ISA Firewall is more secure than just about any hardware firewall

A variant of this Exchange Publishing Nightmare Scenario places a hork mode ISA Firewall in the DMZ between the “hardware” firewalls, something that I refer to as the Hork Mode Sandwich scenario.

The problem with the Hork Mode Sandwich and the Nightmare on Exchange Street scenarios is that the full firewall feature set is gutted from the ISA Firewall when it is deployed in hork mode. There is no technical reason for this type of deployment; the only reasons for it would be politics or ignorance. If you need or want to use a back-to-back firewall deployment, then place the ISA Firewall closest to the resources that need protection: the most secure firewall should be nearest the protected resource, and the ISA Firewall is most likely the most secure firewall in this scenario.

I’ve heard excuses that “the customer wants to do it this way”. That is not an acceptable excuse. Would you give a child a loaded gun to play with just because he wanted it? Would you hand a kid a stick of dynamite and a match because he likes to blow things up? Of course not. You use your superior knowledge of guns and explosives (at least compared to the child’s understanding) to protect the child.

In the area of Exchange security using the ISA Firewall, you are the expert and it is your responsibility to protect the customer from poor security designs, regardless of what the customer “thinks” he wants.

I’m fortunate because I can turn down customers who want to harpoon their network security due to their lack of understanding of strong network security principles and the ISA Firewall. If you’re not as lucky as me, and you are forced to deploy desultory security designs such as the Nightmare on Exchange Street and Hork Mode Sandwich scenarios, then protect yourself on both a moral and a potentially legal front by having the customer sign a release statement that releases you from responsibility for security breaches due to the poor security design demanded by the customer. You’ll be glad you did.

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

ISA Firewall Quick Tip : Installing ISA Server 2006 Remotely

Tarek Majdalani, an ISA Firewall MVP, has posted a new article on how to install the ISA Firewall remotely. Check it out at:

http://www.elmajdal.net/ISAServer/Installing_ISA_S...y.aspx

HTH,

Tom


GFI releases new web security and web filtering solutions for SMBs

GFI WebMonitor for ISA Server available in three versions to meet administrators’ particular web management requirements

London, UK, 22 August, 2007 – GFI Software, a leading developer of network security, content security and messaging software, today announced the release of the latest version of GFI WebMonitor for ISA Server, a solution that gives administrators comprehensive control over corporate web usage and what employees are downloading from the Internet. GFI WebMonitor 4 boosts employee productivity and increases security whilst maintaining optimum use of the Internet as a business tool.

The Internet is an important business-to-business (B2B) resource but uncontrolled and unmonitored access could lead to lower productivity when employees waste time browsing non-work related material. Research carried out by IDC shows that up to 40% of employee Internet activity is non-work related and this includes the downloading of music files, usage of social sites like Facebook or eCommerce sites like eBay and browsing the web for personal entertainment. Access to the Internet also increases the risk of viruses, spyware and unauthorized software being downloaded. Such activity can lead to malicious software active on companies’ systems, leading to security breaches and data loss.

A practical method of mitigating these unwanted aspects of the corporate Internet connection would be to deploy GFI WebMonitor. This solution grants the administrator full control over Internet resources to create a secure online experience, to proactively counter risks of vicarious liability and, in turn, to set higher efficiency levels.

GFI WebMonitor for ISA Server is available in three editions, offering administrators a specific or holistic web management solution. These are: the WebFilter Edition; the WebSecurity Edition and the UnifiedProtection Edition, a suite that delivers a secure browsing experience through the use of multiple anti-virus engines, increases productivity through the WebGrade URL Filter and drives implementation of user web policies through granular download control policies.

WebFilter Edition
The WebFilter Edition of GFI WebMonitor for ISA Server comes with WebGrade, a 100% human-reviewed site categorization database and web filtering technology that gives administrators control over what sites users can browse and block access to websites in particular categories, such as adult, online gaming, P2P and travel websites. The WebFilter Edition permits real-time web monitoring of all corporate web activity and also bandwidth monitoring. Administrators are also able to proactively enforce company policy on a per-user basis to filter out unwanted web usage.

WebSecurity Edition
The WebSecurity Edition provides the tools needed to create download control policies and monitor what files employees are downloading from the web and to block particular file-types such as mp3s. GFI WebMonitor increases the probability of detecting viruses since it uses multiple virus scanning engines to scan all downloaded files. The WebSecurity Edition also reduces the potential risks of social engineering by blocking access to phishing websites through the use of an auto-updatable database of phishing URLs. In so doing administrators are also lowering the risk of data-leakage from within the company.

UnifiedProtection Edition
Other features common to both editions include monitoring of which websites users are browsing and what files are being downloaded; monitoring and blocking of those applications that connect to their home pages to download updates; the ability to track download and upload traffic and URL hits over time; allow exceptions through the use of whitelists and blacklists; and controlled access to the configuration and monitoring interfaces.

“GFI WebMonitor delivers three major benefits that previously were available only to customers with enterprise-level budgets. First, GFI WebMonitor on an ISA Server can deliver a secure browsing experience for employees by protecting them against viruses, spyware and fraudulent websites. Second, it can enhance productivity by controlling access to websites such as adult and bandwidth hungry sites and, third, it aids the implementation of company security policies through Active Directory integrated features,” David Vella, Director of Product Management at GFI said.

“We are offering excellent performance, benefits and functionality at a price that is affordable for SMBs. At the same time, the product is easy to use and requires the administrator to spend less time configuring and maintaining the system,” he added.

A free trial of the three editions of GFI WebMonitor is available for download from http://www.gfi.com/downloads/downloads.aspx?pid=we...lid=en. Clients who would like to purchase either edition can do so through any of GFI’s authorized resellers. Full pricing details can be found at http://www.gfi.com/pricing/pricelist.aspx?product=webmon.

About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong, Adelaide and Hamburg which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners throughout the world. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.

ISA 2006 clients are repeatedly prompted for credentials when they try to access Outlook Web Access

So you’ve installed Windows Server 2003 SP2 on your ISA Firewall and now your external Outlook Web Access (OWA) clients are getting repeated authentication prompts. What’s up with that? Looks like it’s our usual suspect — the Windows Server 2003 RSS bug! Who’d a thought the RSS bug would cause this problem? I didn’t.

The good news is that there’s a fix for this. Go to:

http://support.microsoft.com/kb/936702/en-us

And you’ll find the instructions on how to fix the problem.

HTH,

Tom


New ISA Firewall Information Site by Adrian Dimcev

Adrian Dimcev, a big ISA Firewall fan, has put up a new ISA Firewall information site. Adrian has a lot of useful and detailed information about the ISA Firewall and how to set up the ISA Firewall in a virtualized environment for testing purposes. In addition, Adrian is putting together a very detailed series of documents on how the ISA Firewall’s L2TP/IPSec server and protocols work. I highly recommend this site, and it’s worth your time to check it out.

Visit Adrian Dimcev’s site at: http://www.carbonwind.net

HTH,

Tom


ISA Firewall Quick Tip : How To Allow Cisco VPN Client To Connect Through ISA Server

Tarek Majdalani has a great ISA Firewall tip over on his Web site on how to allow the Cisco VPN client outbound access through the ISA Firewall. Check it out at:

http://www.elmajdal.net/isaserver/How_To_Allow_Cis...r.aspx

HTH,

Tom


Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004

Troubleshooting FTP access problems leaves many ISA Firewall admins bald from tearing their hair out trying to find a solution. Here’s a great KB article on a specific cause of FTP problems related to the Firewall client.

Check it out at:

http://support.microsoft.com/kb/884580/en-us

HTH,

Tom


How to configure an ISA Server computer for a very large number of authentication requests

Most performance-related problems with the ISA Firewall are due to DNS misconfiguration or disabling Path MTU Discovery. However, if you have a busy ISA Firewall in a large enterprise environment, authentication might be slowing down your ISA Firewall. If your ISA Firewall has to deal with a lot of authentication requests, you can significantly speed up the Firewall by following the directions in this KB article:

http://support.microsoft.com/kb/326040/en-us

HTH,

Tom


Possible Solution for Hung RRAS Service

I’ve seen a number of posts in the VPN boards on the ISAserver.org message boards regarding site-to-site VPNs that stop working, where the only way to get them up again is to restart the ISA Firewall machine. Attempts at restarting the RRAS service don’t work.

The problem appears not to lie with the ISA Firewall itself, but with the RRAS service on Windows Server 2003. You can check out this KB article and get a hotfix at:

http://support.microsoft.com/kb/888090/en-us

HTH,

Tom


Jim Harrison’s Definitive Guide on Troubleshooting RPC/HTTP Publishing

That’s right! Jim has created a new guide to troubleshooting RPC/HTTP publishing. If you have any problems with your RPC/HTTP publishing, you need to check out Jim’s guide first. If you still can’t figure out the problem, then come on over to the ISAserver.org Web boards and we’ll see what we can do to help.

Check out the guide at:

https://blogs.technet.com/isablog/archive/2007/08/...g.aspx

https://blogs.technet.com/isablog/archive/2007/08/...s.aspx

https://blogs.technet.com/isablog/archive/2007/08/...s.aspx

HTH,

Tom

