From: http://www.computerweekly.com/Articles/2007/07/13/...ts.htm
“This concentration on configuring the server for different roles also affects the host-based firewall, which for the first time is turned on in the server operating system by default. The built-in firewall, unlike Microsoft’s application-level ISA Server firewall, blocks traffic at the port level according to the role that the administrator defines for it.”
What does this guy think the ISA Firewall is? I can answer that question based on the above quote. He has no idea what the ISA Firewall is and what it does.
FACT: The ISA Firewall is a network layer and application layer inspection firewall with Web Proxy and VPN server and VPN gateway capabilities. That means the ISA Firewall can exert “port level” control, just like the built-in Windows Firewall in Windows 2008, but of course, much more secure because of the sophistication added by the Firewall Packet Filter driver and Firewall service driver.
LESSON: Never believe what a “reporter” tells you — trust only experts in the technology of interest if you want the facts.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
If you’re an RSS fan, I have some good news for you! ISAserver.org has added RSS feeds to the Web boards. Just look for the RSS icon on the board you’re interested in and add it to your reader.
The Microsoft Internet Security and Acceleration (ISA) Server Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their ISA Server computers and to diagnose current problems. The tool scans the configuration settings of the local ISA Server computer and reports issues that do not conform to the recommended best practices.
The ISA Server Best Practices Analyzer is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.
The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.
The ISA Server Best Practices Analyzer is supplied with two supplemental tools.
- The ISA Data Packager enables you to create a single .cab file containing ISA Server diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.
- BPA2Visio generates a Microsoft Office Visio® 2003 or Visio 2007 diagram of your network topology as seen from the ISA Server computer, based on output from the ISA Server Best Practices Analyzer Tool.
Download the new enhanced ISA Firewall BPA at:
http://www.microsoft.com/downloads/details.aspx?Fa...ang=en
- Date - July 3rd, 2007
- Category - News
A Community Technology Preview for Microsoft’s midmarket server, code-named Centro, is ready for download with many of the features now in Windows Server 2008 Beta 3 built in.
Centro combines Windows Server 2008 and Microsoft’s System Center line of management products. The CTP also has updates for System Center Essentials, Microsoft Exchange 2007 and security such as the ISA Firewall.
For more information: http://searchwinit.techtarget.com/originalContent/...0.html
Troubleshooting RPC/HTTP is not an easy task. The reason for this is that there are so many moving parts to an RPC/HTTP solution it’s often hard to figure out which part is broken. The ISA Firewall’s log files are of no help at all, so you have to take a different approach to troubleshooting RPC/HTTP publishing failures.
If your RPC/HTTP isn’t working, try checking for the following things:
- Make sure the ISA Firewall is joined to the domain — this is a basic ISA firewall security best practice
- In ISA 2004, make sure you’re using a different Web listener than that used by OWA forms-based authentication publishing. In ISA 2006, you can use the same listener because the listener will fall back to basic for the RPC/HTTP client
- Make sure you’re delegating Basic authentication in the RPC/HTTP Web Publishing Rule
- Make sure that the RPC/HTTP Web Publishing Rule is for authenticated users only. That can be all authenticated users, or selected users or groups
- Make sure your client is running Outlook 2003 on Windows XP SP1 and above
- Make sure your client has the CA certificate of the CA that issued the Web site certificate bound to the Web Listener that’s accepting connections from the RPC/HTTP client. This CA (root) certificate should be installed in the client’s Trusted Root Certification Authorities\Certificates machine certificate store.
- Make sure that you enter the correct name for the Web proxy in the client configuration. This may or may not be the same name of the mailbox server. It is always the common name on the certificate bound to the RPC/HTTP Web listener
- Make sure that IIS is installed on the OWA Web site
- Make sure that the RPC/HTTP Web Proxy service is installed on the OWA server
- Make sure a Web site certificate is installed on the OWA server
- Make sure that the name on the TO tab in the Web Publishing Rule is the same as the name on the Web site certificate bound to the OWA site
- Make sure that the /rpc directory on the OWA Web site is configured to use Basic authentication only
- Make sure the RPC over HTTP proxy service is starting by checking the Event Viewer
- Make sure you have configured RPC/HTTP service correctly on the OWA Server by using the Properties dialog box of that Exchange Server
While not a totally comprehensive list, if you can check on each of these issues, I’d estimate that you have a 90% chance of finding out what the problem is.
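The name, certificate and authentication items in the checklist above can be checked mechanically once the settings are written down. The following is an added example, not code from the original post or from Microsoft: the dictionary keys, host names and CA name are constructed for illustration, certificates are modelled on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the listener certificate is assumed to be issued directly by the root CA, as the checklist describes.

```python
def _cn(cert, field):
    """commonName from the 'subject' or 'issuer' of an ssl.getpeercert()-style dict."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _same(a, b):
    # Host names compare case-insensitively; a missing name never matches.
    return bool(a and b) and a.strip().lower() == b.strip().lower()

def check_rpc_http(d):
    """Return (check_id, detail) for every checklist item that fails."""
    out = []
    listener_cn = _cn(d["listener_cert"], "subject")
    owa_cn = _cn(d["owa_cert"], "subject")
    # Hop 1: Outlook client -> ISA Web listener.
    if not _same(d["client_proxy_name"], listener_cn):
        out.append(("client-proxy-name",
                    f"{d['client_proxy_name']} != listener CN {listener_cn}"))
    if _cn(d["listener_cert"], "issuer") not in d["client_trusted_roots"]:
        out.append(("client-root-ca", "listener certificate's CA not trusted by client"))
    # Hop 2: ISA Firewall -> OWA Web site ("To" tab of the publishing rule).
    if not _same(d["rule_to_name"], owa_cn):
        out.append(("rule-to-name", f"{d['rule_to_name']} != OWA site CN {owa_cn}"))
    # Authentication settings on the rule and on the /rpc directory.
    if d["rule_delegation"] != "basic":
        out.append(("rule-delegation", "rule does not delegate Basic authentication"))
    if not d["rule_authenticated_users_only"]:
        out.append(("rule-users", "rule is not limited to authenticated users"))
    if set(d["rpc_vdir_auth"]) != {"basic"}:
        out.append(("rpc-vdir-auth", "/rpc directory is not Basic-only"))
    return out

def _cert(cn, issuer):  # builds a constructed sample certificate
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer),),)}

# Constructed sample deployments (hypothetical names).
GOOD = {
    "client_proxy_name": "mail.example.com",
    "client_trusted_roots": {"Example Root CA"},
    "listener_cert": _cert("mail.example.com", "Example Root CA"),
    "rule_to_name": "owa.internal.example",
    "owa_cert": _cert("owa.internal.example", "Example Root CA"),
    "rule_delegation": "basic",
    "rule_authenticated_users_only": True,
    "rpc_vdir_auth": ["basic"],
}
BROKEN = dict(GOOD, client_proxy_name="exchange01.internal.example",
              rule_to_name="10.0.0.5", rpc_vdir_auth=["basic", "integrated"])
```

The two name checks are separate on purpose: the client compares its configured proxy name with the listener certificate, while the ISA Firewall compares the rule's "To" name with the OWA site certificate.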
Usually when I hear that SecureNAT clients stop working but Web Proxy and Firewall clients continue to work, it makes me think of a DNS issue. The reason for this is that SecureNAT clients must resolve host names themselves, while Web Proxy and Firewall clients allow the ISA Firewall to resolve names on their behalf.
However, I now think of something else when SecureNAT clients stop working but Web Proxy and Firewall clients can still connect to the Internet. Now when I hear this, I think of the receive-side scaling bug that was included with Windows Server 2003 Service Pack 2.
Read all about it here and check out the fix:
https://blogs.technet.com/isablog/archive/2007/03/...2.aspx
- Date - June 21st, 2007
- Category - News
Microsoft has just announced a CTP (Community Technology Preview) for Windows Server (codenamed Centro). Centro is also sometimes referred to as Windows Mid-Market Server, and is an integrated bundle of Microsoft products aimed at mid-size businesses and markets. Products integrated into the “Centro” system include Exchange Server 2007, System Center Essentials 2007, SQL Server 2005, ISA Firewall, and additional Forefront security software. The upcoming CTP of Centro will be based around Windows Server 2008 Beta 3, and should incorporate the latest technologies and improvements from that release. An updated version of Windows Small Business Server, codenamed Cougar and built around a similar product bundle, is also under development.
The final version of Centro will be 64-bit only, and is expected to ship some time in 2008. First announced in 2005, Centro was Microsoft’s attempt to offer an all-in-one solution to mid-size businesses that incorporates a variety of products and relevant licenses, rather than selling such offerings piecemeal.
For more information:
http://arstechnica.com/journals/microsoft.ars/2007...roduct
- Date - June 18th, 2007
- Category - News
Exchange Server Q&A with the MVP Experts
Exchange MVPs will be on hand to answer your questions about Exchange Server, Outlook and Exchange for Small Business Server. So if you are thinking of upgrading to Exchange Server 2007 or have questions about Exchange Server 2003 we hope you can join us for this informative online chat!
Chat 1
When: Tuesday June 19th
Time: 5pm PST or 8pm EST
Where: TechNet Chat Room www.microsoft.com/technet/community/chats/chatroom.aspx
No password required
Chat 2
When: Thursday June 21st
Time: 10am PST or 1pm EST
Where: TechNet Chat Room www.microsoft.com/technet/community/chats/chatroom.aspx
No password required
=============================================
Q&A with the Security MVP Experts
We invite you to attend a Q&A with the Microsoft Security MVPs. In this chat the MVP experts will answer your questions regarding online safety issues such as phishing, spyware, rootkits as well as server related topics. If you have questions on how to protect your PC, please bring them to this informative chat.
When: Thursday June 21st
Time: 4pm PST and 7pm EST
Where: TechNet Chat Room www.microsoft.com/technet/community/chats/chatroom.aspx
No password required
- Date - June 12th, 2007
- Category - News
Built under the code-name Stirling, the package of security applications will include Microsoft’s Antigen server anti-virus, anti-spam and content filtering technologies — in the form of its Forefront Security for Exchange Server and Forefront Security for SharePoint products — along with its Internet Security and Acceleration (ISA) Firewall software, Forefront Client Security desktop defence system, and network access control tools.
The system will also integrate elements of Microsoft’s Systems Center IT management platform, company officials said.
By pulling the various security programs together under a single umbrella, Microsoft officials said they can help customers more easily achieve their goals of making IT infrastructure easier and cheaper to manage while providing improved protection through tighter product integration.
One of the most important aspects of Stirling — which Microsoft plans to preview in 2007 and follow with a public beta version in 2008 before launching during the first half of 2009 — is a centralized management and reporting console.
For more information:
http://www.pcworld.idg.com.au/index.php/id;670407799
This is a little off topic, but someone asked a question on the blogs about a comparison between OWA and the Full Outlook client. I didn’t know of the existence of such a doc at the time, but I coincidentally found one today!
Check it out at:
http://www.microsoft.com/exchange/evaluation/featu...n.mspx