Thomas Shinder Blog

Archive: January 2008

Collective Software’s Debugging Filter

You might remember Collective Software; they’re the smart guys who have put together several great solutions for ISA Firewall admins, the best among them being ClearTunnel, which allows you to perform outbound SSL bridging, and LCS-bridge, which allows you to use SIP with LCS sites published behind the ISA Firewall.

Collective Software has to do a lot of debugging when working with their products and the ISA Firewall, so they made a very cool debugging tool to help them with their work. The tool is implemented as a Web Filter, so it is very useful for getting inside the ISA Firewall’s head and figuring out where traffic is coming from. And because it’s a Web Filter, you can examine traffic moving through the ISA Firewall even in an SSL to SSL bridging scenario.

This is a 100% free filter and Collective Software would like to make this available to the ISA Firewall community as thanks for their support. You can use this to help in general troubleshooting, and if you create your own filters, it should help you even more.

You can find the tool and some documentation at:

http://www.collectivesoftware.com/Support/TrafficLog.pdf
http://www.collectivesoftware.com/Downloads/Traffi....6.msi

The Collective Software site is at

www.collectivesoftware.com

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Get Dr. Tom Shinder’s ISA 2006 Book — It’s the Best of Breed

Dr. Tom Shinder’s ISA Server 2006 Migration Guide provides a clear, concise, and thorough path to migrate from previous versions of ISA Server to ISA Server 2006. Because ISA Server 2006 is an incremental upgrade from ISA Server 2004, this book provides all of the tips and tricks needed to perform a successful migration rather than rehashing all of the features that were rolled out in ISA Server 2004. Also, learn to publish Exchange Server 2007 with ISA 2006 and to build a DMZ.

  • Highlights key issues for migrating from previous versions of ISA Server to ISA Server 2006.
  • Learn to Publish Exchange Server 2007 Using ISA Server 2006.
  • Create a DMZ using ISA Server 2006.
  • Dr. Tom Shinder’s previous two books on configuring ISA Server have sold more than 50,000 units worldwide.
  • Dr. Tom Shinder is a Microsoft Most Valuable Professional (MVP) for ISA Server and a member of the ISA Server beta testing team.
  • This book will be the Featured Product on the Internet’s most popular ISA Server site, www.isaserver.org.

Buy the book at: http://www.amazon.com/Shinders-Server-2006-Migrati...sr=8-2

About the Author
Thomas W. Shinder, MD is an MCSE and has been awarded the Microsoft Most Valuable Professional (MVP) award for his work with ISA Server and is recognized in the firewall community as one of the foremost experts on ISA Server. His first two books on ISA Server have sold more than 50,000 units worldwide. Tom has consulted with major companies and organizations such as Microsoft Corp., Xerox, Lucent Technologies, FINA Oil, Hewlett-Packard, and the U.S. Department of Energy. Tom is the primary contributor on ISAserver.org (www.isaserver.org), where he answers hundreds of questions per week on the discussion boards and is the leading content contributor.

=======================

Hey, that’s me! I hope you will enjoy our latest ISA Firewall book. We put together a great team to write this book and I guarantee you’ll learn new and valuable things on how to install, configure, manage and optimize your ISA Firewall deployments.

HTH,

Tom

Publishing Exchange 2007 may fail after installing the update "Update for Publishing Microsoft Exchange Server 2007 for ISA Server 2006"

I’ve always been a big fan of secure Exchange RPC publishing. It’s been a rocky ride for this protocol: the Blaster worm gave the RPC endpoint mapper port, TCP 135, a bad name, and many ISPs simply shut down this port without realizing that ISA Firewalls provided complete protection against Blaster and many other RPC exploits. Then RPC/HTTP became available with Outlook 2003, and that pretty much put Secure Exchange RPC publishing on the back burner.

Nevertheless, many companies can’t use RPC/HTTP and still require Secure Exchange RPC. If that’s you, and you’re using Exchange 2007, you might want to be aware of a problem with the KB925403 update for publishing Exchange 2007 with ISA 2006. This update might break your Secure Exchange RPC publishing.

The ISA Team Blog has a discussion on this problem and a solution. It’s worth checking out. Find it at http://blogs.technet.com/isablog/archive/2007/12/1...6.aspx

HTH,

Tom

HammerOfGod Computer Sets — Block and Log by Country

Tim Mullen, of www.hammerofgod.com, has produced the most comprehensive set of Computer Sets yet available. You can import these Computer Sets into your ISA 2006 Firewalls. Not only do these Computer Sets let you block connections by country, you can also build your ISA Firewall rules around them so that your logs accurately record which countries spam and attacks are coming from. There’s no end to the usefulness of these Computer Sets!

Three cheers to Tim for providing these to the ISA Firewall community, free of charge.

Find these sets at:

http://hammerofgod.com/download/ISASets/

HTH,

Tom

WebSpy Attains Microsoft Gold Certified Partner Status

WebSpy products such as the award-winning Vantage and ISA Server Suite have delivered real business benefits to companies by reducing risk and increasing productivity, whilst facilitating harmonious and open relations between employees and employers. WebSpy’s COO Lagis Zavros said that, “The tools are a great way for companies to truly assess and drive the behavior of their employees towards responsible usage of the network and Internet without alienating them.” He added, “This recognition by Microsoft further cements our relationship and shows that the Microsoft Partner Program can deliver real business value to partners.”

WebSpy supports over 150 vendor solutions, and as a Microsoft Independent Software Vendor (ISV) WebSpy also offers Microsoft’s Internet Security and Acceleration Server (ISA) as a unified solution for protecting organizations from Internet threats and reporting on user activity. For further details refer to:

http://www.webspy.com/isaserver/index.aspx

For more information: http://www.earthtimes.org/articles/show/webspy-att....shtml


HTH,

Tom

Administrating ISA Server 2006 Remotely Using MMC and Remote Desktop Connections

There are a couple of ways you can manage the ISA Firewall: you can use either an RDP connection to the ISA Firewall, or the ISA MMC console from a workstation somewhere on an ISA Firewall Protected Network. In this article, Tarek Majdalani goes through the details of each method available for managing the ISA Firewall or ISA Firewall array.

Check out the article at:

http://elmajdal.net/isaserver/Administrating_ISA_S...n.aspx

HTH,

Tom

Don’t Forget the ISA 2006 Supportability Update

I was showing a friend of mine my ISA 2006 firewall setup and configuration and he wanted to know why I had additional information appear in my log files and additional nodes in the left pane of the console. I told him you get those things when you install the ISA 2006 Supportability Update!

What do you get with the ISA 2006 Supportability Update? Check this out:

  • All software updates issued since ISA Server 2006 was released to manufacturing.
  • Improved log viewer functionality, including an enhanced details pane view, text coloring, and new log filtering functionality.
  • Updated ISA Server Microsoft Management Console (MMC) snap-in functionality that provides access to troubleshooting tools and options available directly from the ISA Server Management console.
  • Integration with the Microsoft ISA Server Best Practices Analyzer Tool. For more information, see http://go.microsoft.com/fwlink/?LinkId=79754.
  • New diagnostic logging functionality.

You can download the ISA 2006 Supportability Update at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

HTH,

Tom

Web proxy clients cannot download from an FTP server using PASV mode

Symptom: Attempts by Web proxy clients to download from a PASV mode FTP server fail.

Issue: By default, FTP traffic handled by Web Proxy Filter uses Active mode.

Solution: Set the DWORD value NonPassiveFTPTransfer to 0 in the registry on the ISA Server computer, which sets the mode to Passive. The default value is 1, indicating that Active mode is used. For information about setting this registry key, see the Microsoft Knowledge Base article 300641 “How to enable passive CERN FTP connections through ISA Server 2000 or ISA Server 2004 Standard Edition.” The registry instructions in this article also apply to ISA Server 2006 and ISA Server 2004 Enterprise Edition.

When setting this value in ISA Server 2004, you should ensure that ISA Server 2004 Service Pack 2 (SP2) is installed, to avoid the issue described in Microsoft Knowledge Base article 900256 “Error message when ISA Server 2004 Web Proxy client users try to access an external FTP site by using passive FTP functionality: ‘Error Code: 502 Proxy Error’.” Note that information in this article does not apply when using the Microsoft Windows® command-line FTP client, which cannot be used by Web proxy clients. In addition, the Windows command-line FTP client cannot work in Passive mode.

From: http://www.microsoft.com/technet/isa/2006/ts_outbo...p.mspx

HTH,

Tom

Clarifying ISA Firewall "Directionality" for Access and Publishing Rules

Tim Mullen came up with a good question the other day regarding directionality notations in his ISA Firewall’s log files. What appeared to be an inbound connection was logged as an outbound connection.

To clarify the situation, Jim Harrison came up with the following explanation, which indeed explains the situation very nicely:

===============================================

The traffic “direction” is determined by the rule.

What rule is quoted for the deny action?

If it’s the default rule, then that’s correct, because Access rules only deal in “outbound” traffic.

Since the “default deny rule” is an access rule, it deals only with “all outbound protocols”.

Here’s another conundrum to wrap up in your dilemma…

SvrPubRule

Primary Connection: TCP:666 Inbound

From: External

Access Rule

Primary Connection: TCP:666 Outbound

From: External

To: Local Host

If the SPR is listed first, it will “fire” and the traffic will be listed as “inbound”.

If the access rule is listed first, it will fire and the traffic will be listed as “outbound”.

===============================================

Thanks Jim!
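To make Jim’s point concrete, here is an added Python model of a first-match rule base, constructed for this post and not ISA code: the direction written to the log is a property of the rule that fires, so the same TCP 666 connection from External logs as Inbound when the server publishing rule is listed first and as Outbound when the access rule is, and a connection no rule covers falls through to the default rule, which is an access rule and therefore logs as Outbound.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a constructed model of ISA Firewall rule evaluation, not ISA
# code. Rules are checked in order, the first match "fires", and the direction
# written to the log belongs to the rule type, not to the packet:
# server publishing rules log "Inbound", access rules log "Outbound".

@dataclass
class Rule:
    name: str
    kind: str       # "publish" (server publishing rule) or "access" (access rule)
    action: str     # "allow" or "deny"
    protocol: str   # "TCP", "UDP", or "*" for any
    port: int       # 0 for any port
    src: str        # source network name, or "*"
    dst: str        # destination network name, or "*"

    def matches(self, protocol: str, port: int, src: str, dst: str) -> bool:
        return (self.protocol in ("*", protocol) and self.port in (0, port)
                and self.src in ("*", src) and self.dst in ("*", dst))

    @property
    def direction(self) -> str:
        return "Inbound" if self.kind == "publish" else "Outbound"

# The built-in default rule: an access rule denying "all outbound protocols".
DEFAULT_RULE = Rule("Default rule", "access", "deny", "*", 0, "*", "*")

# Jim's two rules for TCP 666 from External (constructed to match his text).
SVR_PUB_RULE = Rule("SvrPubRule", "publish", "allow", "TCP", 666, "External", "Local Host")
ACCESS_RULE = Rule("Access Rule", "access", "allow", "TCP", 666, "External", "Local Host")

def evaluate(rules: List[Rule], protocol: str, port: int,
             src: str, dst: str) -> Tuple[str, str, str]:
    """Return (rule name, action, logged direction) for the first rule that fires."""
    for rule in rules + [DEFAULT_RULE]:
        if rule.matches(protocol, port, src, dst):
            return rule.name, rule.action, rule.direction
    raise AssertionError("unreachable: the default rule matches everything")

if __name__ == "__main__":
    conn = ("TCP", 666, "External", "Local Host")
    print("SPR first   :", evaluate([SVR_PUB_RULE, ACCESS_RULE], *conn))
    print("Access first:", evaluate([ACCESS_RULE, SVR_PUB_RULE], *conn))
    # Nothing covers TCP 667: the default (access) rule denies it and logs "Outbound".
    print("Unmatched   :", evaluate([SVR_PUB_RULE, ACCESS_RULE], "TCP", 667, "External", "Local Host"))
```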

HTH,

Tom

Interesting Web Farm Load Balancing Facts that You Didn’t Know Before

Consider the following fun facts regarding Web Farm Load Balancing with ISA 2006 Firewalls:

  • Load balancing is not supported for Secure Sockets Layer (SSL) connections tunneled through the ISA Firewall (which is server publishing, not Web publishing). It is only supported in Web publishing, when the HTTPS connection is terminated at the ISA Firewall and then forwarded over HTTP or HTTPS to the Web farm (the HTTPS case being SSL to SSL bridging).
  • For SSL bridging scenarios, both IP affinity (source IP-based) and session affinity (cookie-based) are supported.
  • In an SSL to SSL bridging scenario, the servers in the Web farm authenticate to the ISA Firewall with a server certificate. You can deploy these certificates as follows:
    • Deploy a server certificate on each server in the Web farm. For example, if the server farm consists of Server1.internal.net, Server2.internal.net, and Server3.internal.net, you must acquire a unique certificate for each server, with the name of the farm member as it appears in the server farm object.
    • Alternatively, deploy a server certificate for the Web farm object. In this case, you acquire a certificate with the internal name you specified in the Web publishing rule for the farm, and deploy that certificate on each server in the Web farm, so every farm member presents a server certificate with the same name. The key is that this name is the one used in the Web publishing rule.
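The two certificate deployments above are easy to get half right, so here is an added Python check, not ISA code, that takes the rule’s internal name, the farm member names as they appear in the server farm object, and the subject name on each member’s certificate, and reports which scheme is in use or names the first member that breaks it. The rule name “webfarm.internal.net” is a constructed value.

```python
from typing import Dict, List

# Added example, not ISA code: validates the server certificate names that
# Web farm members present to the ISA Firewall in an SSL to SSL bridging
# rule against the two deployments the text allows.

def check_farm_certificates(rule_internal_name: str, farm_members: List[str],
                            cert_names: Dict[str, str]) -> str:
    """Return "per-server" or "farm-wide" when the names are consistent.

    cert_names maps each farm member to the subject name on the certificate
    installed on it.  Option 1: every member's certificate carries that
    member's own name as it appears in the server farm object.  Option 2:
    every member carries the same certificate, named for the rule's internal
    name.  Anything else raises ValueError naming the offending member.
    """
    missing = [m for m in farm_members if m not in cert_names]
    if missing:
        raise ValueError("no server certificate recorded for: " + ", ".join(missing))
    internal = rule_internal_name.lower()          # host names compare case-insensitively
    names = {m: cert_names[m].lower() for m in farm_members}
    if all(names[m] == m.lower() for m in farm_members):
        return "per-server"
    if all(n == internal for n in names.values()):
        return "farm-wide"
    for member, name in names.items():
        if name not in (member.lower(), internal):
            raise ValueError(f"{member}: certificate name '{cert_names[member]}' "
                             "matches neither the member name nor the rule's internal name")
    raise ValueError("members mix per-server and farm-wide certificate names; "
                     "the whole farm must use one scheme")

# Constructed farm, using the member names from the text.
FARM = ["Server1.internal.net", "Server2.internal.net", "Server3.internal.net"]

if __name__ == "__main__":
    print(check_farm_certificates("webfarm.internal.net", FARM, {m: m for m in FARM}))
    print(check_farm_certificates("webfarm.internal.net", FARM,
                                  {m: "webfarm.internal.net" for m in FARM}))
```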

For more information about Web Farm Load Balancing, check out:

http://www.microsoft.com/technet/isa/2006/deployme...b.mspx

HTH,

Tom