Thomas Shinder Blog

Archive: July 2008

USEast Technologies LLC acquires NS-Series ISA appliance support business from NEI Inc.

USEast Technologies will assume responsibility for supporting the Microsoft®-based NS Series installed base

Randolph, Massachusetts, July 29, 2008 - USEast Technologies announced today that it has reached an agreement with NEI, a leading provider of server appliance products and services for storage, security and communications software vendors, to assume responsibility for technical support and maintenance of its installed base of NS Series security products. The NS Series of products are security appliances based on Microsoft’s Internet Security and Acceleration (ISA) server technology and are installed in more than 500 locations worldwide. Under the agreement, NEI will continue to provide logistical support for the hardware component of the NS Series through USEast Technologies.

“We are pleased to partner with USEast Technologies to help support the NS Series installed base,” said Tom Brodeur, NEI’s senior director of global support services. “We have worked closely with Don Adams and his team in recent years to enhance NS customer support and we are confident USEast will provide superior support services for the NS customer base.”

“Don Adams and his team are well-versed in Microsoft security technology and should bring a revitalized commitment and enthusiasm to the NS Series ISA installed base,” said Dr. Thomas Shinder, Microsoft Forefront MVP and author of numerous books about Microsoft security technologies. “Don was intimately involved in the original design of the NS Series when he was employed by Network Engines, Inc., (renamed NEI) and I anticipate that USEast will soon offer the NS Series installed base exciting new Microsoft Forefront Edge security solutions.”

“We are excited about the opportunity to provide ongoing support for the NS appliance installed base,” stated Don Adams, president and founder of USEast Technologies. “We are currently contacting all customers and communicating our plans for providing support for the installed base of NS appliances and supplying NS Series upgrades. In the near future we will be communicating our plans for offering a new generation of Microsoft Forefront Edge Security appliances and solutions.”

About USEast Technologies LLC

USEast Technologies is based in Randolph, Massachusetts.  The company provides services and products for Microsoft security and virtualization technologies.  For more information about USEast Technologies, visit www.useast.com.

About NEI

Founded in 1997, NEI is headquartered in Canton, Massachusetts, and trades on the NASDAQ exchange under the symbol NENG. NEI network appliance solutions are made to ease and enhance the deployment, manageability, and security of IT infrastructure applications. With a heritage of providing product and service technologies tailored to support the entire lifecycle of its customers’ appliances, NEI has become the appliance partner of choice for OEMs, ISVs and software integrators worldwide. For more information about NEI’s products and services, visit www.nei.com.

Contact Info:

Send email to PR@USEast.com

Call 781-583-1448

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

LDAP Change Password Behavior Changes in ISA 2006 SP1

Rod Payne, on the ISAserver.org message boards (http://forums.isaserver.org/m_2002027432/mpage_3/tm.htm), brings up an interesting problem, and from what I can tell, an undocumented “problem”.

In Rod’s words:

“With the help of all of the experience posted here thus far, I have reached the point where almost everything is working.  The last problem I have is that if “user must change password at next logon” is set, they are not prompted to reset the password when logging in using FBA.  Instead, they are returned to the logon page and have the message, “You could not be logged on to ISA Server. Make sure that your domain name, user name, and password are correct, and then try again.”  Not much of a clue for the user.  I assume that the same thing will happen with a naturally expiring password (but it is harder to create a test case).

If they first select “I want to change my password after logging on”, then they get the password change screen and they can change their expired password and log on. 

Since password changes work, even on expired accounts, it looks like everything is set up correctly for LDAPS, certificates, web listener, etc.

When someone attempts to log on using an expired password, is it supposed to go to the change password page and have them change it, or are they supposed to know (somehow) that it is expired and that they need to check the “I want to change my password after logging on”?”

It does sound like a problem, since I know that in the past users were presented with information that they needed to change their passwords when their passwords expired. I made a few guesses trying to figure out what the problem was, but then Rod said that PSS told him that this behavior was “by design” and the case was closed. It seemed interesting that it was “by design” because there was no evidence of this behavior when the product was designed (i.e., RTM) :)

Jim Harrison jumped in and clarified things:

“ISA 2006 SP1 did change this behavior for FBA using LDAP as the credentials authority.

As CSS said, this is to help guard against auth attacks.  If the attacker receives a “you must change your password” response, 1/2 the battle is won because he knows that the account is valid.

When ISA is allowed to participate as a domain member, it can use Windows calls to verify the account password status.

It’s not possible for ISA to validate the account password status when using LDAP as a credentials authority and so only a valid logon is allowed to change a password.”

So there you go. If you didn’t know about this, you do now. If you haven’t read this, you probably won’t know, because there is no information about this change in the ISA 2006 SP1 doc :)

HTH,

Tom

You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains

Now here’s an interesting problem. What happens when you have multiple domains in the same forest that the ISA firewall belongs to and the same user name exists in multiple domains? The user might not be able to log on!

The following scenario can lead to this problem:

  • You use Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish a local intranet site.
  • You enable forms-based authentication (FBA) and the Allow users to change their passwords feature for the Web Listener.
  • The ISA Server is a member of a domain. For example, the domain is Domain1.
  • There are multiple domains in the forest, and there are user accounts that exist with the same account name in different domains. For example, the user accounts are Domain1\user1 and Domain2\user1.
  • One of the user accounts is disabled. For example, Domain1\user1 is disabled.
  • You try to use the other user account to log on to the local intranet site. For example, you use Domain2\user1 to log on to the local intranet site.

What to do? Check out http://support.microsoft.com/kb/952675 for a solution to this problem.

HTH,

Tom

You may not receive notifications for new messages after you publish an internal Exchange Server 2007

One of my favorite features of the ISA firewall is secure RPC publishing. While this feature took a hit after the Blaster worm was released to the wild, the hit wasn’t related to the RPC publishing feature. In fact, the secure Exchange RPC publishing feature actually protected all Exchange Servers published behind the ISA firewall.

I have to admit that the attractiveness of the secure RPC publishing solution isn’t what it used to be, given that we now have RPC/HTTP and can publish RPC/HTTP servers behind the ISA firewall and do it securely by taking advantage of the HTTP Security Filter.

However, RPC/HTTP does have a number of requirements that some ISA firewall admins don’t want to deal with. There are the certificate deployment issues, you need the right version of Outlook, and you need the right versions of Exchange and Windows. If you can’t meet all of these requirements, then secure RPC publishing remains a good solution.

However, if you have Exchange Server 2007 behind an ISA 2006 firewall and use secure Exchange RPC publishing, you might find that while users can connect to the Exchange Server, they don’t receive new mail notifications. The problem is that the UUID for the notification RPC interface is missing from the properties of the Exchange RPC Server protocol. You’ll see this happen after installing update 925403 on the ISA firewall, the update that adds support for publishing Exchange 2007.

You can fix this problem by installing ISA 2006 SP1. If you don’t want to install SP1, you can work around the problem by adding the correct RPC interface to the definition of the Exchange RPC Server protocol.

Go to http://support.microsoft.com/kb/951713 for the details on how to add the new RPC interface.

HTH,

Tom

Shijaz Abdulla’s ISA Firewall Misconfiguration Dirty Dozen

Shijaz Abdulla is an ISA firewall MVP and maintains a great site over at www.shijaz.com. I found an interesting article he did on the top 12 configuration or design errors people make with the ISA firewall. These errors include:

  1. Using a single NIC or “hork” mode ISA firewall
  2. Incorrect default gateways on published servers
  3. Contradictory firewall rules
  4. IP addressing errors on the firewall’s NICs
  5. Installing services on the firewall that create port contention
  6. SMTP Fix-Up on a front end PIX
  7. FTP clients are unable to upload
  8. Windows Server 2003 SP2 and the Scalable Networking Pack
  9. Scheduling limitations
  10. Multiple default gateways on the firewall
  11. Wrong common name on Web site certificates bound to Web Listeners
  12. DNS server configured on multiple NICs on the firewall

Check out Shijaz’s full article for the details over at:

http://www.shijaz.com/isaserver/top_10_isa_blunders.htm

HTH,

Tom

Publishing Microsoft CRM 4.0 through ISA Server 2006

Yuri Diogenes on the ISA/TMG/IAG team and Henning Petersen on the Microsoft CRM team have teamed up to put together a great article on how to publish CRM 4.0 through the 2006 ISA firewall.

Check it out here:

https://blogs.technet.com/isablog/archive/2008/07/...6.aspx

HTH,

Tom

Changing the Defaults for ISA 2006 SP1 Diagnostic Logging

One of the big improvements with SP1 for the ISA 2006 firewall is the diagnostic logging feature. I covered diagnostic logging in my article on ISA 2006 SP1 over at http://isaserver.org/tutorials/New-ISA-Firewall-20...2.html

By default, the number of entries allowed for a query is limited to 10,000 and there is a 30 second timeout for query execution. In most cases these will be good enough. However, if you find that you’re running up against these limits, you’ll want to increase them (or in some circumstances, decrease them). Here’s how you do that:

1. Click Start and then Run. In the Run dialog box, type regedit.

2. Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

3. Right-click Microsoft, and then create the following key if it does not exist: RAT\Stingray\Debug\UI

4. To specify the maximum number of entries that the query should handle and the timeout value, do the following:

a. Right-click UI, click New, and then click DWORD(32-bit).

b. Create the following value: DIALOG_QUERY_MAX_RECORDS

c. In DIALOG_QUERY_MAX_RECORDS, specify a maximum value for the number of entries that can be handled by the query.

d. Create the following value: DIAGLOG_DLVIEWER_TIMEOUT

e. In DIAGLOG_DLVIEWER_TIMEOUT, specify the query timeout value.
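The same change scripted in PowerShell, as an added example rather than anything from the post or from the ISA Server documentation: the key path and the two value names are exactly the ones in the steps above; the function names, the sample numbers (20,000 entries, 60 seconds) and the assumption that the timeout value is entered in seconds are mine, since the post does not say which unit that value uses. Run it from an elevated prompt on the machine where you use ISA Server Management.

```powershell
# Added example (not from the original post): scripted version of the regedit
# steps above for the ISA 2006 SP1 diagnostic logging viewer limits.
# Key path and value names are taken from the post. The function names, the
# sample numbers and the unit assumed for the timeout are assumptions.

$IsaDiagLogKey = 'HKLM:\SOFTWARE\Microsoft\RAT\Stingray\Debug\UI'

function Get-IsaDiagLogLimits {
    # Show what is currently configured. A missing value means ISA is using
    # its built-in default (10,000 entries and a 30 second timeout per the post).
    $maxRecords = $null
    $timeout    = $null
    if (Test-Path -Path $IsaDiagLogKey) {
        $props      = Get-ItemProperty -Path $IsaDiagLogKey
        $maxRecords = $props.DIALOG_QUERY_MAX_RECORDS
        $timeout    = $props.DIAGLOG_DLVIEWER_TIMEOUT
    }
    New-Object -TypeName PSObject -Property @{
        MaxRecords = $maxRecords
        Timeout    = $timeout
    }
}

function Set-IsaDiagLogLimits {
    param(
        [int]$MaxRecords     = 10000,  # default stated in the post
        [int]$TimeoutSeconds = 30      # default stated in the post; "seconds" is an assumption
    )
    if ($MaxRecords -le 0 -or $TimeoutSeconds -le 0) {
        throw 'MaxRecords and TimeoutSeconds must be positive.'
    }
    # Step 3: create RAT\Stingray\Debug\UI under HKLM\SOFTWARE\Microsoft if it is missing.
    if (-not (Test-Path -Path $IsaDiagLogKey)) {
        New-Item -Path $IsaDiagLogKey -Force | Out-Null
    }
    # Steps 4a to 4e: both values are DWORD (32-bit); -Force overwrites an existing value.
    New-ItemProperty -Path $IsaDiagLogKey -Name 'DIALOG_QUERY_MAX_RECORDS' `
        -PropertyType DWord -Value $MaxRecords -Force | Out-Null
    New-ItemProperty -Path $IsaDiagLogKey -Name 'DIAGLOG_DLVIEWER_TIMEOUT' `
        -PropertyType DWord -Value $TimeoutSeconds -Force | Out-Null
    # Read the key back so the caller sees what was actually written.
    Get-IsaDiagLogLimits
}

# Sample run: raise the limits to 20,000 entries and 60 seconds (sample numbers).
Get-IsaDiagLogLimits
Set-IsaDiagLogLimits -MaxRecords 20000 -TimeoutSeconds 60
```

Calling Get-IsaDiagLogLimits first records the values in place before you change them, which is worth keeping alongside the change since these overrides do not show up anywhere in the ISA Server Management console itself.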

For more information, check out the ISA Server 2006 SP1 feature doc at:

http://www.microsoft.com/downloads/details.aspx?di...f6ae50

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/UAG)

You cannot remove ISA Server 2006 updates on a computer that is running ISA Server 2006 Configuration Storage Server or the ISA Server Management MMC snap-in

Consider the following scenario:

  • You have a computer that you use as a Microsoft Internet Security and Acceleration (ISA) Server 2006 Configuration Storage Server or as a management console. You do not use this computer as an ISA server.
  • You install an ISA update or a service pack on this computer.
  • You open the “Add or Remove Programs” item in Control Panel to remove this update.

In this scenario, you find that a Remove button does not appear in the ISA Server 2006 update entry in the Currently installed programs list. In this entry, a note states the following:

This update cannot be removed.

If you try to remove the update manually, you may receive an error message that resembles the following:

Setup failed while trying to get server settings from the Configuration Storage server required for the installation.

This also applies to ISA 2006 SP1.

Check out the solutions at:

http://support.microsoft.com/kb/941106/en-us

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Microsoft Security Architect / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/UAG)

64-bit RPC traffic fails across ISA Server 2006

Yuri Diogenes comes up with an interesting problem related to RPC communications between two 64-bit hosts when there is an ISA firewall between them. The good news is that ISA 2006 SP1 fixes the problem.

Check out the details at:

https://blogs.technet.com/isablog/archive/2008/07/...6.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Troubleshooting IAG Path Validation Problems

If you’re an experienced ISA firewall admin, you probably have had a chance to configure the firewall’s HTTP Security Filter to increase the level of security the firewall can apply to both inbound and outbound connections. While the HTTP Security Filter is useful, it does suffer from a couple of limitations. One of those limitations is the lack of support for Regular Expressions.

The Forefront Intelligent Application Gateway (IAG) does not suffer from this limitation and makes liberal use of Regular Expressions for both positive and negative logic filtering. However, this feature can also trip you up.

To see an example of how you might run into problems publishing your Web Applications using the IAG and how to solve RegEx issues, check out Yuri Diogenes’ article on this subject at http://blogs.technet.com/yuridiogenes/archive/2008...l.aspx

HTH,

Tom
