Thomas Shinder Blog

Archive: August 2008

ISA & TMG NAT behavior And MS08-037

“Microsoft Security Response Center (MSRC) issued bulletin MS08-037 to address vulnerabilities in DNS resolvers caused by predictable UDP source port usage. MSKB 956190 addresses behavior observed when traffic crosses a NAT-based firewall and provides workarounds to mitigate this behavior.

Traffic crossing a NAT device cannot be assumed to maintain the original source port because of the likelihood of multiple internal hosts using the same protocol to send traffic to the same external destination, especially in the case of an infrastructure protocol such as DNS. The NAT device will typically create a new connection to the external network using whatever source port allocation algorithm it has available. In the case of ISA and TMG, this is deferred to Windows; specifically Winsock.”

Go to https://blogs.technet.com/isablog/archive/2008/08/...7.aspx to read the rest.
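The practical question the quoted passage raises is whether the ports your own NAT hands out on the external interface are still random. Here is an added example (my code, not the ISA team's and not anything ISA/TMG ships) that scores a list of UDP source ports taken from a capture on the outside of the firewall filtered on DNS. The thresholds and the three sample port lists are assumptions constructed for the demonstration.

```python
"""Added example, not part of the ISA blog post or of ISA/TMG: score the
UDP source ports a NAT presents to the outside for a resolver's DNS queries.

Feed `assess()` the source ports seen on the external interface (a capture
filtered on 'udp and dst port 53' will do).  If the NAT re-allocates ports
sequentially, or keeps reusing one port, the resolver's MS08-037
randomization has been undone at the firewall.  Thresholds and the sample
data are assumptions.
"""
import math
import random
from collections import Counter


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose port is exactly the previous one + 1."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess(ports, max_sequential=0.2, entropy_ratio=0.9):
    """Return (verdict, entropy_bits, sequential_fraction).

    A well-randomized sample should carry close to log2(len(ports)) bits
    (capped at 16, the size of the port space); far less means heavy reuse.
    """
    if len(ports) < 2:
        return "INSUFFICIENT DATA", 0.0, 0.0
    h = port_entropy_bits(ports)
    s = sequential_fraction(ports)
    expected = min(16.0, math.log2(len(ports)))
    if s > max_sequential:
        return "PREDICTABLE: sequential allocation", h, s
    if h < entropy_ratio * expected:
        return "PREDICTABLE: ports reused", h, s
    return "OK: randomized", h, s


# Constructed samples (not real captures):
_rng = random.Random(2008)
RANDOM_PORTS = [_rng.randrange(49152, 65536) for _ in range(200)]   # healthy
SEQUENTIAL_PORTS = list(range(1024, 1224))                          # NAT counts up
FIXED_PORT = [1053] * 200                                           # one port reused

if __name__ == "__main__":
    for name, sample in (("random", RANDOM_PORTS),
                         ("sequential", SEQUENTIAL_PORTS),
                         ("fixed", FIXED_PORT)):
        verdict, h, s = assess(sample)
        print(f"{name:10s} entropy={h:5.2f} bits  sequential={s:.2f}  -> {verdict}")
```

Run it against a few hundred queries rather than a handful; with a small sample the entropy ceiling is so low that a healthy NAT and a broken one look alike.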

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Enabling Network Load Balancing (NLB) Multicast Mode with ISA Server 2006 Enterprise Edition

Quick, what single ISA firewall feature is most likely to boggle your mind? CARP? Access Rules? Web Listeners? Secondary Connections? The HTTP Security Filter? No, I don’t think so. From my experience with the ISA firewall, 9 out of 10 ISA firewall admins have their minds boggled by NLB.

And what boggles the mind of the 1 out of 10 ISA firewall admins who aren’t boggled by NLB? It’s getting the new support for multicast NLB to work with the ISA firewall array.

Jason Jones comes to the aid of both the boggled and unboggled by giving a nice, clear step by step guide on how to configure multicast NLB on the 2006 ISA firewall array after SP1 is installed. Check it out at http://blog.msfirewall.org.uk/2008/08/enabling-nlb...a.html

HTH,

Tom


Publishing Microsoft ActiveSync through IAG 2007

If you’re running IAG 2007, one thing you might want to do is make your ActiveSync site available through the SSL VPN gateway. Here’s a great two-part series on how to get that done:

http://blogs.technet.com/edgeaccessblog/archive/20...2.aspx

http://blogs.technet.com/edgeaccessblog/archive/20...2.aspx

HTH,

Tom


KCD with Cross-Forest Accounts

KCD is a powerful tool in your ISA firewall’s authentication toolbox. However, KCD configuration isn’t for the faint of heart. KCD will work in your typical ISA firewall scenarios, but there are a few scenarios where it can’t work. Check out this article on KCD with cross-forest accounts over on TechNet at http://technet.microsoft.com/en-us/library/cc752953.aspx for more information.

HTH,

Tom


What is Deep Packet Inspection?

As the ISA firewall admin in your company, one of your duties is to make sure that the check writers in your company don’t fall for the FUD the “hardware” firewall vendors shoot at them in order to get them to move away from the ISA firewall for a more expensive, lower-powered solution.

One of the ploys the hardware firewall sales guys often pull is the deep packet inspection ruse. They’ll tell your check writer that the ISA firewall doesn’t perform deep packet inspection (which is false, BTW). But your boss doesn’t know what deep packet inspection is, so he’s likely to swallow that claim hook, line and sinker.

What you need is a way to counter the hardware firewall guys’ sales FUD. When it comes to the issue of deep packet inspection, Jim Harrison has provided you with a great article that you can use to shoot down their claims. Check out Jim’s article “Deep Packet Inspection: What Does it Mean, Really?” at http://technet.microsoft.com/en-us/library/cc707728.aspx. This article provides the ammunition you need to make sure that your ISA firewall stays in place.

HTH,

Tom


Beware the /3GB Switch on Your ISA Firewalls

Probably one of the most misunderstood memory-related settings on Windows-based computers is the /3GB setting. Many people think that if you have 4 GB of RAM on the machine, you should automatically enable that setting. Not so! In fact, if you enable it on the ISA firewall, you’re going to be in for a world of hurt.

Why? The main problem is that /3GB shrinks the kernel-mode address space from 2 GB to 1 GB, and on 32-bit Windows Server 2003 that halves the nonpaged pool ceiling available to the ISA firewall, from 256 MB to 128 MB. Every connection the firewall tracks consumes nonpaged pool, so this leads to connections being dropped when you have a large number of connections or a spike in activity.

The good news is that the ISA firewall BPA (Best Practices Analyzer) picks up the problem and calls it out as an issue if you have set the /3GB switch.

Many thanks to Yuri Diogenes for pointing out this issue in his blog post at http://blogs.technet.com/yuridiogenes/archive/2008...r.aspx  We’ve been aware of this issue for years, but I don’t think I’ve blogged about it before or mentioned it in the articles or Web boards.
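If you would rather not wait for the next BPA run, the switch lives in boot.ini and is easy to check from a script. The following is an added example of mine, not code from the post, from Yuri's post or from the BPA: it parses boot.ini, finds the entry the box actually boots (the default= line) and reports the /3GB state together with the 32-bit Server 2003 address-space and nonpaged-pool ceilings that follow from it. The sample boot.ini is constructed for illustration.

```python
"""Added example, not from the post or from the ISA BPA: find the boot entry
a 32-bit Windows Server 2003 ISA firewall actually boots (the [boot loader]
default=) and report whether it carries /3GB, plus the kernel address-space
and nonpaged-pool ceilings that follow from it.

Run against the real file with check_boot_ini(open(r"C:\\boot.ini").read());
SAMPLE_BOOT_INI below is constructed for illustration.
"""
import re

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect /3GB /USERVA=3030
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows Server 2003, Enterprise (recovery)" /fastdetect
"""


def parse_boot_ini(text):
    """Return (default_arc_path, {arc_path: option_string})."""
    section, default, entries = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip()
        elif section == "operating systems":
            arc, _, rest = line.partition("=")
            # Options follow the quoted description:  "desc" /opt1 /opt2 ...
            m = re.match(r'"[^"]*"\s*(.*)$', rest.strip())
            entries[arc.strip()] = m.group(1).strip() if m else ""
    return default, entries


def check_boot_ini(text):
    """Describe the default entry; the ceilings are the 32-bit Server 2003 values."""
    default, entries = parse_boot_ini(text)
    options = entries.get(default, "")
    uses_3gb = re.search(r"(?i)(?:^|\s)/3GB(?:\s|$)", options) is not None
    return {
        "default_entry": default,
        "options": options,
        "uses_3gb": uses_3gb,
        "kernel_va_gb": 1 if uses_3gb else 2,            # /3GB gives the kernel only 1 GB
        "nonpaged_pool_max_mb": 128 if uses_3gb else 256,  # halved along with it
    }


if __name__ == "__main__":
    report = check_boot_ini(SAMPLE_BOOT_INI)
    print(report)
    if report["uses_3gb"]:
        print("WARNING: /3GB is set on the default entry; remove it on an ISA firewall")
```

Only the default entry is inspected on purpose: a second, unused entry with /3GB is harmless, and it is the options of the entry you boot that set the pool ceiling.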

HTH,

Tom


ISA Server 2006 SP1 – The New Average Request Processing Rate Counter

Great news! We’ve been wondering for quite a while now about the purpose and the usefulness of the new Average Request Processing Rate perfmon counter included with ISA 2006 SP1. Now we know! If you want to know, then check out this blog post on the ISA/TMG Product Team site at:

https://blogs.technet.com/isablog/archive/2008/08/...r.aspx

HTH,

Tom


Anti-Virus/Anti-Malware Software Rendered Useless without Outbound SSL Inspection

An ISAserver.org member wrote to me about a problem last week after I posted an announcement about a new Celestix offering that includes Kaspersky AV and anti-malware on the box. The advantage of putting Kaspersky on the Celestix ISA firewall is that the Celestix ISA firewall can inspect the contents of the session between your internal clients and external servers and block malware before it has a chance to enter and infect your network.

Inline anti-malware is a great thing. Why? Because you can’t always depend on endpoint security. Users might disable their AV and anti-malware software, the AV or anti-malware software might not be updated, or the AV or anti-malware software on the clients might have been corrupted by other malware or by the user’s attempts to get around it.

In contrast, the ISA firewall administrator is responsible for maintaining the ISA firewall and the AV and anti-malware solution and can ensure that the software is updated, current and uncorrupted. Most of us can agree that there is no replacement for in-line network AV and anti-malware devices when it comes to a comprehensive defense-in-depth plan.

The problem with this scenario, as mentioned by our good ISAserver.org member, is that when there is an SSL connection between the internal client and the external server, the AV and anti-malware software is totally helpless at providing protection. The reason for this is that the ISA firewall, out of the box, does not perform outbound SSL inspection. Once the SSL connection is established between the client and the external server, the contents of the communication are hidden within an SSL tunnel, similar to what you see when an internal user establishes a VPN connection to a remote network.

There’s a reason why we don’t allow outbound VPN connections to a remote network. You have no idea how secure the remote network is, you have no idea what security controls they’ve placed on that remote network. If you can’t trust that network, you can’t trust that a direct tunnel to that network isn’t going to suck down all sort of viruses and malware into your network, completely hidden from the AV and anti-malware protections that you’ve implemented at the firewall.

So, if you don’t allow VPN connections for valid security reasons, why would you allow SSL connections? Did you know that much of today’s malware takes advantage of SSL connections to hide from your firewall controls, so that it can download more malware from attackers’ Web servers? How are you going to protect your network from this gaping SSL security hole?

If you’re using an ISA firewall the solution is easy. While we don’t have outbound SSL inspection available out of the box, you can get the ClearTunnel add-on to provide this vitally important security. ClearTunnel breaks open the outbound SSL tunnel so that your ISA firewall can inspect the session and clean out the malware before it makes it to your client computers and spreads to other clients and servers on your network. Keep in mind what breaking open the tunnel means: the client now sees a certificate issued by the firewall’s own CA instead of the external server’s, so that CA has to be trusted on every client, and it is the firewall, not the browser, that validates the external server’s certificate from then on. Plan the CA rollout and check how the firewall handles an invalid external certificate before you turn this on, or you trade one blind spot for another.

To learn more about ClearTunnel, check out my article at http://www.isaserver.org/tutorials/Product-Review-...l.html

To get more information about ClearTunnel from Collective Software, check out http://www.collectivesoftware.com/Products/ClearTunnel

HTH,

Tom


Announcement: Two AES Ciphersuites (128/256 bits) are now supported

Windows 2008 Server and Windows Vista were both released with support for SSL/TLS ciphersuites which use AES symmetric encryption. Windows 2003 Server was released without these ciphersuites, and so IAG 2007 did not support them either. Recently Microsoft has released a hotfix for Windows 2003 Server which adds two TLS AES ciphersuites, one for 128-bit encryption and one for 256-bit encryption. Installing this hotfix on an IAG 2007 appliance will add support for the TLS AES ciphersuites. More information about the hotfix is available at http://support.microsoft.com/kb/948963/en-us

From the IAG Team blog at:

http://blogs.technet.com/edgeaccessblog/archive/20...d.aspx
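After you install the hotfix you will want to confirm that the IAG listener really negotiates AES. Below is an added example of mine, not code from the IAG team post or from IAG: it builds a TLS 1.0 ClientHello that offers only the two suites the hotfix adds (TLS_RSA_WITH_AES_128_CBC_SHA, 0x002F, and TLS_RSA_WITH_AES_256_CBC_SHA, 0x0035) and classifies the first record that comes back. A ServerHello means the box picked AES; a handshake_failure alert is what an unpatched 2003 server sends when nothing in the offered list matches. The two server responses at the bottom are constructed bytes for the offline demonstration, and `probe()` runs the same exchange against a live host.

```python
"""Added example, not code from the IAG team post or from IAG: probe whether
a server will negotiate one of the two AES suites the KB 948963 hotfix adds
to Windows Server 2003 (TLS_RSA_WITH_AES_128_CBC_SHA and
TLS_RSA_WITH_AES_256_CBC_SHA).  The ClientHello offers only those two, so a
ServerHello means AES is available and an alert means it is not.

The two server responses at the bottom are constructed for the offline demo;
`probe()` runs the same exchange against a live host:port.
"""
import socket
import struct

TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
AES_SUITES = (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA)


def build_client_hello(suites, client_random=b"\x00" * 32):
    """TLS 1.0 record carrying a ClientHello that offers exactly `suites`."""
    body = b"\x03\x01"                                  # client_version 3.1 (TLS 1.0)
    body += client_random                               # 32 bytes; fixed is fine for a probe
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites))          # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Cipher suite chosen in a ServerHello record, or None for anything else
    (a fatal handshake_failure alert is what an unpatched box sends back)."""
    if len(data) < 5 or data[0] != 0x16:                # not a handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                    # not a ServerHello
        return None
    p = 4 + 2 + 32                                      # header, server_version, random
    p += 1 + hs[p]                                      # session_id length byte + bytes
    return struct.unpack("!H", hs[p:p + 2])[0]


def server_supports_aes(server_bytes):
    """(True, suite) if the server picked one of AES_SUITES, else (False, suite)."""
    suite = parse_server_hello(server_bytes)
    return suite in AES_SUITES, suite


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and classify its first record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(AES_SUITES))
        return server_supports_aes(s.recv(4096))


# Constructed responses for the offline demonstration (not real captures).
_body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"          # version, random, no session id
         + struct.pack("!H", TLS_RSA_WITH_AES_256_CBC_SHA) + b"\x00")   # suite, null compression
_hs = b"\x02" + struct.pack("!I", len(_body))[1:] + _body               # type 2 = ServerHello
SERVER_HELLO_AES256 = b"\x16\x03\x01" + struct.pack("!H", len(_hs)) + _hs
ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal (2), handshake_failure (40)

if __name__ == "__main__":
    print(server_supports_aes(SERVER_HELLO_AES256))      # (True, 53)
    print(server_supports_aes(ALERT_HANDSHAKE_FAILURE))  # (False, None)
```

The probe speaks TLS 1.0 because that is what a 2003-era IAG box speaks; against a current server that has TLS 1.0 disabled you will get an alert for that reason rather than for a missing suite, so read the alert description before drawing a conclusion.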

HTH,

Tom


ISA Server 2004 blocks requests that include the Accept-Encoding HTTP header when a forward proxy is used

Dan Ball, on the ISAserver.org mailing list, shared an interesting problem. He noted that after installing ISA 2006 SP1, his users started seeing errors they hadn’t seen before. The error returned to the users’ browsers was:

  • Error Code: 502 Proxy Error. The request is not supported. (50)

It seemed like a pretty mysterious problem to me, even after checking the few lines of log information Dan provided. But then Dan took a packet trace of the connection and sent it to Jim Harrison. Jim read the capture and said:

Do you have compression disabled?

If so, have a peek at the script in http://support.microsoft.com/?id=927263.

This script is supported for ISA 2006 after SP1.

This is a problem I wasn’t aware of! You might have the same problem as Dan if the following is true:

On a server that is running Microsoft Internet Security and Acceleration (ISA) Server 2004 with Service Pack 2, you disable the following two Web filters:

  • Compression Filter
  • Caching Compressed Content Filter

After you do this, ISA Server 2004 blocks requests that include the Accept-Encoding HTTP header when a forward proxy is used.

These Web filters were introduced in ISA Server 2004 Service Pack 2. You might disable these Web filters because of program compatibility problems that involve some Web servers.

So, if you’re seeing random 502 proxy errors with the request not being supported (50), then you should run the script found at http://support.microsoft.com/kb/927263

UPDATE:

More information on this issue from Jim Harrison:

“When compression is disabled, ISA will strip off the “Accept-encoding” header that the client sends.

This is done to prevent the web site sending compressed responses because ISA can’t apply HTTP body inspection to it.

In this case (and several others, it seems), the web site sends compressed content anyway (it’s a Sun server; waddayexpect?).

Since ISA knows it can’t process compressed HTTP bodies, it rejects it.

Adding this value causes ISA to forward the “Accept-encoding” header and when the content is delivered compressed, ISA simply sends it back to the client as-is without inspecting it.”
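To make the three states Jim describes concrete, here is an added example of mine, a model of the behaviour and not ISA's own code: it shows which combination of the compression filters and the KB 927263 setting produces the “502 ... (50)” error, and what the fix costs you. The header names and the two sample web servers are constructed for the demonstration.

```python
"""Added example: a model of the forward-proxy behaviour Jim describes, not
ISA's own code.  It shows which combination of the compression filters and
the KB 927263 setting produces '502 Proxy Error ... (50)' and what the fix
costs you.

Three proxy states are modelled: compression filters enabled (ISA can
decompress and inspect), filters disabled (ISA strips Accept-Encoding and
rejects a compressed reply it cannot inspect), and filters disabled plus the
KB 927263 forward-Accept-Encoding setting (compressed replies pass through
uninspected).  The two sample servers and the client request are constructed.
"""


def outbound_request_headers(client_headers, filters_enabled, forward_accept_encoding):
    """Headers ISA forwards to the web server for one client request."""
    headers = dict(client_headers)
    if not filters_enabled and not forward_accept_encoding:
        # No compression filter to decompress the reply, so ask for identity only.
        headers.pop("Accept-Encoding", None)
    return headers


def handle_response(response_headers, filters_enabled, forward_accept_encoding):
    """Return (action, reason); action is 'inspect', 'passthrough' or '502 (50)'."""
    encoding = response_headers.get("Content-Encoding", "identity").lower()
    if encoding in ("", "identity"):
        return "inspect", "uncompressed body, HTTP filter inspects it"
    if filters_enabled:
        return "inspect", "compression filter decompresses it for inspection"
    if forward_accept_encoding:
        return "passthrough", "KB 927263 setting: relayed as-is, body NOT inspected"
    return "502 (50)", "compressed body cannot be inspected; request not supported"


def proxy_transaction(client_headers, server, filters_enabled, forward_accept_encoding):
    """One request/response through the proxy; `server` maps request headers
    to response headers."""
    request = outbound_request_headers(client_headers, filters_enabled, forward_accept_encoding)
    return handle_response(server(request), filters_enabled, forward_accept_encoding)


def compliant_server(request_headers):
    """Compresses only when the request advertises gzip."""
    if "gzip" in request_headers.get("Accept-Encoding", ""):
        return {"Content-Encoding": "gzip"}
    return {}


def gzip_anyway_server(request_headers):
    """The misbehaving server from the post: gzip whatever the client asked for."""
    return {"Content-Encoding": "gzip"}


CLIENT_REQUEST = {"Host": "www.example.com", "Accept-Encoding": "gzip, deflate"}

if __name__ == "__main__":
    for label, server in (("compliant", compliant_server), ("gzip-anyway", gzip_anyway_server)):
        for filters, forward in ((True, False), (False, False), (False, True)):
            action, why = proxy_transaction(CLIENT_REQUEST, server, filters, forward)
            print(f"{label:12s} filters={filters!s:5s} forward_AE={forward!s:5s} -> {action:11s} {why}")
```

The table it prints is the point: a compliant server never triggers the error, the misbehaving one does whenever the filters are off, and the KB 927263 setting makes the error go away by letting those compressed bodies through without inspection, which is exactly the trade Jim’s last sentence describes.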

HTH,

Tom


