Thomas Shinder Blog


ISA 2006 SP1 Won’t Install?

It might be because you’re trying to install it on a trial version of the ISA firewall.

Check out this thread on the ISAserver.org message boards:

http://forums.isaserver.org/m_2002068660/mpage_2/k...069981

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Auditors — You Do Not Need to Put a Firewall in Front of the ISA Firewall

From time to time I hear an ISA firewall admin talk about how an auditor told him that he needs to put a “firewall” in front of the firewall (the ISA firewall). Most of the time the ISA firewall admin is too busy to deal with it and just goes ahead and puts some cheap NAT device in front of the ISA firewall, and that placates the auditor.

However, for those ISA firewall admins who are concerned about cost containment and security, I recommend that you confront the auditor with the following fact:

You do not need to put a firewall in front of your ISA firewall in order to be compliant with any industry regulations. The ISA firewall meets all requirements for an edge firewall, and no other firewall is ever required to meet regulatory requirements.

The above paragraph is a fact. It’s incontrovertible and cannot be denied.

So, if you run into an auditor who says you must put another firewall in front of the firewall, you should confront the auditor and find out why. Ask him to point to the specific regulation that states that a non-ISA firewall has to be put in front of the ISA firewall. Then ask how introducing increased complexity and adding costs to the solution leads to meeting regulatory requirements.

The auditor should back down. If the auditor does not back down, you should have them sign off on a statement that they agree to take responsibility for any security events that take place because of the non-ISA firewall. In addition, they should also sign off on the costs of the non-ISA firewall. Since the non-ISA firewall is not required, they should be willing to pay for your new ISA firewall, because it is their opinion, which is not based on fact, that led to the recommendation.

Usually the auditor will back down and admit that he didn’t know what he was talking about. At that point you should thank him for his efforts and commend him for his ability to learn about new technologies, and finally give him props for realizing that “hardware” isn’t magic.

HTH,

Tom


Installing Service Pack 1 For ISA Server 2006 Remotely

“If you are one of those ISA Server administrators that perform most of your tasks remotely, and now that ISA Server 2006 SP1 is released, you intend to install it remotely, but you are worried that a few services would need to stop and you would be disconnected from the remote desktop session in the middle of the installation process and afraid of not being able to reconnect to ISA Server again, then the good news is that with SP1 for ISA Server 2006, you can safely install it remotely through an RDP session.”

Check out the article by Tarek Majdalani at:

http://www.elmajdal.net/ISAServer/Installing_Servi...y.aspx

HTH,

Tom


Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Service Pack 1 introduces new features and functionality to ISA Server 2006 Standard and Enterprise Editions.

The new features focus on configuration change management and enhanced troubleshooting designed to help you identify and resolve ISA Server configuration issues within the ISA Server Management console.
The service pack includes the following new features and feature improvements:

  • Configuration Change Tracking—Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
  • Test Button—Tests the consistency of a Web publishing rule between the published server and ISA Server.
  • Traffic Simulator—Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
  • Diagnostic Logging Viewer—Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.
  • Improvements for existing features, including:
      • Support for integrated NLB mode in all three modes, including unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, ISA Server integrated NLB supported unicast mode only.
      • Support for use of server certificates containing multiple Subject Alternative Name (SAN) entries. Previously, ISA Server was able to use only either the subject name (common name) of a server certificate, or the first entry in the SAN list.
      • Support for Kerberos Constrained Delegation (KCD) cross-domain authentication. Credentials from users located in a different domain than the ISA Server, but in the same forest, can now be delegated to an internal published Web site by using KCD.
      • Support for client certificate authentication in a workgroup deployment. This removes the requirement to map each client certificate to an Active Directory® directory user account.

For more information about this service pack, see Microsoft Article 943462.
For general information about installing ISA Server updates and hotfixes, see Microsoft Article 885957.

Download it now at:

http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

Tom


How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management

If you are using Microsoft Internet Security and Acceleration (ISA) Server with the Internet-based client management feature of Microsoft System Center Configuration Manager 2007, configuring SSL to SSL bridging provides a high level of security for Internet traffic. In this scenario, connections from Configuration Manager Internet-based clients are authenticated and terminated at the ISA Server, inspected, and then new SSL connections are made to the Configuration Manager Internet-based site system servers.

However, the configuration is far from simple. What to do? Read the How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management at:

http://technet.microsoft.com/en-us/library/cc70769...).aspx

HTH,

Tom


ISA 2006 In Under An Hour – Webcast

Microsoft Internet Security and Acceleration (ISA) Server 2006 is an integrated network security solution that enables greater protection in key scenarios, such as branch office security, Internet access, and application publishing. In this session, we discuss these main scenarios and illustrate the key features and functionality of ISA 2006. We also discuss the future road map for ISA Server.

Presenters: Adam Jung, Senior Product Manager, Microsoft Corporation and Tom Shinder, MVP

If you missed the live Webcast, then you have a second chance by watching the recording.

Check it out at:

msevents.microsoft.com/cui/eventdetail.aspx?eventI...377111

HTH,

Tom


Create Intelligent Application Gateway Portal Web Sites

Have you been thinking about getting an SSL VPN solution on your network? Not sure which one is best for you? Are you concerned about how hard it is to configure most SSL VPNs and do you wonder about how secure the solutions are?

If so, you should consider giving the IAG 2007 a try. IAG 2007 is the easiest to configure and most secure SSL VPN solution on the market today. Don’t believe it? Then try it out in a Virtual Lab and prove it to yourself.

One of my favorite Virtual Labs for the IAG is TechNet Virtual Lab: Forefront Edge Security and Access - Creating and Configuring Intelligent Application Gateway (IAG) 2007 Portal Websites. Go ahead and give it a try and let me know what you think.

Register for the IAG virtual lab at:

http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom


Understanding By-Design Behavior of ISA Server 2006: Using Kerberos Authentication for Web Proxy Requests on ISA Server 2006 with NLB

“Some customers implement ISA Server 2006 Enterprise Edition with NLB and use a virtual name mapped to the virtual IP as the proxy server in Internet Explorer. They notice that if they do that, the HTTP request sent to the ISA Server 2006 is authenticated using the NTLM protocol. This post will explain why this is an expected behavior and how to allow Kerberos authentication while maintaining the NLB configuration.”

Check out the details of this article written by Yuri Diogenes and Jim Harrison and reviewed by Doron Juster at:

https://blogs.technet.com/isablog/archive/2008/06/...b.aspx

HTH,

Tom


TechNet Webcast: IAG 2007 in Under an Hour (Level 300)

Join us to learn everything you need to know about remote access and how the Microsoft Intelligent Application Gateway (IAG) provides a highly customizable and easy-to-use solution for secure remote access for all users. We go through key customer scenarios, IAG features and functionality, and the future road map. The IAG product stands out in the Secure Sockets Layer (SSL) virtual private network (VPN) market for its focus on strong policy management, end point security, and application optimization.

Presenter: Pradeep Bethi, Technical Solution Professional; Microsoft Corporation

Register and view the recorded Webcast at:

http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom


Remember to Use the ISA Firewall Best Practices Analyzer and Data Packager When Troubleshooting

All ISA Firewall admins will run into problems with their ISA firewalls sooner or later. There are even times when the most experienced ISA firewall admins just can’t seem to pin down the problem with a particular implementation. In cases like that, you’re going to need to call PSS. While most of us see it as a badge of honor to not have to call PSS, there are times when PSS knows things about the ISA firewall’s internals that outsiders just don’t have access to.

But when calling PSS about your ISA firewall issues, you need to make sure that you’re talking to someone who knows about the ISA firewall. If you don’t, you could end up in more trouble than you started out having in the first place.

Before calling PSS, you should run the ISA firewall Best Practices Analyzer on the ISA firewall. If you have installed the ISA firewall Supportability Update (http://www.microsoft.com/downloads/details.aspx?Fa...ang=en), you’ll see a link in the Troubleshooting node for Use the ISA Server Best Practice Analyzer. Click that link and download and install the BPA, or better, don’t ever click any links on the ISA firewall: download the BPA to a management machine, scan it, and then copy it to the ISA firewall. Download the Best Practices Analyzer at http://www.microsoft.com/downloads/details.aspx?Fa...ang=en

After installing the BPA, run a general purpose scan of your ISA Firewall. Then run some of the other scans available. Many times just running the ISA Firewall BPA will be enough for you to solve the problem yourself.

However, if you don’t have success in solving your problem using the ISA firewall BPA, then the next step is to run the ISA Server Data Packager tool, which is the IsaDataPackager.exe application in the C:\Program Files\Microsoft IsaBPA folder.

The Data Packager allows you to collect static information and package that, and it also allows you to collect information for common scenarios, such as VPN, firewall policy, Web Publishing and others. The Data Packager will collect configuration information and then do a packet trace as you try to reproduce the problem. After you reproduce the problem you can stop the Data Packager and it will then create a .cab file that you can send to PSS.

When you call PSS, explain the problem and then tell them that you have repro’d the problem and have the .cab file to send to them. If the PSS engineer doesn’t know about the .cab file, ask him to connect you to someone who knows about the ISA firewall, because all PSS staff trained in the ISA firewall are also trained in basic and advanced configuration and interpretation of the information in the Data Packager .cab file. You don’t want to waste hours on the phone or worse, be told to remove the ISA firewall and “see what happens”.

HTH,

Tom


