Thomas Shinder Blog

ISA Administrative Roles - NTFS and Registry Permissions

Interesting article about NTFS and Registry permissions/DACLs set by the ISA firewall during installation and when users with different administrative roles are configured.

Check out this article by Philipp Sand, Microsoft Support Specialist for ISA Server, at:

https://blogs.technet.com/isablog/archive/2008/09/...s.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Announcing XFF - X-Forwarded-For IIS

Are you looking to add X-Forwarded-For functionality to your IIS Web Server or ISA Server proxy infrastructure like you can with Squid, Apache, F5 Big-IP, Blue Coat, Cisco Cache Engine, Netcache etc? Now you can! Winfrasoft X-Forwarded-For for ISA Server and IIS adds the ability to track and log the source IP address of a client PC through a proxy server chain to the web server.

This is very useful for log analysis when branch offices connect to the Internet via a head office proxy server, and when the real client IP address is required on a web server for accurate reporting and analysis.

Version 2.0 of X-Forwarded-For for IIS introduces some key new features asked for by our customers, including:

  • Added support for Proxy Trust List
  • Supports logging of both X-Forwarded-For data and layer 4 source IP information
  • Runs on Windows Server 2008 with IIS 7.0

Version 2.0 of X-Forwarded-For for ISA Server introduces some key new features asked for by our customers, including:

  • Added support for reverse proxy scenarios
  • Works with both HTTP and SSL connections for Web Publishing
  • Supports proxy chains longer than two servers in both directions
  • Integrates with other 3rd party products that support the X-Forwarded-For de facto standard
  • Runs on ISA Server 2004

For more information, check out:

http://www.winfrasoft.com/X-Forwarded-For.htm

HTH,

Tom

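To make the Proxy Trust List behaviour concrete, here is an added example (not Winfrasoft's code; the trust-list addresses, log format and function names are assumptions). It walks an X-Forwarded-For chain from right to left, peels off the proxies we operate, and ignores the header entirely when the directly connected peer is not a trusted proxy, so a client cannot forge its own address into the log:

```python
import ipaddress

# Constructed proxy trust list (assumption): the proxies we operate. Only
# addresses these proxies append are believed; anything a client put in the
# header itself is treated as untrusted input.
PROXY_TRUST_LIST = [
    ipaddress.ip_network("10.1.0.5/32"),   # head office ISA web proxy
    ipaddress.ip_network("10.2.0.0/24"),   # branch office proxies
]


def is_trusted_proxy(addr):
    """True if addr falls inside one of the trust-list networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PROXY_TRUST_LIST)


def resolve_client_ip(l4_source, xff_header):
    """Return (client_ip, reason) for one request.

    l4_source  -- layer-4 source address of the TCP connection to this server
    xff_header -- raw X-Forwarded-For value, or None when absent
    The chain is walked right to left, peeling off trusted proxies; the first
    address that is not a trusted proxy is the best evidence of the client.
    """
    if not is_trusted_proxy(l4_source):
        # Peer is not one of our proxies: the header could have been forged.
        return l4_source, "peer not in trust list; header ignored"
    if not xff_header:
        return l4_source, "no X-Forwarded-For header"
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return l4_source, "malformed hop %r; header ignored" % hop
        if not is_trusted_proxy(hop):
            return hop, "first untrusted address from the right"
    # Every hop is one of our proxies, so the leftmost one originated the request.
    return hops[0], "all hops trusted; leftmost proxy is the client"


def log_line(l4_source, xff_header):
    """Record both the resolved client and the layer-4 source (constructed log format)."""
    client, reason = resolve_client_ip(l4_source, xff_header)
    return "client=%s l4_source=%s xff=%r (%s)" % (client, l4_source, xff_header, reason)
```

The second assertion-style case worth trying is a header whose leftmost entry was injected by the client: because the walk stops at the first untrusted address from the right, the injected value is never reported as the client.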

ISA Server Operations Guide

While searching for stuff to read this weekend, I happened upon this little nugget — the ISA Server Operations Guide. This is a great read as it fills a gap that we have here on ISAserver.org. We spend most of our time giving you advice and guidance on how to get things up and running and how to troubleshoot problems, but not so much time on the regular operations and maintenance of your ISA firewall. The ISA Server Operations Guide gives you this key information.

Check out the ISA Server Operations Guide at:

http://technet.microsoft.com/en-us/library/bb794753.aspx

HTH,

Tom


TechNet Virtual Lab: Network Access Protection with IPSec Enforcement

Setting up NAP with IPsec enforcement isn’t for the faint of heart. There are hundreds of moving parts, and if you get one of them wrong, it can set you up for a long and arduous troubleshooting session. One good way to start your NAP/IPsec journey is with a virtual lab. After the virtual lab, check out my article series, where I give you the step by step and hundreds of screen shots so that you can set up your own lab and see that NAP with IPsec isolation actually works!

Check out the virtual lab at:

http://msevents.microsoft.com/CUI/WebCastEventDeta...ode=US

HTH,

Tom


Security Considerations with Forefront Edge Virtual Deployments

“Virtualization of server workloads has become an increasingly popular method for making more efficient use of computer hardware and the supporting infrastructure. Virtualization provides many advantages to the data center administrator, while necessarily changing the way they create and manage their deployments. Server application virtualization is a more difficult undertaking due to the complexity of properly allocating the hardware across multiple server workloads. Combining applications which cannot coexist on a single machine across multiple Child partitions within the same host presents unique sizing and security challenges as well. Likewise, resulting network virtualization and the potential for multiple simultaneous server failures when the Parent partition fails presents unique security and availability problems.”

Check out the rest of this fantastic article at http://technet.microsoft.com/en-us/library/cc891502.aspx

This is one of the best articles I’ve ever read on the Microsoft.com Web site. Unlike many other articles that rehash stuff we already know, don’t care about, or contain useless information to bolster word counts, this article is chock full with stuff you don’t already know, and contains dozens of tips and tricks and implementation recommendations that you can put to use right away. I give this effort two phat THUMBS UP!

HTH,

Tom


Collective Software Solves the Static NAT Problem for ISA Firewalls

For how many years have we been waiting for some kind of static NAT feature for our ISA firewalls? You know the scenario, we have multiple SMTP servers and multiple IP addresses bound to the external interface of the ISA firewall. We need to make sure that mail for the domains that we host shows the source IP address associated with the MX record for that domain, or at least represent a single rDNS record for that IP address.

Or, maybe you’re connecting to an external host that authenticates based on source IP address. The problem is, as you know, we couldn’t do any of these things with the ISA firewall because all outbound connections were sourced from the primary IP address on the external interface of the firewall.

NO LONGER! Collective Software has developed a new tool called IPBinder. Here’s what IPBinder can do for you:

  • Configure Access Rules to specify what IP address should be used as the local source address for outbound connections
  • Works with outbound HTTP Web Proxy traffic
  • Bind to any TCP protocol — such as outbound SMTP
  • Compatible with arrays where each server has different external IP addresses
  • Default behavior of Access Rules is preserved automatically unless you change them

For more information and to participate in the beta, check out the IPBinder page on the Collective Software Web site at:

http://www.collectivesoftware.com/Products/IPbinder

HTH,

Tom


Why the Forefront TMG is a Cornerstone of Essential Business Server (EBS) Network Security

If you have not had a chance to check out the Microsoft Essential Business Server (EBS) product, you should carve out some time from your busy schedule to take a look at it. Take a look at the public preview software for EBS.

EBS is a three server solution designed for small or mid-sized businesses with up to 300 PCs. The EBS solution includes three servers, which can be run as physical or virtual machines. There is the Management Server, which is a domain controller and file server that also runs System Center Essentials. There is the Messaging Server, which is also a domain controller, and runs Exchange 2007. And finally there is the Security Server, which runs the Threat Management Gateway (TMG) Medium Business Edition. TMG is the next version of the ISA firewall. In addition to running TMG, the Security Server also runs Exchange Edge Server for anti-spam protection.

From what I have heard, there are a number of people who want the EBS solution, but would like to deploy it without the Security Server. The reason most of these people give for not wanting the Security Server is that they already have a “firewall” and therefore do not think they need the TMG component, or that the TMG firewall adds too much complexity to what is considered an otherwise “simple” network security configuration.

At first blush you might think “sure, that is a valid request. If the customer already has a firewall, why introduce a second firewall into the mix?” The problem with this thinking is that the EBS team put a great deal of work into thinking about the EBS threat models and how to make sure that all components of the solution have adequate defenses against the enumerated threats.

The TMG in the EBS solution allows remote access to a number of services on the EBS network. Some examples of the services to which users can gain remote access include OWA, RPC/HTTP, Exchange ActiveSync, Terminal Services and Terminal Services Gateway, and SMTP. And these are the default settings. In a production network, you’ll likely see the TMG allow inbound access to POP3S, IMAP4S, DNS and other protocols.

Given all the remote access traffic that the EBS solution supports, you need to be assured that the connections from the external clients can be trusted. The problem the EBS team has, and that you have as a potential EBS customer, is this: how can you define the threat model and the response to the established EBS threat model if you can’t control the nature of the defenses against those threats?

The type of “firewall” that small and midsized businesses might already have in place can vary widely. In most cases, the “firewall” they are currently using is little more than a NAT device that also provides some NAT editors and the ability to perform reverse NAT or “port forwarding” for UDP and TCP ports. Some of them might even include a rudimentary remote access VPN server or even support site to site VPN connections. Other “firewalls” the customer might have in place might include some degree of content filtering or even anti-malware capabilities.

The thing is, the EBS team does not know what kind of “firewall” you already have in place. But they do know what security features and capabilities the TMG has. The TMG provides an exceptionally high level of security for remote access connections by providing pre-authentication for inbound connections to Web servers, a firewall-generated log on page, protections against anonymous attacks, an HTTP Security Filter to ensure HTTP protocol stream compliance and security, an SMTP filter to block SMTP exploits, an Exchange Edge Server to prevent spam and its attendant malware and phishing attacks from entering the network over the SMTP protocol channel, strong outbound access control on a per user, per group, per protocol, per site basis, network flood protection, stateful packet and application layer inspection for all communications through and to the TMG firewall (including remote access VPN connections), and many more security capabilities.

Thus, the threat and response model for the EBS solution is based on a relatively sophisticated set of network security tools that are available with the TMG. Yes, it is possible that a small or midsized business has paid thousands of dollars for another firewall solution that can provide some of the features included in the TMG feature set, but it is unlikely that a non-TMG firewall could provide all the features that are used to provide the strong inbound and outbound access controls and connection scrubbing that the TMG firewall can provide.

So, rather than thinking of the TMG as a potential burden to your network, think of it as a unique opportunity to increase your network’s security posture to a level that your network has not seen before. This is not to say that you need to get rid of your current network firewall. Two heads are better than one, and two firewalls are better than one. The EBS team has done a great job at making it easy to drop in the TMG firewall behind your existing firewall. After the TMG firewall is installed, all you need to do on your existing firewall is configure some port forwarding rules for HTTP, HTTPS, SMTP, RDP and other protocols, so that they are redirected to the external IP address on the TMG firewall.

While at first glance it might seem that the TMG adds needless complexity to the EBS network configuration, the fact is that the EBS installer does most of the heavy lifting for you, so you do not really need to understand the internals of the TMG installation and configuration during the initial setup. The only thing you need to do is configure the old firewall with port forwarding rules. You do not even need to renumber your network or change the default gateway settings on the machines on your network.

The bottom line is that the TMG firewall allows you to roll out a secure EBS networking solution using a known, standard security model that is common to all EBS network scenarios. Sure, you can go in and break the EBS TMG security model by creating unsecure rules, but out of the box, the settings ensure a well-defined baseline for network security, something you can’t say if you had stayed with the old “firewall” or NAT device and had not introduced the TMG firewall into the design.

I would like to hear what you think about the TMG as part of the EBS solution. Send me a note at tshinder@isaserver.org and I’ll discuss your opinions in the next newsletter.

Tom


ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller

Cats sleeping with dogs? Fish riding bicycles? Cows with wings? ISA firewall on a DC? Tell me it’s not true! For years we’ve been waving the flag that the ISA firewall should never, ever, never ever, never ever never never ever be installed on a domain controller. This is a key reason why the SBS 2003 platform could never be considered secure, since the DC was an Internet facing device and had a horked ISA firewall configuration required to support domain traffic to the firewall.

So, what’s up with this new article on the ISA firewall community site? What article? ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller at http://technet.microsoft.com/en-us/library/cc891503.aspx

Why would Microsoft write such an article? Because the fact is that people have been installing the ISA firewall on branch office domain controllers. While Microsoft can’t come out and say “hey, this is a great idea” any more than parents and teachers can say to kids “hey kids, it’s a great thing that you run with scissors in your hands”, the fact is that kids will run with scissors in their hands, and admins will install the ISA firewall on a branch office domain controller. So, as responsible adults, we need to round the ends of the kids’ scissors and “round the edges” of the firewall policies on the branch office domain controller that also hosts an ISA firewall.

Let me know what you think of this development. Do you think this guidance gives hapless admins the imprimatur to install ISA firewalls on DCs? Will this hurt the overall reputation of the ISA firewall as an enterprise-grade network firewall? Or does it matter, since the ISA brand is soon to go on life support as the TMG firewall bellies up to the bar to take the torch from the ISA firewall?

Thanks!

Tom


ISA & TMG NAT behavior And MS08-037

“Microsoft Security Response Center (MSRC) issued bulletin MS08-037 to address vulnerabilities in DNS resolvers caused by predictable UDP source port usage. MSKB 956190 addresses behavior observed when traffic crosses a NAT-based firewall and provides workarounds to mitigate this behavior.

Traffic crossing a NAT device cannot be assumed to maintain the original source port because of the likelihood of multiple internal hosts using the same protocol to send traffic to the same external destination; especially in the case of an infrastructure protocol such as DNS. The NAT device will typically create a new connection to the external network using whatever source port allocation algorithm it has available. In the case of ISA and TMG, this is deferred to Windows; specifically Winsock.”

Go to https://blogs.technet.com/isablog/archive/2008/08/...7.aspx to read the rest.

HTH,

Tom

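To make the quoted point concrete, here is an added example (not from the ISA blog post; the firewall log format, the thresholds and the function names are assumptions). It extracts the post-translation source port of each outbound UDP/53 query from constructed firewall log lines and flags a NAT whose allocator hands out consecutive ports, which is the predictable behaviour MS08-037 and MSKB 956190 are concerned with; a randomized allocator gets a clean verdict:

```python
import math
import re
from collections import Counter

# Constructed firewall log format (assumption, not ISA's own log schema).
LOG_RE = re.compile(
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

# Constructed samples: a NAT handing out consecutive ports, and one using a
# randomized allocator. The port 25 line shows non-DNS traffic being skipped.
SEQUENTIAL_LOG = ["src=203.0.113.10:%d dst=192.0.2.53:53 proto=udp" % p for p in range(1031, 1041)]
SEQUENTIAL_LOG.append("src=203.0.113.10:1041 dst=192.0.2.25:25 proto=tcp")
RANDOM_LOG = ["src=203.0.113.10:%d dst=192.0.2.53:53 proto=udp" % p
              for p in (49321, 58110, 33007, 61744, 40192, 52809, 35561, 60233, 44870, 57318)]


def dns_source_ports(log_lines):
    """Extract the external source port of each outbound UDP/53 flow, in log order."""
    ports = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["proto"].lower() == "udp" and m["dport"] == "53":
            ports.append(int(m["sport"]))
    return ports


def source_port_assessment(ports):
    """Heuristic (assumed thresholds): flag allocators whose successive ports
    step by +1 more than half the time, or that reuse fewer than n/2 values."""
    n = len(ports)
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d == 1) / len(deltas) if deltas else 0.0
    counts = Counter(ports)
    # Shannon entropy of the observed port values, in bits (log2(n) at best).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    predictable = sequential > 0.5 or (n > 0 and len(counts) < n / 2)
    return {
        "samples": n,
        "distinct": len(counts),
        "sequential_fraction": sequential,
        "entropy_bits": entropy,
        "verdict": "predictable" if predictable else "randomized",
    }
```

Run it against your own outbound DNS log export: a "predictable" verdict on the external interface means the workarounds in MSKB 956190 apply regardless of whether the internal resolvers have been patched.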

Enabling Network Load Balancing (NLB) Multicast Mode with ISA Server 2006 Enterprise Edition

Quick, what single ISA firewall feature is most likely to boggle your mind? CARP? Access Rules? Web Listeners? Secondary Connections? The HTTP Security Filter? No, I don’t think so. From my experience with the ISA firewall, 9 out of 10 ISA firewall admins have their minds boggled by NLB.

And what boggles the mind of the 1 out of 10 ISA firewall admins who aren’t boggled by NLB? It’s getting the new support for multicast NLB to work with the ISA firewall array.

Jason Jones comes to the aid of both the boggled and unboggled by giving a nice, clear step by step guide on how to configure multicast NLB on the 2006 ISA firewall array after SP1 is installed. Check it out at http://blog.msfirewall.org.uk/2008/08/enabling-nlb...a.html

HTH,

Tom

