Thomas Shinder Blog, archive by category 'News'

[STICKY] ISA Server News: ISA Server 2006 / 2004 / 2000 News and Updates

Check the News category to get the latest news and reports about ISA Server Universal Threat Management Firewalls.

Find out when patches, scripts, free tools and new versions are due for release. Stay informed about upcoming webcasts and seminars. You'll also find links to reports on new security threats and malware, and on how to configure ISA Server to protect and secure the corporate network.

Test Button Considerations

If you read the first part of my two-part series on ISA 2006 SP1, you might remember the discussion about the Test button and some limitations I found with it. I recently pointed to a blog post by Yuri Diogenes in which the Test button showed the connection working from the ISA firewall to the published Web server, while external users were still unable to connect to the published Web site.

While the Test button is a great boon to ISA firewall admins, it does work within some specific constraints. Dima Datsenko, a software development engineer on the ISA Server Sustained Engineering team, provides a list of seven issues that you should be aware of when working with the Test button.

You can read Dima’s post here:

https://blogs.technet.com/isablog/archive/2008/07/...s.aspx

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

More Change Tracking Info

One of the things I noticed when Change Tracking is enabled on the ISA firewall is that it provides more information about how the ISA configuration has changed than you might expect. For example, you'll be able to see the changes made to the ISA firewall configuration when you install ISA 2006 SP1. Even more interesting, you can see the changes made to the firewall configuration when you install third-party ISA plug-ins.

Jonathan Barner on the ISA firewall sustained engineering team provides some examples of this on the Forefront TMG (ISA Server) Blog site at:

https://blogs.technet.com/isablog/

HTH,

Tom

More ISA 2006 Change Tracking Information

Jonathan Barner from Microsoft PSS has been busy putting up posts on Change Tracking with the ISA firewall. Here are some of the most recent ones:

Change Tracking - Odds and Ends

Change Tracking - Descriptions

Change Tracking - Log Management via Scripts

Change Tracking - Log Viewer Tips

Change Tracking - The Log

Change Tracking is a Client-Side Feature - Implications on Deployment

Change Tracking - How secure is it?

Change Tracking - Preface and Reasoning

That’s all we have for now. I’ll keep you updated as more come through.

HTH,

Tom

CARP and High Availability — Not So Much

If you’ve been an ISA firewall admin for a while, you might recognize the acronym “CARP” (no, I wasn’t thinking of Blue Coat and transposing the middle two letters). CARP stands for the Cache Array Routing Protocol. The purpose of CARP is to allow you to cache each Web object only once across a CARP array, rather than duplicating objects on the servers in that array. This “cache an object only once” behavior effectively increases the number of objects you can store in cache, since no space is wasted on duplicates in the distributed cache.

There are two types of CARP: client side and server side. Most people recommend client side CARP because it provides much higher performance than server side CARP. With client side CARP, the client determines which CARP array member is responsible for a FQDN and sends the request directly to that array member. With server side CARP, the request is sent to any member of the array; if the receiving server isn’t responsible for the FQDN, it becomes responsible for contacting the server that is.

In order for client side CARP to work, the client must have access to the autoconfiguration script.

While that’s all well and good, there has been some messaging regarding CARP over the years that suggests CARP provides a high-availability solution. I have to admit that I’ve been a bit overzealous in the past and said that CARP has some HA capabilities, but that it wasn’t transparent, that it required users to restart their browsers in order to get connected again, and that client side behavior is somewhat inconsistent. That makes the use of client side CARP for HA a bit of a “CARP shoot” (cf. Jim Harrison).

Nevertheless, many people would like to think that CARP not only extends the amount of available space in your array’s cache, but also provides a transparent HA and load balancing solution.

So, what do we do about HA and load balancing for Web Proxy client requests? The Enterprise Edition of the ISA firewall supports both unicast and multicast mode NLB, and you can use this for your HA and load balancing needs. But beware, and take this advice from Jim Harrison:

Last word on the subject of NLB for FWC or client side CARP traffic :

Just

Don’t

Do

It

CARP wasn’t designed to support HA. As Jim says:

CARP was *NEVER* designed or intended to be HA – only distributed caching.

If you try to use it for anything else, you’ll lose.

Quit trying to make CARP into something it’s not and never will be.

If you want HA, use NLB, but be prepared for the inevitable intra-array traffic increase that this will incur if you enable server-side CARP.

So, you can still have Web Proxy clients and NLB. The question is, how do you configure it? Let’s look at the options:

Configure the client to use automatic detection (WPAD). If you do this, the client will obtain the autoconfiguration script for the ISA firewall array and then perform client side CARP. Client side CARP does not work with NLB, so we can’t use this option.

Configure the client to use the autoconfiguration script URL directly. This has the same effect as using WPAD for autoconfiguration, so this clearly won’t work either.

Configure the client to use the internal VIP of the NLB cluster as its Web Proxy server. This should work: connections from internal clients will be load balanced among the members of the ISA firewall array. Now you have two options:

  • Enable CARP
  • Disable CARP (the default)

The default setting is to disable CARP. When Web Proxy clients are load balanced among the firewall array members, the same Web content ends up cached on more than one member of the array, since each array member thinks it’s responsible for the entire FQDN space. This is unlike the situation when CARP is enabled, where each member of the CARP array takes a portion of the FQDN space. The result is some wasted disk space, as the same object could be cached on multiple ISA firewalls in the array.

We could enable CARP and allow the members of the array to perform server side CARP. In this case, the client sends a request to the internal VIP of the ISA firewall array and NLB assigns the connection to one of the array members. Since NLB makes that choice without regard to the FQDN in the request, there is no assurance that the request lands on the CARP array member responsible for that FQDN. If it lands on a member that is not responsible for the FQDN, that member forwards the request to the member that is. The responsible member returns the object from its cache, or, if the object isn’t in its cache, retrieves it, places it in its cache, and returns it to the member that forwarded the request. That member, which wasn’t responsible for the FQDN, returns the response to the client and does not cache the object, since it’s not responsible for that FQDN.

This has the potential to create an overabundance of intra-array traffic so that machines in the CARP array can perform server side CARP.

As Jason Jones and Jim Harrison so aptly put it, you have the following options when it comes to Web Proxy clients:

  • If you are primarily concerned with performance:

Web Proxy Client is supported by client side CARP

  • If you are primarily concerned with high availability:

Web Proxy Client is supported by NLB (with or without server side CARP)

  • If you are primarily concerned with high availability but want to maintain distributed caching:

Web Proxy Client is supported by NLB and server side CARP (accepting additional intra-array traffic)
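To make the three options above concrete, here is a small simulation I’ve added for this post; it is not ISA Server’s autoconfiguration script or its hash function. The member-selection rule is a rendezvous (highest-score) hash over FQDN plus member name, which is how CARP partitions the FQDN space; the hash function itself is SHA-256 here rather than CARP’s own 32-bit arithmetic, and the array member names and the workload are made up. It counts forwarded requests (intra-array traffic) and duplicated cache objects under client side CARP, NLB with server side CARP, and NLB with CARP disabled, and shows what happens to the FQDN-to-owner mapping when one member disappears.

```python
"""Client-side CARP vs. NLB with server-side CARP vs. NLB without CARP.

Added illustration, not ISA Server's own PAC script or hash.  Member selection
is a rendezvous hash (score every member against the FQDN, pick the highest),
which is the CARP rule; the hash primitive here is SHA-256, not CARP's own.
Array member names and the workload below are hypothetical / constructed.
"""
import hashlib
import random

ARRAY = ["isa1.corp.example", "isa2.corp.example", "isa3.corp.example"]  # hypothetical


def carp_score(fqdn: str, member: str) -> int:
    """Score one array member for one FQDN; identical on every client and member."""
    digest = hashlib.sha256(f"{fqdn.lower()}|{member.lower()}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def carp_owner(fqdn: str, members: list) -> str:
    """The member responsible for this FQDN: the one with the highest score."""
    return max(members, key=lambda m: carp_score(fqdn, m))


def client_side_carp(fqdns, members):
    """Client-side CARP: the client sends each request straight to the owner.
    No request is forwarded between members; each object is cached once.
    Returns (forwarded request count, {fqdn: set of members holding it})."""
    cached_on = {}
    for f in fqdns:
        cached_on.setdefault(f, set()).add(carp_owner(f, members))
    return 0, cached_on


def nlb_server_side_carp(fqdns, members, rng):
    """NLB VIP + server-side CARP: NLB picks the receiving member without looking
    at the FQDN; a non-owner forwards the request (intra-array traffic) and does
    not cache the reply, so the object still lives on the owner only."""
    forwarded = 0
    cached_on = {}
    for f in fqdns:
        receiver = rng.choice(members)
        owner = carp_owner(f, members)
        if receiver != owner:
            forwarded += 1
        cached_on.setdefault(f, set()).add(owner)
    return forwarded, cached_on


def nlb_no_carp(fqdns, members, rng):
    """NLB VIP with CARP disabled (the default): the receiving member caches the
    object itself, so repeat requests leave copies on several members."""
    cached_on = {}
    for f in fqdns:
        cached_on.setdefault(f, set()).add(rng.choice(members))
    return 0, cached_on


def duplicated_objects(cached_on) -> int:
    """Number of objects that ended up in more than one member's cache."""
    return sum(1 for holders in cached_on.values() if len(holders) > 1)


def owners_changed_by_loss(fqdns, members, lost):
    """When a member disappears, exactly the FQDNs it owned get a new owner; the
    survivors keep theirs.  Nothing in the hash tells a client the owner is gone,
    which is why CARP alone is not an HA mechanism.  Returns (changed, was_lost)."""
    survivors = [m for m in members if m != lost]
    was_lost = sum(1 for f in fqdns if carp_owner(f, members) == lost)
    changed = sum(1 for f in fqdns if carp_owner(f, members) != carp_owner(f, survivors))
    return changed, was_lost


# Constructed workload: 600 hostnames, each requested 5 times (3000 requests).
HOSTS = [f"host{i}.example.com" for i in range(600)]
REQUESTS = HOSTS * 5


def run_all(seed: int = 42):
    """Run the three deployment models over the constructed workload."""
    rng = random.Random(seed)
    return {
        "client-side CARP": client_side_carp(REQUESTS, ARRAY),
        "NLB + server-side CARP": nlb_server_side_carp(REQUESTS, ARRAY, rng),
        "NLB, CARP disabled": nlb_no_carp(REQUESTS, ARRAY, rng),
    }


if __name__ == "__main__":
    for name, (fwd, cache) in run_all().items():
        print(f"{name:24s} forwarded={fwd:5d}  duplicated objects={duplicated_objects(cache)}")
    print("owner changes on loss of", ARRAY[1], owners_changed_by_loss(HOSTS, ARRAY, ARRAY[1]))
```

With three members, roughly two thirds of the requests arriving at the VIP land on a non-owner and have to be forwarded under server side CARP, which is the intra-array traffic Jim warns about; with CARP disabled nothing is forwarded but the same object shows up in several caches.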

HTH,

Tom

ISA Scripting Without “Scripting ISA”

Quote:

“ISA Server 2006 SP1 includes a fix released in September 2007 that allowed ISA 2006 arrays to use multicast and IGMP-aware Integrated NLB. Implementing this change is a four-part process:

1. Install the update (or preferably; SP1)

2. Run the nlbclear utility

3. Run the script with appropriate command-line options

4. Reconfigure Integrated NLB

In order to change the ISA 2006 Integrated NLB so that it can support multicast or IGMP, we need to change the storage schema. Since CSS is based on Active Directory Application Mode (ADAM), any time you change the schema you have to do so at the server which holds the Flexible Single Master of Operations (FSMO) Schema Master Role. The problem encountered by most folks was that although it’s a general truth that the first-installed CSS is the Schema Master, most folks can’t easily determine if this is actually true in their particular deployment. Server failures and replacements can often leave the CSS replication group without a Schema Master. This state won’t normally affect CSS operation, since ISA doesn’t make schema updates as part of normal ISA operations, but when you need to make the changes required by this particular update, or if another update or service pack requires a schema change, the installation will likely fail for lack of a responsive Schema Master.

Since the ISA admin needs a simple way to determine which CSS owns the Schema Master role, I went on a search for such a tool. One TechNet article offers a method using an optional ADAM Schema MMC snap-in, but because I’m a command-line and script geek (I often miss my seriously-modded Kaypro-4); I wanted something a bit less GUI-dependent. Unfortunately, none of the provided ADAM management tools allow you to simply query the FSMO roles without issuing a “transfer” or “seize” command. Unless a FSMO master is missing from the CSS set, why reassign a role just to find out which server currently owns it?”

Check out the rest of this article written by Jim Harrison on the ISA Firewall Team Blog (whoops! It’s changed its name, it’s now the Forefront TMG (ISA Server) Product Team Blog) at:

https://blogs.technet.com/isablog/archive/2008/07/...a.aspx

HTH,

Tom

Winfrasoft’s Backup for ISA Server Goes RTM

Until now there has been no real way of fully backing up your ISA Server deployments. Some may think that restarting servers, manual exports and custom scripting are the solution. However, many hours will be spent re-installing, importing settings, re-configuring and tweaking, and log data is inevitably lost. The result is loss of data and productivity due to system down time.

Restores may not work as expected and even more time will be lost as everything is rebuilt from scratch.
Now you can backup on the fly and restore again in minutes!

Major Features

  • Backup of ISA Server configuration
  • Backup of ISA Array configuration
  • Backup of ISA Enterprise policy
  • Backup of Firewall logs
  • Backup of Web Proxy logs
  • Backup of IP and Routing information
  • Backup Array log data from a single server
  • Scheduled backup jobs
  • High security - AES 256bit encryption
  • Small size - PPMd compression (over 95%)
  • Central network storage of backups
  • Supports selection files
  • Command line interface for scripting
  • Slick .NET based Wizard driven user interface
  • ISA Server 2004 and 2006 support
  • Native support for Websense Security Suite*

Minimum Server System Requirements:

  • Windows Server 2003
  • ISA Server 2004 Standard Edition or Enterprise Edition or
  • ISA Server 2006 Standard Edition or Enterprise Edition

Languages:

  • Backup for ISA Server is compatible with multi-lingual versions of Windows Server 2003, however, it is only available in UK English.

  • Although multi-lingual versions of Windows Server 2003 can be used, Backup for ISA Server is ONLY compatible with the English version of ISA Server. Non-English versions of ISA Server are NOT supported.

For more information and downloads, check out:

http://www.winfrasoft.com/BackupForISA.htm

HTH,

Tom

Remember the Basics of TCP/IP When Publishing Web Servers

Yuri Diogenes published a very nice article on a problem one of his customers had with publishing a Web Server, with the Test button not indicating what the problem was. You can read this article over at https://blogs.technet.com/isablog/archive/2008/07/...n.aspx

Yuri and the team did a great job showing the network monitor traces of the problem. However, you really didn’t need to use NetMon to figure out the problem. Here’s why.

When you use the Test button, you’re testing connectivity from the ISA firewall’s internal interface to the IP address of the Web server. If the Test button shows that things are OK, then you know there is an intact request/response path between the ISA firewall’s internal interface and the published Web server.

But what about the situation where an external client is able to connect to the published Web server, but the published Web server is not able to return a response? This indicates a broken request/response path, with the broken part being the response path.

Now think about what could cause a broken response path. We know that there isn’t a physical layer problem, since the request path was intact. Thus, there must be a software configuration error or issue somewhere.

We know that the request/response path was intact from the ISA firewall’s internal interface to the published server. And by default, Web Publishing Rules replace the source IP address in the external client’s request with the IP address of the ISA firewall’s internal interface, so the Web server’s reply is addressed to the ISA firewall itself, over the very path the Test button has already shown to work.

However, many ISA firewall admins configure the Web Publishing Rule to preserve the source client IP address. In that case, the source IP address the Web server sees is the public address of the requesting client, so its reply is addressed to that public IP. That means the Web server needs a route to the Internet that passes through the ISA firewall. In many cases it doesn’t have one: the default gateway on the Web server may be another IP address, or interposed routers on the corporate network might use another address as their route of last resort.

You could also confirm this with a ping or tracert from the published Web server to an external address, which shows which way its outbound traffic goes; there’s no reason to muddy the water with HTTP requests. In fact, Network Monitor wouldn’t even be required to solve this problem: you would see the external client’s requests in the Web server’s log files, and the responses would never reach the client. Where NetMon would have been useful is in showing that the responses never reached the ISA firewall, even though the requests made it to the Web server.

Yuri’s article is a nice reminder that you need to remember your basic TCP/IP when working the ISA firewall. The ISA firewall is a network device, a piece of your network gear, and you need to treat it that way.
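The reasoning above is just the Web server’s route lookup for its reply, so here it is as code. This is an added example, not code from the post or from ISA Server: it runs a longest-prefix-match lookup over a constructed routing table for the published Web server, once with the default Web Publishing Rule setting (reply goes to the ISA firewall’s internal interface) and once with “preserve the source client IP address” (reply goes to the client’s public address). All addresses are hypothetical; the client sits in the 203.0.113.0/24 documentation range.

```python
"""Why a published Web server can receive the request and still fail to answer.

Added illustration, not code from the original post or from ISA Server.  It
performs the route lookup the published Web server does for its reply, over a
constructed routing table.  Every address here is hypothetical.
"""
import ipaddress

ISA_INTERNAL = ipaddress.ip_address("10.0.0.1")      # ISA firewall, internal interface
OTHER_ROUTER = ipaddress.ip_address("10.0.0.254")    # some other router on the LAN
CLIENT_PUBLIC = ipaddress.ip_address("203.0.113.7")  # the external client

# Routing table rows: (prefix, gateway).  gateway None means "directly connected".
ROUTES_VIA_ISA = [("10.0.0.0/24", None), ("0.0.0.0/0", ISA_INTERNAL)]
ROUTES_VIA_OTHER = [("10.0.0.0/24", None), ("0.0.0.0/0", OTHER_ROUTER)]


def next_hop(routing_table, destination):
    """Longest-prefix match, the rule any IP host applies when it sends a packet.
    Returns the gateway address, the destination itself when it is on-link,
    or None when there is no route at all."""
    best_net, best_gw = None, None
    for prefix, gateway in routing_table:
        net = ipaddress.ip_network(prefix)
        if destination in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    if best_net is None:
        return None
    return destination if best_gw is None else best_gw


def reply_path_intact(routing_table, preserve_client_ip):
    """Does the Web server's reply go back to the ISA firewall?

    preserve_client_ip=False models the default Web Publishing Rule setting
    (requests appear to come from the ISA firewall's internal interface);
    True models "preserve the source client IP address".
    """
    reply_destination = CLIENT_PUBLIC if preserve_client_ip else ISA_INTERNAL
    return next_hop(routing_table, reply_destination) == ISA_INTERNAL


def diagnose(routing_table, preserve_client_ip):
    """One-line verdict in the terms of the post: request path vs. response path."""
    if reply_path_intact(routing_table, preserve_client_ip):
        return "request and response paths intact"
    hop = next_hop(routing_table, CLIENT_PUBLIC)
    return f"request reaches the Web server, but its reply leaves via {hop}, not the ISA firewall"


if __name__ == "__main__":
    for label, table in (("default gateway = ISA", ROUTES_VIA_ISA),
                         ("default gateway = other router", ROUTES_VIA_OTHER)):
        for preserve in (False, True):
            setting = "preserve client IP" if preserve else "source = ISA internal IP"
            print(f"{label:32s} {setting:26s} -> {diagnose(table, preserve)}")
```

The Test button only ever exercises the first column of that output, a request from the ISA firewall’s internal IP to the Web server and the reply back, which is why it reports success in the one combination that actually fails for external clients.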

HTH,

Tom

Change Tracking - How Secure is It?

First, I want you to read these articles by Jonathan Barner on the ISA firewall Team Blog site:

https://blogs.technet.com/isablog/archive/2008/07/...t.aspx

https://blogs.technet.com/isablog/archive/2008/07/...t.aspx

Then I want you to think about it.

I’ll give you my take on this issue tomorrow. Stay tuned!

HTH,

Tom

Change Logging Tips

Jonathan Barner shares some very useful tips for working with the new Change Logging feature included with ISA 2006 SP1.

Check them out here:

https://blogs.technet.com/isablog/archive/2008/07/...s.aspx

HTH,

Tom
