Still confused about what Direct Access really is and what it can mean for your business?  Bookmark the DirectAccess FAQ for answers to many of your DirectAccess questions.  Learn how your users can be seamlessly and securely connected to your network any time they have an internet connection.  Keep your users up to date with security and system health policies using DirectAccess. 

Announcing the Forefront TMG Best Practices Analyzer Version 8!  This announcement discusses new features and functions found in the latest release of the Best Practices Analyzer tool, including URL Filtering, ISP Redundancy, HTTPS Inspection, Anti-Malware protection and much more!   

Forefront TMG Case Studies – Many of our customers will wait a while and look to see how a software product performs in the real world before making the decision to adopt a new technology.  The same goes for the Microsoft Forefront TMG product, the successor to the popular and proven Microsoft ISA technology.  Customers want to know why TMG is being adopted, why they should change from their current ISA platform, and what benefits they will realize when they decide to make the move.  A great way to answer those questions is through real world case studies such as those found here where customer testimonials can help illustrate some of the benefits found in Microsoft TMG. 

Error installing a replica of ISA Server 2006 CSS

1. Introduction

When you attempt to install a replica CSS, you may encounter the following error message:

Figure 1 – Error while installing ISA Server 2006 CSS.in replica mode

When ISA Server 2006 Setup displays the “Setup failed to start the configuration agent” message, this means that the Microsoft ISA Server Storage Control Service was unable to perform certain tasks that were supposed to be completed at that point in time. To understand this error, we need to review the ISA Sever 2006 Setup Log files.

2. Reviewing Setup Log files

ISA Server 2006 Setup log files are located in %windir%\temp, for this specific issue the log file that we should review starts with ISAFWSRV_NNN.log, which contains Firewall service setup information. The relevant part of this error in the setup file is shown here:

14:52:30 ISA setup CA INFO : Source path = C:\ISA Server 2006 Enterprise\FPC\Program Files\Microsoft ISA Server\msfpcstg.dll

14:52:30 ISA setup CA INFO : GetHandleToDllEx(msfpcstg.dll) succeeded

14:52:30 ISA setup CA INFO : LoadStorage succeeded

14:52:30 ISA setup CA INFO : StorageInitialized OK

14:52:30 ISA setup CA INFO : This is a deferred CA - ADAM server name should be already set in registry

14:52:30 ISA setup CA INFO : ADAM server name is: mycss.contoso.com

14:52:30 ISA setup CA INFO : Server=mycss.contoso.com, Username=(null), Domain=(null)

14:52:31 ISA setup CA ERROR : MixerSetup() failed, hr=0x80004005

Setup failed while initializing configuration agent.

MSI (s) (E4!E4) [15:09:26:746]: Product: Microsoft ISA Server 2006 -- Setup failed while initializing configuration agent.

15:09:26 ISA setup CA ERROR : Setup failed while initializing configuration agent.

15:09:26 ISA setup CA ERROR : (Error 37060) Setup failed while initializing configuration agent.

15:09:26 ISA setup CA ERROR : EXIT: InitConfigurationAgent, Custom Action failed (0x643)

15:09:26 ISA setup CA INFO : msfpc.DLL was successfully unloaded from delay-load list

The error code 0x80004005 is a very generic error, it actually means “unspecified failure” according to Common HRESULT Values MSDN article..

3. ISA Data Packager

One approach that can be used in scenarios like this is to get an ISA Data Packager in repro mode. . The following action plan can help you understand and resolve CSS replication problems encountered during installation:

1) On the original CSS, download the latest version of ISA BPA from www.isabpa.com and install it.

2) Go to Start / Programs / Microsoft ISA Server / ISA Tools and click ISA Data Packager

3) Click the option "Collect data using one of the following repro scenarios"

4) Select "Configuration Storage Server" and click Next;

5) Click Modify Options

6) Select:

a. ISA BPA

b. ISA Info

7) Click Start data collection

8) The Data Packager will start to run. When the option "Press spacebar to start the capture" appears, press the spacebar to begin the data capture

9) Try to install the CSS replica.

10) When the error message appears, click OK; wait until the installer completes the roll back process,

11) Return to the original CSS and press spacebar again to stop the capture. Wait until the CAB file is generated on the desktop.

4. Reviewing ISA Data Packager Result

One of the files within this CAB file that you can review to see if the whole ISA Data Packager collection was done successfully is called IDP.yyyy-mm-dd.hh-mm-ss.time.trace.log (for example IDP.2009-1-23.15-29-13.trace.log). This is a log that the IDP (ISA Data Packager) writes the details of the steps that were performed during the data collection. In this case one thing that didn’t look correct was the error below:

* -- Accessing "FPC.Root"

* Connecting to CSS "mycss.contoso.com"

* Connecting to "Containing" Array..

* -- Exporting ISA configuration (this may take some time)...

* *** Failed to gather ISA configuration data.

*

* Error Number : 8000FFFF

* Description : Catastrophic failure

*

* The error occurred on object 'My Application Protocol' of class 'Protocol Definition' in the scope of array 'mycss'.

When ISA Data Packager runs it tries to exports the ISA Server configuration to an XML file. In this case the export action failed with error 8000FFFF (Catastrophic failure). According to this log, the object “My Application Protocol” which is located in the “Protocol Definition” container in the “mycss” array couldn’t be exported.

5. Solution

When ISA Storage Control Service is initializing, the agent tries to gather ISA configuration data by synchronizing with the existing CSS . This action fails because of a corrupted object in the existing CSS. Putting the pieces together, it makes sense that the installation of the CSS replica would have failed.

The solution I this case is to manually remove the “My Application Protocol” object. ISA storage mechanisms can’t access the corrupted custom protocol object becaue of the schema validation that is performed during object access. Thus, you must use ADAM management tools to do this. You can use a similar approach as described in Method 2 of the KB935767 to access ADAM and make a manual modification. The actual DN (Distinguished Name) of the problematic object will be unique, but in the case of a protocol definition, it would be located in CN={ProtocolUUID},CN=ProtocolDefinitions,CN=RuleElements,CN={ArrayUUID},CN=Arrays,CN=FPC2

Author

Yuri Diogenes

Security Support Engineer – Microsoft CSS Forefront Edge Team

Technical Reviewers

Jim Harrison

Program Manager - Microsoft Forefront Edge

Mohit Saxena

Technical Lead - Microsoft CSS Forefront Edge Team

Published Tuesday, February 17, 2009 12:26 AM by isablog

Filed under: ISA, BPA

Forefront TMG (ISA Server) Product Team Blog : Error installing a replica of ISA Server 2006 CSS

Site Search

Advanced Search

Web security and Web filtering for ISA Server
Monitor, control and protect your ISA Server users with filtering policies, real-time monitoring and multiple virus scanning engines
Learn more and download 30-day trial

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3)

Case study: Migrating a unihomed ISA 2000 firewall configuration to a multihomed ISA 2006 firewall configuration.

• Published: Jan 20, 2009
• Updated: Jan 20, 2009
• Section: Tutorials :: Configuration - General
• Author: Thomas Shinder

If you would like to read the other parts in this article series please go to:

• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)
• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

Introduction

In the first two parts of this series on ISA and TMG networking, I discussed the concepts of ISA/TMG Firewall Networks and Network Rules. In those articles I tried to make it clear that you need to have a good understanding of how the ISA/TMG firewall sees the networked world before you can get the most out of your firewall configuration.

Now that you have a good understanding of ISA/TMG Firewall Networks and Network Rules, let us take a look at a case study. In this case study the client wanted to migrate from ISA 2000 to ISA 2006. As you might know, there is no direct upgrade path from ISA 2000 to ISA 2006. I do not consider this a major problem (in most cases) because the networking model used by ISA 2004 and ISA 2006 firewalls is completely different than that used in ISA 2000. It is better to start over and determine what the requirements are, and see how the new network model and new features included with the newer firewall version can help meet and optimize those requirements.

The client was using the ISA 2000 firewall for Web Publishing Rules only. It was not used for outbound access in any way. Its only duty was to perform reverse Web proxy for a number of applications hosted on an internal Web server. The client did use the ISA 2000 firewall to route requests to different Web sites based on the path in the request. Because of this, internal clients needed to connect to the Internal Web sites through the ISA firewall.

Current Infrastructure: Unihomed ISA Firewall on Internal Subnet

Figure 1 shows the old network configuration that’s relevant to our ISA firewall design. As you can see, there is a front end ASA gateway connecting the customer’s network to the Internet. The ASA gateway is the device that enables all inbound and outbound access into and out of the network.

There was a core router that routes to a number of internal network IDs. There is a unihomed ISA firewall on one of these network IDs. Since the ISA 2000 firewall is unihomed, all networks are considered internal. However, this observation is somewhat moot since the ISA 2000 firewall didn’t see network world in terms of ISA Firewall Networks. The default gateway for the old ISA 2000 firewall is local IP address on the LAN router.

Figure 1

Figure 2 shows the old traffic path used by internal clients when they tried to connect to the company’s Web sites. When planning out ISA or TMG firewall deployments, it's critically important that you understand the current network infrastructure and the request/response paths used by both internal and external clients to reach those resources. The old request/response path for internal clients can be described in the following steps:

1. Client on one of the internal subnets sends a connection request to the unihomed ISA firewall. This request must cross network IDs and thus packets must be sent to the core router for routing.
2. The core router forwards the packets to the ISA 2000 firewall.
3. The ISA firewall proxies the request to the Web site, which is on the same network ID as the ISA firewall.
4. The Web site responds to the ISA firewall’s request for information.
5. The ISA firewall forwards the response to the internal client that made the request. The request must be forwarded to a different network ID than where the ISA firewall exists, so response packets are sent to the ISA firewall’s default gateway, which is the core router.
6. The core router forwards the response to the internal client that made the request.

Figure 2

After understanding how internal clients reached the Web sites through the unihomed ISA 2000 firewall, the next step was to figure out how external clients reached the Web sites. Figure 3 shows the request/response path:

1. An external client resolves the name of the Web site to an IP address on the external interface of the ASA gateway.
2. The ASA gateway does reverse NAT to forward the request to the unihomed ISA 2000 firewall. In order to reach the remote subnet on which the ISA firewall exists, the ASA gateway forwards the packets to the core router’s local IP address.
3. The core router forwards the packets to the ISA firewall.
4. The ISA firewall does reverse Web proxy and forwards the request to the Web site.
5. The Web site sends its response to the ISA firewall.
6. The ISA firewall sends its response to the client that made the request. Since the source IP address is an Internet IP address, the ISA firewall sends the request through it’s default gateway, which is the local IP address on the core router.
7. The core router uses the ASA gateway as its default gateway, and forwards the packets to the ASA.
8. The ASA forwards the packets to the client that made the initial request for the Web content.

Figure 3

Now that we have a good understanding of the request/response paths for connections to the ISA firewall for Web content, we can now think about how to redesign the configuration so as to provide a much higher level of security using the new networking model included with the ISA 2006 firewall.

New Network Configuration: ISA Firewall as Inline Network Security Device

We decided to increase network security by changing from a unihomed ISA firewall configuration to a dual homed, inline network device configuration. When the ISA firewall is deployed in this way, attackers would not be able to bypass the firewall to obtain content on the internal Web servers. In addition, this configuration enables the ISA firewall to shore up the security weaknesses inherent in the ASA gateway, thus providing a dual layer of protection for both inbound and outbound access. Our initial design did not include outbound access control, but it would be something to consider in the future. For now, we will focus only on using the ISA firewall for reverse proxy.

As you know now, ISA and TMG firewalls need to have Networks defined in order to allow traffic to cross them. In addition to defining these Firewall Networks, we need to configure Network Rules to connect the Firewall Networks.

In figure 4 you see how we deployed the new ISA firewall. First, the ISA firewall was placed behind the ASA gateway and it uses the LAN interface of the ASA gateway as the ISA firewall’s default gateway. The other NIC on the ISA firewall was connected to the default Internal Network. The default Internal Network is defined by all IP addresses located behind the internal interface of the ISA firewall. In this case, since there were multiple internal subnets behind the ISA firewall, we had to add all of these IP addresses to the definition of the default Internal Network.

In addition, we had to make sure that the ISA firewall was configured with routing table entries that let the firewall know to use the core router to forward connections to different network IDs within the default Internal Network. We needed to do this because the ISA firewall’s default gateway was the LAN interface on the ASA gateway, which represents a departure from the previous ISA firewall’s configuration, where it was using the core router as its default gateway.

We also needed to configure an ISA Firewall Network for the DMZ segment between the ISA firewall’s external interface and the LAN interface on the ASA gateway. The reason for this was that they were currently using the ASA at their VPN gateway. External VPN clients connect to the ASA and need access to content behind the ISA firewall. After creating the ISA Firewall Network for the DMZ, we set a Network Rule to Route connections between the DMZ and default Internal Network. The ASA had to be configured to inform the VPN clients to use the ISA firewall’s external interface as the gateway address for all the internal network IDs.

The other Network Rule applying to this configuration is one enabling traffic between the default Internal Network and the default External Network. This Network Rule set a NAT relationship between the default Internal and default External Networks.

Figure 4

Figure 5 gives you a look at the request and response traffic between an external client and the Web servers that the new ISA firewall configuration will provide access to:

1. The external client resolves the name of the Web site to an IP address on the external interface of the ASA gateway that will perform reverse NAT on the connection.
2. The ASA gateway forwards the packets to the external interface of the ISA firewall.
3. The ISA firewall needs to forward the request to the Web server on a remote subnet. In order to do this, it forwards the packets to the local interface on the core router.
4. The core router forwards the packets to the Web server.
5. The Web server responds to the request. Since the request appears to come from the IP address of the ISA firewall (the default setting for Web Publishing Rules), it sends its response through its gateway address, which is the local address on the core router.
6. The router forwards the packets to the internal interface of the ISA firewall.
7. The ISA firewall returns the response to the requesting client through the ASA gateway.
8. The ASA gateway forwards the packets from the ISA firewall to the requesting client.

Figure 5

The next problem we had to deal with is how internal clients reach the Web servers. Since I prefer to not loop back through the ISA firewall to reach internal resources, I proposed that the following should be the optimal request/response path (figure 6):

1. The internal client makes a connection request to the Web server that is on a remote network ID. In order to do that, it uses it’s default gateway, which is the local IP address on the LAN router.
2. The router forwards the packets to the Web server.
3. The Web server responds to the client request. Since the request came from a client on a remote subnet, it forwards the response through the local IP address on the core router.
4. The router forwards the response to the requesting client.

Figure 6

While that would have been the optimal solution in terms of performance and simplicity, this “direct access” method would not work in our scenario. The client was using the ISA firewall to do some neat routing tricks based on the path statement in the request, so both internal and external clients need to go through the ISA firewall to make the solution work. This required that the Web Listener used in the Web Publishing Rules be configured to listen on both the internal and external interfaces of the ISA firewall. In addition, a split DNS infrastructure needed to be put into place, so that internal clients resolved the names of the Web sites to the IP address on the internal interface of the ISA firewall.

With those configuration settings in place, the new request/response path would look like this:

1. The internal client makes a request for the Web site. The site name resolves to the IP address on the internal interface of the ISA firewall. Since the client is on a subnet remote from the internal interface of the ISA firewall, the request is forwarded to the client’s default gateway, which is the local IP address on the core router.
2. The core router forwards the packets to the IP address on the internal interface of the ISA firewall.
3. The ISA firewall reverse proxies the request to the Web site on a remote subnet. To do this, the ISA firewall sends the packets through the core router to reach the remote subnet on which the Web server is located.
4. The router forwards the packets to the Web server.
5. The Web server returns the response to the source IP address of the request, which is the internal IP address on the ISA firewall. In order to reach this IP address on a remote subnet, the Web server sends the packets to the local interface of the core router.
6. The core router forwards the packets to the ISA firewall’s internal interface.
7. The ISA firewall sends the response to the client that made the original request. In order to reach the client on the remote subnet, the ISA firewalls sends the packets to the local address on the core router.
8. The router sends the packets to the client that made the original request.

Figure 7

Summary

In this last article of our three part series on how the ISA and TMG firewalls see the network, I went over a case study were we migrated a unihomed ISA 2000 firewall configuration to a multihomed ISA 2006 firewall configuration. In order to make the migration a success, we needed to understand how ISA/TMG Firewall Networks work and how to configure Network Rules to connect those Networks. We needed to make sure that all the appropriate addresses were configured in the default Internal Network, and we also created another ISA Firewall Network to support VPN clients terminating on the ASA gateway in front of the ISA firewall. Finally, a detailed understanding of the request/response paths between clients and published servers was critical to making the solution work.

Since we have spent so much time on network designs the last few weeks, let us take advantage of this momentum and examine some network designs for unihomed ISA firewalls. While concepts of ISA Firewall Networks and Network Rules do not apply to unihomed ISA Firewalls, there are still some routing options, as we can take advantage of Web Routing Rules to do some neat things work unihomed ISA firewalls. See you then! –Tom.

If you would like to read the other parts in this article series please go to:

• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)
• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

About Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

Click here for Thomas Shinder's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!

• Real-Time Article Update (click for sample)
• Monthly Article Update (click for sample)
• Monthly Newsletter (click for sample)

Latest articles by Thomas Shinder

• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)
• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)
• ISA Firewall Web Caching Capabilities
• Auditing the Initial Configuration of the EBS TMG Firewall (Part 2)
• Auditing the Initial Configuration of the EBS TMG Firewall (Part 1)

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3)

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

Understanding the concept of Network Rules.

• Published: Jan 13, 2009
• Updated: Jan 13, 2009

If you missed the first part in this article series please read Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

Introduction

In our last article on ISA and TMG firewall networking, I talked about how ISA and TMG firewalls use Networks to control traffic moving through and to the firewall. To recap, ISA and TMG Firewall Networks are collections of IP addresses located behind a specific NIC on the firewall. The addresses can be on and off-subnet for the specific NIC, but in order for a client behind any NIC on the TMG or ISA firewall to reach a destination through the firewall, that client’s IP address must be included in the definition of the ISA or TMG Firewall Network from which it connects. If the client’s IP address is not part of the ISA Firewall Network definition for the NIC that receives the request, the connection will be dropped as spoofed.

If you have not read part 1 of this series on ISA and TMG Networking, or want to brush up on what ISA/TMG Firewall Networks are all about, click here.

Now that you understand the details of ISA/TMG Firewall Networks, the next step is to understand how to connect those Networks. In order a host on one ISA/TMG Firewall Network to connect to a host on another ISA/TMG Firewall Network, the source and destination Networks must be connected. The way you connect ISA/TMG Firewall Networks is by creating a Network Rule.

Network Rules connect ISA/TMG Firewall Networks in one of two ways: NAT or Route. When you connect ISA/TMG Firewall Networks to each other, you also define the route relationship between the Networks.

Note:
Pay attention to the capitalization when I refer to networks. A “network” with a lower case “n” is a generic network, while a Network with an upper case “N” is an ISA/TMG Firewall Network.

When you define a NAT relationship between the source and destination Network, all IP addresses on the source Network are hidden from the destination host. The destination host sees the source IP address as the primary IP address on the external interface of the ISA/TMG firewall. The primary IP address is the IP on top of the IP address list (when there is more than one IP address bound to the external interface of the ISA/TMG firewall). A NAT route relationship is one-way. When you NAT from source to destination, you do not NAT from destination to source. For example, when you NAT from the default Internal Network to the default External Network, you do not NAT from the default External Network to the default Internal Network.

In general, when there is a NAT relationship between the source and destination Network, you create Access Rules to allow connections from the NATed to the non-NATed Network (for example, from the default Internal Network to the default External Network) and Publishing Rules to allow connections from the non-NATed Network to the NATed Network (for example, from the default External Network to the default Internal Network).

When you define a route relationship between two ISA/TMG Firewall Networks, the route relationship is reciprocal. That is to say, if you create a route relationship from source to destination Network, then there is also a route relationship between the destination and source Network. When there is a route relationship, no IP addresses are hidden, and the source IP address is always preserved.

In general, you use Access Rules to allow traffic in both directions when there is a route relationship between source and destination Networks. For example, if you have a route relationship defined for connections from the default Internal Network to a DMZ Network, then you can use Access Rules to allow connections from the default Internal Network to the DMZ Network, and you can use Access Rules to allow connections from the DMZ Network to the default Internal Network.

An example Network Rule appears in figure 1 below. In this example, there is a Network Rule that connects the DMZ Network to the default Internal Network and the route relationship is Route.

Figure 1

Remember, there must always be a Network Rule that connects the source and destination Network. Even if you create an Access Rule that allows a connection from a host on one Network to a host on another Network, the connection attempt will fail because the Networks are not connected by a Network Rule. This problem can be hard to troubleshoot because when you check the ISA/TMG firewall’s log files, you will see that the connection attempt is denied, but there would not be any information indicating that the problem is a missing Network Rule. Well, that’s been true for ISA firewalls. I have not yet tested this with TMG firewalls. However, the problem should be less frequent with TMG firewalls, since when creating a new TMG Network, you are asked to define the Network Rule before the Network is created. In contrast, with the ISA firewall, you could create a Network without creating a Network Rule.

Network Rule Examples

To get a better understanding of how Network Rules work in connecting ISA/TMG Firewall Networks, let’s look at a few examples. In figure 2 below, you will see a typical configuration for an ISA/TMG firewall with a default Internal and default External Network. In this example, there is a Network Rule connecting the default Internal and External Networks, and the Network Rule defines a NAT relationship between the Networks.

When clients on the default Internal Network try to connect to hosts on the default External Network, the source IP address seen by the host on the default External Network is going to be the primary IP address on the external interface of the ISA/TMG firewall. In effect, the ISA/TMG firewall is “hiding” the IP address of the source client.

Figure 2

ISA and TMG firewalls can be configured with multiple NICs. There is no limit on the number of NICs you can install in an ISA or TMG firewall. In fact, you can even create virtual NICs using 802.1q VLAN tagging, as long your NICs and NIC drivers support this configuration. When you have multiple NICs installed on the ISA firewall, you can create an ISA/TMG Firewall Network for each of the NICs (recall our discussion of ISA/TMG Firewall Networks in part 1 of this article series, where each NIC represents the “root” of each ISA/TMG Firewall Network).

In the figure below, you can see that there are three NICs installed on the ISA firewall. One NIC is connected to the default External Network one NIC is connected to the default Internal Network, and one NIC is installed on a DMZ Network. There are two Network Rules configured on the ISA Firewall:

• A Network Rule connecting the default Internal Network to the default External Network, and the route relationship is NAT
• A Network Rule connecting the default Internal Network to the DMZ Network, and the route relationship is Route

In this configuration, connections from the default Internal Network to the default External Network will be NATed, and the destination hosts will see the source IP address of the connection as the primary IP address on the external interface of the ISA firewall. When hosts on the default Internal Network connect to hosts on the DMZ Network, the destination hosts on the DMZ Network will see the source IP address as the actual IP address of the host on the default Internal Network. Likewise, since the route relationship is reciprocal, when a host on the DMZ Network tried to connect to a host on the default Internal Network, the host on the default Internal Network will see the source IP address as the actual IP address of the host on the DMZ Network.

In this next example (figure 3), connections from the default Internal Network to the default External Network are allowed by using Access Rules. Connections from the default External Network to the default Internal Network are allowed by publishing rules (either Web or Server Publishing Rules). Connections from the DMZ Network to the default Internal Network, and from the default Internal Network to the DMZ are allowed using Access Rules.

Figure 3

What do you think will happen if a host on the DMZ Network tries to connect to a host on the default External Network? Since there is no Network Rule in place connecting hosts on the DMZ Network to the default External Network, the connection attempt will be denied, as seen in figure 4 below. Even if there is an Access Rule allowing the connection, the connection attempt will fail because there is no Network Rule connecting the Networks.

Figure 4

Let us say that we create a Network Rule that connects the DMZ Network to the default External Network and define the route relationship as NAT. When there is a NAT relationship, we can use either public or private addresses on the source Network. Connections from hosts on the DMZ Network to the default External Network are allowed by using Access Rules, and connections from the default External Network to the DMZ network are allowed by using publishing rules.

Figure 5

Figure 6 below shows a slight alteration in the configuration. In this case, there is a route Network Rule connecting the DMZ Network to the default External Network. Because there is a route relationship, we must use public addresses on the DMZ Network, because private addresses are not routable over the Internet. We can use Access Rules to allow connections from the DMZ Network to the default External Network, and we can also use Access Rules to allow connections from the default External Network to the DMZ Network.

Up to this point, I’ve been telling you that when you have a route relationship, you can use Access Rules to control traffic in both directions. However, it is possible to use publishing rules. In the case or Web Publishing Rules, the route relationship isn’t an issue, because the connections are always proxied from the source and destination Network, so no actual “routing” at an IP level actually takes place. However, the situation is a little different with Server Publishing Rules.

When there is a route relationship between the source and destination Network, you can allow incoming connections using either an Access Rule or a Server Publishing Rule. In some cases, you might want to use a Server Publishing Rule instead of an Access Rule, because application layer inspection filters are bound to some Server Publishing Rules that can’t be bound to access rules.

For example, in the example configuration noted in the above figure 5, there is a route relationship because the default External Network and the DMZ Network. Suppose you have an SMTP server on the DMZ Network. You want to allow incoming SMTP messages from the Internet to the SMTP server on the DMZ Network. In this case, you could create an Access Rule to allow incoming SMTP connections from the default External Network to the DMZ Network, or you could create a Server Publishing Rule that publishes the SMTP server on the DMZ Network.

The advantage of using a Server Publishing Rule in this scenario is that the SMTP filter can be bound to the “SMTP Server” protocol. “Server” protocols are for inbound connections only. The SMTP filter can’t be bound to the “SMTP” protocol, which is used for Access Rules. Thus, a Server Publishing Rule using the SMTP Server protocol allows us to apply application layer inspection on the incoming connections.

I should note here that when you do use Server Publishing Rules to publish servers in a scenario where this is a route relationship between the source and destination Network, you still publish the machine using the actual IP address of the published server. However, the ISA or TMG firewall then performs a bit of magic to intercept the connection so that application layer inspection can be performed. The firewall does what is called “port stealing” on the Server Publishing Rule, so that when connections destined to the actual IP address of the published server are made, the firewall “steals” the connection and passes it to the application layer inspection filters. If the connection passes inspection, then it is forwarded to the published server. If the connection does not pass inspection, then it is dropped.

Figure 6

Now let us change our focus and look at the connectivity between the DMZ Network and the default Internal Network. In figure 7 below, you can see that we have a Network Rule connecting the default Internal Network to the DMZ Network, and the route relationship is NAT. Because the route relationship is NAT, when hosts on the default Internal Network try to connect to hosts on the DMZ Network, the DMZ Network hosts will see the source IP address of the connection to the be primary IP address on the DMZ NIC.

To allow connections to the DMZ Network from the default Internal Network, you need to create Access Rules. To allow connections from hosts on the DMZ Network to hosts on the default Internal Network, you need to create publishing rules. What you cannot do when there is a NAT relationship from the default Internal Network to the DMZ Network is create Access Rules allowing connections from the DMZ Network to the default Internal Network.

Figure 7

Figure 8 shows a reversal of the Network Rule connecting the DMZ Network to the default Internal Network. In this case, the Network Rule defines a NAT relationship from the DMZ Network to the default Internal Network. When hosts on the DMZ Network try to connect to hosts on the default Internal Network, the hosts on the default Internal Network will see the source IP address of the connection request as the primary IP address on the Internal Network NIC. Access Rules are allow connections from hosts on the DMZ Network to the default Internal Network and publishing rules allow connections from hosts on the default Internal Network to the DMZ Network. You cannot create Access Rules to allow connections from the default Internal Network to the DMZ Network because the hosts on the default Internal Network are on the non-NATed Network.

Figure 8

The next scenario looks at a scenario that is a common point of confusion: the back to back ISA/TMG firewall configuration. In a back to back firewall configuration, there is a front-end ISA/TMG firewall that is connected to the Internet, and there is a back-end ISA/TMG firewall that is connected to a DMZ behind the front-end firewall and an internal network behind the back-end firewall.

In the typical case, the front-end ISA/TMG firewall has a NAT route relationship between the DMZ network behind the front-end firewall and the default External Network. The back-end ISA/TMG firewall has a NAT relationship between the default Internal Network and the default External Network.

What you should appreciate here is that in this typical scenario, the DMZ network in front of the back-end ISA/TMG firewall is part of the back-end ISA/TMG firewall’s default External Network. Because it is part of its default External Network, the route relationship is going to be NAT. Therefore, if hosts behind the back-end ISA/TMG firewall need to connect to machines on the DMZ network between the firewalls, then you will create Access Rules to enable those connections. If there are machines in the DMZ network between the firewalls that need to connect to hosts behind the back-end ISA/TMG firewall, then you will need to create publishing rules to enable those connections.

Figure 9

Now let’s look a variation of the above scenario. In this case, on the back-end ISA/TMG firewall we create an ISA/TMG Firewall Network for the DMZ between the firewalls. Then we create a Network Rule that connects the default Internal Network on the back-end ISA/TMG firewall to the DMZ Network and define a Route relationship between the Networks. Now when hosts connect to resources on the DMZ Network, an Access Rule is used to allow the connection and the hosts on the DMZ Network see the source IP address as the original client IP address. This configuration also allows you to create Access Rules to allow hosts on the DMZ Network to connect to hosts on the default Internal Network behind the back-end ISA/TMG firewall.

This scenario is important because many people would like to terminate VPN connections at the front-end firewall. When VPN clients are terminated at the front-end ISA/TMG firewall, they are given IP addresses that are part of the DMZ Network. Thus, they act as DMZ Network hosts. You can then create Access Rules that allow the VPN clients access to resources on the default Internal Network behind the back-end ISA/TMG firewall. The take home point is that since the VPN clients are given IP addresses that belong to DMZ Network definition on the back-end ISA/TMG firewall, you can use Access Rules instead of publishing rules due to the route relationship between the two Networks.

There is one more thing you should be aware of in this back to back configuration where there is a route relationship between the back-end ISA/TMG firewall’s default Internal Network and the DMZ Network. When hosts on the back-end ISA/TMG firewall’s default Internal Network try to connect to the Internet, the connections must go through both firewalls. When the front-end ISA/TMG firewall receives the outbound connection request from hosts on the back-end ISA/TMG firewall’s default Internal Network, the source IP address is going to be the actual IP address of the host making the request.

Normally, the default Internal Network for the front-end ISA/TMG firewall will include the IP addresses on the DMZ Network. However, since there is a route relationship between the DMZ Network and the back-end ISA/TMG firewall’s default Internal Network, you need to include the addresses in the back-end ISA/TMG firewall’s default Internal Network in the addresses that define the front-end ISA/TMG firewall’s default Internal Network. If you fail to do this, the front-end ISA/TMG firewall will see the source address as one that doesn’t belong to it’s default Internal Network and will drop the connection as spoofed.

Figure 10

Summary

In this, part two in our series about ISA/TMG Network concepts, I went over some scenarios that were designed to help you understand the concept of Network Rules. Network Rules are required to connect Networks. If source and destination Networks are not connected, no communications will be allowed between those Networks, even if there are Access Rules configured to allow the connections. When defining a Network Rule to connect a source and destination Network, you also define the route relationship. The route relationship can be either NAT or Route. Access Rules and publishing rules are supported in a different way, depending on the route relationship between the source and destination Networks.

Next week we will look at a case study where we had to have a good understanding of how ISA/TMG firewall Networks work in order to get a working solution. This case study involves migrating an old ISA 2000 firewall to ISA 2006. Not only that, but the migration also includes changing over from a unihomed ISA firewall to a dual-homed firewall. As you might imagine, there were several network issues that needed to be addressed. You find out what the problems where and how we solved them in the next article. See you then! –Tom.

If you missed the first part in this article series please read Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

About Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

Click here for Thomas Shinder's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!

• Real-Time Article Update (click for sample)
• Monthly Article Update (click for sample)
• Monthly Newsletter (click for sample)

Latest articles by Thomas Shinder

• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)
• ISA Firewall Web Caching Capabilities
• Auditing the Initial Configuration of the EBS TMG Firewall (Part 2)
• Auditing the Initial Configuration of the EBS TMG Firewall (Part 1)
• X-Forwarded-For and the ISA Firewall: Track your Originating Client through a Web-proxy Chain and on Your IIS

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

What ISA/TMG firewall Networks are about and how the firewall uses these networks to perform several key functions.

• Published: Dec 16, 2008
• Updated: Dec 16, 2008

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

Last week I did a blog post asking our ISAserver.org members what kind of content they would like to see on the site. I expected the typical stuff, such as “more articles on integrating with other networking equipment vendors” and “more information on how NLB works” and “more articles on how to make ISA and TMG work with Exchange 2007, SharePoint and OCS” and maybe even “more stuff about ISA and TMG add-ons”. I was not disappointed. I did get requests for all of that kind of content.

There was also another comment that I thought was interesting. Someone wrote to me and said that what he would like is some information on the basics. For example, the basics of ISA networking. This fellow said that many Microsoft admins who use ISA have a basic understanding of TCP/IP networking but do not have a good grip on how the ISA firewall see the networked world and any information that would help along those lines would be very helpful.

The comment was a timely one for me, as it dovetailed with some other experiences I was having last week. Therefore, in the spirit of this request for some return to the basics and my experiences last week, we will go over some of the basics of ISA/TMG firewall networking.

ISA/TMG Firewall Networks

NOTE:
Pay close attention to the capitalization I use in this article. Network with a capital “N” refers to an ISA/TMG Firewall Network – which is a network objects that the firewall uses to define collections of IP addresses directly accessible from a specific network interface. In contrast, when a lower case “n” is used for network, I am referring to a generic network or network segment.

ISA and TMG firewalls see the networked world based on the concept of the Network network object. The Network network object defines traffic that moves through the firewall. All traffic that moves to or through the firewall must source from one Network and have a destination to another Network. If the source and destination traffic are on the same Network, then the traffic doesn’t move through the firewall. However, there are times when traffic with the same source and destination Network can bounce off the firewall. We will take a look at this example later.

What is an ISA Firewall Network? An ISA/TMG Firewall Network is a collection of IP addresses that can directly reach a NIC on the firewall without having to traverse the firewall. For example, consider a simple scenario where the ISA firewall has two NICs: an internal interface with an IP address of 10.0.0.1 and an external interface with a public IP address. There is a host connected to the same network as the firewall’s internal interface and that client has an IP address of 10.0.0.2. In this example, the internal interface and the client at 10.0.0.2 are part of the same network, since the client can directly reach that interface without crossing the firewall. In addition, the client can’t be on the same network as the external interface of the firewall, since it would have to cross the firewall to reach that interface.

The figure below depicts this example. The internal interface has the IP address 10.0.0.1 and the client behind that interface has IP address 10.0.0.2. The client behind the internal interface can reach the internal interface directly. The client behind the internal interface cannot reach the external interface directly. Therefore, the client could never be a member of the ISA Firewall Network that the external interface belongs to.

Figure 1

As I mentioned earlier, an ISA Firewall Network is defined as a collection of IP addresses that can be reached directly through one of the interfaces on the ISA or TMG firewall. However, this does not mean that all of those IP addresses have to be on the same network ID as the interface on the ISA firewall.

For example, in the figure above, the internal interface of the ISA firewall was on network ID 10.0.0.0/24 and the client was an “on subnet” client that was also on network ID 10.0.0.0/24. The ISA Firewall Network defined for that interface was 10.0.0.0-10.0.0.255.

What if there is a router behind the ISA firewall’s internal interface and there are remote network IDs that need to connect to the Internet through the ISA Firewall’s internal interface? For example, in the figure below you see that I have added a router and a remote network ID behind that router, which in this case is 192.168.1.0/24. Will the ISA Firewall need to see connections from the 192.168.1.0/24 network ID as being on the same ISA Firewall Network as connections from the 10.0.0.0/24 network ID?

The answer is YES. The reason for this is that both 10.0.0.0/24 and 192.168.1.0/24 in this example have to connect to and through the ISA firewall using the same NIC. Since the ISA Firewall see each NIC as the root of an ISA Firewall Network, all connections made directly to and through the firewall on that interface are part of the same ISA Firewall Network.

Figure 2

However, in order to make this work, you need to add those addresses to the definition of the ISA Firewall Network. In this example, the definition of the default Internal Network would include the addresses 10.0.0.0-10.0.0.255 and 192.168.1.0-192.168.1.255. All of these IP addresses are part of the default Internal Network and reach the ISA firewall through the same network interface card.

Figure 3

The reason we need to include all the addresses that are behind a specific NIC on the firewall is that if there is a host that tries to connect through the ISA firewall on that NIC from a source IP address that is not part of that ISA Firewall Network, the connection request will be dropped as a spoof attempt. The ISA or TMG firewall sees the connection attempt as a spoof because the IP address is not part of the definition of that ISA Firewall Network.

For example, check out the figure below. We have defined the default Internal Network in this example as all IP addresses in the 10.0.0.0/24 and 192.168.1.0/24 ranges (note that I have included all the addresses in each network ID – that is not a requirement. I could have included only a subset of those IP addresses if I wanted to). What if a host with the IP address 172.16.0.2 tried to connect to the ISA Firewall through the NIC that represents the “root” of the default Internal Network?

The connection attempt would fail. The reason why it would fail is that 172.16.0.2 is not part of the definition of the default Internal Network in this example. Since the ISA Firewall does not recognize this source IP address as part of the default Internal Network, it will not allow the connection through the NIC that defines the “root” of the default Internal Network. It will call out this connection as a spoof attempt. All spoof attempts are blocked by the firewall.

Figure 4

What if you wanted to allow connections from that host at 172.16.0.2? It is a simple matter of adding that IP address to the definition of the ISA Firewall Network that this host uses to connect to and through the ISA firewall. In this case, you could add just that IP address, or if you have other hosts on that network ID, you could add the IP addresses of those hosts, or you could add all the addresses in that network ID.

You define that addresses that belong to a specific ISA Firewall network in the Properties dialog box for that Network. In the figure below, you can see the addresses tab for the default Internal Network. This default Internal ISA Firewall Network includes all addresses on the network ID 192.168.1.0/24.

Figure 5

You can create multiple ISA Firewall Networks on a single ISA Firewall. For example, suppose you wanted to create an ISA Firewall Network for wireless guest computers to connect to the Internet. In this case, you would add a third NIC to the ISA firewall (the other two interfaces are for the external interface and the internal interface). The third NIC would become the “root” of a new ISA Firewall Network. You would then assign addresses to that ISA Firewall Network. Each NIC on the ISA firewall needs to be on a different network ID, so after installing the third NIC, we assign it an IP address on a network ID that is different than the other two NICs. Then we assign IP addresses for the new ISA Firewall Network. In the figure below, you can see that all addresses on network ID 192.168.0.0/24 are part of the Guest ISA Firewall Network.

Figure 6

It is important to remember that an IP address can participate on a single ISA Firewall Network. You can not assign the same IP address to two different ISA Firewall Networks. If you do, you will receive an error message.

Out of the box, the ISA or TMG firewall will have the following Networks defined:

• The default External Network – the default External Network is defined by all IP addresses that are used by any other ISA Firewall Network. Any address that is not used by any other ISA Firewall Network will automatically be included as part of the default External Network. The NIC that defines the default External Network is usually the NIC with the default gateway bound to it. ISA and TMG MBE firewalls support a single default gateway
• The default Internal Network – this is the network you define during setup that represents your primary internal network. You can have multiple internal networks if you like, but there is only one default Internal Network which you set up during installation of the ISA firewall. The default Internal Network typically contains your key infrastructure services, such as DNS, DHCP and Active Directory domain services. The default Internal Network is important because much of the ISA and TMG firewall’s System Policy is configured to access resources on the default Internal Network
• The Local Host Network – The Local Host Network is defined by the IP addresses bound to all NICs on the ISA or TMG firewall. For example, if the firewall had two interfaces, one with IP address 2.2.2.2 bound to it and the other with 10.0.0.1 bound to it, then IP addresses 2.2.2.2 and 10.0.0.1 are members of the Local Host Network. Note that this breaks one of the rules of ISA/TMG Networks – in that these IP addresses are also members of the Networks to which those NICs are connected. The 2.2.2.2 is likely a member of the default External Network and the 10.0.0.1 is a member of the default Internet Network.
• VPN Clients Network – The VPN Clients Network contains the IP addresses of connected VPN clients. There are two ways to assign IP addresses to VPN clients: using a static address pool and using DHCP. If you assign IP addresses to VPN clients using a static address pool, then you must remove those IP addresses from any other Network that might contain them. For example, if you want to assign on-subnet addresses to VPN clients (such as 192.168.1.200-192.168.1.225/24 when the internal interface is on 192.168.1.1/24), you must remove those addresses from the definition of the on-subnet network.
  In contrast, if you want to use DHCP to assign IP addresses to VPN clients, then you do not have to remove those addresses from the definition of any other Network that might also be using those addresses. It makes sense, since when you use DHCP to assign these addresses; you know that no other host should be able to use the same IP address on any other Network. In contrast, if you assign static addresses to VPN clients, you do not know for sure that there might be an error that would lead you to use the same addresses on another Network. Addresses are automatically added and removed from the VPN clients Network when they are used and released by the VPN clients. Note that this represents a second exception to our rule that an IP address can belong to a single Network – since you use DHCP to assign IP addresses to VPN clients, those addresses can belong to another ISA/TMG Firewall Network.
• Quarantined VPN Clients Network – The Quarantined VPN Clients Network contains the IP addresses of VPN clients that have not yet passed VPN quarantine control. This is configured as a separate Network from the VPN Clients Network because you might want to create Firewall Rules that allow quarantined VPN clients access to resources on a Protected Network (a Protected Network is any ISA/TMG Network that isn’t the default External Network) or even on the Internet so that they can remediate themselves. IP addresses are automatically moved from the Quarantined VPN Clients Network to the VPN Clients Network when the VPN client passes quarantine control checks.

Figure 7

Summing up what we know at this point:

• ISA/TMG Firewall Networks are used for spoof detection. If a source IP address arrives at an interface that is a root of an ISA Firewall Network that isn’t an IP address defined for that Network, then the connection attempt is dropped as a spoofed connection attempt
• An IP address can be assigned to a single ISA/TMG Firewall Network. The only exceptions to this rule are seen with the Local Host Network and the VPN Clients and Quarantined VPN Clients Networks when you use DHCP to assign addresses to VPN clients.
• An ISA/TMG Firewall Network can contain IP addresses from multiple network IDs. What all these IP addresses have in common is that if they need to connect to and through the ISA or TMG firewall through the same NIC

ISA/TMG Firewall Networks also are used to do one more important task: define whether connections are routed or NATed from the systems on a particular Network to another Network. In order to hosts on a Network to communicate with hosts on another Network, the two Networks must be connected using a Network Rule. The Network Rule accomplishes two things:

• Enables communications between the two ISA/TMG Firewall Networks
• Sets a routing relationship between the two Networks

I’ll go into more details on Network Rules and connecting Networks to one another in the second part of this series on ISA/TMG firewall networking.

Summary

In this article, we went over what ISA/TMG firewall Networks are about and how the firewall uses these networks to perform several key functions. We saw that an IP address can belong to only a single Network, with the exception of the Local Host Network and the VPN Clients and Quarantined VPN Clients Networks. We then finished off with a brief overview of the default ISA/TMG Firewall Networks. Next week I will continue the story by showing you how ISA/TMG Networks are used to connect hosts on one Network to another, and how Networks are used to define a route relationship between source and destination. See you then! –Tom.

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

About Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

Click here for Thomas Shinder's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!

• Real-Time Article Update (click for sample)
• Monthly Article Update (click for sample)
• Monthly Newsletter (click for sample)

Latest articles by Thomas Shinder

• Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)
• ISA Firewall Web Caching Capabilities
• Auditing the Initial Configuration of the EBS TMG Firewall (Part 2)
• Auditing the Initial Configuration of the EBS TMG Firewall (Part 1)
• X-Forwarded-For and the ISA Firewall: Track your Originating Client through a Web-proxy Chain and on Your IIS

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

Announcing: Forefront Threat Management Gateway, Medium Business Edition

I am pleased to announce that the first version of the new Forefront Threat Management Gateway (TMG) has been released to manufacturing as part of the Windows Essential Business Server 2008 (EBS) release. As I first blogged in April of this year, Forefront TMG is a new era for the ISA Server product line. It is taking us and our customers into new and innovative protection directions based on the ever-increasing threats we are seeing on the Internet today.

Forefront TMG, Medium Business Edition is fully integrated in Windows Essential Business Server and installed by default. One of the unique capabilities of this edition is the simplified setup and configuration – without taking away the ability for customers or value added service providers to provide the customization or control they may require for their specific environments. We took a specific approach in this release by asking the administrator what he/she wants to achieve, not how to do it. The end result is a server pre-configured with best practices for the most common security and access needs including Internet access, remote access and common firewall rules.

Not only does Forefront TMG include a fully featured and highly rated corporate firewall capability, but it adds a Unified Threat Management (UTM) capability to the EBS installation. It truly provides a comprehensive, all-in-one integrated edge security solution, for both the headquarters and the branch offices. The real value comes through the tight integration of the different UTM components, as well as with the other applications and solutions encompassing EBS. The integrated anti-virus subscription services provide administrative relief to IT professionals from having to constantly monitor the security threats and changing edge policies. The “Am I Secure?” page provides an easy, at a glance view of the security state and statistics of the system avoiding the need for complex understanding and expertise to provide protection for the business.

As our software, hardware and appliance partners announce exciting value–add offerings, I will keep the community informed. In addition, I will be announcing future details around the public beta for the next edition of TMG later this year on this blog. I think you will be excited and surprised and certainly well worth the wait when we announce. Stay tuned to this channel for continual updates!

David B. Cross

Product Unit Manager

Published Tuesday, September 16, 2008 1:13 PM by isablog

Forefront TMG (ISA Server) Product Team Blog : Announcing: Forefront Threat Management Gateway, Medium Business Edition

ISA 2006 SP1 and IAG 2007 Supportability Statement

Introduction

Occasionally you find the combination of two things that result in something better than the sum of the individual parts. Some combinations that come to mind are peanut butter and chocolate, steak and lobster, and ISA Server 2006 and IAG 2007. You can’t eat ISA and IAG but combined in the IAG 2007 product they create an awesome SSLVPN with rich features. Just like a good soup, IAG 2007 benefits from high quality ingredients. For more information on this “better together” approach review the articles below:

http://www.microsoft.com/forefront/edgesecurity/iag/en/us/secure-remote-access.aspx

http://www.microsoft.com/Forefront/edgesecurity/iag/en/us/faq.aspx

Real World Experience

Recently, I began seeing questions about the addition of ISA 2006 SP1 on customers IAG 2007 systems. After some research it turned out that Windows update was detecting the lack of ISA 2006 SP1 and prompting administrators to install the service pack on their IAG 2007 servers. If you are familiar with IAG 2007 predecessor eGap 3.6 you will remember that the internal server was protected by a SCSI interface that shuttled between the external and internal servers. In IAG 2007 the external server and SCSI interconnect have been removed and replaced by ISA 2006. In this configuration ISA 2006 protects the external interface of IAG 2007 amongst other things.

Since SP1 for ISA 2006 includes feature updates as well as security updates, just like any other windows application it is essential to make sure there is no security vulnerability that might affect the ISA application. Hence it is important to make sure the ISA server is also updated from time to time.

When you first initialize the IAG 2007 system you will notice that ISA server 2006 is installed as well. As applications are added to the portal trunk, rules are created in ISA 2006 to allow the specific traffic types that IAG 2007 will publish. If IAG 2007 is configured for automatic updates or you visit the Windows update site, SP1 for ISA 2006 will be queued for installation if it is not already installed. You can review the benefits of SP1 for ISA 2006 by following this link: http://blogs.technet.com/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx

As you can see from reading the list we fixed a few things in ISA 2006 with SP1. In addition, patch management is part of the Desktop, Device, and Server security process best practices that IT professionals should be following. Recently, while testing IAG 2007 SP2 our product group tested with ISA 2006 SP1 installed and found no issues related to this service pack. So go ahead and add ISA 2006 SP1 to your IAG 2007 system. I bet you will find it’s a great combination and is a high quality ingredient in your security soup.

Author
Dan Watson
Security Support Engineer –IAG Team
Microsoft – NC

Technical Reviewers
Yuri Diogenes
Security Support Engineer – ISA/IAG Team
Microsoft – Texas

Mohit Saxena
Security Technical Lead – ISA/IAG Team
Microsoft – Washington

Published Thursday, September 18, 2008 8:02 PM by edgeaccessblog
Filed under: Intelligent Application Gateway, ISA Server 2006 SP1

Intelligent Application Gateway Product Team Blog : ISA 2006 SP1 and IAG 2007 Supportability Statement

Publishing Exchange 2007 Services with ISA Server 2006 - Creating the Publishing Rule for Outlook Anywhere with Transparent Windows Authentication

One of the most popular questions we get regarding the ISA firewall and Exchange Server is how to get transparent authentication for the Outlook client. Most users prefer to store their passwords and don’t want to enter their passwords each time they open Outlook. The problem is that if you use basic authentication at the client and at the ISA firewall’s Web Listener, you will always need to enter credentials when Outlook starts up.

Thomas Shinder Blog » Blog Archive » Publishing Exchange 2007 Services with ISA Server 2006 - Creating the Publishing Rule for Outlook Anywhere with Transparent Windows Authentication

Tales from the Edge is Online

Today we are launching in the Forefront Edge Community page a new session called: Tales from the Edge. Jim Harrison and I will host articles about Forefront Edge Suite bringing real world scenarios and documenting things that were not documented yet. In this new wave we are going to release four brand new articles with very precious information about Edge products. Visit the new Forefront Community Page at:

http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687298.aspx

Filed under: ISA Administration

Yuri Diogenes's Blog : Tales from the Edge is Online

Wednesday, August 06, 2008 5:58 AM yuridio

Intermittent Performance Problem while Accessing Internet through ISA Server 2006

1. Introduction

One of the most challenges for the ISA Admin is to determine the culprit for an intermittent issue. This gets worse when the issue is related with performance. While there are many elements that can impact ISA Server’s performance, this post will describe an interesting case where the client was having problems to browse Internet through ISA Server. The web sites were coming up really slow and regardless of the browser (IE6 or IE7) the issue was happening.

Read more at the source.

Source: Yuri Diogenes's Blog : Intermittent Performance Problem while Accessing Internet through ISA Server 2006

Wednesday, July 30, 2008 3:06 PM yuridio

Do you really know what is and what is not supported on ISA Server?

Last two months for some reason were pretty busy of calls for ISA Server issues where customers were running on a non supported scenario. Interesting enough, the articles for non supported configurations are out there since ISA Server 2004. Maybe it is time to refresh your favorites and to start add those articles to it. Here you will find supportability boundaries, limitations and unsupported scenarios:

Article: Troubleshooting Unsupported Configurations

Description: In the above article you will find nice explanations about some behaviors, including the reason why ISA Server does not support multiple default gateways.

Article: Best Practices for Performance in ISA Server 2006

Description: this article will explain the options to deploy ISA Server 2006 in a virtual environment.

Article: Configuring ISA Server 2004 on a Computer with a Single Network Adapter

Description: this article is also valid for ISA Server 2006 and it has the limitations and unsupported scenarios for ISA Server when running in a single NIC system.

Besides the official ISA Server TechNet Library articles, we (ISA Server Team members) are documenting in the ISA Team Blog behaviors that are expected. Here are the articles that were published so far:

Understanding By-Design Behavior of ISA Server 2006: Buffering and Streaming Web Publishing Rule Content

Understanding By-Design Behavior of ISA Server 2006: Using Kerberos Authentication for Web Proxy Requests on ISA Server 2006 with NLB

Files larger than 512MB are not served from cache after ISA Server firewall service is restarted

The tip for the IT professionals that are implementing ISA Server 2006 is to review those articles before start any deployment. I know how frustrate it is to build the whole infra-structure and when call to CSS to open a ticket get the bad news that the environment is not supported. Although this can be a frustrated experience, you should feel glad that this product has very known and public supportability boundaries. This helps you to understand what can and what cannot be done before start deploying your ISA Server.

Filed under: ISA Administration

Yuri Diogenes's Blog : Do you really know what is and what is not supported on ISA Server?

Winfrasoft’s Backup for ISA Server Goes RTM

Until now there has been no real way of fully backing up your ISA Server deployments. Some may think that restarting servers, manual exports and custom scripting is the solution. However, many hours will be spent re-installing, importing settings, re-configuring and tweaking – but inevitably losing log data. The result is loss of data and productivity due to system down time.

Restores may not work as expected and even more time will be lost as everything is rebuilt from scratch.
Now you can backup on the fly and restore again in minutes!

Major Features

• Backup of ISA Server configuration
• Backup of ISA Array configuration
• Backup of ISA Enterprise policy
• Backup of Firewall logs
• Backup of Web Proxy logs
• Backup of IP and Routing information
• Backup Array log data from a single server
• Scheduled backup jobs
• High security - AES 256bit encryption
• Small size - PPMd compression (over 95%)
• Central network storage of backups
• Supports selection files
• Command line interface for scripting
• Slick .NET based Wizard driven user interface
• ISA Server 2004 and 2006 support
• Native support for Websense Security Suite*

Minimum Server System Requirements:

• Windows Server 2003
• ISA Server 2004 Standard Edition or Enterprise Edition or
• ISA Server 2006 Standard Edition or Enterprise Edition

Languages:

• Backup for ISA Server is compatible with multi-lingual versions of Windows Server 2003, however, it is only available in UK English.

• Although multi-lingual versions of Windows Server 2003 can be used, Backup for ISA Server is ONLY compatible with the English version of ISA Server. Non-English versions of ISA Server are NOT supported.

For more information and downloads, check out:

http://www.winfrasoft.com/BackupForISA.htm

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Thomas Shinder Blog » Blog Archive » Winfrasoft’s Backup for ISA Server Goes RTM

Server Publishing with ISA Server 2004/2006 and Route Relationship Between Networks

Suppose you have the following scenario:

You are running ISA Server in 3-Leg configuration with a route relationship between the Internal and Perimeter networks. There's a FTP Server and some Web Servers operating in your Perimeter network.

ISA IP-Addresses:

Internal 172.118.115.15

Perimeter 39.1.1.15

External 192.168.101.15

FTP Server Address is 39.1.1.5 connected to Perimeter network

You have already published some Web Servers connected to your Perimeter network, and made them available to External and Internal Users. Now you want to publish a Non-Web Server e.g. the FTP Server connected to the Perimeter network to the Users in the External and Internal networks. You want to use the ISA IP-Addresses for this publishing scenario.

To do so you open the ISA MMC right-click Firewall Policy and Select New ->'Non-Web Server Protocol publishing rule'. You Enter a Name for the rule e.g. "Publish Perimeter FTP Server to Internal and External", in the Next Window you enter the IP Address of the Server, e.g. 39.1.1.5, next you select the FTP-Server Protocol. Then you select on which networks and which IP-Addresses the ISA Server will listen for requests intended for the published FTP Server.

On the Next Page you Finish the Wizard and Apply the changes.

That's easy, isn't it?

Now you want to verify the access to the FTP Server.

You first check the access from External to IP 192.168.101.15, works fine.

Next you want to access the Server from your Internal network using IP 172.118.115.15... it doesn't work.

But why? You start troubleshooting, looking at the ISA Live Logging, and realize, that no ISA rule matches the requests and therefore the request is denied.

On the ISA Server start a command window (Start, Run, cmd), and check if there is a socket Listening to Port 21 using the command netstat -an | findstr 21

The Output shows, that there actually is a Listening socket for the configured External IP, but no socket for your Internal IP.

ISA Server provides a tool called fwengmon to analyze and troubleshoot firewall connectivity issues by monitoring ISA Server in kernel-mode driver (fweng.sys) (ISA 2006: http://www.microsoft.com/downloads/details.aspx?familyid=01fc5551-5d44-4a99-966a-bd86caeb43d7 or ISA 2004: http://www.microsoft.com/downloads/details.aspx?FamilyID=F3306399-D4F9-4989-865E-C61F8293C330).

You execute fwengmon.exe with the /C parameter to check the created objects and receive output similar to this:

The output shows, that ISA has created one socket for 39.1.1.5:21 (FTP Server IP) and one for your external IP 192.168.101.15:21, but no socket for your internal IP. This is called ISA 'port stealing' and represents the route relationship for the traffic.

Does ISA simply ignore the complete publishing rule? Why is there no internal socket, and why can ISA Server create sockets for IP Addresses not configured on ISA?

The Answer: ISA will only create sockets and bind them to ISA Servers owned IP-Addresses for Non-Web Server Protocol publishing rules when there is a NAT relationship between those networks.

If ISA recognizes that there is a route relationship between the networks ISA will not create a socket for the Server IP Address you want to publish. Therefore the access will work when you try to directly connect to the Server IP Address 39.1.1.5:21.

!NOTE! The Web Listener used for Web publishing will always include the ISA Web Proxy Filter. Because an application proxy mechanism such as the Web Proxy Filter creates a completely new connection between ISA and the published server, and because the default for Web Publishing rules is to “Use the ISA computer IP address” when creating these connection. Thus, ISA appears to perform NAT on the traffic between the client and server, because it creates sockets for its configured IP Addresses even if there is a route relationship between the networks.

Question - But for all that, is it possible to publish my FTP Server without changing the network relationship between Perimeter and Internal to NAT?

Answer - Yes, you can do this

To solve the issue, you have to create a new network rule.

1. Navigate to Configuration, right-click Networks and select New -> Network Rule.

2. Choose a Name, e.g. "Internal to Perimeter FTP Server"

3. Add the FTP Server to the Sources. Click Add, New/Computer and create a Computer Object for your FTP Server. Then select this Object to add it to the Sources.

4. Add your Internal network to the destinations.

5. Configure a Network Address Translation (NAT) relationship.

6. Finish the Wizard and verify that the new rule order is lower (numerically) than the rule defining the route relationship between Perimeter and Internal. Apply the changes.

7. After the changes have been applied, you can use fwengmon to verify that the socket has been created in Kernel Mode and use netstat -an to check if there is a listening socket.

You can see, that the socket for the 39.1.1.5:21 disappeared and a new socket for 172.118.115.15:21 is created.

8. When you verify the access from your Internal, you'll see, that you now can connect to the 172.118.115.15:21 and that the correct rule is being matched.

Philipp Sand | Support Specialist ISA Server

Published Tuesday, June 24, 2008 12:54 PM by isablog

Forefront TMG (ISA Server) Product Team Blog : Server Publishing with ISA Server 2004/2006 and Route Relationship Between Networks

Another Look at Web Publishing. Part II: Host Headers with SSL and Certificates

In Part I, I mentioned that separate TCP connections are established for conveying a Web request from a client to an ISA Server computer and for forwarding the request from the ISA Server computer to the published server. In this part, I’ll focus on some issues that need special attention when one or both of these connections must become an SSL connection for encrypted communication.

SSL Connections and SSL Bridging

Whenever ISA Server terminates or initiates an SSL connection on a segment between a client and a published Web server, we say that it performs SSL bridging. The following SSL bridging scenarios are possible:

· HTTPS-to-HTTPS bridging—A request arriving at the ISA Server computer on an SSL connection is forwarded to the published server over an SSL connection. In this scenario, both the client and ISA Server send encrypted requests.

· HTTPS-to-HTTP bridging—A request arriving at the ISA Server computer on an SSL connection is forwarded over an ordinary TCP connection. In this scenario, the client sends an encrypted request, and ISA Server sends an unencrypted request.

· HTTP-to-HTTPS bridging—An HTTP request arriving at the ISA Server computer is forwarded over an SSL connection. In this scenario, only ISA Server sends an encrypted request.

The client indicates that an SSL connection is required in the first segment by specifying the HTTPS protocol in the URL requested, and the properties of the Web publishing rule that applies to the client’s encrypted request (if there is a Web publishing rule with a Web listener that listens on the IP address and port to which the request is sent) determine whether an SSL connection is required between the ISA Server computer and the published server. Web requests that require an SSL connection are typically sent to port 443.

Whenever an SSL connection is required, the server, that is the ISA Server computer in the first segment and the published Web server in the second segment, must present a server certificate to prove its identity to the client during the SSL handshake. On the segment between the original client and the ISA Server computer, the SSL handshake can be completed successfully only if the common name on the certificate matches the host name in the URL requested. On the segment between the ISA Server computer and the published server, the SSL handshake can be completed successfully only if the common name on the certificate presented by the published server matches the name that is expected by ISA Server, which acts as the client here. In some cases, the SSL handshake can succeed if a subject alternate name on the certificate matches the required name, but this possibility is beyond the scope of this discussion.

In addition, for each SSL connection you can optionally require the client to present a certificate to prove its identity to the server, but this option is also beyond the scope of this discussion.

It is important to bear in mind here that the SSL handshake takes place after the TCP connection is established, but before the HTTP request message is sent. The HTTP request is sent as an encrypted message only after the SSL connection is established. In other words, the server must respond with the certificate before it receives the Host header in the HTTP GET request. The server has only the information received during the TCP handshake and the beginning of the SSL handshake. In particular, the server knows the IP address and port used to establish the TCP connection. If we confine this discussion to requests sent to port 443, the server must return the same certificate for all requests that arrive on the same IP address, even if they are destined for different Web sites.

From the Client to the ISA Server Computer

Let’s examine how this name matching can be achieved. When a client requests an SSL connection with an ISA Server computer, the ISA Server computer must present a certificate with a common name that matches the host name in the URL requested. The request can reach the ISA Server computer only if the host name in the URL requested is resolved to an IP address of the ISA Server computer, for example, by querying DNS. On the ISA Server computer, you can configure a Web listener to listen for requests from a specific network on a specific IP address and specify a certificate with a common name that matches the host name which resolves to this IP address. The appropriate certificate must be installed in the Personal store for the local computer on the ISA Server computer, and the client will trust this certificate only if the root certificate of the Certification Authority (CA) that issued the certificate is installed in the Trusted Root Certification Authorities store on the client computer.

In ISA Server 2006, you can publish multiple Web sites or applications on different IP addresses using the same Web listener. In this case, you can specify a different server certificate for each Web site. This is done by mapping a different server certificate to each IP address on which the Web listener listens. ISA Server will present the server certificate that is mapped to the IP address on which each request arrives. In ISA Server 2004, you can specify only one SSL server certificate in a Web listener.

If you are publishing multiple Web sites that have public names with the same DNS suffix, you can use a single IP address and a single Web listener to publish multiple sites by using a wildcard certificate. For example, if you want to publish Web sites with the resolvable public host names mail.contoso.com, news.contoso.com, and blogs.contoso.com, you can acquire a wildcard certificate for *.contoso.com and install it on the ISA Server computer. Clients sending requests for any of the host names just listed will accept a certificate with the common name *.contoso.com as a valid certificate.

From the ISA Server Computer to the Published Server

Now let’s move on to the SSL connection between the ISA Server computer and the internal server that hosts the published Web site, which must be listening on the port for forwarding Web requests that is specified in the applicable Web publishing rule (this port is typically 443). In this case, you need to configure your Web publishing rule to accept the common name on the certificate that will be presented by the published server. For a single published server, this means that the name of the published server (ISA Server 2004) or the internal site name (ISA Server 2006) specified on the To tab of the Web publishing rule must match the common name on the certificate that will be presented by the published server. In ISA Server 2004, this name must be resolvable to the IP address of the published server because ISA Server 2004 uses this IP address to establish the TCP connection with the published server. In ISA Server 2006, if your ISA Server computer cannot resolve the internal site name to the IP address of the published server, you can select Computer name or IP address, and then type the required IP address or a name that can be resolved by the ISA Server computer.

Thus, ISA Server 2006 offers you a simple way to use the same certificate on the published server and your ISA Server computer. You can do this by requesting the certificate from a commercial CA on the internal Web server, installing it on the internal Web server, exporting it along with its private key, and then importing it to your ISA Server computer. In this case, the common name on the certificate will be identical to the host name that the original client provides in the URL. This can also be done on ISA Server 2004, but the procedure, which is publicly available, is a bit more complicated.

For example, if you are publishing https://www.fabrikam.com/orders and you want to protect the private information that external clients submit from disclosure to unauthorized folks on the Internet and within your organization, you can create a Web site named www.fabrikam.com on an internal server, request a certificate with the common name www.fabrikam.com from the server, install the certificate on the server, and export it to your ISA Server 2006 computer. Then, in This rule applies to this published site (the internal site name), type www.fabrikam.com, and in Computer name or IP address, type the IP address of the published server. The domain name of the published server is not used by ISA Server in this case.

If the Web site is hosted on an ISA Server 2006 Web farm, certificates with the same common name must be installed on all the farm members, and the internal site name specified on the Web Farm tab must match the common name on the certificates. To install these certificates, you can request a certificate with the same common name from each farm member. Alternatively, you can obtain and install a certificate on one farm member, and then you can export the certificate along with its private key and import it to the other farm members. In all of these cases, of course, the ISA Server computer must trust the CA that issued the certificate.

Note. If you request a server certificate on a published server and you intend to export it to a farm member or to the ISA Server computer, the certificate must have an exportable private key. When you import a certificate to a server, in the Certificate Import Wizard opened from the Certificates snap-in, you select Mark this key as exportable on the Password page.

ISA Server 2004 only supports wildcard certificates on the ISA Server computer. ISA Server 2006 also supports the use of wildcard certificates on the published Web server for publishing multiple Web sites using a single certificate. When using HTTPS to HTTPS bridging, you cannot use a wildcard certificate on an ISA Server 2004 computer to authenticate the internal Web server. Instead, on the internal Web server, install a different certificate that matches the name of the internal Web server, as specified on the To tab in the Web publishing rule.

After the SSL handshake is completed successfully and the SSL connection is established, the HTTP GET request can be forwarded to the published Web server. As in the case of forwarding an HTTP GET request without SSL that I described in Part I, if the Forward the original host header instead of the actual one option is selected, the Host header that is included in the request will contain the host name specified in the original URL requested by the client. If this option is not selected, the Host header will contain the name or network address of the published server (ISA Server 2004) or the internal site name (ISA Server 2006) that is specified in the properties of the applicable Web publishing rule.

There is one issue that should be mentioned here. In the case of HTTPS-to-HTTP bridging with the Forward the original host header instead of the actual one option selected, ISA Server 2006 adds the port number 443 to the Host header if a port number was not included in the original URL. If the Web application that is running on the Web server does not expect the Host header to include the port number, the Web application may generate an error. For information about how to resolve this issue, see the Microsoft Knowledge Base article 925287 “ISA Server 2006 includes the Host header together with the port number of the Web server after you publish a Web site.”

Pesach Shelnitz
Forefront TMG (ISA Server) Team

Published Thursday, June 19, 2008 10:28 AM by isablog

Forefront TMG (ISA Server) Product Team Blog : Another Look at Web Publishing. Part II: Host Headers with SSL and Certificates

Another Look at Web Publishing. Part I: Host Headers without SSL

The purpose of this series of blog entries is to describe some details of Web publishing with the hope that by getting back to basics and taking another look at how Web publishing works, you’ll be able to create more efficient, error-free Web publishing rules with greater ease. In this post, I’ll try to explain how Host headers are used in ISA Server Web publishing in the simple HTTP scenario without SSL, and then in Part II, I’ll try to extend the picture described here to scenarios with SSL.

URLs: The Source of the Host Name

When an external user wants to retrieve content from the Internet in a Web browser, the user must provide a URL, which identifies the resource to access. The URL can be provided in several ways, such as by typing the URL in a text box or by clicking a link containing the applicable URL. The Web browser then uses the information in the URL to connect to the Web server and send a request message to the Web site for the resource requested.

Let’s examine some details of this process. A URL can include several components, some of which are optional. For example, the URL http://www.fabrikam.com:80/products/catalog.aspx?category=shoes&model=123 includes the components listed in the following table.

 

Scheme	http
Authority	www.fabrikam.com:80
Path	products/catalog.aspx
Query	category=shoes&model=123

The first component of a URL is the scheme, which is separated from the rest of the URL by a colon followed by two slashes. The scheme determines the required syntax for the rest of the URL and indicates how it should be interpreted. In this blog entry, we will confine ourselves to the syntax for HTTP URLs, that is, the syntax of the sample URL just given.

The authority component includes the host subcomponent, which is the most important part of the URL for this discussion, because it is copied into the Host header in an HTTP request message. In this example, the authority component consists of only a host subcomponent with a host name and a port (80). In this case, the port can be omitted without altering the meaning of the URL because the default port for HTTP is 80. Note also that the query string included in the sample URL is optional and is not important for this discussion.

TCP Connections for Sending HTTP GET Requests

A Web browser, such as Internet Explorer, uses the host name in a URL both as both the name of the server with which it must establish a TCP connection in order to send request messages to the Web site and as the name of the Web site itself. Before the Web browser can establish a TCP connection with the server, it must obtain the IP address of the server, for example, by querying DNS (unless, of course, the host name is provided in the form of an IP address). The Web browser then sends a TCP SYN packet to the IP address obtained and the port specified in the URL (or to port 80, the default port for HTTP) to start the three-way handshake for establishing a TCP connection. For this process to succeed, the server must be listening on the applicable port.

If the Web site is published by ISA Server, the host name must resolve to an IP address of an ISA Server computer that is specified in the properties of a Web listener associated with a Web publishing rule (or to the IP address of a device that will direct requests to an ISA Server computer), and the TCP connection must be established with the ISA Server computer.

Note. This process may fail with the Winsock 10060 error (WSAETIMEDOUT, Connection Timed Out). This error means that there was no response to the TCP connection attempt and usually indicates some sort of network problem.

After the TCP connection is established, the Web browser sends an HTTP GET request with the information specified in the URL to the ISA Server computer. In GET requests sent directly from a Web browser to a Web server, the path is included in the first line of the request, and the host name is specified in the Host header. The request line and Host header in a GET request for our URL would appear as follows:

GET products/catalog.aspx HTTP/1.1
Host: www.fabrikam.com

Since ISA Server acts as a proxy server for Web proxy clients that send outgoing Web requests to the Internet, I should mention that when a GET request is sent to a proxy server, the request is made using the full URL in its original form, so that it can be processed by the proxy just as the original client did. A GET request sent to a proxy server for the URL http://www.fabrikam.com:8080/products/catalog.aspx would appear as follows:

GET http://www.fabrikam.com:8080/products/catalog.aspx HTTP/1.1

Notice that there is no Host header in this GET request.

When an incoming GET request for a published Web site arrives at an ISA Server computer, ISA Server determines if the Host header in the request corresponds to a public name allowed by a Web publishing rule associated with the Web listener that allowed the TCP connection. The options on the Public Name tab of each Web publishing rule specify whether the rule applies to any host name (or IP address) that may appear in the Host header of a GET request or only to the one or several host names (or IP addresses) that are listed on the Public Name tab. ISA Server forwards only GET requests with a Host header containing a public name that is accepted by an applicable Web publishing rule.

The Host header in a GET request arriving at an ISA Server computer that publishes one or more Web sites may contain one of several fully qualified domain names (FQDNs) that resolve to the same IP address. In this case, the Host header distinguishes between different FQDNs that share a single IP address and can be used to route requests to different Web sites on the same server.

From the point of view of the client Web browser, the ISA Server computer is the Web server specified in the Host header. However, from the point of view of the ISA Server computer, the published Web server is an internal server. If the request is allowed by a Web publishing rule, the ISA Server computer must still connect to the published Web server and forward the GET request to it.

In the properties of a Web publishing rule, there are options that determine the IP address with which the ISA Server computer will establish the TCP connection for forwarding a GET request to the published Web server, as well as the Host header and path that will be used in the GET request. On the To tab of a rule that publishes a single Web server or load balancer, you must provide a resolvable name of your internal Web server (ISA Server 2004) or the internal name of your Web site (ISA Server 2006).

ISA Server 2004 always uses the IP address obtained by resolving the server name specified on the To tab to establish the TCP connection for forwarding a GET request to the published server. ISA Server 2006 offers another possibility in Web publishing rules that publish a single Web server or load balancer. In the optional Computer name or IP address field, you can type a resolvable name or IP address of the published Web server. If you do, this IP address will be used to establish the TCP connection with the published Web server, and the internal name of the Web site does not need to be a resolvable name of the internal Web server. If you leave this field blank, the internal site name must be resolvable, and the IP address obtained by resolving it will be used to establish the TCP connection with the internal Web server.

After the TCP connection between the ISA Server computer and the published Web server is established, ISA Server acts as a Web client and forwards the HTTP GET request to the published Web server. By default, except in the case of certain wizard-configured rules, ISA Server changes the original Host header to a Host header that contains the name for the published Web server (ISA Server 2004) or the internal name of the Web site (ISA Server 2006). However, if the Forward the original Host header instead of the actual one option is selected on the To tab, ISA Server will establish the TCP connection with the published Web server as described, but will include the Host header received from the original client in the HTTP GET request that it sends to the published Web server.

Note. In the Web proxy log, the field for the URL requested will always contain the name of the server (ISA Server 2004) or the internal site name (ISA Server 2006) specified on the To tab regardless of how you configure the Forward the original Host header instead of the actual one option.

In ISA Server 2006, you can replace a single internal Web server by a load-balanced Web farm. When ISA Server needs to forward an HTTP GET request to a Web farm, ISA Server selects an IP address from the set of IP addresses of the farm members specified in the Web farm properties and establishes a TCP connection with the applicable farm member for forwarding the GET request to it. In this case, the internal site name and the option for forwarding the original Host header are specified on the Web Farm tab.

Note. Web publishing fails if the internal site name specified on the Web Farm tab cannot be resolved to an IP address. We recommend that you set the internal site name to the FQDN of one of the members of the server farm.

Forwarding the original Host header is useful, for example, when you want to publish multiple Web sites on the same Web server using a single Web publishing rule. In this case, the original Host header is now used only to identify the Web site on the published server, and not the published server itself.

In Part II, I’ll try to explain how the picture described here changes when one or both of the TCP connections must become an SSL connection for encrypted communication.

Pesach Shelnitz
Forefront TMG (ISA Server) Team

Published Thursday, June 19, 2008 10:09 AM by isablog

Forefront TMG (ISA Server) Product Team Blog : Another Look at Web Publishing. Part I: Host Headers without SSL

Sunday, June 08, 2008 5:25 PM yuridio

TMG New Features - Policy Enforcement

1. Introduction

Throughout the years ISA Server suffered many improvements in the way that handles firewall policy, if you remember, on ISA Serve 2000 we have to stop the service so the policy could take effect immediately, which improved a lot on ISA Server 2004. However even with ISA Server 2006 there is still a common complaint from customers, which was: I applied a new ISA Server policy but I see that my user still accessing the web site. He has to close it and open a new connection in order to take effect. The answer up to now was: well, that’s expected in ISA Server. The connection that is already established will not be affect, only the new one. In TMG we have a new feature called Policy Enforcement that can address this need and this post will give you an overview on that.

2. Compliance Enforcement

The key feature of TMG in this area is the fact that it enforces the new policy for compliance purpose. In other words: if the company security policy changes and those changes need to rapidly reflect in the edge then you can just make the changes and re-apply to the TMG Server. In summary, the process works like this:

Figure 1 – Policy Enforcement.

The re-evaluation of the existing HTTP session happens right after the policy takes effect for the first traffic within the session. Therefore you could potentially see an open session for the site that you just prohibited because no traffic was exchange within that session yet.

On step two, when the administrator applies the change, the Saving Configuration Change window shows the following warning about this new feature:

Figure 2 – New configuration change window.

3. Conclusion

This is just one more improvement that you will see in TMG and it is an improvement that bring more control and security enforcement to the network administrator. For more information about policy enforcement review the official TMG documentation at TMG TechNet Library Page.

Filed under: TMG

Yuri Diogenes's Blog : TMG New Features - Policy Enforcement

Thursday, May 29, 2008 3:51 PM yuridio

ISA Server 2006 SP1 is on the way to make this summer even hotter

The expected ISA Server 2006 SP1 is on the way, Jim Harrison has blogged in the ISA Team Blog about the new features of this release. The ISA Server community is very excited about this announcement as externally by Tom Shinder blogging on his blog.

I just delivered a webcast to the IT community in Brazil through Support Academy (an initiative from Microsoft Latam Team) about those new features and here are some of the demos (I removed the narration since it was in Portuguese J):

Demo 1 – Configuration Change Tracking

· This demo shows the functionalities of this new feature and how to easily identify what change was done in the Firewall Policy.

Demo 2 – Web Publishing Rule Test Button

· Very cool feature that can be used proactively to see if the publishing rule is working (prior to put in production) or reactively while troubleshooting an issue.

Demo 3 – Traffic Simulator

· Tired to wait for the user to be able to see the error that he is receiving when accessing a web site? Now you can do your own simulation with this tool.

Demo 4 – Diagnostic Logging Query

· With this integration you will be able to understand exactly what is going on when ISA is processing your request.

Start planning your summer migrations for ISA Server 2006 SP1.

Filed under: ISA Setup, ISA Administration

Yuri Diogenes's Blog : ISA Server 2006 SP1 is on the way to make this summer even hotter

Dr. Tom Shinder has published a new article on using the new Web Access Policy node.  Tom says:

This new node provides a location where you can configure the TMG firewall to allow outbound HTTP, HTTPS and Web proxy forwarded FTP connections to the Internet. This change also seems to represent an increased focus on HTTP for the product. While previous versions of the ISA Firewall did have a sophisticated Web proxy filter and HTTP Security Filter, the TMG firewall takes things to the next level by adding malware inspection for outbound HTTP requests.

Read the rest of the article at the source.

Source: Creating a Web Access Policy using the Forefront Threat Management Gateway (TMG) Beta 1 (Part 1)

USEast Technologies acquires NS-Series ISA appliance maintenance contracts from NEI

USEast Technologies will assume responsibility for supporting the Microsoft^®-based NS Series installed base

Randolph, Massachusetts, May 27, 2008 - USEast Technologies announced today that it has reached an agreement with NEI, a leading provider of server appliance products and services for storage, security and communications software vendors, to assume responsibility for technical support and maintenance of its installed base of NS Series security products. The NS Series of products are security appliances based on Microsoft’s Internet Security and Acceleration (ISA) server technology and are installed in more than 500 locations worldwide. Under the agreement, NEI will continue to provide logistical support for the hardware component of the NS Series through USEast Technologies.

“We are pleased to partner with USEast Technologies to help support the NS Series installed base,” said Tom Brodeur, NEI’s senior director of global support services. “We have worked closely with Don Adams and his team in recent years to enhance NS customer support and we are confident USEast will provide superior support services for the NS customer base.”

“Don Adams and his team are well-versed in Microsoft security technology and should bring a revitalized commitment and enthusiasm to the NS Series ISA installed base,” said Dr. Thomas Shinder, Microsoft Forefront MVP and author of numerous books about Microsoft security technologies. “Don was intimately involved in the original design of the NS Series when he was employed by Network Engines, Inc., (renamed NEI) and I anticipate that USEast will soon offer the NS Series installed base exciting new Microsoft Forefront Edge security solutions.”

“We are excited about the opportunity to provide ongoing support for the NS appliance installed base,” stated Don Adams, president and founder of USEast Technologies. “We are currently contacting all customers and communicating our plans for providing support for the installed base of NS appliances and supplying NS Series upgrades. In the near future we will be communicating our plans for offering a new generation of Microsoft Forefront Edge Security appliances and solutions.”

About USEast Technologies LLC

USEast Technologies is based in Randolph, Massachusetts. The company provides services and products for Microsoft security and virtualization technologies. For more information about USEast Technologies, visit www.useast.com.

About NEI

Founded in 1997, NEI is headquartered in Canton, Massachusetts, and trades on the NASDAQ exchange under the symbol NENG. NEI network appliance solutions are made to ease and enhance the deployment, manageability, and security of IT infrastructure applications. With a heritage of providing product and service technologies tailored to support the entire lifecycle of its customers' appliances, NEI has become the appliance partner of choice for OEMs, ISVs and software integrators worldwide. For more information about NEI’s products and services, visit www.nei.com.

Contact Info:
Send email to PR@USEast.com
Call 781-583-1448

Home

Alessandro Perilli has some interesting thoughts regarding how Microsoft might address virtualization security.  I wonder if ISA server will play some part in their strategy?  See more info at the source.

Source: Is Microsoft working on a VMsafe-like framework? | virtualization.info

Dr. Tom Shinder is excited about the summer release of ISA 2006 SP1.  Check out what he's got to say at the source.

Source: Thomas Shinder Blog » Blog Archive » ISA 2006 Service Pack 1 Details Leaked

Understanding Why ISA Server re-prompts for Authentication when Passwords Expire

Introduction

There are times that the user does not change their password on the day that Group Policy forces a password change. Normally, if the user logs off and tries to logon again, Windows will inform him that his password is expired and require him to change it. ISA is not able to perform the same action as Windows.

This article describes what happens when the user’s domain password expires while he is trying to browse Internet through ISA Server and ISA Server uses a rule that requires authentication.

Read more at the source.

Source: Understanding Why ISA Server re-prompts for Authentication when Passwords Expire

Looks like that TMG beta 1 has gone public.... Read on!

Sunday, May 25, 2008 1:05 AM yuridio

Overview of Forefront Threat Management Gateway Beta 1

1. Introduction

The Microsoft Forefront Threat Management Gateway promises to be the milestone that all ISA Server admins were waiting for. I heard all the time people saying that the difference between ISA Server 2004 and ISA Server 2006 were not that big and that we pretty much have the same product for 4 years already. Well, that isn’t really true; there are indeed many differences between 2004 and 2006. Maybe some people were waiting for a huge upgrade like it was from ISA 2000 to 2004 and this didn’t happen. After two years since ISA Server 2006 was released, we have now (without a doubt) a big change, maybe will not be noticeable now but it will in the final version.

You can download the beta version from here and use the installation guide article that my friend Tom Shinder wrote. This beta version available for download has only a limited set of features. However, before install read the release notes to see what you can and what you cannot do.

There are many things that you will notice and see that it is different from ISA Server 2006. As far as installation is concern there are some things that you need to remember:

· IIS will be installed: that’s correct; IIS now will be installed by TMG. You might be thinking: “I remember that we have issues with IIS and ISA in the same box…”. You are right for ISA Server, but for TMG we need IIS because TMG needs SQL Reporting Services 2005 and SQL Reporting Services 2005 needs IIS. It is important to emphasize that IIS is not removed if you uninstall TMG.

· 64 bits System: although the final version of TMG requires a 64-bit processor and Windows Server 2008 64-bit, this beta version can be installed in a 32-bit system with Windows Server 2008.

· WEBS: the TMG beta version that we have available for download it will be part of the Windows Essential Business Server. TMG will be available through WEBS Standard and Premium Edition.

Note: The official TMG documentation is available at Microsoft TechNet Library web site.

View the complete article at Overview of Forefront Threat Management Gateway Beta 1

Microsoft Internet Security and Acceleration Server News

Source: Heavy on the Technical : ISA / IIS / Biztalk / WSPS / MOSS Info for the Month of April 

Forefront Threat Management Gateway, the Next Generation of ISA Server, Now in Public Beta

Get a first look at the Forefront Threat Management Gateway, the next generation of ISA Server, as part of the new Forefront codename “Stirling” integrated security system. This first look public beta provides Web anti-malware for enhanced protection against Internet-based threats, simplified management, secure connectivity, and support for Windows Server 2008. Download the public beta today.

http://technet.microsoft.com/evalcenter/cc339029.aspx

Go and get the ISA Server Best Practices Analyzer (IsaBPA) version 6 now!

http://www.microsoft.com/downloads/details.aspx?familyid=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

Internet Security and Acceleration (ISA) Server TechCenter

http://www.microsoft.com/technet/isa/default.mspx

Please note that if you have feedback on documentation or wish to request new documents - email isadocs@microsoft.com

ForeFront Edge Security Forums at http://forums.microsoft.com/ForeFront/default.aspx?ForumGroupID=384&SiteID=41

Discuss ISA Server at the new Microsoft Forefront™ Edge Security forums, available at TechCenter

Internet Security and Acceleration Server Blog

The ISA Server Product Team Blog (http://blogs.technet.com/isablog/) is updated on a regular basis. Latest entries include:

Understanding By-Design Behavior of ISA Server 2006: Buffering and Streaming Web Publishing Rule Content

http://blogs.technet.com/isablog/archive/2008/04/09/understanding-by-design-behavior-of-isa-server-2006-buffering-and-streaming-web-publishing-rule-content.aspx

Introducing a New Era for ISA Server

http://blogs.technet.com/isablog/archive/2008/04/09/introducing-a-new-era-for-isa-server.aspx

ISA Server 2006 form base authentication problem using UPN logon format on a multiple domain environment

http://blogs.technet.com/isablog/archive/2008/04/17/isa-server-2006-form-base-authentication-problem-using-upn-logon-format-on-a-multiple-domain-environment.aspx

ISA Server 2006 Service Pack 1 Features

ISA Server 2006 Service Pack 1 Features

Introduction

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Service Pack (SP) 1 will be available for your installation pleasure this summer!

This Service Pack introduces new features and improved functionality for ISA Server 2006 Enterprise and Standard Editions. The new features focus primarily on enhanced troubleshooting mechanisms designed to help you identify and resolve ISA Server configuration issues. Also included in this package are the updates we’ve promised for so long, such as SAN certificate support.

Service Pack 1 new and improved features

ISA Server 2006 SP1 includes the following new features:

· Configuration Change Tracking — logs all configuration changes applied to ISA Server configuration to help you backtrack through your change history.

· Web Publishing Rule Test Button — helps you verify that the rule configuration agrees with what is set at the published web server and provides specific suggestions when they disagree.

· Traffic Simulator — simulates network traffic as it would be seen by the ISA rules engine and gives you specific information about traffic processing along the way.

· Diagnostic Logging Query — an extension to the Diagnostic Logging feature provided in the Supportability Pack, this feature makes it much easier to see only the data that is relevant to the current troubleshooting effort.

ISA Server 2006 SP1 also includes such feature improvements as:

· Support for Network Load Balancing (NLB) multicast and multicast with IGMP operations (KB 938550)

· Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers

· Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts (KB 942637 )

For additional feature improvements, see "Improvements to existing features" later in this document.

More info at the source

Source: ISA Server Product Team Blog : ISA Server 2006 Service Pack 1 Features

Finally, after waiting over 2 years, Citrix finally releases their Branch Office Appliance.  Please let us know if anybody actually sees one.  We'd love to hear your feedback.

New Citrix Branch Repeater Uses ISA Server

Wednesday, May 21, 2008, 2:43:00 PM | David Burt

Citrix has announced the availability of the new Citrix Branch Repeater, an "all-in-one" device for delivering applications to branch offices.   The Citrix Branch Repeater was developed jointly with Microsoft, and  uses Microsoft ISA Server 2006 Web caching to accelerate delivery of web content to the branch.  ISA Server 2006  helps branch office users easily and securely access the Internet or corporate-based resources. More on ISA's use in the new Citrix Branch Repeater on  Thomas Shinder's ISAServer.org blog here.

Internet Security & Acceleration (ISA) Server,  first launched in 1997 as the Microsoft Proxy Server, is a very versatile product with a great many uses, including as a VPN, a Firewall, a URL filtering proxy, and with Citrix, a Web caching device.   In addition to Citrix, ISA has a rich partner ecosystem that includes providers of URL filters, Anti-Virus, Reporting, User Authentication, and more on our partner page here.

Forefront Team Blog