MSMVPS.COM

Dr. Tom Shinder's ISA Server 2004 Firewall Blog
  • ISA Firewall Site to Site VPN Quick Fix

    If you've been trying to create a site to site VPN using the 2004 ISA firewall with a pre-shared key only, I feel your pain. You've probably seen that it doesn't work. The key is to not configure the pre-shared key in the Remote Site Wizard. Instead, leave the pre-shared key checkbox unchecked. Then click the VPN Clients tab in the Details pane, and click the Select Authentication Methods link on the Tasks tab in the Task Pane. On the Authentication tab in the Virtual Private Networks (VPN) dialog box, put a checkmark in the Allow custom IPSec policy for L2TP checkbox and enter the pre-shared key. Use the same procedure and the same key on all your VPN gateways. Keep in mind that remote access VPN clients as well as VPN gateways will be able to use this key -- so if you can do anything about it, always try to use certificates instead of pre-shared keys. Remember, using pre-shared keys reduces the level of security provided by the ISA firewall to that of a lowly PIX packet filter!

    HTH,
    Tom

  • ISA Firewall Site to Site VPNs with Downlevel VPN Gateways

    One of the things that drove us nuts with the 2000 ISA firewall was the problem of site to site VPNs. You could use PPTP or L2TP/IPSec to create a site to site VPN, but the problem was that most downlevel VPN gateways (PIX, Sonicwall, etc.) use the less secure IPSec tunnel mode. The new ISA firewall fixes this problem with its support for IPSec tunnel mode. The remaining problem is that each vendor has its own proprietary approach to creating a site to site VPN. Don't worry! Microsoft has come to our rescue with a bevy of very cool docs that show you how to create site to site VPNs with a variety of downlevel VPN gateways -- PIX, Astaro, SmoothWall and more! Check it out at:

    http://www.microsoft.com/isaserver/techinfo/guidance/2004/vpn.asp

    HTH,

    Tom

  • ISA 2004 HTTP Security Filter - Will It Meet Its Potential?

    ISA 2004 firewalls include a very powerful HTTP Security Filter. This filter allows you to block virtually any HTTP connection attempt, based on the settings you configure in the filter. The HTTP Security filter allows you to configure the ISA 2004 firewall to perform detailed searches of the HTTP header and body, and block connections that match your criteria. When used properly, this has the potential to be the ISA 2004 firewall's “killer app”.

    However, most firewall admins have to do double, triple, quadruple and quintuple duty. They don't have time to make the ISA 2004 firewall their avocation. They need to handle WinXP/Win9x/Win2000 clients, WinNT4/Win2003/Win2003 servers, SQL Servers, Exchange Servers, SharePoint Servers, Certificate Servers, RRAS Servers, IIS Servers, and lots more. There are only so many hours in a day, and the attraction of a firewall like ISA 2004 is that it appears easy to configure. And, on the whole, they would be right.

    However, while the HTTP Security filter has a powerful and easy to use interface, the documentation of the feature is abysmal. What do I mean by “abysmal”? Search your dictionary for “tautology” and then read the Help file and any other MS docs on this subject you might find.

    Most firewall admins who opt for ISA 2004 firewalls do so because they want to take advantage of the unique protection provided by ISA 2004, especially the ISA 2004 firewall's one-of-a-kind VPN and Exchange security features. This level of protection could be made even better if MS would actually explain and define the various components of this filter and how it works. Otherwise, the HTTP Security Filter's power and utility will end up in the dustbin of history like the H.323 Gatekeeper and possibly the VPN-Q feature (I'll moan about VPN-Q in a future posting).

    So the celebrity challenge for MS is to come up with clear (not concise! concise usually means “I don't have the time or inclination to fully explain the subject and explore its implications”), complete and useful documentation on the HTTP filter. This is how ISA 2004 firewalls can displace Checkpoint and PIX, and prevent users from adopting a Linux based solution. After all, if I'm going to have to spend hours, days or weeks figuring out how to configure a key piece of a firewall, I'm not going to pay for it, I'll just use Linux! :-)

    So, MS docs team -- belly up to the bar and give the ISA 2004 firewall community what it needs, not what you think they need.

    Thanks!
    Tom

  • Disabling Spoof Detection in ISA 2004 Firewalls

    Spoof detection in ISA 2004 firewalls is a handy feature that helps protect the firewall from spoof attacks. However, there are some circumstances that generate spurious spoof alerts, such as when implementing NLB. No problem! Here's the fix, courtesy of our good friend, Barclay Neira:

    284811 HOW TO: Disable the IP Spoofing Detection Feature in Internet Security and Acceleration Server

    http://support.microsoft.com/?id=284811

    Here is the registry location you would need to update for ISA 2004 (the KB article was written for ISA 2000). All other information in the article is the same:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FwEng\Parameters

    Thanks Barclay!

  • Fixes for Instant Messenger Related Problems

    One of the most common problems seen on the Web boards and mailing lists is Instant Messenger related issues. How do you get them to work? How do you make them stop working? My solution is to remove the dreaded IM'ers from the users' machines :-)

    However, if you want more information on how to get these things to work, check out:

    Microsoft ISA Server Message Boards: Tips for msn,yahoo,kazaa: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000096

    Lots of very useful tips and tricks there.

    HTH,
    Tom

  • Cool Script for Auto Failover and Failback for Windows 2003 ISA Firewalls

    A frequent request on the ISA boards is a script or other free method that you can use to fail over and fail back if you have multiple external interfaces. Custler, a frequent poster on the http://forums.isaserver.org message boards, has posted a very nice script to get you started. Jim Harrison may jump in with a fix that will help it work on Windows 2000.

    Check it out here:
    http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000012#000011

    Thanks guys!

    Tom

  • The Mystery of the ISA 2004 Beta Newsgroups

    I wrote to Jerry Bryant about putting some beta newsgroups for ISA 2004 on the msnews.microsoft.com Web site. Silly me, there were already ISA 2004 beta 2 newsgroups. The problem is that they're very effectively hidden from public view! This explains why the level of activity in the “public” newsgroups for ISA 2004 is so much lower than what I saw during the ISA 2000 beta.

    Anyhow, if you're interested in getting involved with the public ISA 2004 Beta 2 newsgroups, here's the secret sauce:

    Viewing these Newsgroups with an NNTP Newsreader

    Since these are private newsgroups, your server will require you to logon using the following information:

    • Server: privatenews.microsoft.com
    • Account name: privatenews\ISA2004
    • Password: BetaPassword
    • Note that the password is case-sensitive.

    Viewing these Newsgroups through Outlook Express

    1. Launch Outlook Express
    2. Select Tools - Accounts
    3. Select Add & click News
    4. Enter Your Name
    5. Enter an alias (you may want to consider avoiding posting with your real e-mail alias, as these newsgroups are exposed publicly through the web interface).
    6. Internet News Server Name Page - enter privatenews.microsoft.com and check "My news server requires me to log on". Click "Next".
    7. Enter Account name - privatenews\ISA2004
    8. Enter password (case-sensitive): BetaPassword
    9. Click Next & Finish
    10. Close and download the newsgroups.

    Of course, you can go to http://forums.isaserver.org and we have a very active discussion going on regarding ISA 2004 firewalls.

    HTH,
    Tom

  • Download New ISA 2000 Video Presentations

    Microsoft has posted some video presentations that you can download and view at your leisure. Do what I do -- burn these guys to a DVD and play them while flying from one gig to another. You can watch Martin Sargent reruns only so many times :-)

    With ISA Server 2004 now not that far away, Microsoft has released a bunch of ISA 2000 presentations:

    Internet Security and Acceleration Server Network Design for Microsoft .NET Applications
    In this presentation you will learn how to design a network for multi-tiered Microsoft .NET applications. The session introduces each element of the architecture and explains how to use ISA Server in different places throughout the network.

    Microsoft® Internet Security and Acceleration Server Best Practices and Troubleshooting
    In this presentation you will get the best practices for installing and administering Microsoft Internet Security and Acceleration Server.

    Microsoft® Internet Security and Acceleration Server Deployment Techniques
    In this presentation see how to deploy Microsoft Internet Security and Acceleration Server to provide caching and firewall functions. Learn about planning issues, guidance on client types, and the design of ISA Server policies.

    How to Protect Your Network Using Microsoft® Internet Security and Acceleration Server 2000
    In this presentation see how Microsoft Internet Security and Acceleration Server 2000 can be used to provide proxy, caching, and firewall security for your network, and more.

    HTH,
    Tom

  • Another TechEd ISA 2004 Session

    If you're planning on attending TechEd this year in San Diego, then you might be interested in another session that I'm doing. Here's the info:

    Date: May 25
    Time: 5:00PM -- 6:15PM
    Code: SECC04
    Description: ISA Server 2004 Enhanced Microsoft Exchange and VPN Services Support: How ISA Server Provides Enhanced Security for MS Exchange and VPN
    Speaker Name: Tom Shinder -- ISAServer.org
    Code: Canbana4
    Reg Type: COMM

    I'll talk about what's new, what's cool, and what's unique about ISA 2004's VPN and Exchange Server protection features.

    Hope to see you there!

    Thanks!
    Tom


  • Birds of a Feather Session for ISA Fans at TechEd in San Diego

    If you're an ISA firewall fan, and want to get together with other ISA aficionados, then check out the Birds of a Feather (BOF) session we're putting together for TechEd. A number of ISA gurus (and me too) will be there! Here's the rundown so far:

    Application layer firewalls are the present and future of secure network computing, and ISA firewalls set the standard. ISAserver.org gurus and MVPs Tom Shinder, Chris Gregory, Jason Ballard and Jim Harrison crack open the case on ISA Server firewall placement and config. Bring your config and design questions to this interactive and info-packed session.

    If you're going to TechEd and haven't voted on this session yet, then do! Head on over to http://www.ineta.org/bof/Default.aspx and vote for our session. Only sessions that get enough votes will be given space.

    Thanks!
    Tom


  • Protecting Microsoft Exchange with ISA Server 2004 Firewalls: Integrating the ISA Firewall into an Established Network Infrastructure

    If you didn't already know, ISA firewalls are the firewalls for protecting Microsoft Exchange Servers. One of the things that hampers adoption is the belief by many firewall and network admins that they need to change up their current network topologies in a big way to support a new ISA firewall. Not true! Check out this article I posted today to see how easy it is to get ISA firewall protection without having to re-jigger your entire network infrastructure to support it.

    http://www.msexchange.org/articles/2004protectexch.html

    Thanks!
    Tom

  • DCOM Error Related to SMTP Message Screener

    The ISA firewall's SMTP Message Screener is pretty cool. It's not a full-fledged spam whacker, but it provides a nice first line of defense against unwanted email. One thing that was a bit problematic with the ISA 2000 firewall's SMTP Message Screener was that it depended on DCOM messages being passed between the SMTP relay with the SMTP Message Screener installed and the ISA firewall machine. You don't see this problem if the SMTP Message Screener is on the ISA firewall itself, but you do see it if it's on another machine.

    If you see an error that looks something like this:

    DCOM got error "General access denied error " from the computer proxy
    when attempting to activate the server:
    {0820D243-0B18-4B0A-88F0-D857F0C91E62}

    Then you'll benefit from this cool fix from Jim Harrison:

    That GUID represents the VendorParametersSet processing DLL in ISA.

    Try this:
    1. Open a cmd window and navigate to your ISA installation folder.
    2. Type (no quotes): "regsvr32 vps2.dll"
    3. Say "OK" to the next two popups.
    4. Type (no quotes): "net stop isactrl /y"
    5. Wait until all the services are stopped.
    6. Type (no quotes): "net start w3proxy"
    7. Wait until the web proxy service starts.
    8. If you're running Integrated or Firewall mode, type (no quotes): "net start fwsrv"
    9. If you're running RRAS on the ISA, type (no quotes): "net start remoteaccess"
    10. If you're running Cache or Integrated mode, type (no quotes): "net start w3schdwn"

    As always, Jim dredges up the best fixes in the biz!

    Thanks!
    Tom

Copyright © is the original authors. Blog site is an independent site not sponsored by Microsoft. The Yoda blog server and the Brianna SQL server would like to thank www.ownwebnow.com and www.exchangedefender.com. They wouldn't be here and broadcasting without the generosity of Vlad Mazek and his companies.