So you want to ensure that you have full access to ISA before, during and after patching for 09-016 (assuming you don’t have a box with more than 4 procs) http://blogs.technet.com/sbs/archive/2009/04/20/ms09-012-and-isa-server-standard-edition-14109-failures.aspx

http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx

Listen to this for the reason you want to add a policy for remote management:

Inside SBS Episode #12 – The ISA Server Meltdown | Odeo: Search, Discover and Share Digital Media from Millions of Audio and Video Clips:
http://odeo.com/episodes/538067-Inside-SBS-Episode-12-The-ISA-Server-Meltdown

Mark, Damian, Justin, Chris on ISA.

At 8:53 in, Justin talks about it.

  • Launch the ISA console
  • Click on Firewall Policy
  • Click on Edit system policy

Okay see that setting that says “Remote Management”?

 

See where you build a rule to add your external [static] IP address to remotely manage the box via TS no matter what?  See where you can even add the ability to ping from your remote server?

 

Click edit, then add your static IP to that category of “remote management computers”.  Adding your address there means you won’t lock yourself out while you remotely manage ISA….like…when installing a security patch.

SBS Premium with ISA Server 2004 on Quad Core CPUs



I hope Darren doesn’t mind me stealing his entire REALLY good blog post about how he got stuck installing Windows 2003 sp2 and ISA on a quad core CPU server and how he needed to get up to ISA 2004 sp2 or sp3 to fix this 


Recently a customer of mine purchased a Dual Quad Core server to act as their SBS Premium server.  They planned to run SQL Server and ISA Server on this machine, and wanted the machine to last 5 to 7 years, so a dual Quad core configuration isn’t out of line, and price wise, it wasn’t much more expensive than two dual core processors.


When they went to install the ISA Server component however, they found that ISA Server wouldn’t start, complaining about there being too many processors.


SBS supports two PHYSICAL CPUs as counted by the number of CPU Sockets on the main board, not by the number of processor cores reported to the operating system.  So ISA not working isn’t a licensing issue, but rather a bug in ISA’s detection of the number of CPUs.


Fortunately, there is a fix: Install ISA Server 2004 SP2.  <edit now install ISA 2004 sp3 instead — Download details: ISA Server 2004 Standard Edition Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A05A074A-5033-4792-AF8B-58B90D841436&displaylang=en>


To figure out the fastest / least error prone way of doing this, I contacted Microsoft’s Pre-Sales Tech support, and here’s the exact order in which they recommend doing the installation:


Now, there are a few different things you need to do before going ahead with installing SP2 on ISA 2004.
1.) Make sure you download SP2 for ISA 2004 and the two following roll outs first:



2.) Go ahead and install everything in the following order; SP2, KB 916106 then KB 917902. <instead install ISA 2004 sp3>


Once that is done, you’ll probably want to install SP2 for Windows; apparently this is a potential problem with ISA, so please view the following blog posting for information on the issue before actually going ahead and installing it.


VPN, SecureNat/Nat and Outlook clients not working after installing Windows Service Pack 2 in SBS 2003 Premium


http://blogs.technet.com/sbs/archive/2007/03/19/vpn-securenat-nat-and-outlook-clients-not-working-after-installing-windows-service-pack-2-in-sbs-2003-premium.aspx


After all that is done, there is a chance that you might experience a performance issue with the workload spiking on one of the CPUs. The support team hasn’t had any calls on it, but just in case, here’s the KB on how to fix it.


Throughput for an ISA Server that is running on a Windows Server 2003 Service Pack 2 (SP2)-based multiprocessor computer may be greatly reduced or completely blocked


http://support.microsoft.com/kb/934809
Darren’s Space: SBS Premium with ISA Server 2004 on Quad Core CPUs:
http://darrenmyher.spaces.live.com/blog/cns!1ABA4CA6583AB317!155.entry

Charlie needed to connect to Gmail’s nntp folders inside of Outlook.  He had tightened ISA’s rules so they were not all open, and realized that was impacting Gmail.

(Necessary if you’re going to use Outlook rule processing, since SBS doesn’t include a default rule for this.) You’ll need to add an ISA rule to make it work on some machines. I could post the XML file, but it’s easy enough to set up:

1.) Open ISA Mgmt console.
2.) Scroll down to near the bottom, just above the SBS Internet Access Rule.
3.) Click the Tasks tab on the right, click Create a New Access Rule.
4.) Give it a name – “Gmail SSL Allow” (or whatever). Click Next.
5.) Select Allow, click Next.
6.) Select This Rule Applies to Selected Protocols from the drop-down list.
7.) Click Add. Expand Mail. Select IMAPS (and IMAP4 if you also use non-secure IMAP servers somewhere). Click Add. Click Close.
8.) Click Next to move to the Access Rule Sources page. Click Add.
9.) Expand Network Sets, select All Protected Networks. Click Add. Click Close.
10.) Click Next to move to the Access Rule Destinations. Click Add.
11.) Expand Networks, select External, click Add. Click Close.
12.) Click Next to move to the User Sets. I leave this at All Users.
13.) Click Next to move to the Completing New Access Rule page.
14.) Click Finish. Then click Apply to make the rule actually active.

You’re in business.

Charlie.

MPECS Inc. Blog: SBS Premium – SBS Post Install ISA Rule Must Do for DHCP:
http://blog.mpecsinc.ca/2007/10/sbs-premium-sbs-post-install-isa-rule.html


Philip’s blog talks about the case of the missing DHCP


Amy talks about why this happens:


Why DHCP Stops Working After You Add a Custom Access Rule – SecureSMB:
http://msmvps.com/blogs/securesmb/archive/2007/10/13/why-dhcp-stops-working-after-you-add-a-custom-access-rule.aspx


One of the unusual things about SBS is how rule making behaves when ISA runs on the very box it’s protecting.  This is one side effect we see, and in particular I’ve seen it pop up post sp2.  ISA is very RFC aware and my guess is that with the application of sp2 it’s gotten a bit more RFC aware than it already was.  But that’s pure speculation and probably what is going on is the mere ‘change’ that a service pack application brings, and perhaps the consultant has changed rule order post sp2 and isn’t connecting that with the result.  But bottom line, watch your rules.  I don’t have a special DHCP rule here and my server works just fine.

>>> HOT TOPICS for OCTOBER 2007 <<<

The following “hot topics” were posted and resolved during the month of
September:

ISSUE
=====
When you try to access external FTP sites in an ISA environment, you may
see this ISA error message:

ISA Server: extended error message :
200 Type set to I.
200 PORT command successful.
550 Permission denied on server.  You are restricted to your account.

This mostly occurs when you visit FTP sites which need authentication
in IE7 using the URL form
ftp://username:password@ftp.site.com.

In IE6
——-
You can also access the FTP site using the URL
ftp://ftp.site.com. It will
prompt you to input a username and password. After inputting the username and
password, you can access the FTP site.

In IE7
——-
No matter what type of client you are using (SecureNAT, web proxy (BTW, it
will not work with folder view enabled) or Firewall Client), you just cannot
access it successfully.

CAUSE
======
This is because folder view is disabled in IE7; this is by design. This is
controlled by the Windows shell. Internet Explorer 6 and the Windows shell were
basically the same program but used different user interface (UI) entry
points. However, IE7 installs new components of its own; it is not the same
program as the Windows shell.

RESOLUTION
===========
To workaround the issue, you must access the website in Windows Explorer.

MORE INFORMATION
=================
Separation of Internet Explorer 7 from the Windows shell
http://support.microsoft.com/?id=928675



ISSUE
=====
The ISA firewall service fails to start after you install ISA 2004 Server on
the SBS. When you manually start the firewall service, it returns “Windows could
not start the Microsoft Firewall on the local computer. For more info review the
Event Log.  If this is a non-Microsoft service, contact the vendor and refer
to service specific error code -2147221005”.

In the application log, you get Firewall error 14001: “The description for Event
ID ( 14001 ) in Source ( Microsoft Firewall ) cannot be found. The local
computer may not have the necessary registry information or message
DLL files to display messages from a remote computer. You may be able to use
the /AUXSOURCE= flag to retrieve this description; see Help and Support for
details.”

Reinstalling ISA Server does not help; the issue persists.

CAUSE
======
Corrupted registry or components.

RESOLUTION
===========
Check the permission on following registry keys:

HKEY_CLASSES_ROOT\Fpc.FPCFilterExpressions
HKEY_CLASSES_ROOT\Fpc.FPCFilterExpressions.1
HKEY_CLASSES_ROOT\FPC.Root
HKEY_CLASSES_ROOT\FPC.Root.1
HKEY_CLASSES_ROOT\FPCSTG
HKEY_CLASSES_ROOT\FPCSTG.1
HKEY_CLASSES_ROOT\FPCSTG.FPCStorageEnvironment
HKEY_CLASSES_ROOT\FPCSTG.FPCStorageEnvironment.1
HKEY_CLASSES_ROOT\FPCSTG.FPCStorageFactory
HKEY_CLASSES_ROOT\FPCSTG.FPCStorageFactory.1

Set the above registry keys with following permission:

Administrator – Full Control
System – Full Control
Network Service – Full control
Authenticated Users – Full Control
Creator Owner – Full Control
Server Operators – Full Control


ISSUE
=====
OWA access problem via ISA 2006.  Error Code: 500 Internal Server Error. The
number of HTTP requests per minute exceeded the configured limit. Contact
the server administrator. (12219).


CAUSE
======
Incorrect authentication method: FBA was enabled on both ISA and Exchange.


RESOLUTION
===========
Disabled FBA on Exchange server and enabled it on the ISA web listener.

MORE INFORMATION
=================
Publishing Exchange Server 2003 with ISA Server 2006
http://www.microsoft.com/technet/isa/2006/deployment/exchange2003.mspx


After doing a firmware upgrade and a driver upgrade to 10.24.0… reboot your server.


ISA will block the traffic and not let it out.  I had a feeling it would freak out just a smidge with that firmware/nic driver upgrade…and it did.


Now on to see if that helps with getting SP2 on the box.

http://simultaneouspancakes.com/Lessons/2007/01/15/isa-and-dhcp/


When you start using ISA to restrict things… be careful about restricting too much…..


Depending on where you put that ISA rule set you could end up shutting off DHCP services as a result….. 



——– Original Message ——–
Subject: Sharing info.. ISA Rules
Date: Sat, 13 Jan 2007 22:25:44 -0000
From: Pop <Iknowyouwantit@lol.com>
Newsgroups: microsoft.public.windows.server.sbs


If you already all knew it then sorry… 😉


Set up a denied access rule for ‘banned sites’; a few days later noticed PCs
were not getting an IP address from server DHCP (oh yes, router DHCP
switched off…lol).

Noticed the above rule was before the SBS Protected network rule; moved it
below and DHCP working again…


Interesting…

So I’m looking in my ISA log files because for the last couple of days my Scorpion Software Firewall dashboard has indicated I’ve been getting ntp attacks from two IP addresses: 192.168.116.1 and 192.168.142.1, and it’s now where I have some time on my hands to figure out what’s going on…. they aren’t getting out …but why are they there?  My internal IP address on this network is based on the old SBS 4.x numbering of 10.0.0.x, my home IP range is 192.168.16.x… the 192.168.1.254 is my external nic attached to the router…so WHY do I have two IP addresses attempting to get a time sync and being denied?  When I ping them they are unavailable, and an arp -a brings back nothing.  Well in chatting with Amy she indicated that the logging I was seeing, “0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED”, was not hitting a “rule” but rather happening in kernel mode.  It was labelling them as spoofed as it didn’t see these addresses in my domain.



No kidding…. neither did I… so what are they?  So Amy Googled and found that one might be a Vmware network connection and the other Cisco…. Vmware?  Hang on .. I have vmware on this workstation but it’s not loaded up… and at the time I had the two nics enabled (I’ve since disabled them)



And sure enough…those were the IP addresses that the nics were assigned in the interface, and ISA was just doing what it was supposed to be doing on my internal network and saying “yo, I don’t recognize these, they aren’t on my approved internal IP addresses so I’m blocking them”.  Okay so not exactly like that, but you get my meaning.


Sure ’nuff, disabled the nics as I’m not running a vmware on this machine at this time and that was indeed it. Once again, the firewall dashboard stuck something in my face that I don’t think I would have noticed otherwise.


And by the way…. to Amy … Ditto!  THANK YOU! for all that you do for the SBS and ISA Community!  http://isainsbs.blogspot.com/2007/01/thank-you.html

The recent closure of the Open Relay Database, as reported by incidents.org, points out how email and spam have changed over the years.  Once upon a time open relays abounded and were the main way that spam attacks were launched. Now spam attacks us in various ways, from spam bots to NDR attacks.  Open relay is no longer our main SMTP security issue these days; in fact Exchange 2003 is not a mail relayer by default.  Nevertheless, while our servers have gotten more secure, the spam impact is rising. As the spammers have changed the playing field, we’re using different tools to fight back.  While the built-in IMF spam filter in Exchange 2003 sp2 is an excellent spam filter, there are new hosted solutions that place the burden of filtering on the backs of specialized vendors that can better see the spam trends.  Vendors such as Postini, Microsoft’s Frontbridge, and the one I personally use, ExchangeDefender.com, provide additional filtering in front of your Exchange server.

Hosted Exchange filtering provides several benefits.  The first is that these vendors specialize in seeing the trends of viruses and spam and thus can act on those trends much faster than I can.  Secondly, they house the spam on their servers and not mine.  And last but certainly not least, one of the reasons I chose this was to provide more secure connectivity to my mail server.  I was able to do this by using my ISA Server 2004 to provide a bit more protection for my Small Business Server network.

Before the change, I could literally see pings from various countries entering my network via the open port 25 that I used to accept inbound email connections.  Using an add on tool to ISA Server 2004, the Firewall Dashboard from Scorpion Software, you could see the various countries and IP addresses: 


Figure 1 – Scorpion Software’s Firewall Dashboard showing various SMTP connections


While attempts to guess a username and password over a mail connection should not concern the savvy administrator of a network with passphrases or a password policy that ensures passwords are long, strong and not easily cracked, the reality for many firms is that they would prefer to reduce an exposed attack surface if it’s reasonable to do so.  There have been cases where firms have been subjected to dictionary attacks and had a password cracked merely so that the attacker could authenticate to the mail server and use it in more spam attacks.  These attacks, called SMTP auth attacks, have increased over the years.  In addition, my concern, with my firm located in California and holding data of California residents, is that should an attacker use an SMTP auth attack and, through my own stupidity or misconfiguration, crack a password, that event would trigger a California law called SB1386, whereby I would need to notify my firm’s clients that their sensitive data may have been breached.

In our case, it is extremely reasonable and extremely easy to limit the connections to our mail server ports with a bit of judicious editing of the ISA Server policy that allows connections to our mail server.  The service that I use, ExchangeDefender, only connects to my server from a specific set of IP addresses.  Therefore, to ensure that we only accept inbound port 25 connections from those servers, we will set up rules in ISA Server 2004 to better protect the server and limit SMTP connections to only those 5 IP ranges.  This in turn closes down the potential for SMTP auth attacks and other misdirected connections to port 25 on my server, reducing even further an already limited attack surface.

Our first step in the process is to determine the IP addresses that we need to restrict port 25 to.  The IP addresses are all Class C addresses.  We begin by launching the ISA management console as shown below:

Figure 2 – Default rules as provided by the SBS 2003 “Connect to Email and Internet Wizard”


In my case, ISA Server 2004 is installed on the SBS 2003 network server, and the SBS rule wizard has pre-built the access rule for email to the server.  I will edit that rule to provide the additional restrictions I need, but I need to remember that should I rerun the Connect to Internet and Email Wizard (CEICW, as it’s commonly called) inside Small Business Server, it will reset these email rules to their defaults.  So at the end of this process, I’ll make sure that I back up the ISA configuration I’ve customized to ensure it is retained.

So we begin by editing the policy and providing the additional IP restrictions so that only the IP addresses of the ExchangeDefender servers can connect to SMTP on my server.  In my example using SBS 2003’s ISA Server configuration, it has built for me an SMTP access rule that I will edit.  Double-click the Smtp Server Access Rule and browse to the “From” tab.  From here you can see that the currently allowed connections are from the entire Internet.  This is what we will be editing.

Figure 3 – Editing the SMTP server access rule
 


We first add the address ranges to which we will limit connections.  After clicking on “Add” we are presented with a Network Entities screen.  We now need to click on “New” to add a new category of addresses from which we will accept inbound port 25 connections.  As you can see, you are presented with various ways to define the entities a rule applies to, ranging from networks to network sets, to individual computers, to address ranges and so on.  This makes it easy to build a rule with a specific need in mind.

Figure 4: Defining the Network Entities


We will build a series of address ranges, based on the information given to us by the hosted antivirus and antispam provider, that we will use to limit the connections.  While we can use several categories of network entities to build the rule, including an Address Range for each range or a Subnet for each one, the easiest way is to use a Computer Set and include in that one set the five ranges the vendor has given us.  This keeps the rule best organized, as all of the vendor’s IP ranges are in one spot.  Be sure to add enough descriptive information to the set to ensure that you will remember its intent, and document it in your firewall change log or whatever process you use to document firewall changes.

Figure 5: Using New Computer  Rule Element


When everything is done, the ranges we have built are included as one set.  We can now replace the existing “External” entry, which allows connections from all locations, with the more restrictive set that only allows the 5 address ranges we have specified.  And like all other edits to firewall rules in ISA, it’s as easy as clicking on the “Apply” button to put the edited rule into effect.
 
Figure 6:  Applying the new configuration



Last but not least, we need to remember that in the Small Business Server 2003 environment, should we re-run the firewall wizard for any reason, any SBS wizard-specific rule that we customized will be reset back to the original.  Therefore, documenting the changes you make, and at the end of the customization process clicking on the properties of the rule and exporting it to allow for easy import, will ensure that you can easily and quickly get the firewall settings back to the way you need them.

Figure 7:  Exporting out the changed configuration


In reality for many of us that use the power of ISA 2004 to better protect and report on the Internet connectivity on our SBS 2003 networks, we typically only run the Connect to Email and Internet wizard once when initially setting up the ISA 2004 configuration.  After that first configuration, we tend to edit the rules as we need them and there is typically no need to rerun the setup wizard. 

You can now go to any number of port probing web sites and tools, ranging from Steve Gibson’s veritable Shields Up on his www.grc.com web site to Microsoft’s portqry tool, and see that your port 25 is no longer seen as open to the Internet and ready for drive-by port 25 password attempts. While you are still fully able to get all of your cleaned and de-spammed email, you are no longer the fully exposed connection you once were.

Before you limit the connections, a port query response comes back with the following:

Data returned from port:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 25 Dec 2006 03:06:17 -0800
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000000.


After you limit the connection, the response comes back as follows:

TCP port 25 (smtp service): FILTERED
portqry.exe -n xx.xx.xx.xx -e 25 -p TCP exits with return code 0x00000002.


Thus providing a bit more protection from drive by SMTP auth attackers.
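As an added example (not code from the original post, and not the Scorpion Software dashboard), here is a small Python triage script that does two of the log checks this page describes by hand: it pulls out packets that ISA dropped as spoofed (result code 0xc0040014, the vmware NIC story above) whose source is not in the internal ranges, and it lists inbound SMTP connections from outside the hosted filter’s allowed ranges, which is how you would confirm the restricted rule is still in effect. The log excerpt and its field layout are constructed and simplified compared with ISA’s real W3C log, the 198.51.100.0/24 range is a stand-in for the vendor’s five ranges, and 203.0.113.9 is a made-up outside sender.

```python
import ipaddress

# Constructed log excerpt in a simplified W3C layout. The two 192.168.x.1
# sources and the 10.0.0.x internal range come from the post; the SMTP
# sources, the 0x0 code for allowed traffic and the rule names are made up.
SAMPLE_LOG = """\
#Fields: date time client-ip destination-ip protocol action result-code rule
2007-01-20 10:01:05 192.168.116.1 10.0.0.1 NTP Denied 0xc0040014 -
2007-01-20 10:01:06 192.168.142.1 10.0.0.1 NTP Denied 0xc0040014 -
2007-01-20 10:02:11 10.0.0.55 10.0.0.1 NTP Allowed 0x0 Allow NTP
2007-01-20 10:03:40 203.0.113.9 10.0.0.1 SMTP Denied 0x0 Default rule
2007-01-20 10:04:02 198.51.100.20 10.0.0.1 SMTP Allowed 0x0 SMTP Server Access Rule
"""

SPOOF_DROPPED = "0xc0040014"  # FWX_E_FWE_SPOOFING_PACKET_DROPPED

# Ranges ISA knows as "Internal" (the post's 10.0.0.x network) and a
# placeholder for the hosted filter's allowed sender ranges (substitute the
# five ranges the vendor gave you).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]
SMTP_ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_w3c(text):
    """Yield one dict per log record, keyed by the #Fields header names.
    The last field (rule) may contain spaces, so the split is bounded."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw.strip() and not raw.startswith("#") and fields:
            parts = raw.split(None, len(fields) - 1)
            yield dict(zip(fields, parts))


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def unknown_spoof_sources(text, internal_nets=INTERNAL_NETS):
    """Source addresses dropped as spoofed that belong to none of the internal
    ranges. ISA drops these in kernel mode before any rule is evaluated, so no
    rule name is logged; a hit usually means a forgotten adapter (in the post,
    two VMware virtual NICs) rather than an attacker."""
    hits = set()
    for rec in parse_w3c(text):
        spoofed = rec["result-code"].lower() == SPOOF_DROPPED
        if spoofed and not in_any(rec["client-ip"], internal_nets):
            hits.add(rec["client-ip"])
    return sorted(hits)


def smtp_from_outside_allowlist(text, allowed=SMTP_ALLOWED_NETS):
    """Inbound SMTP connections from outside the vendor ranges, grouped by
    ISA's action. Anything under 'Allowed' means the restricted SMTP rule is
    no longer in effect, e.g. after the CEICW reset it back to External."""
    out = {"Allowed": [], "Denied": []}
    for rec in parse_w3c(text):
        if rec["protocol"] == "SMTP" and not in_any(rec["client-ip"], allowed):
            out.setdefault(rec["action"], []).append(rec["client-ip"])
    return out


if __name__ == "__main__":
    print("spoof-dropped, not internal:", unknown_spoof_sources(SAMPLE_LOG))
    print("SMTP outside allowlist:", smtp_from_outside_allowlist(SAMPLE_LOG))
```

Point it at a real ISA firewall log export by replacing SAMPLE_LOG with the file contents and keeping the file's own #Fields header, since the parser keys on that line rather than on fixed column positions.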

While I would never say that a firewall should be “set it up and then forget about it”, typically the ISA 2004 configuration is straightforward enough that my only need to adjust it is when my business needs change or a change in security stance dictates a change in the firewall.  The rest of the time, it just keeps doing what it does very well: being a great protection and reporting tool for my business’ network access.

And now, it gave me just a little bit more help in the war against SPAM.


(Now blogged from this location on my blog site, was formerly blogged at another location)


P.S.  as I’ve joked with folks.. the worse thing about all these external hosted spam filtering services is that they make your email boring.

As an FYI, a blog post I did on how to use ISA 2004 to better close your SMTP connection to the outside world … especially when you are connected to ExchangeDefender.com … is up on the ISA server blog


http://blogs.technet.com/isablog/archive/2006/12/28/exchange-spam-filtering-and-isa-server.aspx


Exchangedefender.com is the service that I use that prefilters, cleans and despams my firm’s email….


Bottom line it makes my email boring these days.  And I’m serious about that… it’s quite dull these days.  Only business email.  🙂


P.S.  The post is off the blog site.. sorry if you are looking for it.  No, I really won’t go into why it was removed (not for reasons some folks might be thinking of anyway).