This Is The Last Post

This is the last post for this particular blog.

Don’t panic! I’ve created a new blog. The new blog will have a much broader focus and cover not only ISA but the full range of security challenges encountered by small businesses every day. It will include technical how to, as well as opinion, commentary and product reviews.

The new blog location is
The RSS feed for the blog is

I will keep this blog online for some period as an archive.

ISA @ SMBNation

ISA will be featured in the technical track at SMB Nation this year. My presentation back in March at SMBTN was well received. I’ll be building on that presentation. I will demonstrate several configurations that are in demand for SMB consultants:

Spam and Flood protection
Limiting Internet Access: Integration with AD and Group Policy
Logging and Reporting
Backup and Recovery

So be there. Dana Epp, Security MVP has organized top drawer technical content for this conference. It’s September 29 – October 1.

Also, a heads up. I’ll be presenting at SMB Focus in Sydney Australia in November as well. Plan now and I’ll see you there.

Thoughts on what it means to not have an edge SBS

Situating SBS on the edge of the small business network has always been a controversial topic. A network in a box for small companies has to include some kind of firewall doesn’t it? So through the years it was RRAS, Proxy 2.0, ISA 2000 and ISA 2004. With word out that SBS will no longer be supported on the edge that means that ISA on that box and RRAS are both out of the picture. Considering that most SBS servers are currently protected by RRAS that’s significant.

Having worked in the small business market for a number of years I can tell you with certainty that this will leave the vast majority of SBS customers with networks protected by their DSL router. A DSL router just isn’t sufficient to protect against today’s application targeted attacks. Neither is it sophisticated enough to serve the publishing needs of Exchange 2007 without leaving gaping holes to exploit.

Microsoft knows best how to protect Microsoft software. SBS is jammed packed with Microsoft software as are most small business desktops. What then will be the official “best practice” recommended by Microsoft to protect their software that these customers are so dependant upon?

The Skinny on ISA in SBS 2008

The official word:

“With respect to ISA, here’s what we’re public on:

– SBS no longer will support being the edge box. You’ll need SBS to be behind a network firewall of some sort — could be a hardware firewall, could be a software firewall, such as ISA.

– ISA, itself, will no longer support running on the SBS server itself — this is really related to #1. We’re building the SBS tools in the next rev assuming that the network firewall is elsewhere.”

I wish I was allowed to say more about what’s going on in the next version of SBS but I’m not. So from the official statement above it doesn’t take a rocket scientist to notice that you’re going to have to place your ISA server in front of SBS next time around on a seperate server. Unfortunately there’s no public statement about what this means the product list is for SBS Premium because obviously we’re going to need another license of Windows for that second server. We’ll have to wait and see.

ISA 2004 SP3 Released

ISA 2004 SP3 is here.

ISA Server 2004 SP3 includes the following new features and improved functionality:

Improvements to the ISA Server Management console with the addition of a new Troubleshooting node

Enhanced log viewing functionality

Additional log filtering functionality

Diagnostic logging, including over 200 new diagnostic logging events

Integration with the Microsoft ISA Server Best Practices Analyzer Tool

Support for publishing Microsoft Exchange Server 2007 with ISA Server 2004

Vista might not connect immediately

Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista

Read all about it in TechNet. Vista contains a feature which uses DNS to locate and connect to a pre-defined website. This is part of the new network identification feature. So when Vista detects a new network and pops up the box for you to select how much you trust this newly connected network, this article explains what has happened in the background.

The key issues are:

1. Vista clients behind ISA may not immediately recognize that they are connected to the Internet via a firewall
2. ISA logs will contain denied DNS traffic destined for (yes, this is a valid IP address)

And don’t panic.