ISA Firewall Site to Site VPN Quick Fix

If you’ve been trying to create a site to site VPN using the ISA 2004 firewall with a pre-shared key only, I feel your pain. You’ve probably seen that it doesn’t work. The key is to not configure the pre-shared key in the Remote Site Wizard. Instead, leave the pre-shared key checkbox unchecked. Then click the VPN Clients tab in the Details pane, and click the Select Authentication Methods link on the Tasks tab in the Task Pane. On the Authentication tab in the Virtual Private Networks (VPN) dialog box, put a checkmark in the Allow custom IPSec policy for L2TP …

ISA Firewall Site to Site VPNs with Downlevel VPN Gateways

One of the things that drove us nuts with the ISA 2000 firewall was the problem of site to site VPNs. You could use PPTP or L2TP/IPSec to create a site to site VPN, but the problem was that most downlevel VPN gateways (PIX, SonicWall, etc.) use the less secure IPSec tunnel mode. The new ISA firewall fixes this problem with its support for IPSec tunnel mode. The problem is that each vendor has its own proprietary approach to creating a site to site VPN. Don’t worry! Microsoft has come to our rescue with a bevy of very cool docs …

The Evils of SSL Tunneling

As a firewall administrator your primary concern is access control. You want to control exactly what services internal network users can access on other networks, and you want exact control over what services external users can access on the internal network. That’s the reason you have a firewall. If you don’t want someone to access a specific service on the Internet, then you either do not allow it (the preferred method) or you explicitly block it (the less preferred method). This isn’t a radical approach and is something inherent in all good firewall policies. For example, you have created a …

Using RADIUS Authentication with the ISA Firewall’s VPN Server (2004)

By Thomas W Shinder M.D. Got questions? Discuss this article over at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000170 Like the ISA Server 2000 firewall, the ISA firewall (ISA Server 2004) supports RADIUS authentication for VPN clients. RADIUS authentication is most useful when the ISA firewall is not a member of the Internal network domain. Situations where you would not want to make the ISA firewall a member of the Internal network domain include those where the ISA firewall is the Internet edge firewall and there are other back-end firewalls on the network. While it is completely acceptable to make the ISA firewall on the Internet …

ISA 2004 HTTP Security Filter – Will It Meet Its Potential?

ISA 2004 firewalls include a very powerful HTTP Security Filter. This filter allows you to block virtually any HTTP connection attempt, based on the settings you configure in the filter. The HTTP Security Filter allows you to configure the ISA 2004 firewall to perform detailed searches of the HTTP header and body, and block connections that match your criteria. When used properly, this has the potential to be the ISA 2004 firewall’s “killer app”. However, most firewall admins have to do double, triple, quadruple and quintuple duties. They don’t have time to make the ISA 2004 firewall their avocation. They need …

Disabling Spoof Detection in ISA 2004 Firewalls

Spoof detection in ISA 2004 firewalls is a handy feature that helps protect the firewall from spoof attacks. However, there are some circumstances that generate spurious spoof alerts, such as when implementing NLB. No problem! Here’s the fix, courtesy of our good friend, Barclay Neira: 284811 HOW TO: Disable the IP Spoofing Detection Feature in Internet Security and Acceleration Server http://support.microsoft.com/?id=284811 Here is the registry location you would need to update for ISA 2004. All other information in the article is the same: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FwEng\Parameters Thanks Barclay!

Protecting Microsoft Exchange with ISA Server 2004 Firewalls: Integrating the ISA Firewall into an Established Network Infrastructure

By Thomas W Shinder M.D. Nobody likes to start from scratch. This is especially true if you have a well established network and firewall infrastructure that’s working for you. Why would you want to go and change everything just to add a new application layer intelligent firewall to your setup? Things are working already and you haven’t been successfully attacked for at least 6 weeks. This is something I come across a lot when recommending ISA firewalls to organizations that already have a firewall and …

Fixes for Instant Messenger Related Problems

One of the most common problems seen on the Web boards and mailing lists is Instant Messenger related issues. How do you get them to work? How do you make them stop working? My solution is to remove the dreaded IM’ers from the users’ machines 🙂 However, if you want more information on how to get these things to work, check out: Microsoft ISA Server Message Boards: Tips for msn,yahoo,kazaa: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000096 Lots of very useful tips and tricks there. HTH, Tom

Cool Script for Auto Failover and Failback for Windows 2003 ISA Firewalls

A frequent request on the ISA boards is a script or other free method that you can use to fail over and fail back if you have multiple external interfaces. Custler, a frequent poster on the http://forums.isaserver.org message boards, has posted a very nice script to get you started. Jim Harrison may jump in with a fix that will help it work in Windows 2000. Check it out here: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000012#000011 Thanks guys! Tom

The Mystery of the ISA 2004 Beta Newsgroups

I wrote to Jerry Bryant about putting some beta newsgroups for ISA 2004 on the msnews.microsoft.com Web site. Silly me, there were already ISA 2004 Beta 2 newsgroups. The problem is that they’re very effectively hidden from public view! This explains why the level of activity in the “public” newsgroups for ISA 2004 is so much less than what I saw during the ISA 2000 beta. Anyhow, if you’re interested in getting involved with the public ISA 2004 Beta 2 newsgroups, here’s the secret sauce: Viewing these Newsgroups with an NNTP Newsreader. Since these are private newsgroups, your server will …