Download New ISA 2000 Video Presentations

Microsoft has posted some video presentations that you can download and view at your leisure. Do what I do — burn these guys to a DVD and play them while flying from one gig to another. You can watch Martin Sargent reruns only so many times 🙂

With ISA Server 2004 now not that far away, Microsoft has released a bunch of ISA 2000 presentations.

Internet Security and Acceleration Server Network Design for Microsoft .NET Applications
In this presentation you will learn how to design a network for multi-tiered Microsoft .NET applications. The session introduces each element of the architecture and explains how to use ISA Server in different places throughout the network.

Microsoft® Internet Security and Acceleration Server Best Practices and Troubleshooting
In this presentation you will get the best practices for installing and administering Microsoft Internet Security and Acceleration Server.

Microsoft® Internet Security and Acceleration Server Deployment Techniques
In this presentation you will see how to deploy Microsoft Internet Security and Acceleration Server to provide caching and firewall functions. Learn about planning issues, guidance on client types, and the design of ISA Server policies.

How to Protect Your Network Using Microsoft® Internet Security and Acceleration Server 2000
In this presentation you will see how Microsoft Internet Security and Acceleration Server 2000 can be used to provide proxy, caching, and firewall security for your network, and more.

HTH,
Tom

Another TechEd ISA 2004 Session

If you’re planning on attending TechEd this year in San Diego, then you might be interested in another session that I’m doing. Here’s the info:

Date: May 25
Time: 5:00PM — 6:15PM
Code: SECC04
Description: ISA Server 2004 Enhanced Microsoft Exchange and VPN Services Support: How ISA Server Provides Enhanced Security for MS Exchange and VPN
Speaker Name: Tom Shinder — ISAServer.org
Code: Canbana4
Reg Type: COMM

I’ll talk about what’s new, what’s cool, and what’s unique about ISA 2004’s VPN and Exchange Server protection features.

Hope to see you there!

Thanks!
Tom

Microsoft Tech·Ed 2004

Birds of a Feather Session for ISA Fans at TechEd in San Diego

If you’re an ISA firewall fan, and want to get together with other ISA aficionados, then check out the Birds of a Feather (BOF) session we’re putting together for TechEd. A number of ISA gurus (and me too) will be there! Here’s the rundown so far:

Application layer firewalls are the present and future of secure network computing, and ISA firewalls set the standard. ISAserver.org gurus and MVPs Tom Shinder, Chris Gregory, Jason Ballard and Jim Harrison crack open the case on ISA Server firewall placement and config. Bring your config and design questions to this interactive and info-packed session.

If you’re going to TechEd and haven’t voted on this session yet, then do! Head on over to http://www.ineta.org/bof/Default.aspx and vote for our session. Only sessions that get enough votes will be given space.

Thanks!
Tom

Microsoft Tech·Ed 2004

Protecting Microsoft Exchange with ISA Server 2004 Firewalls: Integrating the ISA Firewall into an Established Network Infrastructure

If you didn’t already know, ISA firewalls are the firewalls for protecting Microsoft Exchange Servers. One of the things that hampers adoption is the belief by many firewall and network admins that they need to change their current network topologies in a big way to support a new ISA firewall. Not true! Check out this article I posted today to see how easy it is to get ISA firewall protection without having to re-jigger your entire network infrastructure to support it.

http://www.msexchange.org/articles/2004protectexch.html

Thanks!
Tom

DCOM Error Related to SMTP Message Screener

The ISA firewall’s SMTP Message Screener is pretty cool. It’s not a full-fledged spam whacker, but it provides a nice first line of defense against unwanted email. One thing that was a bit problematic with the ISA 2000 firewall’s SMTP Message Screener was that it depended on DCOM messages being passed between the SMTP relay with the SMTP Message Screener installed and the ISA firewall machine. You don’t see this problem if the SMTP Message Screener is on the ISA firewall itself, but you do see it if it’s on another machine.

If you see an error that looks something like this:

DCOM got error “General access denied error ” from the computer proxy
when attempting to activate the server:
{0820D243-0B18-4B0A-88F0-D857F0C91E62}

Then you’ll benefit from this cool fix from Jim Harrison:

That GUID represents the VendorParametersSet processing DLL in ISA.

Try this:
1. open a cmd window and navigate to your ISA installation folder.
2. type (no quotes): “regsvr32 vps2.dll”
3. say “OK” to the next two popups
4. type (no quotes): “net stop isactrl /y”
5. wait until all the services are stopped
6. type (no quotes): “net start w3proxy”
7. wait until the web proxy service starts
8. If you’re running Integrated or Firewall mode, type (no quotes): “net start fwsrv”
9. If you’re running RRAS on the ISA, type (no quotes): “net start remoteaccess”
10. If you’re running Cache or Integrated mode, type (no quotes): “net start w3schdwn”

As always, Jim dredges up the best fixes in the biz!
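If you have to apply the fix on more than one box, here is the same sequence as a cmd batch file. This is an added example written for this post, not part of the original or of Jim’s fix. It assumes ISA is installed under %ProgramFiles%\Microsoft ISA Server (change ISA_DIR if yours differs); the mode and rras arguments are this script’s own convention, and the waitfor polling is there because steps 5 and 7 say to wait until the services actually stop and start, which net stop/net start do not guarantee on their own.

```batch
@echo off
rem Added example: scripted version of the vps2.dll re-registration and ordered
rem service restart. Run from a cmd prompt on the ISA 2000 machine.
rem Assumption: ISA lives under %ProgramFiles%\Microsoft ISA Server.
rem Usage: isa_vps2_fix.cmd {integrated, firewall, cache} [rras]
setlocal enableextensions

set "ISA_DIR=%ProgramFiles%\Microsoft ISA Server"
set "MODE=%~1"
set "RRAS=%~2"

if "%MODE%"=="" (
    echo Usage: %~nx0 {integrated, firewall, cache} [rras]
    exit /b 1
)
if not exist "%ISA_DIR%\vps2.dll" (
    echo vps2.dll not found in "%ISA_DIR%" - set ISA_DIR to your ISA folder.
    exit /b 1
)

rem Steps 1-3: re-register the VendorParametersSet DLL. /s suppresses the popups.
regsvr32 /s "%ISA_DIR%\vps2.dll"
if errorlevel 1 (
    echo regsvr32 failed with errorlevel %errorlevel%
    exit /b 1
)

rem Steps 4-5: stop the ISA control service and everything that depends on it,
rem then poll sc query until the service really reports STOPPED.
net stop isactrl /y
call :waitfor isactrl STOPPED
if errorlevel 1 exit /b 1

rem Steps 6-7: web proxy first, and wait for it before starting anything else.
net start w3proxy
call :waitfor w3proxy RUNNING
if errorlevel 1 exit /b 1

rem Step 8: firewall service only in Firewall or Integrated mode.
if /i "%MODE%"=="firewall"   net start fwsrv
if /i "%MODE%"=="integrated" net start fwsrv

rem Step 9: RRAS only if it runs on the ISA box.
if /i "%RRAS%"=="rras" net start remoteaccess

rem Step 10: scheduled content download only in Cache or Integrated mode.
if /i "%MODE%"=="cache"      net start w3schdwn
if /i "%MODE%"=="integrated" net start w3schdwn

echo Done. Check the System event log for any further DCOM access-denied errors.
exit /b 0

:waitfor
rem %1 = service name, %2 = STATE keyword expected from "sc query".
rem Polls every ~2 seconds, gives up after 30 tries so a missing service
rem cannot hang the script forever.
set /a TRIES=0
:waitfor_loop
sc query %1 | findstr /i "%2" >nul
if not errorlevel 1 goto :eof
set /a TRIES+=1
if %TRIES% geq 30 (
    echo Timed out waiting for %1 to reach %2
    exit /b 1
)
ping -n 3 127.0.0.1 >nul
goto waitfor_loop
```

Run it as isa_vps2_fix.cmd integrated rras on an Integrated-mode ISA that also hosts RRAS; on a Firewall-mode box use isa_vps2_fix.cmd firewall. The STOPPED and RUNNING checks deliberately do not match STOP_PENDING or START_PENDING, which is what sc query reports while a service is still transitioning.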

Thanks!
Tom

ISA 2004 Firewall Client Weirdness

The ISA firewall’s Firewall Client app is really the killer app of the ISA 2000 and ISA 2004 firewall. It’s a real shame that so many people shy away from it, because it’s a key component of a strong outbound access control scheme. Without strong outbound access control, you might as well run a dumb packet filter router like a PIX!

Anyhow, the Firewall client from ISA 2004 can get a bit flaky. The reason for this is that it uses an encrypted connection between the Firewall client machine and the ISA 2004 firewall. The ISA 2004 firewall client can whack out when trying to connect to ISA 2000 and Proxy 2.0 machines because it uses only the TCP channel (TCP 1745) when connecting to the firewall. Proxy 2.0 expects to be able to use the UDP control channel, and at times ISA 2000 will want to use one too. You can fix this problem by adding the following Registry value on the Firewall client machines:

HKEY_LOCAL_MACHINE\Software\Microsoft\Firewall Client 2004\EnableUdpControlChannel = 1

That’s your fact for the day. Now on to documenting for the ISA 2004/Exchange Kit the procedures required for putting together a unihomed ISA 2004 box to support reverse proxy for OWA and RPC/HTTP connections.

Laterz,
Tom

The Pain of Putting the Front-end Exchange in the DMZ

I finally finished the ISA 2004/Exchange Deployment Kit doc on the FE/BE Exchange config where the front-end is in a trihomed DMZ segment. What a pain! Actually, the ISA config is easy, but there are so many steps in configuring the Exchange Servers, Exchange Services, email clients and certificate management that it’s easy to miss a step. On top of that, add in the vagaries of spazzing-out virtual machines. Not sleeping for over 24 hours probably doesn’t help either 🙂

However, the final doc is a real work of art. I know that everyone has been wanting support for the FE in the DMZ, and now with ISA 2004 it works.

I hope I’ll be able to demo the config for you at TechEd. Maybe if I get really motivated, I’ll do some .avi movies of the config and put them on CD for you to take home. If only I could buy more hours in the day. I’m getting up before going to bed these days!

Thanks!

Tom

ISA 2004 RPC Filter Breaks Certificates Snap-in

I really like using the Certificates MMC snap-in because it greatly simplifies issuing certificates to domain members when using an enterprise CA. Sadly enough, the ISA 2004 RPC filter kills the Certificates snap-in, and also the Certificate Request Wizard used to issue certificates to IIS and Exchange Services. Bummer.

The solution is to disable the RPC filter in the Add-ins node and then create an Access Rule that allows all IP traffic between the communicating hosts. Just make sure to remember to disable this rule and re-enable the RPC filter after you’ve issued the certificates!

If you don’t want to go through that hassle, you can always use the Web enrollment site, or create a file for an offline request.

HTH,
Tom

First Article

This is my first article in a blog ever. I was wondering how blogs are different than “this is my cat” Web sites from the early 1990’s. BTW — did I show you a picture of my cat?