Yesterday we published a new article on the Tales from the Edge Community Page. This article describes in detail how the new logging feature in TMG works. To give you a better perspective on what this means in practice, I created this video demo that shows what the article explains.
I decided to do that because recently I was answering a question on the ISA Server 2006 Forum where an ISA admin said that every time he shut down or restarted his SQL Server for maintenance, his ISA Server stopped. Well, while this is expected on ISA Server, we can show that this won't happen in TMG.
You can watch it online here:
But if you prefer, you can also download the WMV file here:
Enjoy it.
How many times have you wondered what the difference between HKEY_LOCAL_MACHINE\IsaStg_Eff1 and \IsaStg_Eff1Policy is? Well, yesterday we posted an article on the ISA Server Team Blog that demystifies that and much more. Check it out here:
http://blogs.technet.com/isablog/archive/2008/10/29/isa-policy-storage-101.aspx
The Microsoft Windows Server 2008 Event Viewer is a whole new program inside the operating system; the changes made to it are significant and rich in new features. There are so many things you can now do with Event Viewer that it is worth taking some time to play with it. The new Event Viewer in Windows Server 2008 also brings new security capabilities for auditing and more in-depth explanations of the events. In this area my recommendation is that you read the article Auditing and Compliance in Windows Server 2008 from TechNet Magazine.
I'm also pointing this out because recently I worked again on an ISA case where the infamous event 5783 was happening, and again the challenge was to get the data while the issue was occurring. During the call I explained that the new Event Viewer can assist a lot with that, since we can attach an action to the event, as you can see below:
Obviously the "wow" came out because of this feature that we asked for over so many years, and the "what" was followed by the statement: so are you saying that TMG still has this problem?
Let me clarify this once more: there is no bug when ISA Server loses the secure channel with the DC, and there is no option to turn this error on or off. This problem can happen due to many circumstances, as I explained and demonstrated on my blog. The fact is that if the circumstances are still in place, the 5783 can potentially happen in TMG. The old MaxConcurrentAPI registry key is still there in Windows Server 2008 and can be used to tune authentication performance, as you can see in the "Increase the Number of NPS Concurrent Authentications" article.
So what is our hope to stop dealing with this problem once and for all? Well, the main hope is that companies start to use a web browser that supports Kerberos authentication, such as Internet Explorer 7 or higher. This can dramatically decrease the authentication pressure on ISA and on the DC, making this problem go away.
In the last post I explained how Netmon 3.2 can be used to identify unexpected traffic, and this week I received an email that says: "...it is nice that Netmon 3.2 can be used for that, but sometimes this happens while we are out of the office and it is hard to track more information about that traffic. How can I trigger an action when this event happens on the ISA Server?".
Very interesting question, and thanks for asking! We actually do have a way to take an action based on this ISA Server 2006 alert. ISA Server 2006 alerts can be customized in such a way that you can trigger an action when they happen. So for example, let's say that you want to trigger an action when the following alert occurs:
Figure 1 – Event 21284.
You can easily configure that by using the option below:
1. Open the ISA Server Management Console.
2. Click Monitoring and then click the Alerts tab.
3. Choose the option Configure Alert Definitions.
4. In the Alerts tab, select the event below and click Edit.
Figure 2 – Alert Definitions.
5. In the window below, click Actions and choose which action you want to take:
Figure 3 – Selecting the type of event to run.
That’s pretty much it, enjoy your alert customization!
1. Understanding the Problem
I have already worked on many cases where the customer wants to know why ISA is alerting that it might be under attack, logging events such as:
Figure 1 – Number of TCP Connections.
…and also this one:
Figure 2 – Denied Connections per Minute.
These alerts are part of the default Flood Mitigation settings in ISA Server 2006 and are triggered when ISA detects that the amount of traffic from a source exceeds the default threshold. This can be a false positive, which means that this number of connections might be coming from a legitimate system and the behavior might simply be because it is a really busy system. But it can also be a real attack from a compromised system in your network.
The alert is pretty straightforward and identifies the source system that is generating this huge amount of traffic. The problem is that sometimes you go to this system, run an anti-virus scan and nothing comes up, run an anti-spyware scan and nothing comes up, etc. Sometimes the user is just playing around with some cool tools he found online, or sometimes there is a malicious process that is actually sending this traffic against ISA Server.
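As an added example (not part of the original post, and not ISA Server's own code), here is a small Python script that applies the same kind of per-source, per-minute threshold that the flood mitigation alerts above are based on, over a few constructed log lines. The log layout (date, time, client IP, action), the sample addresses and the threshold values are assumptions for this example; they are not the ISA Server log schema or ISA's default flood mitigation limits. The point it illustrates is that the alert identifies a (source IP, minute) bucket that crossed a limit, and nothing more: whether that source is busy-but-legitimate or compromised is still the admin's job to find out.

```python
# Added example: per-source, per-minute connection counting in the spirit of
# ISA 2006 flood mitigation alerts. Log format and limits are assumptions.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "date time client-ip action" (not real ISA output).
SAMPLE_LOG = """\
2008-10-30 10:15:01 10.0.0.5 allow
2008-10-30 10:15:02 10.0.0.5 deny
2008-10-30 10:15:02 10.0.0.7 allow
2008-10-30 10:15:03 10.0.0.5 deny
2008-10-30 10:15:05 10.0.0.5 deny
2008-10-30 10:15:09 10.0.0.5 deny
2008-10-30 10:16:01 10.0.0.5 deny
2008-10-30 10:16:02 10.0.0.7 allow
"""


def parse_log(text):
    """Yield (minute_bucket, client_ip, action) for each well-formed line.
    Lines that do not have four fields or a parseable timestamp are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts.replace(second=0), parts[2], parts[3]


def flood_candidates(text, total_limit, denied_limit):
    """Return {ip: [(minute, total, denied), ...]} for every (ip, minute)
    bucket whose total connections exceed total_limit or whose denied
    connections exceed denied_limit. Both comparisons are strict (> limit),
    mirroring an alert that fires once a per-minute ceiling is passed."""
    totals = Counter()
    denied = Counter()
    for minute, ip, action in parse_log(text):
        totals[(ip, minute)] += 1
        if action == "deny":
            denied[(ip, minute)] += 1

    hits = defaultdict(list)
    for (ip, minute), total in sorted(totals.items()):
        d = denied[(ip, minute)]
        if total > total_limit or d > denied_limit:
            hits[ip].append((minute.strftime("%H:%M"), total, d))
    return dict(hits)


if __name__ == "__main__":
    # Assumed limits for the demo; ISA's real defaults are much higher.
    for ip, buckets in flood_candidates(SAMPLE_LOG, 4, 3).items():
        for minute, total, d in buckets:
            print(f"{ip} at {minute}: {total} connections, {d} denied")
```

Running it with the constructed limits flags only 10.0.0.5 in the 10:15 minute (5 connections, 4 denied); the same host in the next minute and 10.0.0.7 stay below the thresholds, which is the "busy but legitimate" side of the false-positive discussion above.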
2. Netmon 3.2 Can Help You with That!
The reason I'm talking about Netmon 3.2 now is that during TechEd Brazil I met a guy from ISSA Brazil, and he was telling me about his experience with Netmon 3.2 and how security specialists were amazed by the improvements in Netmon 3.2. He actually wrote an article in the ISSA Magazine (in Portuguese) about Netmon 3.2, which you can download here. This was great feedback from the field, and it is really important to us to spread the word about the evolution of such a great tool and how it can help people in the field.
For the scenario I'm explaining here, Netmon 3.2 was perfect, mainly because it could show me what other tools could not. In this case, when we ran Netmon on the source machine (the one that ISA Server was showing in the alert), we found out which process was sending the traffic:
Figure 3 – Process that was sending the traffic.
As you can see, in this example an internal user was using the freeware tool Nmap to perform a scan against the internal IP of the ISA Server, which obviously was a bad idea. This is only a simple example of how Netmon 3.2 can assist you in identifying a process that is generating unexpected traffic.
3. Conclusion
The flood mitigation settings on ISA Server can help you identify and block hosts that are sending an exaggerated amount of traffic to ISA Server. This is the first step in blocking a compromised system. Moving further, you need to understand why the source machine is doing that, and this article explained how Netmon 3.2 will assist you with that. You can download Netmon 3.2 from here.
Those who went to TechEd Brazil last week will be able to access the content through the website www.teched.com.br. All the sessions will be available for download, but it will take a couple of weeks for that to happen. My friend Danilo Bordini from Microsoft Brazil has already published the slides for his presentations on his blog, and you can download them here. While the content is not yet available on the web site, you can also download my two presentations here. Enjoy!
Last Tuesday at TechEd Brazil I was pleased to have around 200 people in the audience with high expectations about what comes with TMG. This was the first official Microsoft presentation about TMG in Brazil, and you can imagine how closely people were watching. While my presentation was about TMG MBE, there were many questions that were not applicable to this release, but we know that the future is coming and Beta 2 is closer than you can imagine. Although the feeling of "I want to know more" was a reality during this 1 hour and 15 minutes of presentation, the audience was also amazed by some of the new features that come with TMG, such as Malware Inspection, the new logging architecture (LLQ), Policy Enforcement and NAP integration.
During the Malware Inspection demo, the user was downloading a ZIP file that had a piece of malware in it. The TMG filter intercepted the traffic, scanned it, found the malware and showed the following screen to the end user:
That was a great "wow, that's cool!!" moment. The presentation moved smoothly and the result was really positive, which makes me feel good to know that the message touched the hearts of the ISA admins who were there.
This week I'm delivering an ISA Server 2006 workshop to Microsoft Premier customers. While the training is going really well, one thing I noticed was the following common question from students in the class: why can't I sometimes access a website while I'm behind ISA, but if I bypass ISA it works?
This is a really broad question, and we need data to better understand what is causing such behavior. I'm assuming that all firewall policies are correctly configured and that you have no issues on that side. If this assumption is correct, then the next question is: what error message do you receive when you try to access the page behind ISA?
Situations like that need precise answers, and data gathering is essential for the success of the case. To give them an example that sometimes ISA just does what it is supposed to do, I showed them the following scenario:
A client is trying to access a website through ISA Server 2006, and logging shows the error below:
Error Code 64: Host not available
Error 64 is generic, and I agree that it doesn't help at all. For this reason you need to dig in to find out what is going on; otherwise it will be hard to determine the root cause. For this scenario a simple Netmon trace helped us determine the root cause:
- ISA sends the request to the destination server:
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Via: 1.1 SRV
UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; MS-RTC LM 8)
Host: www.contoso.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF
The destination server responds:
- Http: Response WebSite:
_BuildHTTPConversation:
- Response: 0x1
ProtocolVersion: HTTP/1.0
StatusCode: 302, Moved temporarily
Reason: OK
Server: XXXXX
Location: https://srv.contoso.com
Looking closely at the binary details in the Netmon hex details pane, we have the root cause:
48 54 54 50 2F 31 2E 30 20 33 30 32 20 4F 4B 20 28 43 6C 75 73 74 65 72 20 42 6F 6D 62 20 62 79 20 53 68 69 66 74 34 29 0D 0A 53 65 72 76 65 72 3A 20 41 70 61 63 68 65 2F 31 2E 33 2E 32 36 20 28 55 6E 69 78 29 0D 0A 4C 6F 63 61 74 69 6F 6E 3A 20 68 74 74 70 73 3A 2F 2F 73 65 72 76 65 72 31 31 2E 64 6F 6C 6C 61 72 73 6F 6E 74 68 65 6E 65 74 2E 6E 65 74 2F
The destination server does not terminate the response in accordance with RFC 2616: in the bytes above, the Location header line ends without the CR LF (0D 0A) sequence that closes the other header lines, and the header block is never closed. This RFC says:
“.. HTTP/1.1 defines the sequence CR LF as the end-of-line marker for all protocol elements except the entity-body”
From: http://www.ietf.org/rfc/rfc2616.txt
Therefore ISA correctly rejects it as malformed. What we should see in a normal HTTP response is:
Conclusion: bypassing ISA in an attempt to prove that the issue is on ISA sometimes doesn't prove the real point. ISA Server inspects the packet and acts according to the RFC for that protocol. If the destination server is not in accordance with that protocol, ISA will correctly drop the packet as malformed.
They were surprised by the result and confident that from now on they will research before blaming ISA.
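As an added example (not from the original post and not ISA Server's own code), here is a small Python checker that applies the RFC 2616 rule quoted above to the header block of an HTTP response: every protocol line must end in CR LF, and the block must be closed by an empty CR LF line before any body. The two sample responses are constructed; the malformed one has the same shape as the trace in this post (a 302 whose Location line is not CR LF terminated and whose header block never ends), using the anonymized host name from the post rather than the real one.

```python
# Added example: strict HTTP/1.x response header validation in the spirit of
# the RFC 2616 end-of-line rule. Sample responses are constructed, not captured.
from dataclasses import dataclass, field


@dataclass
class ParsedResponse:
    ok: bool
    reason: str = ""
    status: int = 0
    headers: dict = field(default_factory=dict)


def check_response_headers(raw: bytes) -> ParsedResponse:
    """Validate the header block of an HTTP/1.x response the way a strict
    proxy would. Rejects the message when the block is not closed by an
    empty CR LF line, when any line inside it is not CR LF terminated, when
    the status line is unparseable, or when a header line has no ':'."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        # Covers the trace in the post: last header line without CR LF and
        # no empty line closing the block.
        return ParsedResponse(False, "header block not terminated by CRLF CRLF")

    block = raw[:end]
    lines = block.split(b"\r\n")
    for line in lines:
        # A bare CR or LF left inside a line means that line was not ended
        # with the full CR LF sequence the RFC requires.
        if b"\n" in line or b"\r" in line:
            return ParsedResponse(False, "bare CR or LF inside header block")

    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        return ParsedResponse(False, "bad status line")
    try:
        status = int(parts[1])
    except ValueError:
        return ParsedResponse(False, "non-numeric status code")

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return ParsedResponse(False, "header line without ':'")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return ParsedResponse(True, "", status, headers)


# Constructed samples (anonymized host as in the post).
MALFORMED_302 = (
    b"HTTP/1.0 302 OK\r\n"
    b"Server: Apache\r\n"
    b"Location: https://srv.contoso.com/"   # no CR LF, no end of headers
)
WELL_FORMED_302 = (
    b"HTTP/1.0 302 Moved Temporarily\r\n"
    b"Server: Apache\r\n"
    b"Location: https://srv.contoso.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for label, sample in (("malformed", MALFORMED_302), ("well-formed", WELL_FORMED_302)):
        result = check_response_headers(sample)
        verdict = "accept" if result.ok else f"reject ({result.reason})"
        print(f"{label}: {verdict}")
```

The malformed sample is rejected before any header is even looked at, which is the behaviour the post attributes to ISA; the well-formed one parses to status 302 with a usable Location header. A browser talking directly to the server is typically far more forgiving about missing terminators, which is exactly why "it works when I bypass ISA" does not prove the proxy is at fault.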
With Windows Server 2008 bringing so many cool features such as SSL VPN, many customers are asking questions about this integration. Here are some common questions and answers about it:
1) Can I install ISA Server 2006 on Windows Server 2008?
No. TMG will be the first Microsoft firewall that you can install on a Windows Server 2008 system.
2) Can I install ISA Server 2006 on a 64-bit system?
No. TMG will allow that.
3) Can I join an ISA Server 2006 to a Windows Server 2008 domain?
Yes, you can. We will update the articles below with that info:
http://technet.microsoft.com/en-us/library/bb794821.aspx
http://technet.microsoft.com/en-us/library/bb794807.aspx
4) Does ISA Server 2006 support SSL VPN?
No, but you can publish an SSL VPN server through ISA Server. Here is a great article from Tom Shinder that explains how to do that:
http://www.isaserver.org/tutorials/Publishing-Windows-Server-2008-SSL-VPN-Server-Using-ISA-2006-Firewalls-Part1.html
5) Can I publish Secure FTP using IIS 7 through ISA Server 2006?
Not in a supported manner. FTPS is not supported on ISA; for more information check the official article here: http://technet.microsoft.com/en-us/library/bb794745.aspx
Many customers are thinking about going to a 64-bit system because of the advantages that this type of system brings, such as performance improvements. You are not wasting your time waiting for TMG: the amount of features, improvements and robustness that this new firewall will provide is just AMAZING. Do you want to know a little bit more about those advantages? Read this article from Tom Shinder and you will understand why TMG is the cornerstone of EBS:
http://blogs.isaserver.org/shinder/2008/09/02/why-the-forefront-tmg-is-a-cornerstone-of-essential-business-server-ebs-network-security/
"Troubleshooting SharePoint/MOSS 2007 publishing through ISA Server can be really challenging, mainly because most of the time the argument is: but it works just fine internally. Although this can be a good argument, it doesn't prove that the issue is on ISA Server. .."
Check out the complete post, which was born from a nice collaboration between the ISA and SharePoint teams:
http://blogs.technet.com/isablog/archive/2008/10/02/unable-to-check-out-a-document-in-moss-2007-published-through-isa-server-2006.aspx