ISA is an application that sits on the top of the Windows OS and consumes many OS features and functionalities. Many administrators still confused about what it is and what it is not an ISA related issue. I decided to enumerate the top five common questions (or misconceptions if you will) about ISA in four core areas: Encryption, VPN, Load Balance and Authentication.
1) I want to force ISA Server to use SSL V3. How do I do this?
This is not an ISA question. ISA Server consumes the cryptography system from the OS, more precisely from the SCHANNEL security provider. If you want to play with the SSL version, ciphers and hashes use the KB below:
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll. Whatever is used by the OS will be respected by ISA.
VPN 2) Does ISA 2006 Radius authentication support Radius access-challenge message?
RRAS not ISA is responsible for that. ISA server just consumes RRAS functionalities and features. In this particular question the answer can be found at http://technet.microsoft.com/en-us/library/cc728366(WS.10).aspx, where it says that Access-Challenge is an attribute supported by MS implementation of RADIUS.
3) Can ISA Server assign a specific IP address to my VPN Client?
RRAS not ISA is responsible for handling this. For this particular case you can use Active Directory feature that allows you to assign a static IP for one specific user. See http://technet.microsoft.com/ru-ru/library/cc759712(WS.10).aspx for more information
Load Balance 4) Does ISA Server NLB support Switch Layer 3?
ISA Server uses Windows NLB capabilities, hence the same supportability statement used on Windows NLB for this matter is true for ISA. In this case refer to the following NLB Q&A:
Switch is operating in Layer-3 mode
NLB is not supported when the hosts are homed to a switch operating at Layer-3. Instead, create a VLAN for all the nodes in the NLB cluster, and configure that VLAN to operate in Layer-2 mode.
Authentication 5) Why ISA Server needs bi-directional (two-way) trust between domains in order to use Kerberos Constrained Delegation?
Windows not ISA imposes this. For more details explanation on this read http://technet.microsoft.com/en-us/library/cc752953.aspx
Have a good day and keep in mind that not always it’s an ISA issue neither is an ISA question :)
Consider a scenario where you planned the migration from ISA to TMG, you read the migration guide and you watched the migration video from Jim and Mohit. You did all the homework and on the day that you try to migrate you get an error saying: Import Failed Error 0x004040f. When you click Details button you will see the message: “No CA Certificate selected for HTTPS Forward Bridging”.
What happens is that if you install TMG and right after installing you launch the Getting Start Wizard, follow all the wizard then follow Web Access Policy wizard and try to enable all the features that are in there you will ended up with configuration that is not clean. You will have rules and components already configured in TMG, which shouldn’t be there while importing the settings from ISA. So, make sure that you have a really clean install prior to import the data from ISA.
Have a good TMG Migration… …and remember Chapter 6 of the TMG Book is your friend !!
The future of security baseline management has arrived. The new Security Compliance Manager will enable you to plan, deploy, operate, and manage your organization’s security baselines for Windows® client and server operating systems, and Microsoft applications.
Earlier this year the Microsoft Solution Accelerators team announced the beta release of this free new tool. They gathered feedback from IT pros and organizations around the globe, and they’re excited to share the result: a tool designed to help your organization efficiently manage the security and compliance process for the most widely used Microsoft technologies.
The Security Compliance Manager will help you accelerate knowledge to merge best practices, customize once to centralize decision making, and export to multiple formats to enable monitoring, verification, and compliance. The tool will ultimately help to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.
· Download the Security Compliance Manager.
· Learn more about Security Compliance Manager.
· Help spread the word: Tell your friends about Security Compliance Manager.
· Thoughts? Favorite features? Feedback? Tell it to the dev team.
Want the facts straight from the development team? Check out this series of short videos! Better yet, post your own video response sharing your favorite feature.
We just released this hotfix for Forefront TMG 2010, which cover issues involving integrated NLB feature on TMG, mainly when used in VPN Scenarios (Site to Site for example). More information about this fix go to the link below:
Last week I worked on an interesting case where I was lucky enough to have a buddy here from MS Texas available to help me out on an issue related to Entourage. Before I introduce him, let’s consider a scenario (described in the figure below) where Entourage clients were unable to access their mailbox when are located in the external network (Internet) passing through ISA Server 2006.
Notice that in this case there are two CAS Servers in NLB and for the internal MAC users they were able to access their mailbox without any problem.
Since the initial assessment done by the Messaging Admin concluded that internal MAC clients were able to access their Exchange mailbox, we had to understand what it was ISA role on this error. The initial troubleshooting on the ISA Server side in this type of case is always to get the live logging and see what ISA is reporting about this error. For this particular scenario ISA was logging that the error 405 was coming from the CAS server (IIS) as shown below:
In order to confirm that, we went to IIS logs and confirmed that it was IIS sending the 405. It was during this time that I asked for assistance to one of our Entourage SME here at MS Texas, Austin McCollum. Rapidly Austin noticed that the reason why IIS was sending this 405 was because the connection attempt was sending a request to the /owa vidir rather than /exchange (which is the one used by Entourage). Although the client was configured to send the request to mail.contoso.com/exchange, there was a redirect rule on ISA Server (created by the Admin) that was redirecting all the traffic from mail.contoso.com/exchange to mail.contoso.com/owa. This redirect rule was created by the ISA Administrator in order to automatically redirect clients to the OWA vdir since all his infrastructure was Exchange 2007 (and used to be Exchange 2003). This is not a necessary step, better to rely on Exchange to handle that.
After fixing this problem we were confident that the issue will be resolved…NOT!! Again, we got 405 and again it was coming from CAS (IIS). However at this time it was going to the correct place /exchange. Austin used his article http://blogs.technet.com/austinmc/archive/2009/04/17/connecting-entourage-with-exchange-2007.aspx in order to fix other configuration issues, however the 405 persisted and for our surprise the /exchange vdir had not authentication selection, nothing, nada...hence it fails to authenticate. We enabled basic authentication and after that everything started working.
3. Why it was working internally?
The question that really got into our mind was why this was working internally and if you look to the network diagram you will see that the topology is composed by a NLB on the CAS side. What it was happening was that internal clients were were hitting the CAS Server that had no authentication problem on /exchange vdir. Also, since they were not passing through ISA, they didn’t face the initial problem with the /exchange redirect.
True teamwork here, Thanks Austin !!
Next April 13th 11:00 AM PST a colleague from my team here at MS Texas (Mohit Kumar) will be delivering a presentation about Troubleshooting ISA Server 2006 VPN Issues for Microsoft Partners, if you are a partner and deal with ISA Server you should watch this presentation. Here it is the agenda with the core topics that will be covered:
The registration is open at https://training.partner.microsoft.com/learning/app/management/LMS_ActDetails.aspx?UserMode=0&ActivityId=577437
Enjoy it !!
Just a quick update on the part 2 of this series of 3 articles about Netmon RWS Parser. Check it out at http://technet.microsoft.com/en-us/library/ff536096.aspx
Consider a scenario where Firewall Administrator configure E-Mail Protection feature on Forefront TMG 2010 and enable EdgeSync traffic as shown below:
The environment was working fine but later the Firewall administrator wants to add an additional IP on the Receive Connector (in the Forefront TMG terminology this will be the External SMTP Route). However when try to open the properties of this connector on TMG and go to routing tab on TMG we have the following message:
Note: When EdgeSync is enabled you can’t make direct changes on some properties of the Exchange Edge and should do it via Exchange Hub Transport Server. For more information the settings that are replicated via EdgeSync see http://technet.microsoft.com/en-us/library/bb232177.aspx
Firewall administrator contacted the Exchange Administrator that tried to change this setting directly on the Exchange Edge console by following the procedure below:
After some time that this setting was applied the following message appeared on Forefront TMG Alerts:
After this message appears, this configuration is reverted back to the original state (without the additional IP on the send connector).
2. Why I cannot change my Exchange Edge Settings?
This is an expected behavior when Exchange Edge is installed on the same computer as Forefront TMG 2010 as part of the E-Mail Protection feature. Forefront TMG Managed Control Service is responsible for identifying changes on the E-Mail protection policy and replicates it from TMG to Exchange Edge, which means that changes done directly on the Exchange console will be overwritten.
3. What should I do in this case that I need to add an additional IP on the External connector?
The workaround to add additional IPs after configure EdgeSync via E-Mail Protection on TMG 2010 is to temporally disable EdgeSync via TMG 2010 console as shown below:
After disabling this setting, applying the changes on TMG, you can change the External connector to add the additional IP. Once the additional IP is added you can re-enable EdgeSync using the procedures from Using Mail Protection with Exchange EdgeSync on Forefront TMG.