ISA & TMG NAT behavior And MS08-037

re: ISA & TMG NAT behavior And MS08-037

PsYteAk — Thu, 28 Aug 2008 10:13:26 GMT

Good article!

Just wondering…

Shouldn’t it be SecureNAT client instead of SecureNET? Or is it two different names for the same thing?

re: ISA & TMG NAT behavior And MS08-037

isablog — Thu, 28 Aug 2008 18:33:19 GMT

I have a personal preference for "SecureNET" because it allows you to mentally consider the fact that the traffic flow from a host / application which is neither a Firewall client nor a Web Proxy client can be processed by a route relationship. "SecureNAT" doesn't allow for this mental flexibility.

..hope it's not too confusing...

BlogMS Weekly Articles Published - 25th August 2008 to 31st August 2008

BlogMS - Official Microsoft Team Blogs — Mon, 08 Sep 2008 12:57:42 GMT

body { font-family: Arial; font-size: 10pt} 183 Microsoft Team blogs searched, 88 blogs have new articles

re: ISA & TMG NAT behavior And MS08-037

isablog — Wed, 12 Nov 2008 01:19:55 GMT

We've created updates to ISA and TMG to support source port randomization for UDP traffic across NAT relationships.

You can obtain the update packages here:

ISA 2000 (requires SP2): http://www.microsoft.com/downloads/details.aspx?FamilyID=1455d4e6-a0b5-4583-82f1-ee8239fca207

ISA 2004 Std Ed (requires SP3): http://www.microsoft.com/downloads/details.aspx?FamilyID=0ab83f12-653b-4be1-befe-594c4ef62baa

ISA 2004 Ent Ed (requires SP3): http://www.microsoft.com/downloads/details.aspx?FamilyID=55ce3623-2f7b-4900-9a2f-7e2aa2fe9c50

ISA 2006 (requires SP1): http://www.microsoft.com/downloads/details.aspx?FamilyID=e96a6e20-0c04-4c7d-9f3e-207b02ae29cc

TMG MBE: http://www.microsoft.com/downloads/details.aspx?FamilyID=e974422f-42b0-426c-8852-ff8e67264909

DNS/NAT update available for ISA and TMG

Yuri Diogenes's Blog — Wed, 12 Nov 2008 01:35:17 GMT

We just released an update for ISA (2000, 2004 and 2006) and TMG MBE for the behavior that Jim Harrison

ISA/TMG Updates zu MS08-037

Forefront & Security Blogs — Wed, 12 Nov 2008 14:22:37 GMT

Wer heute in den WSUS geschaut hat, wird Updates für alle ISA Server-Versionen gefunden haben. These

re: ISA & TMG NAT behavior And MS08-037

Nori — Sun, 16 Nov 2008 06:51:08 GMT

After installing this update PPTP stopped working.

Only after removing it could I get PPTP to work again.

re: ISA & TMG NAT behavior And MS08-037

isablog — Mon, 17 Nov 2008 22:34:16 GMT

Nori, have you contacted CSS?

Can you elaborate on "stopped working"?

re: ISA & TMG NAT behavior And MS08-037

Kai Wilke — Fri, 05 Dec 2008 18:28:52 GMT

After applying the patch, you're not able to establish PPTP connections to your ISA, because TCP 0.0.0.0:1723 stops listening for incomming PPTP calls.

re: ISA & TMG NAT behavior And MS08-037

isablog — Tue, 09 Dec 2008 21:46:18 GMT

Due to some installation issues on Forefront TMG (MBE), the package at: http://www.microsoft.com/downloads/details.aspx?FamilyID=e974422f-42b0-426c-8852-ff8e67264909 has been re-released. The code which manages the UDP NAT pool has not changed; only the installation process.

re: ISA & TMG NAT behavior And MS08-037

isablog — Tue, 09 Dec 2008 22:00:24 GMT

Kai! - whereyabeen?!?

Given that the update only allocates UDP sockets and PPTP operates on TCP:1723, this error doesn't male sense.

I'll see if I can repro it. If not, will you have cycles to provide more targeted data?

Exception List Script for ISA Server and Forefront TMG UDP Updates

Forefront TMG (ISA Server) Product Team Blog — Tue, 09 Dec 2008 23:12:53 GMT

Why do I need this? Last month, we released a collection of updates to help mitigate the problem caused

re: ISA & TMG NAT behavior And MS08-037

Nori — Thu, 11 Dec 2008 23:33:36 GMT

I didn't have time to troubleshoot further why PPTP stopped working or contact CSS.

So I just uninstalled.

re: ISA & TMG NAT behavior And MS08-037

RNA — Thu, 14 May 2009 17:32:21 GMT

There is already a solution to the problem of PPTP ports disappeared?

Already tried hotfix KB968078 that supersedes KB956570 but that has the same problem.

re: ISA & TMG NAT behavior And MS08-037 & MS09-016

Kai Wilke — Fri, 15 May 2009 18:27:19 GMT

A few minutes ago i ran into the same PPTP issue again. Thx to MS09-016 for making trouble...

Deinstalled MS09-016 and everything runs fine again. But now I'm sitting in front of a non-patched ISA box, again!

Hope PSS will fix this issue soon, so that ISA admins would be finally protected against the Kaminsky DNS exploit.

> Kai! - whereyabeen?!?

Jim? (i guess, because nobody else would use the word "whereyabeen") ;)

I'm still in Berlin. But i've played in the last two years a little bit more with Cisco stuff than with ISA.

Regarding the help... sure you can ping me via email. (kw at itacs dot de)

-Kai