Internet Security and Acceleration (ISA) Server 2004 SP3 provides the latest updates to ISA Server 2004 Enterprise Edition, with increased security, new troubleshooting tools, and improved log viewer functionality. This service pack also adds support for publishing Microsoft Exchange Server 2007 with ISA Server 2004. We strongly recommend customers install ISA Server 2004 SP3 on all computers running ISA Server 2004.

• ISA Server 2004 Enterprise Edition Service Pack 3
• ISA Server 2004 Standard Edition Service Pack 3
• ISA Server Diagnostic Logging Viewer
• New Warning event message that occurs in ISA Server 2004 SP3 to notify delay in logging

There’s also a new diagnostic log viewer which looks interesting, I’ll have to check it out. Hopefully this means that ISA Server 2006 will get the same functionality updates as well.

ISA Server 2004 Service Pack 3 is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Now this is something that it is not normally done and I don’t think that ISA Server was designed to work this way. I was doing some specific testing yesterday and as a shortcut, rather than find out what ports I needed inbound (which ended up being UDP 28000 – 29000), I allowed UDP 1024 – 65535 inbound with some unexpected results. The Microsoft Firewall service crashed with the following event logged:

Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 14079
Date: 14/03/2007
Time: 10:14:13 AM
User: N/A
Computer: CLAFW

Description:
Due to an unexpected error, the service fwsrv stopped responding to all requests. Stop the service or the corresponding process if it does not respond, and then start it again. Check for related error messages.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The following alerts were logged in the ISA Server Management Console:

Resource allocation failure
Description: A shortage of available memory caused the Microsoft Firewall to fail during initialization of reverse Network Address Translation (NAT). . Use the source location 325.1524.5.0.5720.100 to report the failure.

Resource allocation failure
Description: A shortage of available memory caused the Firewall service to fail. The ISA Server computer cannot support additional connections for the server. The Event Viewer Data window displays the number of active connections. The failure is due to error: The data area passed to a system call is too small.

Server Publishing Failure
Description: ISA Server failed to read one or more server publishing rules from the stored configuration because an internal error occurred. Error location 325.1524.5.0.5720.100. The stored configuration may be corrupted. The failure is due to error: Ran out of memory

Deleting the rule and restarting the Microsoft Firewall service got the server up and running, but there’s something I won’t do again.

Crash the ISA Server Firewall Service – Open All Inbound Ports is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

•  LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 1)
•  LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 2)
•  LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 3)
•  LDAP Pre-authentication with ISA 2006 Firewalls: Using LDAP to Pre-authenticate OWA Access (Part 4)

This is an excellent feature of ISA Server 2006 because it allows scenarios whereby ISA Server cannot be the edge firewall for whatever reason and is placed in the DMZ instead. LDAP allows for ISA Server to authentcate against Active Directory without the server being a member of the domain. However, once you configure LDAP authentication you cannot then use additional authentication methods such as RADIUS OTP and RSA SecurID. You can see this on the web listener Authentication tab, once you select the option to ‘Collect additional delegation credentials in the form’, LDAP is no longer selectable.

I think that this is a bit of an oversight by the ISA Server team so it would be great to get this feature into an ISA Server 2006 Service Pack or the next version of ISA Server (2008, codename Nitrogen). If this is a feature that you might find compelling you can get feature requests into Micrsoft through their partners (if your aren’t one yourself) or look out for the next ISA Server beta when it pops up on Microsoft Connect.

ISA Server 2006 and LDAP Authentication is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

First off, I’ll discuss how SecurID authentication works in ISA Server. Microsoft have licensed the agent software from RSA and offered RSA SecurID authentication since ISA Server 2000 Feature Pack 1. This is built into the product and does not require a separate agent installation. As of ISA Server 2006, the SecurID agent version is 6.1.1.53. You can view the support DLLs in the ISA Server program folder (\Program Files\Microsoft ISA Server, aceclnt.dll, sdmsg.dll and sdui.dll).

To allow the ISA Server to authenticate against the RSA ACE server, an agent host record needs to be created (assuming a Windows box is hosting the ACE server):

1. Log onto the RSA ACE server and start the Database Administration tool in Host Mode
2. Add a new agent host and use ‘Net OS Agent’ as the agent type
3. Enable the tick-box labelled ‘Open to All Locally Known Users’ if you want all users to be able to authenticate
4. Click OK to save the changes and copy SDCONF.REC (located in \WINDOWS\SYSTEM32) to ISA Server.

Configuring SecurID support in ISA Server as a simple process:

1. Copy SDCONF.REC to \WINDOWS\SYSTEM32. The ISA Server help file says to put this file into the ISA Server program folder, but this worked fine for me in the SYSTEM32 folder.
2. Ensure that the local account NETWORK SERVICE has Full Control to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SDTI. This is so that ISA Server can write the secret to the registry.
3. You may also need to add the PrimaryInterfaceIP string value to the registry under HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\ACECLIENT depending on your ISA Server configuration. The value must match that set in the agent host record.

You can test RSA SecurID authentication with the RSA Test Authentication utility available from the Microsoft web site. Download this utility and copy the extracted utility to the ISA Server program folder and execute from there (if you don’t you will receive an error).

RSA Test Authentication Utility for Internet Security and Acceleration (ISA) Server 2006

Now that the SecurID authentication requirements have been configured you can create a web publishing rule to enable access to Outlook Web Access. This is a simple wizard driven interface (use the Exchange Web Client Access Publish Rule wizard) and is discussed in detail in ISAServer.org so I won’t go into detail here.

Once the rule and a corresponding web listener has been created, you will need to edit the properties of the web listener:

1. Choose the Authentication tab and ensure that ‘HTML Form Authentication’ is selected as the authentication method
2. Enable the tick-box labelled ‘Collect additional delegation credentials in the form’
3. Then select the radio button labelled ‘RSA SecurID’
4. Click OK and apply your configuration changes.

Now you should have three fields listed on the Outlook Web Access authentication page: username, token code and password. ISA Server also provides for a scenario where the RSA username and the Windows username are different, adding a forth field for a Windows username.

This is an excellent method of taking authentication that one step further to ensure only trusted users have access to your corporate resources. The same authentication options offered in ISA Server also allow for other two-factor authentication solutions via RADIUS OTP (One Time Password). With this option you could authenticate against Secure Computing’s SafeWord PremierAccess or Verisign’s Unified Authentication to provide two-factor authentication.

One thing to note about enabling RSA authentication on your OWA rule, if you also use this rule for ActiveSync, this will break ActiveSync. I have not looked into this further, but I would recommend creating a separate rule for ActiveSync using a second certificate.

Strengthening OWA Authentication with ISA 2006 and RSA SecurID is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

1. Published Public Web Sites

Access to unauthenticated web sites was being blocked and displaying the following error in the browser:

Error Code: 403 Forbidden. ISA Server is configured to block HTTP requests that require authentication. (12250)

Which looked like this in the browser:

The standard configuration for publishing public web sites via ISA Server 2004 would be to disable any authentication methods via the web listener and this is still the case with ISA Server 2006 (although performed a little differently). However ISA Server 2006 provides new authentication delegation options as well as rejecting authentication over HTTP by default. Authentication delegation in ISA Server 2006 allows you to specify other authentication types than just Basic auth. In a web publishing scenario where the published site does not use authentication there are two ways to stop this prompt: 1. On the rule, the Authentication Delegation option must be set to ‘No delegation, and client cannot authenticate directly’ or 2. On the web listener click the Advanced button on the Authentication tab and enable ‘Allow client authentication over HTTP’. Here’s a view of the Authentication Delegation tab (click for a larger view):

2. Routing and Remote Access

The Routing and Remote Access configuration was hosed and the service was actually un-configured. To renable this configuration I opened the VPN configuration properties, reset it, then applied the configuration. I then also had to re-add our pre-existing DHCP Relay configuration as well. (We have a couple of quarantined subnets to which the ISA Server relays DHCP addresses)

ISA Server 2004 to 2006 Upgrade is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

0xc0040357
The Server referenced by Array CLAFW does not exist.

After a bit of searching, I found this page by John Howard (jeez our Prime Minister is a busy boy ) that details the issue. In my case it was the exact same issue, I removed the offending report job from the ISA Server Management Console and my export worked fine.

0xc0040357: The Server referenced by Array <SERVERNAME> does not exist is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Application Layer Firewall protection for Exchange Server 2003 with ISA Server 2004

And reinforcing a post from last month:

“We do not recommend placing an Exchange front-end server in a perimeter network because it is not designed to be a security context, and it requires extensive connectivity to Active Directory and the Exchange back-end servers.”

Application Layer Firewall protection for Exchange Server 2003 with ISA Server 2004 is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

“ISA Client Spy is a FREE utility designed specifically for use with Microsoft ISA Server 2004. With ISA Spy, you can keep an eye on your user’s browsing activity in real time. ISA Client Spy is a standalone application which does not require any Web Filters or Application Extensions to be installed on your ISA Server. It will work with any logging method enabled on your ISA Server or even when logging is disabled all together. ISA Client Spy can be installed on any Windows XP/2000/2003 computer which also has the ISA Server 2004 Management Console installed.”

PS: I don’t condone spying on users.

ISA Client Spy is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

The Industry Insiders: Securing the network using Microsoft ISA Server 2004
http://blogs.technet.com/industry_insiders/articles/404588.aspx

Whilst on the subject of layer 7 – here’s why outbound HTTP/S should be authenticated (and users should not have admin access to their workstations)- HTTP Tunnels:

HTTP Tunnel  (I think this one is particularly insidious, because they sell it as a “service”, lets hope the CEO does’nt stumble across this site)
Zebedee

HTTP tunnel software allows for tunneling almost any protocol over HTTP. For example, a user could use a HTTP tunnel to bypass the firewall to use their peer-to-peer software and download stuff from the Internet.

Securing the network using Microsoft ISA Server 2004 is post from stealthpuppy.com. Except as noted otherwise, this work is © 2005-2012 Aaron Parker and is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.