Alexander’s Blog

July 28, 2005

Deploy ISA Server 2004 in Minutes with Hardware Solutions

by @ 8:28 am. Filed under ISA Server, Security/Firewalls

Microsoft has joined with key Original Equipment Manufacturers (OEMs) to bring Internet Security and Acceleration (ISA) Server 2004-based security appliances to market. These solutions combine the best of ISA Server 2004 with a hardened version of Microsoft Windows Server 2003 and optimized hardware so they are ready to deploy right out of the box.

Key benefits include:

1. Hardware comes preloaded, preconfigured, and pretested with ISA Server 2004.

2. Hardened configuration for reduced attack surface.

3. Easy to purchase, set up, and deploy.

4. Out-of-box configuration tools and Web-based administration available (on some models from some OEMs).

A list of hardware vendors that have partnered with Microsoft is available here. For hardware FAQs for ISA Server 2004, click here.


July 27, 2005

ISA Server 2004 tools released by Microsoft

by @ 7:51 pm. Filed under ISA Server, Security/Firewalls, Tools/Utils

Microsoft has just released three updated tools for ISA Server 2004.

The MSDEToText.vbs tool displays the contents of an MSDE Firewall or Web Proxy log on screen, or writes it out to a text file.

CacheDir.exe is an updated version of the earlier tool that lets you view the ISA Server 2004 cache contents in real time. You can also save the contents of your cache to a file and mark items as obsolete so they are no longer served to clients.

The Remote Access Quarantine Tool for ISA Server 2004 prepares your ISA Server 2004 computer running on Windows Server 2003 to act as an RQS listener component.

July 5, 2005

Publishing a VPN Server Behind the ISA Server 2004 Firewall

by @ 11:50 am. Filed under ISA Server, Security/Firewalls

ISA Server allows you to configure Virtual Private Networks (VPNs) so that clients can create Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) over IPSec tunnels to the ISA Server. ISA Server also allows you to create site-to-site VPN tunnels. However, in some cases hosting VPNs on the ISA Server itself is not enough. If you are using a third-party VPN server, or if you want to host a VPN server on the internal network for your clients, you may be interested in setting up a VPN server behind the ISA Server firewall on your private network.

The VPN client access you configure in the ISA Server Management console allows VPN access to the ISA Server computer itself, not to another server on the private network. Normally you wouldn’t want your users tunneling into the ISA Server; you would want them to tunnel into a server behind the ISA Server firewall.

In this article we will learn how to configure a VPN server on the private network and how to configure ISA Server with the rules required to publish that internal VPN server. You can use either a PPTP or an L2TP over IPSec tunnel. Compared to L2TP over IPSec, PPTP is much easier to configure, so we will use PPTP in this document.

Here’s what our scenario looks like.

The first thing you need to do is install and configure your VPN server. The procedure for configuring a VPN server on Windows Server 2003 is described in the KB article How To Install and Configure a Virtual Private Network Server in Windows Server 2003. Because we will use the server publishing feature on the ISA Server, the VPN server should use the private interface of the ISA Server as its default gateway. In our scenario this is the interface with IP address 10.0.0.1.

Creating a Server Publishing Rule
As mentioned above, we will use PPTP to publish our VPN server. This requires a server publishing rule on the ISA Server computer.

1. Open ISA Server Management console and select Firewall Policy.

2. In the task pane on the right hand side click on the Tasks tab.

3. Click on Create New Server Publishing Rule.

We will use the screen shots to look at the rest of the steps.

10.0.0.2 is the IP address of the internal VPN server that you are publishing through the ISA Server.

Selecting PPTP Server will configure inbound TCP port 1723 for VPN. It will also use the built-in PPTP filter on the ISA Server.

If you have more than one IP address on your external interface and you want to publish the VPN server on all of them, you need to make sure that ISA Server listens on all of those addresses. In our example we are only using one IP address on the external interface, so we will only configure ISA Server to listen on the External network.

Don’t forget to enable VPN access for clients either through Remote Access policy or through Active Directory in the users’ account properties or else users will not be able to create VPN connections.
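Once the publishing rule is in place, you will want to confirm from the outside that the internal VPN server really answers through the ISA Server. The following Python script is an added example, not code from the original article: it sends a PPTP Start-Control-Connection-Request (RFC 2637) to the ISA external address on TCP 1723 and parses the Start-Control-Connection-Reply. The host name `isa-check`, the function names and the `SAMPLE_SCCRP` bytes are constructed for this example; note that the PPTP filter must also pass GRE (IP protocol 47) for the tunnel to work, which this TCP-only check does not exercise.

```python
"""Check that a PPTP server published through ISA Server answers on TCP 1723.

Added example: sends a Start-Control-Connection-Request (RFC 2637) and parses the
reply. Result code 1 means the control channel came up, i.e. the publishing rule
forwards TCP 1723. GRE (IP protocol 47) must still pass for the tunnel itself.
"""
import socket
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CTL_SCCRQ, CTL_SCCRP = 1, 2
# length, msg type, cookie, ctl type, reserved, version, reserved (SCCRP: result +
# error code), framing caps, bearer caps, max channels, firmware rev, host, vendor
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"  # 156 bytes
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"  # 156 bytes

def build_sccrq(hostname: bytes = b"isa-check") -> bytes:
    """Build a 156-byte SCCRQ: async+sync framing, analog+digital bearer."""
    return struct.pack(SCCRQ_FMT, 156, 1, MAGIC_COOKIE, CTL_SCCRQ, 0, 0x0100, 0,
                       0x3, 0x3, 0, 0, hostname.ljust(64, b"\0"), b"\0" * 64)

def parse_sccrp(data: bytes) -> dict:
    """Validate the PPTP header; result 1 = ok, 4 = not authorized, 5 = bad version."""
    if len(data) != 156:
        raise ValueError(f"expected a 156-byte SCCRP, got {len(data)} bytes")
    (length, msg_type, cookie, ctl_type, _, version, result, error, _framing,
     _bearer, _channels, _firmware, host, vendor) = struct.unpack(SCCRP_FMT, data)
    if length != 156 or msg_type != 1 or cookie != MAGIC_COOKIE or ctl_type != CTL_SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    return {"result": result, "error_code": error, "version": version,
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}

def check_published_pptp(host: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Connect to the ISA external address and complete the SCCRQ/SCCRP exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        reply = b""
        while len(reply) < 156:  # the reply may arrive in several segments
            chunk = sock.recv(156 - len(reply))
            if not chunk:
                raise ConnectionError("server closed the PPTP control connection")
            reply += chunk
    return parse_sccrp(reply)

# Constructed sample reply (not captured from a real server): success, host "vpnsrv".
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, 156, 1, MAGIC_COOKIE, CTL_SCCRP, 0, 0x0100, 1, 0,
                           0x3, 0x3, 0, 0, b"vpnsrv".ljust(64, b"\0"), b"\0" * 64)
```

Run `check_published_pptp("<ISA external IP>")` from a host on the Internet side; a result of 1 confirms the rule forwards the control channel to 10.0.0.2, while a connection timeout points at the listener or rule, not at the VPN server.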



Copyright ©2005 Zubair Alexander. All rights reserved.

June 14, 2005

Options for Authenticating Users in ISA Server 2004

by @ 8:55 am. Filed under Articles, ISA Server, Security/Firewalls

When configuring ISA Server 2004, one challenge many people face is how to design the services so that Active Directory groups can be used in ISA Server rules. If you want to use users or groups in ISA Server 2004 rules, you must make ISA Server a member of the Active Directory domain so it can communicate with Active Directory. As a member server, ISA Server can take advantage of specific users or groups in Active Directory through User Sets. A User Set is a group of users that are defined together as a single set. The set can include three types of users or groups:

1. Windows users and groups
2. RADIUS
3. SecurID

For example, if you want only the members of the Information Technology (IT) department to access the internal network when they use a Virtual Private Network (VPN), you can create a network rule where the source network is VPN Clients and the destination network is Internal. You then create a User Set that includes only the members of the IT department and configure the network rule to apply only to that IT User Set.

For security reasons, administrators often prefer not to add their ISA Servers to the corporate Active Directory domain. One solution is to create a separate forest in the DMZ, add the ISA Server to that forest and configure ISA Server to use domain accounts from it in access policy rules. However, this is a lot of work, and it requires you to maintain separate accounts in two different forests.

If you only want to use users and groups for authentication (rather than in access rules), you can use a RADIUS server instead. Microsoft’s RADIUS server is called Internet Authentication Service (IAS) and is included in Windows Server 2003. This eliminates the need to add ISA Server 2004 to Active Directory as a member server. However, there’s one thing you should know about this solution: it may seem like you can add a group from the RADIUS server to a User Set, but you can’t. You can either add an individual (Specified User Name) from the RADIUS server or add everyone (All Users in Namespace), as shown in the screen shot below.

Another option is RSA SecurID, which adds cost. RSA SecurID for Microsoft Windows offers stronger security by combining something the user knows (a secret PIN) with something the user possesses (a unique RSA SecurID token).

The token generates a one-time password every 60 seconds. The options for adding SecurID users are identical to the RADIUS options: you can add either a Specified User Name or All Users in Namespace.

SecurID also offers other advantages. You can find out more about SecurID on TechGalaxy’s ISA Server page; look for SecurID for Windows under the ISA Server 2004 topics on that page.


June 2, 2005

ISA Server 2000 Error Preventing SP2 Installation

by @ 12:50 pm. Filed under ISA Server, Security/Firewalls

Today I was installing ISA Server SP2 on an ISA Server 2000 computer and ran into this roadblock where it simply wouldn’t install the SP2. Here’s what the computer configuration looked like.

Windows 2000 Advanced Server with SP4

ISA Server 2000 with SP1

No IIS or SMTP service running on the server

When I tried to upgrade SP1 to SP2, it copied a whole bunch of files and then I saw the following error.

I clicked OK to uninstall the partially installed SP2 and then started trying different techniques. At one point, when I installed SP2 and received the exact same error, I carefully clicked OK, because clicking Cancel would have left it in a state of confusion. Unfortunately, even after clicking OK it came up with the error that ISA Server is now in a partially updated state and may not work correctly.

I tried to remove SP2 using Add/Remove Programs, but it said I had already installed a later hotfix so I couldn’t uninstall SP2. Basically I was stuck. Some of Microsoft’s KB articles indicated that the file FLTRSNK1.DLL seems to be tied to inetinfo.exe, so I decided to install IIS and the SMTP service and then tried to reinstall SP2. At that point all 5 ISA-related services and RRAS were stopped. That did the trick: SP2 finally installed successfully. After rebooting the computer, I removed IIS and SMTP because this server didn’t need those services. Everything seems to be working fine at this point.
