Alexander’s Blog

I am working on securing the entire network for one of my clients. I ran into this article on TechNet that targets the specific area of extranet and how you can best secure it. The article is full of valuable information for securing your extranet environment and is called Plan security hardening for extranet environments.

Part of the article discusses this extranet hardening tool that’s offered by Microsoft. It’s called Extranet hardening planning tool: back-to-back perimeter (http://go.microsoft.com/fwlink/?LinkId=85533&clcid=0×409).

The tool will help you figure out which ports are required for our ISA Server, routers and firewalls. This tool is a Microsoft Office Visio file that you can edit to customize for your own environment. For example, here are some things that you can do with this tool:

• Add your custom port numbers, where applicable.
• Where a choice of protocols or ports is provided, indicate which ports you will use.
• Indicate the specific ports that are used for database communication in your environment.
• Add or remove requirements for ports based on:
  1. Whether you are configuring e-mail integration.
  2. Which layer you deploy the query role to.
  3. If you are configuring a domain trust relationship between the perimeter domain and the corporate domain.

If you are trying to get your external NIC on the ISA Server obtain an IP address from a DHCP server and can’t, check out this KB article 841141 from Microsoft. This solution applies to both ISA Server 2004/2006.

The external network adapter on your ISA Server 2006 or ISA Server 2004 computer cannot obtain an IP address from a DHCP server

SYMPTOMS
When you try to configure the external network adapter on your Microsoft Internet Security and Acceleration (ISA) Server 2006 computer or on your ISA Server 2004 computer to obtain its Internet Protocol (IP) address from a Dynamic Host Configuration Protocol (DHCP) server, the external network adapter does not receive a valid IP address.

CAUSE
This behavior occurs because the default ISA Server system policy does not permit DHCP replies from external DHCP servers to the ISA Server computer.

RESOLUTION
To resolve this behavior, follow these steps:
1.    Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2.    In the console tree, click Firewall Policy.
3.    In the right pane, click the Tasks tab, and then click Show System Policy Rules.
4.    Click Allow DHCP replies from DHCP servers to ISA Server.
5.    In the details pane, click Edit System Policy.
6.    Click the From tab.
7.    Click Add.
8.    If you know the IP address of the external DHCP server, follow these steps:
a.     In the New list, click Computer.
b.     In the New Computer Rule Element dialog box, type a name for the DHCP computer rule element in the Name box, type the IP address of the DHCP server in the Computer IP Address box, and then click OK.
c.     Expand Computers, click the DHCP computer rule element that you just created, click Add, and then click Close.
To add the external network instead of the specific DHCP server, expand Networks, click External, click Add, and then click Close.

Note Microsoft recommends that you add the specific DHCP server instead of the external network to make the ISA Server computer less susceptible to external attacks.
9.    Click OK, and then click Apply to save the changes and update the configuration.
Note This procedure is for renewals only. If you do not have an IP address, you may want to allow DHCP traffic from any network until an address is leased. If you do not already have a lease, the “specific DHCP server” setting in step 8 will not work because Windows will be forced into DHCP Discover mode. This mode is strictly for broadcast traffic.

If you haven’t used ISA Server 2006 Capacity Planner you might want to check it out. It’s an online tool that lets you plan secure publishing, branch office gateway, and Web access protection.The tool recommends how many CPUs, amount of disk space and amount of memory that will be suitable for you based on the questions that you answer. While you can argue that the tool is not really exact science but it is a great place to start if you are trying to figure out what kind of hardware you will need to configure and ISA Server in your environment.

You can check out ISA Server Capacity Planner here.

Check out these MSDN Virtual Labs and TechNet Virtual Labs if you haven’t already. These are a series of guided, hands-on labs which can be completed in 90 minutes or less. The best part is these labs don’t require any installation and are available to you immediately for FREE. Here are the topics that are currently available to you.

MSDN Virtual Labs

ASP.NET 2.0
ASP.NET
BizTalk Server
Commerce Server
Fritz Onion’s Intro to ASP.NET
Internet Information Services (IIS)
JPlusN (J+N)
Microsoft Expression
.NET Framework 3.0
Soup to Nuts
Visual Studio
Visual Studio 2008
Visual Studio Team System
Visual C#
Visual J#
Visual Basic
Visual C++
Connected Systems
Data Access and Storage
Office
Security
Smart Client
SQL Server 2005
SQL Server 2005 Upgrade
Visual SourceSafe
Web Services
Windows Embedded CE 6.0
Windows Live
Windows Mobile
Windows Vista
Windows XP Embedded
TechNet Virtual Labs

TechNet Virtual Labs

Antigen
BizTalk Server
Configuration Manager
Enterprise Search
Exchange Server
Forefront Security
Groove Server
Identity Integration Server (MIIS)
Internet Information Services (IIS)
Internet Security and Acceleration (ISA) Server
Office Communications Server
Office System
Operations Manager
SQL Server 2005
SQL Server 2000
SharePoint Server
Systems Management Server (SMS)
Windows Mobile
Windows Rights Management Services (RMS)
Windows Server 2003 R2
Windows Server 2008
Windows SharePoint Services
Windows Small Business Server
Windows Vista

With the release of ISA Server 2004 Service Pack 2 (SP2), Microsoft extends branch office interoperability with several new features that can help companies quickly, efficiently, and securely integrate branch offices into an organization’s computing ecosystem.

ISA Server 2004 SP2 also includes a number of additional updates and changes to elivate the performance and usability of ISA Server 2004. The following are technical changes included in ISA Server 2004 SP2:

1. Support for Microsoft Windows Server 2003 R2 and other R2-related releases (for example, Microsoft SQL Server 2005)

2. Improvements in the Cache Array Routing Protocol mechanism

3. New certificate alerts

4. Service Quality Monitoring (SQM) support (also known as Opt-in Customer Experience Improvement Program)

5. All accumulated Hotfixes through 11/1/2005