
Unlock the mystery of the “Result Code” and “Error Information” columns on the ISA Server 2004 logging page:

When troubleshooting ISA Server 2004, one of the first places you will go is the Logging page, to see what is happening with your traffic.

 

To see more about ISA's behavior, add the following two columns to the Logging page:

  • Result Code
  • Error Information

For information on the Result Code column, see Error Codes on the MSDN Web site.

 

For more information on the Error Information column, search product help for “Error information log values”.

 

Gershon Levitz

ISA Server Product Team

posted by isablog | 2 Comments

Planning an Enterprise Deployment

Before you deploy ISA Server 2004 Enterprise Edition, you have to consider where you are going to locate the Configuration Storage servers, which store the configuration for all of the ISA Server arrays in the enterprise. Some of the aspects you should consider are:

  • The number of Configuration Storage servers that you want to install for failover/redundancy.
  • The amount of bandwidth available for synchronization of the servers.
  • Hardware availability - we recommend that the Configuration Storage server be behind the ISA Server firewall, not on the same computer. Additional Configuration Storage servers therefore require additional hardware.

More detailed information on these considerations, and other important information on enterprise deployment planning, is available in the document Deployment Guidelines for ISA Server 2004 Enterprise Edition.

 

Nathan Bigman

ISA Server User Education Lead

 

posted by isablog | 0 Comments

Why doesn't ISA support defining multiple server certificates on a single IP

Many customers have asked why ISA does not support defining multiple server certificates for a single IP address. Such a feature would be useful when publishing several sites over SSL through the same public IP, where each published site uses a different external name (for example, mail.contoso.com, docs.contoso.com, ...) and all of those public names resolve to one public IP.

If the listener on ISA uses a server certificate issued for the name of one site (for example, mail.contoso.com), clients that access docs.contoso.com get a certificate error prompt from the browser. The common way to avoid this prompt is to use a wildcard certificate (for the name "*.contoso.com").

The reason ISA does not provide such a feature is an inherent limitation of the SSL protocol:

When the client sends the CLIENT HELLO message, the server is expected to reply with its server certificate. However, the CLIENT HELLO carries no indication of the server name the client is interested in; that indication appears only in the Host header of the HTTP request, which is sent only after the SSL handshake has completed. The server therefore has no choice but to return a single server certificate per (IP, port) pair (that is, per listener), because that pair is the only thing it "knows" before receiving the HTTP request.

Future versions of the SSL protocol may address this. If they do, ISA will probably leverage that support to allow multiple server certificates on a single IP. (The Server Name Indication extension defined for TLS in RFC 3546 adds exactly such a name hint to the CLIENT HELLO; the limitation described here still applies to any client that does not send it.)

 

Note on ISA 2006:

The "multiple certificates per listener" feature in ISA 2006 is intended to complete the ISA 2006 SSO (Single Sign On) experience. ISA 2006 provides SSO when the administrator uses a single listener. For example, the administrator can configure two publishing rules, for site1.contoso.com and site2.contoso.com, assigned to the same Web listener (with SSO domain contoso.com), so that the user is required to authenticate only once.


However, because users will most likely use SSL, the administrator must be able to return two different server certificates from the same listener. The administrator will still need at least two IP addresses on that listener, because of the issue described earlier in this entry.

 

 

Zvi Avidor, ISA Server Product Team.

 

posted by isablog | 3 Comments

ITunes and ISA Server 2004 Service Pack 2


There have been lots of questions from customers on how to make ITunes work after applying ISA Server Service Pack 2.

First of all, some background on what's happening. A server might return a compressed response (with a "Content-Encoding: gzip" HTTP header) even though ISA Server did not request compressed data. For security reasons, if the ISA Server compression settings for that site are not enabled to Request compressed HTTP content from servers, ISA Server denies the unsolicited compressed response.

This is what’s happening with ITunes.

The good news: the music can go on…You can configure ISA Server so that ITunes will work. Here’s how:

  1. On the General node, click Define HTTP Compression Preferences.
  2. On the Settings tab, add a computer set that includes the IP address of the site to the list.
  3. Select the site and click Set Compression.
  4. Enable Request compressed HTTP content from servers.

Let the music play!

Adina Hagege

ISA Server Product Team

posted by isablog | 6 Comments

ISA Server 2004 Best Practices Analyzer Tool V2

Two weeks ago, we released a new version (V2) of the ISA Server 2004 Best Practices Analyzer Tool, commonly known as the IsaBPA.

What has changed in the new version?

 

  • We added new checks to the IsaBPA. Now we have about 150 rules! We focused especially on authentication and Outlook Web Access checks. We also added SP2 checks, Configuration Storage server (CSS) checks, connection limit checks, and more. Below is a full list of the checks that were added.
  • View more settings. The Detailed View Pane contains almost all of the ISA Server settings that can be viewed in the ISA Server 2004 UI. For instance: all policy rules, network rules, networks, alerts, and the list goes on and on… We now display more than 500 settings!
  • Pack ISA Diagnostics Tool was added. This tool packs the ISAInfo Report, the IsaBPA Report, and possibly the ISA Server traces into a single cabinet file and places it on the desktop, ready for easy transfer to the ISA Server Support Team in case there is a problem. You can run it from the program menu.
  • Bug fixes.  We fixed bugs that were found in the last version.

 

 

Check | Error level
ISA Server configuration is being updated from the Configuration Storage server. | Warning
The ISA Server configuration is not up-to-date. | Warning
ISA Server cannot connect to the specified Configuration Storage server. | Error
The port specified for HTTP redirection is not 80. | Warning
The port specified for HTTP redirection in an Outlook Web Access publishing rule is not 80. | Warning
The port specified for HTTPS redirection is not 443. | Warning
The port specified for HTTPS redirection in an Outlook Web Access publishing rule is not 443. | Warning
The port specified for FTP redirection is not 21. | Warning
ISA Server does not delegate Basic credentials. | Warning
Configured authentication method is never required. | None
A Web listener is not listening on the default HTTPS port. | Warning
A Web listener is not listening on the default HTTPS port in an Outlook Web Access publishing rule. | Warning
An Outlook Web Access publishing rule is listening on an HTTP port. | BestPractice
A Web listener is not listening on the default HTTP port. | Warning
The rule uses Basic authentication, but the Web server requires NTLM authentication. | Error
The rule uses Basic authentication, but the Web server requires Digest authentication. | Error
The rule uses Basic authentication, but the Web server requires forms-based authentication. | Warning
A Web publishing rule is listening on the External network in a single network adapter scenario. | Error
Forms-based authentication is configured on both the rule and on the Web server. | Error
The rule uses forms-based authentication, but the Web server requires NTLM authentication. | Error
The rule uses forms-based authentication, but the Web server requires Digest authentication. | Error
The rule uses NTLM authentication, but the Web server requires Basic authentication. | Warning
The rule uses NTLM authentication, but the Web server requires forms-based authentication. | Warning
RADIUS authentication is configured, although no RADIUS servers are specified. | Warning
RADIUS authentication is configured, although the RADIUS filter is disabled. | Error
The RADIUS server cannot be accessed. | Warning
The connection limit is below the default after upgrade from ISA Server 2000. | Warning
ISA Server 2004 Service Pack 2 (SP2) is not installed. | Warning
The connection limit is below the default. | Warning
BITS caching is used in a cache rule other than the Microsoft Update Cache Rule. | Error

 

Getting the new IsaBPA

The IsaBPA is available for download for free and can be found at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

You can also update your old IsaBPA by clicking on the “Update the ISA Server Best Practices Analyzer” link from the IsaBPA itself.

Idan Plonsky, ISA Server Team

 

posted by isablog | 1 Comments

Installing SP2 on ISA 2004 Enterprise Edition in Mixed environment (Workgroup/Domain)

If you install ISA 2004 SP2 in a mixed environment, where the ISA Server services run in a workgroup and the ADAM (Configuration Storage server) computer is in a domain, you may get this installation failure:

 

Error 1603: Setup failed while registering new events and alerts. Refer to the KB article of this update for support

  

To resolve this, use the following workaround:

1. Say the ISA Server computer is logged on as ISA\MyAdmin.

2. On the ADAM computer, create a local user MyAdmin with the same password as ISA\MyAdmin, and add it to the local Administrators group.

3. Add ADAM\MyAdmin to the ISA enterprise administrators group. On the ADAM computer:

   a. Start --> Programs --> ADAM --> ADSI Edit

   b. Connect to port 2171, DN: CN=fpcconfiguration

   c. Expand fpcconfiguration, cn=Roles

   d. Right-click CN=Administrators --> Properties --> double-click "member"

   e. Change the "Locations" to point to the local machine

   f. Add your local user (MyAdmin)

4. Run SP2 setup on the ISA Server computer, logged on as ISA\MyAdmin.

5. Remove the account you created in step 2, and take it out of the Administrators role you edited in step 3, so that the mirrored credentials do not outlive the upgrade.

 

posted by isablog | 0 Comments

Stop Microsoft Operations Manager (MOM) agent before installing ISA Server hotfixes or service packs

With the recent release of ISA Server 2004 SP2 and ISA Server 2006 Beta, I thought it would be good time to reiterate the following.

 

Monitoring applications, such as MOM agent, use the ISA Server files and may interfere with the ISA Server setup and removal procedures. To avoid issues, stop the MOM agent before performing any of the following actions.

 

  1. Install ISA Server hotfix
  2. Install ISA Server service pack
  3. Repair or modify the ISA Server installation
  4. Uninstall ISA Server
  5. Upgrade ISA Server

Hope this helps

 

Gershon Levitz, ISA Team

 

Learn more at the ISA Server Guidance Center

Download the new ISA Server Best Practices Analyzer (BPA) Tool, at the Microsoft Download Center web site.

 

 

posted by isablog | 0 Comments

Configuring direct access in SP2

ISA Server 2004 SP2 makes some changes to the way that destinations specified for direct access are handled.

The piece of UI in question is the direct access list in the Web Browser tab of the network properties. Under the heading Directly access these servers or domains.

Prior to SP2, if a requested destination name was in the list, it was accessed directly. With SP2 - a requested name in the list is accessed directly, unless IP addresses are included in the list. In that case, an attempt is made to resolve the site name to an IP address. Access is direct only if the resolved IP address is found in the list.

The bottom line recommendation is to add entries to the list as follows:

  • Either specify both the IP address and the FQDN of the destination, or the FQDN only. If there are only FQDNs on the list, behavior remains as it was prior to SP2.
  • If you add any IP address to the list, add all the IP address ranges that you want the client computer to access directly. Otherwise, destinations whose addresses are not in the list are routed through ISA Server, even if their names are listed.
  • If any IP addresses are added to the list, the address range 127.0.0.0-127.255.255.255 (127/8) is automatically added to the list as well.
  • If no IP addresses are in the list and you want to prevent requests to 127.0.0.1 from being routed through ISA Server, add 127.0.0.1 to the list as an FQDN (that is, as a name entry), so that the list stays in name-only mode.
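The decision logic above, as an added example (not ISA Server or Firewall Client code) that a practitioner can run against their own list before rolling it out. It models both the pre-SP2 rule and the SP2 rule, with one reading made explicit: once any address entry is present, every request is decided by where the name resolves, which is why the post says to list every range you want reached directly. The entries, the resolver table and the host names are constructed for the example; entries are tagged "name" or "ip" so that a 127.0.0.1 added as an FQDN can be told apart from one added as an address.

```python
"""Added example: the direct-access decision for the 'Directly access these
servers or domains' list, before and after SP2. Entries, resolver table and
hosts are constructed here; this is not ISA Server or Firewall Client code."""
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

Entry = Tuple[str, str]   # ("name", "intranet.contoso.com") or ("ip", "10.0.0.0/24")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_entries(entries: Iterable[Entry]) -> Tuple[List[str], list]:
    """Split entries into name entries and address networks.

    An "ip" entry may be a single address, a CIDR block or a first-last range.
    As soon as any address entry exists, 127/8 joins the list, which is the
    SP2 behaviour the post describes."""
    names, nets = [], []
    for kind, value in entries:
        value = value.strip()
        if kind == "name":
            names.append(value.lower().rstrip("."))
        elif "-" in value:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in value.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(value, strict=False))
    if nets and LOOPBACK not in nets:
        nets.append(LOOPBACK)
    return names, nets


def name_listed(host: str, names: List[str]) -> bool:
    """Exact match, or suffix match for *.example entries (the domain form)."""
    host = host.lower().rstrip(".")
    return any(host == n or (n.startswith("*.") and host.endswith(n[1:])) for n in names)


def goes_direct(host: str, entries: Iterable[Entry],
                resolve: Callable[[str], Optional[str]], sp2: bool = True) -> bool:
    """True if the client bypasses ISA Server for this host.

    Pre-SP2, and SP2 with a name-only list: a listed name is direct and nothing
    is resolved. SP2 with any address entry: the host is resolved and is direct
    only if the resulting address falls inside a listed range."""
    names, nets = parse_entries(entries)
    if not sp2 or not nets:
        return name_listed(host, names)
    try:
        addr = ipaddress.ip_address(host)       # the URL used a literal address
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            return False                        # unresolvable: send it to the proxy
        addr = ipaddress.ip_address(resolved)
    return any(addr in net for net in nets)


# Constructed resolver table standing in for the client's DNS.
DNS = {
    "intranet.contoso.com": "10.0.0.5",
    "legacy.contoso.com": "192.0.2.10",   # sits outside every listed range
}
lookup = DNS.get
```

The case to watch is legacy.contoso.com: listed by name, it went direct before SP2, but after SP2 with a 10.0.0.0/24 entry on the list it is routed through ISA Server because it resolves outside that range. Since these entries are bypass rules, keep the ranges as narrow as the post's advice allows.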
posted by isablog | 2 Comments

Application Signatures for HTTP Filtering

You allow your internal clients to access the Internet, but want to limit their use of some applications. You can block their use of applications that run over HTTP by using the HTTP filtering capability of ISA Server 2004. But to block the application, you need the application signature. Here's how you find the signature:

Use a network traffic capturing utility, such as Network Monitor (known affectionately in some circles as NetMon). Install the utility on ISA Server. Best to do this sort of thing in a lab, unless you're completely comfortable about the security effects of the utility you use. Configure the utility to capture packets from a specific client.

On that client, access the application you're interested in. In the monitoring utility, find the HTTP request packet from the client (usually follows handshake packets) and look for a signature in the packet. A little finesse is needed, because you want to pick a signature that is general enough to always block the application, but not so specific that it blocks everything. For example, the signature "a" is a little too generic.

Once you've located a signature, you can add it to the Signatures tab of the HTTP policy for the access rule, and test it in production.
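The "finesse" step is the one worth automating: check a candidate signature against both the application's requests and ordinary traffic before it goes into the policy. Here is an added example (not ISA Server code, and not from the post's author) that does that over captured HTTP request headers. The four requests are constructed for the example, "ExampleApp" is a made-up application, and the matching is modelled as a plain substring test on one request header, which is an assumption about how the Signatures tab evaluates a signature.

```python
"""Added example: choosing an HTTP-filter signature from captured requests.
The requests are constructed; ExampleApp is fictitious; substring matching on
a single header is assumed to be how the filter evaluates a signature."""
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Requests from the application you want to block (constructed)...
APP_REQUESTS = [
    b"GET /update/check HTTP/1.1\r\nHost: updates.example-app.invalid\r\n"
    b"User-Agent: ExampleApp/4.2 (Windows NT 5.1)\r\n\r\n",
    b"POST /telemetry HTTP/1.1\r\nHost: stats.example-app.invalid\r\n"
    b"User-Agent: ExampleApp/4.3 (Windows NT 5.2)\r\nContent-Length: 0\r\n\r\n",
]
# ...and ordinary browser traffic that must keep working (constructed).
OTHER_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.contoso.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    b"GET /docs/ HTTP/1.1\r\nHost: docs.contoso.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) Firefox/1.5\r\n\r\n",
]


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return the request line and a lower-cased header-name -> value map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def header_matches(raw: bytes, header: str, signature: str) -> bool:
    """Model of the filter: is the signature a substring of that header's value?"""
    return signature in parse_request(raw)[1].get(header.lower(), "")


def candidates(raw: bytes, header: str) -> Set[str]:
    """Whitespace tokens of the header value, plus each token's product name
    without its version (ExampleApp/4.2 -> ExampleApp)."""
    value = parse_request(raw)[1].get(header.lower(), "")
    out: Set[str] = set()
    for token in value.split():
        out.add(token)
        out.add(token.split("/", 1)[0])
    out.discard("")
    return out


def choose_signature(app: Sequence[bytes], others: Sequence[bytes],
                     header: str = "User-Agent") -> Optional[str]:
    """Shortest token present in every application request and in none of the
    other traffic. None means no single token separates the two: capture more
    traffic or pick another header rather than shipping a broad match."""
    common: Set[str] = set.intersection(*(candidates(r, header) for r in app))
    usable = [c for c in common
              if all(header_matches(r, header, c) for r in app)
              and not any(header_matches(r, header, c) for r in others)]
    return min(usable, key=len) if usable else None


def rejected_candidates(app: Sequence[bytes], others: Sequence[bytes],
                        header: str = "User-Agent") -> List[str]:
    """Tokens shared by the application's requests that would also hit other
    traffic: the 'too generic' signatures the post warns about."""
    common = set.intersection(*(candidates(r, header) for r in app))
    return sorted(c for c in common if any(header_matches(r, header, c) for r in others))
```

On the constructed captures the shared tokens are "ExampleApp", "(Windows" and "NT"; the last two also appear in browser User-Agent strings and are rejected, leaving "ExampleApp" as the signature for the User-Agent header. Because the match is a substring, adding one more legitimate client whose User-Agent contains "ExampleApp" makes choose_signature return None, which is the signal to capture more and look at another header instead of accepting collateral blocking.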

You can read more about this in the document "HTTP Filtering in ISA Server 2004", at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx.

Nathan Bigman, ISA Server Product Team

 

 

posted by isablog | 0 Comments

Someone Else's Thoughts on ISA Server in SBS

Nothing new to add to this thoughtful post on ISA 2004, Internal Servers and Subnets. Definitely a worthwhile read for those of you using SBS, but also worthwhile for anyone doing remote management.
posted by isablog | 0 Comments

CEIP, SQM - the sticky yellow banner in the ISA UI

Ever wondered what CEIP stands for?

How about SQM?

Have you seen the yellow sticky banner on top of the ISA UI that just doesn't go away and wondered what it's all about?

 Well, here are all the answers... read on.

CEIP stands for Customer Experience Improvement Program and it’s the ‘official’ name for SQM which stands for Service Quality Measurement. This is a relatively new technology used in more and more MS products to improve connection with customers and help the product teams learn about how the product is really doing in real life (after leaving the factory grounds).

In ISA, we decided to adopt this technology and we just introduced it in ISA2004 SP2 and in ISA2006 Beta. When you install those, you can see on top of the UI a yellow banner with a link in it saying something like ‘click here to learn about the Customer Experience Improvement Program’. If you click it, you can choose to participate (and you should!) or not to (bad choice). There’s also a link pointing to our ‘official’ word on SQM – it’s here: http://www.microsoft.com/isaserver/help.mspx (try it some time).

If you choose to participate in the program, we start collecting information about your ISA server/servers and send this info to MS. This is very similar to when you see an app crashing and you get this Watson pop up saying ‘click here to send the error report to MS’. The main difference is that in SQM we don’t collect info only when things go bad, we collect info about typical real-life scenarios and use it to optimize the product to the way users really use it.

Let me give you an example:

Take Cache for instance. Cache is a feature we introduced many years ago in ISA and we’re developing it (see the cool feature called BITS for instance) and testing it to make sure it’s reliable etc. etc.

Now if we wanted to know what’s the typical size of cache users usually have we’d be in a tough spot till today. We could conduct a survey but we’d probably get no more than 20-30 customers to answer us. Then we’d deduce the cache size based on this survey and invest work in optimizing the cache to work at its best at this specific size.

Now think SQM! With SQM we get cache sizes from thousands of ISA servers on a daily basis. We shipped ISA2004 SP2 a few days ago and we have cache sizes reported to us from more than 1500 ISA servers worldwide. This is amazing!

So we know that looking at 1500 real ISA servers, the typical cache size is between 2-5GB of disk. This is not guessing, this is not survey. These are hard facts. We can now tune the performance of the cache to work at its best at those sizes.

Talk about improving the customer experience.

Want more? Look for my next post on SQM.

 

 

posted by isablog | 0 Comments

A Plethora of Applications

A few words about allowing access via ISA Server to a whole plethora of applications.

 

The nice thing about ISA Server is that, when you first install, you can rest assured that only traffic specifically allowed by the system policy is actually going to pass through to your corporate network.

 

On the other hand, this implies that you’re going to have to do some configuration work if you want to actually allow additional access. For standard applications--say Web browsers--where you only want to allow access to HTTP, this is fairly straightforward. But when you want to allow access to more complex applications, you may find yourself in that oh-so-tempting predicament: maybe I should just open up all those darn ports in order to finally allow this access?

 

That, however, is definitely NOT what you want to do. I hope that this post will help you realize how you should actually approach this conundrum...

 

Let’s consider the following example: some application that runs over HTTPS, using some unidentified (by you, as of yet) protocols.

Here’s what you should do to allow that access:

  1. Have a client try to access that application.
  2. Check the ISA Server logs to determine which traffic is being denied. Specifically, identify the protocol that was denied.
  3. Create a new protocol, carefully specifying the primary and secondary connections required for that application (as you identified in step 2).
  4. Create an access rule, allowing use of that new protocol for any clients in your network that require access.
  5. Deploy Firewall Client software on the clients requiring access; otherwise, secondary connections will not work.
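Steps 2 and 3 are where most of the work is: reading the denied entries out of the log and turning them into a protocol definition that is no wider than what the application actually used. The following added example (not ISA Server code, and not from the post's author) does that over a constructed, simplified log excerpt. The tab-separated layout here is invented for the example and is not the ISA Server log format, and the direction labels (TCP Outbound, UDP Send Receive) are assumed to match the protocol editor's wording and should be checked in the UI.

```python
"""Added example: derive a draft protocol definition from denied connections.
SAMPLE_LOG is a constructed, simplified excerpt (time, client IP, destination
IP, transport, destination port, action, rule), not the ISA Server log format.
Direction labels are assumed to follow the protocol editor's wording."""
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2006-01-10 09:12:03\t10.0.0.15\t203.0.113.20\tTCP\t443\tInitiated Connection\tAllow HTTPS
2006-01-10 09:12:04\t10.0.0.15\t203.0.113.20\tTCP\t5004\tDenied Connection\tDefault rule
2006-01-10 09:12:04\t10.0.0.15\t203.0.113.20\tUDP\t5005\tDenied Connection\tDefault rule
2006-01-10 09:12:05\t10.0.0.15\t203.0.113.20\tUDP\t5006\tDenied Connection\tDefault rule
2006-01-10 09:12:05\t10.0.0.15\t203.0.113.20\tUDP\t5007\tDenied Connection\tDefault rule
2006-01-10 09:12:09\t10.0.0.15\t203.0.113.20\tTCP\t5004\tDenied Connection\tDefault rule
2006-01-10 09:13:10\t10.0.0.22\t198.51.100.7\tTCP\t6667\tDenied Connection\tDefault rule
"""

DIRECTION = {"TCP": "Outbound", "UDP": "Send Receive"}   # assumed editor wording


def denied_by_client(log: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Map client IP -> first-seen ordered list of (dest IP, transport, port) denied."""
    out: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        _, client, dest, transport, port, action, _ = line.split("\t")
        if action == "Denied Connection":
            entry = (dest, transport, int(port))
            if entry not in out[client]:        # keep order, drop retries
                out[client].append(entry)
    return dict(out)


def collapse_ranges(ports: List[int]) -> List[Tuple[int, int]]:
    """Turn [5005, 5006, 5007] into [(5005, 5007)]; the editor takes port ranges."""
    ranges: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def derive_protocol(log: str, client: str, dest: str, name: str) -> dict:
    """Build a protocol definition from what one client was denied to one host.

    The first denied connection is taken as the primary connection and the rest
    become secondary connections. The log shows what was attempted, not what is
    required, so confirm the result against the application's documentation
    before creating the access rule."""
    denied = [(t, p) for d, t, p in denied_by_client(log).get(client, []) if d == dest]
    if not denied:
        raise ValueError(f"no denied connections from {client} to {dest}")
    primary_transport, primary_port = denied[0]
    secondary: Dict[str, List[int]] = defaultdict(list)
    for t, p in denied[1:]:
        secondary[t].append(p)
    return {
        "name": name,
        "primary": [(primary_transport, DIRECTION[primary_transport],
                     (primary_port, primary_port))],
        "secondary": [(t, DIRECTION[t], r)
                      for t, ps in secondary.items() for r in collapse_ranges(ps)],
        # Secondary connections only work with the Firewall Client (step 5).
        "firewall_client_required": bool(secondary),
    }
```

Run against the excerpt, the draft for client 10.0.0.15 is a primary TCP 5004 outbound connection with one UDP 5005-5007 secondary range, and the firewall_client_required flag reminds you of step 5. Anything the tool proposes that the vendor's documentation does not list is a candidate to leave out, not to open.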
posted by isablog | 1 Comments

ISA Server Service Pack 2: My Favorite Features

You’ve all no doubt already seen the official announcements about the recent release of ISA Server Service Pack 2. So I won’t use this blog as a platform to tout the official stance. Instead, I’m going to give my personal two cents on this release.

 

This release is exciting for me! I’ve been working with customers for several years now, listening to how they use ISA Server’s great features to provide secure access across networks. I’ve also heard a lot of (often legitimate) pain points from the customers. I’ve heard requests for missing features. I’ve heard requests for more self-help.

 

What’s nice about the recent SP2 release is that it really addresses both the request for specific new features--requests that we heard directly from customers--and the necessary hot fixes that are always included in any service pack.

 

You’ll be reading a lot about how SP2 helps improve the branch office solution introduced in ISA Server 2004. The new features--HTTP compression, BITS caching, and traffic prioritization--all help improve branch office interoperability. You can read more about these features here.

 

One nice new feature is the certificate alerting system that we added. These new alerts should help you better troubleshoot issues that you might experience when invalid certificates are used, or when certificates expire. This feature impacts so many areas of the ISA Server products--in fact, everywhere that a certificate might be used. This could be in Web publishing scenarios. This could be in Configuration Storage server connections.

 

My favorite new feature in Service Pack 2 is the Customer Experience Improvement Program. I’m looking forward to learning more about how you experience the product, and to using this feedback to help us shape future improvements. You can read more about this program here.

 

So, go install ISA Server Service Pack 2--for Enterprise Edition or for Standard Edition.

 

Billy Ostrow

ISA Server Product Team

posted by isablog | 0 Comments

ISA Server Content Newsletter - January 2006


This newsletter is the first in a new series highlighting Microsoft® Internet Security and Acceleration (ISA) Server 2004 content. Content is updated on a regular basis with best practices papers, troubleshooting tips and hints, knowledge base articles, and useful tools. Customer feedback is monitored, and documentation is targeted in response to common issues and customer requests. A feedback link is included in each document, to allow you to respond on a document-by-document basis. Thank you for your feedback.

WHAT'S NEW ON ISA SERVER GUIDANCE
ISA Server Guidance provides an authoritative, comprehensive portal to deployment, maintenance, best practices, and troubleshooting information for ISA Server. ISA Server Guidance is located on Microsoft.com. All documents are hosted on the Microsoft Technet Web site.

TROUBLESHOOTING SERIES
The troubleshooting library is designed to document common issues you might encounter when installing, configuring, and maintaining ISA Server 2004. New for this quarter:

·         Troubleshooting Configuration Storage Servers. This paper describes a series of steps for troubleshooting the installation and maintenance of ISA Server 2004 Enterprise Edition Configuration Storage servers.

·         Troubleshooting Networking Configuration. This document describes common issues that may occur when configuring network objects. It includes guidelines for defining network rules to determine how traffic passes between networks, and firewall policy rules to specify how traffic is inspected and filtered.

·         Troubleshooting Unsupported Configurations. This article provides a quick look-up resource for some common unsupported configuration scenarios that customers may encounter.

·         Troubleshooting Logging. This document includes tips and hints for troubleshooting logging issues.

BEST PRACTICES AND RECOMMENDATIONS

Best practices documents include recommendations and guidelines for deploying and configuring ISA Server. New documents include:

PUBLISHING SCENARIOS
Providing external access to Microsoft Office Outlook® Web Access servers is a common ISA Server publishing scenario. New this quarter:

OUTBOUND WEB ACCESS

In some business scenarios, internal clients protected by ISA Server 2004 may require access to secure Internet Web sites. Configuring Internal Client Access to Web Sites over SSL explains how to configure an SSL tunnel between internal clients and an external Web server, or alternatively how to bridge HTTP client requests over HTTPS to an external Web server.

ISA SERVER TOOLS

 There are a number of new and updated ISA Server Tools available.

  • CacheDir Tool. View real-time cache contents, save cache content, and mark items as obsolete in the cache.
  • Firewall Kernel Mode Tool (FwEngMon.exe). Analyze and troubleshoot firewall connectivity issues by monitoring the ISA Server kernel mode driver (Fweng.sys). This new release includes support for ISA Server 2004 Enterprise Edition features, and can display a list of active Network Load Balancing (NLB) hook rules.
  • Remote Access Quarantine Tool. Prepare ISA Server running on Windows Server 2003 as an RQS listener component for VPN quarantine control.
  • Microsoft SQL Server Reporting Services Sample Pack. This sample pack includes a Reporting Services project with predefined Report Definition Language (RDL) files for generating reports from ISA Server logs stored in an SQL database using SQL Server Reporting Services.


MICROSOFT KNOWLEDGE BASE ARTICLES

Recent Microsoft Knowledge Base articles include:

  • POP3 Clients Cannot Connect to an Exchange Server that is Behind an ISA Server Firewall (http://support.microsoft.com/kb/909130/en-us). This article describes an issue that might prevent POP3 clients from communicating with an Exchange server protected by ISA Server 2004. The solution includes modifying a registry setting.
  • You May Experience High Memory Usage on an ISA Server 2004-based Computer that Logs Messages to an MSDE database (http://support.microsoft.com/kb/909636/en-us). This article explains a problem that may occur because of the way in which SQL Server handles physical memory, and describes how to limit the physical memory allocated to SQL Server on the ISA Server computer.
  • DHCP Clients may not Obtain the Configuration Script when you use DHCP Option 252 to Automatically Configure Internet Explorer (http://support.microsoft.com/kb/911072/en-us). This article describes an issue that may occur in specified network topologies when VPN client access is not enabled in ISA Server, and provides a resolution.
  • ISA Server 2004 Firewall Client Program no Longer Works After you Update a Computer to Microsoft Windows Vista Beta 2 (http://support.microsoft.com/kb/911077/en-us). This article describes compatibility issues between the ISA Server 2004 Firewall Client and the Vista Beta. There is no workaround.

 

posted by isablog | 1 Comments

Getting Content About Content

Finding a solution to an ISA Server problem isn't always easy. There's plenty of ISA Server content and information out there that may help, but navigating through it is a challenge. Here are a few tips that may help along the way:
 
Need to get installation or upgrade information?

 

Need to know more about a standard feature or piece of functionality?
  • Use the online help! It provides conceptual overview of all features, and contains procedures for all of the UI.
  • Once you're in the UI, find information for each dialog page by clicking the ? in the corner of the page. The information won't be in-depth, but might be a useful reminder. There are also help links in trickier parts of the UI, pointing you to more information.
  • For tips and hints on configuring features, recommended settings, gotchas etc - try the Best Practice documentation series. These docs aim to highlight configuration pitfalls. There are a number available on subjects such as networks and routing, access rules, NLB etc. Flick through the Guidance Center sections (http://www.microsoft.com/isaserver/techinfo/guidance/2004/default.mspx) to find these.
  • Search through Tom's isaserver.org doc library at http://www.isaserver.org.
Configuring a specific scenario?
Troubleshooting a specific issue?
Not Content?
If you couldn't find content to answer your question, say so! There are feedback links straight to the ISA Server Team in the online help and in most ISA Server docs posted on the Web.
posted by isablog | 1 Comments