Welcome to ISAserver.org

QSS Installation?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 General ] >> General >> QSS Installation?

Page: [1]

Message

<< Older Topic Newer Topic >>

QSS Installation? - 20.Feb.2006 10:39:19 PM

bjblackmore

Posts: 103
Joined: 9.Aug.2005
Status: offline

Hi,

I'm going through the documentation for the installation of QSS, and it says I have to install the 'Microsoft FTP Service'. Is this the same FTP service that gets installed with the IIS service? If so, is it safe to run IIS on a front facing ISA server? Won't this open up a security hole?

Any advice greatly appreciated.

Cheers

Ben

Post #: 1

Featured Links*

RE: QSS Installation? - 22.Feb.2006 2:34:13 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Ben,

Excellent questions. I'm fowarding this thread to the author of QSS.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bjblackmore)

Post #: 2

RE: QSS Installation? - 22.Feb.2006 11:00:13 AM

fesnouf@hotmail.com

Posts: 64
Joined: 14.Jan.2002
From: Paris
Status: offline

Ben, Thomas,

You are right Thomas, Excellent question.

When I have created QSS 3 years ago, I needed a way to exchange data between the Security Client component (installed on the workstation) and the Approval Server (on the ISA 2004 itself). The reason is that the client will make a technical �picture� of the machine and send it to the server part, which will decide it is compliant. All the �intelligence� is on the server side which is totally different if you compare QSS with RQC/RQS.

I have decided to use FTP for the following reasons :

�           I did not want to create my own �multithreaded� component (I have some customers that provides hundreds of simultaneous VPN tunnels),
�           ISA 2004 by default has a FTP application filter,
�           Only people from the VPN networks can FTP the ISA 2004 machine (nobody else !),
�           Creating your own component or protocol implies that you must prove that you are not another source of attack : this is in general a lot of discussion for nothing
�           You only need to run the FTP service on ISA, not the other ones (especially WEB)
�           If this service has a bug somewhere and is a source of attack, I assume that Microsoft will have a strong process to provide a patch, and that it will be deployed pretty quick. Since the only way for a user to talk to isa smtp service is to upload a file, the risk is extremely low (compared with the risk of an application running on IIS/WEB service).

I don�t plan to change that system in the next release of QSS , except if you give me good feedback on this ;-)

For your info, the next release of QSS will support all Microsoft new things : Vista, antispyware, ISA 2006� if you have any special request, just let me know (Thomas you can broadcast this info ;-). This will help me to make a product that is compatible with all kind of scenarios.

Keep in mind that RQC/RQS will not be enhanced (my opinion), that NAP will not arrive before 2 years � so QSS is still a good product for the community.

Feel free to contact me.

Regards

Frederic ESNOUF
ISA MVP

(in reply to tshinder)

Post #: 3

RE: QSS Installation? - 22.Feb.2006 11:29:37 AM

bjblackmore

Posts: 103
Joined: 9.Aug.2005
Status: offline

Hi Frederic,

Thanks for the reply, and answering the question.

Just wondering, did you receive my email yesterday? I am quite eager to get QSS working in our organisation. I just need to run those other questions past you, before I can recommend it to our MD.

Many thanks

Ben
MCSA

(in reply to fesnouf@hotmail.com)

Post #: 4