Welcome to ISAserver.org


Discussion about article on Dumbing Down the ISA Firewall

Discussion about article on Dumbing Down the ISA Firewall - 13.Feb.2005 6:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on how to dumb down the ISA firewall at http://isaserver.org/articles/2004dumbdownisa.html

Thanks!
Tom

[ February 13, 2005, 06:57 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on Dumbing Down the ISA Fi... - 14.Feb.2005 4:14:00 PM   
tinto

 

Posts: 247
Joined: 9.Sep.2004
From: Italy
Status: offline
great article... when reading about "teddy bear" I was actually Rolling on The Floor Laughing
[Big Grin]

(in reply to tshinder)
Post #: 2
RE: Discussion about article on Dumbing Down the ISA Fi... - 14.Feb.2005 4:17:00 PM   
bsockel

 

Posts: 12
Joined: 25.Jan.2005
From: Texas
Status: offline
Just got through reading the article and I had some questions. We will be using our ISA Server primarily as a web caching server, but I do want to take advantage of things such as the stateful packet inspection. We are running our ISA server behind another firewall. The server has multiple NIC interfaces installed.

My question is: by utilizing the other templates, such as the Edge Firewall network template or the Front or Back Firewall network template, do you lose the functionality that you would have when you use the Single Network template?

(in reply to tshinder)
Post #: 3
RE: Discussion about article on Dumbing Down the ISA Fi... - 14.Feb.2005 5:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Tinto:
great article... when reading about "teddy bear" I was actually Rolling on The Floor Laughing
[Big Grin]

Hi Tinto,

LOL! Yes, esp since my wife took away my teddy bear last year [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 4
RE: Discussion about article on Dumbing Down the ISA Fi... - 14.Feb.2005 5:38:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by B Sockel:
Just got through reading the article and I had some questions. We will be using our ISA Server primarily as a web caching server, but I do want to take advantage of things such as the stateful packet inspection. We are running our ISA server behind another firewall. The server has multiple NIC interfaces installed.

My question is: by utilizing the other templates, such as the Edge Firewall network template or the Front or Back Firewall network template, do you lose the functionality that you would have when you use the Single Network template?

Hi B,

You don't lose the ISA firewall's caching ability at all when you use any of the other templates. Front-end, back-end, edge or 3-leg all enable you to use *all* the features of the ISA firewall, including its full Web proxy *and* Winsock proxy feature sets.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on Dumbing Down the ISA Fi... - 15.Feb.2005 8:05:00 PM   
armani007

 

Posts: 5
Joined: 13.Jan.2004
From: Vancouver, BC
Status: offline
Hi Thomas,

I would love to participate in your forums and will continue to try, but I have to make a suggestion. Your signature is rather large and distracting.
I understand you want to promote your great book, but the two pictures in your signature and your multiple replies to posts and questions mean that most of the page is taken up by your signature.
Anyway, it's your site and I don't mean to tell you how you should conduct yourself, but I kindly request that you look at a way of reducing the size to make the threads more readable and less distracting.
Please don't take this the wrong way ... I really appreciate your effort and time in making such a great resource available to the community. People interested in purchasing an ISA Server book will more than likely purchase your book anyway, since it is the first hit on a search for ISA Server in Amazon and other search engines.

(in reply to tshinder)
Post #: 6
RE: Discussion about article on Dumbing Down the ISA Fi... - 15.Feb.2005 9:10:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Karan,

Good points, I don't entirely disagree with you. How about if I removed the ISAserver.org logo? Would that work?

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about article on Dumbing Down the ISA Fi... - 16.Feb.2005 5:52:00 PM   
armani007

 

Posts: 5
Joined: 13.Jan.2004
From: Vancouver, BC
Status: offline
Any reduction in size is happily accepted [Big Grin]

Thanks!

(in reply to tshinder)
Post #: 8
RE: Discussion about article on Dumbing Down the ISA Fi... - 16.Feb.2005 6:05:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Karan,

Cool. Here's the new sig [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion about article on Dumbing Down the ISA Fi... - 7.Mar.2005 6:55:00 AM   
doppleclutch

 

Posts: 5
Joined: 4.Feb.2005
Status: offline
I hate to play the devil's advocate on this, but:

1. "Dumbing down" ISA is a useful tool for identifying problems. I've seen 3rd-party HTTP controls, not to mention MS's own Windows Update, having "some" issues running through ISA in its default state.

2. I haven't tried it yet with ISA "dumbed down", but I thought MS Messenger had problems when using video/audio chat with ISA in its default state. Most consumer "dumb" firewalls don't.

3. In SBS land, there have been some reports of issues with ISA and LPR print servers from some major manufacturers. This is still under investigation, but ISA2K and/or the Firewall client may be contributing factors in the funky behavior.

In short, longtime users of this site "get" the humorous way the information is presented, but the tone of the presentation can seem arrogant. I'd rather see this information being used as a tool in identifying and resolving problems, i.e. something doesn't work with ISA "set level on kill", so let's find out why by NOT firing the ISA phaser, and slowly raise the phaser settings.

(in reply to tshinder)
Post #: 10
RE: Discussion about article on Dumbing Down the ISA Fi... - 7.Mar.2005 10:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DC,

1. Agree that sometimes you have to dumb down the firewall to figure out what's going on. However, that's for diagnostic reasons only, not as a secure configuration to use in production. The issue with WU and other sites that don't work with authenticating Web proxies is fixed by using Direct Access and the Firewall client.

2. The problem with voice/video isn't a dumbing-down issue, it's a problem with not having a SIP ALG. In that case, ISA just can't do it [Frown]

3. Can't say about SBS, if the ISA firewall is co-lo'ed on the same box. It really wasn't designed as a host-based firewall, it's designed as a network firewall.

The article was written to highlight the ISA firewall as a security device, and how the SPI-only firewalls don't provide the level of security required on networks today. True 'nuf it was written as a humor piece for ISA fans. I would have taken a different approach if I were writing it for Windows IT Pro magazine [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion about article on Dumbing Down the ISA Fi... - 7.Mar.2005 9:45:00 PM   
MorfiusX

 

Posts: 25
Joined: 12.Jan.2005
Status: offline
Tom,

Thanks for the article BTW.

I sent a link to my manager who insisted our PIX 506e was the best thing since sliced bread...

I was having problems with our PIX that was in front of our ISA server. So, I had to convince him that the ISA firewall would be fine as the edge-most firewall. Things work better now that I did it too.

(in reply to tshinder)
Post #: 12
RE: Discussion about article on Dumbing Down the ISA Fi... - 8.Mar.2005 12:40:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Morph,

Great! That's always been my experience too. And you'll be more secure in the process. Best of both worlds!

Thanks!
Tom

(in reply to tshinder)
Post #: 13
RE: Discussion about article on Dumbing Down the ISA Fi... - 28.Jul.2005 4:43:00 AM   
kallu

 

Posts: 1
Joined: 28.Jul.2005
Status: offline
To assess the extent to which my ISA is dumbed down, can I get a report of the current A-Z settings? Can anybody help, please?

(in reply to tshinder)
Post #: 14
RE: Discussion about article on Dumbing Down the ISA Fi... - 28.Jul.2005 8:49:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kallu,

You bet! Go to www.isatools.org and look for the isainfo tool. It will completely document your configuration.

HTH,
Tom

(in reply to tshinder)
Post #: 15
RE: Discussion about article on Dumbing Down the ISA Fi... - 27.Aug.2005 12:24:00 AM   
tarner

 

Posts: 8
Joined: 26.Aug.2005
From: MD/DC
Status: offline
I have been trying to implement a single-homed ISA on a DMZ attached to a hardware-based FW. The goal is to proxy OWA SSL requests to an internal OWA machine with a port 80 redirect to SSL on ISA.
All servers are 2003, and ISA 2004 is on the ISA PC.
The tricky part is that RSA WebID agent 5.3 is running on the OWA machine, configured with SSO.
RSA says that if a web filter is not applied, the proxy should just forward the request. The requirement is just to forward, plain and simple, and not filter.
The first afternoon we had no luck. We added hosts file entries matching the CA FQDN. We were getting forbidden messages at best. We're close!
Design -
Internet -> FW/NAT -> DMZ (one nic)
DMZ -> FW/Route -> LAN (LAT)
You can pick the addresses, all rfc1918 type except Internet

Questions:

Does dumbing down ISA apply in this situation?
On one NIC, how do we open the settings to get this to work?
What is the LAT in this situation?
What is the External and Internal logic?
The caching service is not coming online for some reason also.
Do we use SSL bridging? Yes SSL to SSL
Do we need some path to the RSA WebID agent DLL file on the OWA PC? This article for ISA 2000 clearly demos the config for this scenario http://www.microsoft.com/technet/security/prodtech/isa/isafp1/sidw.mspx#EEAA
Sorry for all the questions. Appreciate the help.

(in reply to tshinder)
Post #: 16
RE: Discussion about article on Dumbing Down the ISA Fi... - 27.Aug.2005 12:49:00 AM   
tarner

 

Posts: 8
Joined: 26.Aug.2005
From: MD/DC
Status: offline
Excuse me. To add to the post. What is the equivalent config for pass through using ISA 2004.
================
Scenario 4: Authentication for RSA SecurID on IIS
In this scenario, the Web server authenticates for RSA SecurID, and the ISA Server computer does not authenticate. You do not install the Web filter on the ISA Server computer.
You must configure a Web publishing rule that allows anonymous access on the Web server whose path begins with /WebID/; that is, include the path /WebID/* in the destination set.

To create a destination set
1. In the console tree of ISA Management, right-click Destination Sets, click New, and then click Set.
2. In Name, type MyDocs. Then, click Add.
3. In Destination, type www.microsoft.com.
4. In Path, type /WebID/*.

To create a Web publishing rule
1. Right-click Web Publishing, click New, and then click Rule.
2. In Name, type My Rule. Then, click Next.
3. In Destination Sets, choose Specified destination set.
4. In Name, select MyDocs. Then, click Next.
5. On the Client Type page, select Any request. Then, click Next.
6. On the Rule Action page, choose Redirect the request to this internal Web Server (name or IP Address).
7. Click Next, and then click Finish.

In addition, to allow the RSA SecurID credentials to pass through ISA Server to the Web server, you must configure a Web publishing rule that is applied to a destination set that includes the xxx and the /WebID/* paths, and that applies to Any user (or to a specific client address set). Excuse the large post please.

(in reply to tshinder)
Post #: 17