Today we have the pleasure of very nice guest blog post from Thijs Wientjes. Thijs is a Senior Technical Consultant with Getronics Consulting and he was kind enough to share some of his insights on how to configure network settings on ISA and TMG firewalls. I found this to be a great review of settings that all ISA and TMG firewall admins should know about. Enjoy!
================================================================
In the past years I’ve come across various problems at customer sites where their ISA or TMG firewall was behaving in a very strange way. The configuration within the management console seemed to be OK, and all other network components with which the ISA/TMG firewall communicating with also seemed to be configured just fine. Still, we’d see strange problems like:
- OWA Web Publishing Rules performing very, very poorly
- PPTP VPN access failed to establish a connection, while L2TP did not experience any problems.
- Adding a second site-to-site VPN tunnel caused the existing VPN tunnel to go down, and no VPN connectivity was possible until the new tunnel was removed from the configuration.
- SMTP server publishing returned lots of failed connection attempts. Some mail would come through, but a lot of mail just failed to be delivered.
Over time we realize that all of these problems were caused by advanced Network card features that are supported in newer versions of Windows. ISA and TMG are sometimes unable to work properly if these options are enabled. Somewhere deep within the TMG documentation these options are mentioned, with the advice to turn all these options off.
It would be nice if these options could be automatically set to ISA/TMG best practices standards by TMG setup or the Best Practices Analyzer (BPA). Until then, I will summarize the best practice settings to avoid problems below.
Registry settings
The following configuration should be added to the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
“EnableRSS”=dword:00000000
“EnableTCPA”=dword:00000000
“EnableTCPChimney”=dword:00000000
“EnableSecurityFilters”=dword:00000000
Network card
If the above registry settings are set and the ISA/TMG firewall is rebooted, the following options should be disabled on each NIC (this is an example for a Broadcom NIC):
IPv4 and IPv6 Checksum Offload: None
IPv4 and IPv6 Large Send Offload: Disable
Receive Side Scaling: Disable
TCP Connection Offload:Disable
TCP Global settings
I’ve come across the situation where all the above settings were set correctly but still the ISA or TMG firewall had problems. If this is the case, check the TCP global settings from the command line:
netsh int tcp show global
The output should look something like this:
Querying active state…
TCP Global Parameters
———————————————-
Receive-Side Scaling State : disabled
Chimney Offload State : disabled
Receive Window Auto-Tuning Level : normal
Add-On Congestion Control Provider : ctcp
ECN Capability : disabled
RFC 1323 Timestamps : disabled
If receive side scaling and/or chimney offloading are enabled, you can disable them with the following commands:
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
================================================================
I do want to point out that ISA and TMG do support Receive Side Scaling, but that there are issues with some network adapters and their drivers. If you run into the performance issues that Thijs points out, then go ahead and disable these advanced features. Let us know how this works out for you!
HTH,
Deb
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)
“MS SECURITY”
[email protected]