ISA Firewall Dirty Dozen
There are a handful of questions asked over and over again on the ISAServer.org message boards and mailing list. These same questions are asked on the ISA firewall public newsgroups. In order to save everyone a lot of time, I have collected the top 12 most frequently asked questions and my answers. I call this top 12 list my ISA Firewall dirty dozen. The order I list these questions is not important – it is just the order that they came to mind.
The ISA Firewall Dirty Dozen
- I want to have multiple external interfaces on my ISA firewall. How do I set this up?
The ISA firewall can support multiple external interfaces. However, only one of those interfaces can be configured with a default gateway. Any other external interface will need to use information in the ISA firewall’s routing table to reach remote locations. In the past there was an application called RainConnect you could use to do this. Now that RainConnect is defunct, your only option is to use a multi-WAN router in front of the ISA Firewall.
- My Yahoo/AOL/MSN/Windows Messenger is not working. How do I fix this?
Instant messaging software represents a significant risk to your network. Files can be transferred through the IM channels, and even if files are not transferred, a significant amount of proprietary information can traverse the IM channel without you being able to detect or block it. One solution to this problem is to use a product like Websense together with the ISA firewall. With Websense, you can control which users can access IM channels and also block peer-to-peer applications. But to answer the question: the instant messengers all require their own protocols, and some of them are included in the default protocol list that ships with the ISA firewall. Although most IM clients allow you to use the Web proxy component of the ISA firewall to access the Internet, you should not configure them to use the Web proxy, since they might not support Web proxy authentication. Instead, use the strong user/group authentication provided by the Firewall client. For information on how to use MSN Instant Messenger, read Instant Messaging with ISA Server. For the Yahoo and AOL IM clients, make sure the client machine is a Firewall client and configure an Access Rule allowing the protocols specific to that Instant Messenger application.
- I put Exchange on my ISA firewall and OWA/SMTP/POP3/IMAP4/NNTP is not sending/receiving? How do I fix this?
I cannot emphasize strongly enough that you should NOT put extraneous software on the ISA firewall machine. Applications and services such as Microsoft Office, Microsoft SQL Server, Microsoft Exchange, Microsoft SharePoint Portal Server, and any other service or application should not be installed on, and should not be run on, the ISA firewall machine. This recommendation includes not running the Web browser on the ISA firewall machine. The firewall is the focal point of your network security. You do not want to jeopardize network security by compromising the firewall by significantly increasing its attack surface. Put Exchange on an internal network server and publish the OWA/SMTP/POP3/IMAP4 and NNTP services using Web and Server Publishing Rules.
- My Secure Exchange RPC Server Publishing rule and/or my Exchange RPC over HTTP Web publishing rule is not working. I did everything you said to do in your articles on the ISAserver.org Web site. What is wrong?
Secure Exchange RPC publishing and Exchange RPC over HTTP publishing suffer from a similar problem: the relative lack of guidance from the Microsoft Exchange team on how to correctly configure a DNS infrastructure to support these remote access solutions. Have you ever wondered how the Outlook client resolves the name of the Exchange Server? Does it use only the NetBIOS name? Does it use the FQDN? Does it sometimes use the NetBIOS name and sometimes the FQDN? Do different versions of Outlook resolve the Exchange Server’s name differently? Can you find this information anywhere on the Microsoft Exchange Web site? Does the information in the KB article Troubleshooting slow startup of Outlook and Exchange Clients actually help you? How about Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality?
The best solution to your secure Exchange RPC publishing and RPC over HTTP publishing problems is a split DNS infrastructure. A split DNS allows you to use the same names on the internal network and from remote locations. You can find more information on configuring a split DNS and on configuring the Outlook client by reading You Need a Split DNS and Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!
- My Firewall client shows a red arrow on it and cannot contact the ISA firewall. What is up with that?
There are a number of reasons why the Firewall client will not connect to the ISA firewall. The most common reason is that the name cannot be resolved. By default, the Firewall client configuration on the ISA firewall uses the NetBIOS name of the ISA firewall and sets the Firewall client machine to use this name. If the client machine can correctly fully qualify this name then the connection will succeed. If the Firewall client cannot correctly fully qualify this name then the connection may not succeed, depending on whether the ISA firewall is a WINS client and the Firewall client machine is configured to query the correct WINS server. In most cases, the ISA firewall and the Firewall client machine will belong to the same domain, so the client system will be able to correctly fully qualify the ISA firewall’s name. However, there are circumstances when you do not join the ISA firewall to the domain and configure user accounts on the ISA firewall itself. In that case, the Firewall client systems will not, by default, be able to correctly fully qualify the NetBIOS name of the ISA firewall and the Firewall client connection will fail. In this case, you need to configure the Firewall client machine with a Primary Domain Name Suffix that will allow the NetBIOS name of the ISA firewall to be correctly fully qualified, and this name must resolve to the IP address on the internal interface of the ISA firewall. The alternative is to have a functional WINS infrastructure in place.
- I need user names in the log files and I need to control access based on user/group account. I do not want to install the Firewall Client or configure the browsers as Web Proxy clients. What is the next step?
There is no next step. In order to control access based on user/group and to get user names in the Firewall and Web proxy log files, you must configure the clients as Firewall and/or Web proxy clients. A Web proxy client is any machine whose browser is configured to use the ISA firewall as its Web proxy server. You do not need to touch the client machines to make them Web proxy clients. The default configuration in Internet Explorer is to use autodiscovery. When configured to use autodiscovery, the Internet Explorer browser automatically searches for wpad entries in DNS and/or DHCP and configures itself. The Web proxy client authenticates when required for HTTP, HTTPS and HTTP-tunneled FTP (Web proxy client) connections. A Firewall client is any Windows machine that has the Firewall client software installed. As with the Web proxy client configuration, you do not need to touch the machines to install and configure the Firewall client. You can transparently install the Firewall client software using Windows Group Policy. The Firewall client can also use wpad entries to automatically find the ISA firewall and configure itself. Firewall clients send user name information to the ISA firewall whenever a Winsock TCP or UDP request is made to the Internet. For details on automatic Web proxy and Firewall client configuration, check out the ISA Server 2000 in Education Kit.
- I want to put my ISA Server between two “firewalls” and put a single NIC in the ISA firewall. I need all the features available in ISA, including Firewall client support. How do I do this?
While this is possible, it is not a supported configuration. The single NIC configuration is never supported for the Firewall client. However, it is possible to put a single NIC ISA firewall in the DMZ and perform both Web and Server Publishing using what I call the “ISP co-lo Configuration”. This configuration will allow you to publish all protocols using Web and Server Publishing Rules. However, I highly recommend that you reconsider your configuration. The ISA firewall is a true network firewall and provides a higher level of security and access control than most of the firewalls on the market today. To get the most out of the ISA firewall, you should remove the back-end packet filtering firewall and replace it with the ISA firewall. Another alternative is to put the ISA firewall in parallel with the current firewall, and put your more secure network assets behind the ISA firewall and publicly accessible sites behind the packet filtering firewall. This topology allows you to leave the current front-end firewall in place while fully enabling the security and access control features in the ISA firewall on the back end.
- I want to run a Web/FTP/NNTP/Quake/Kazaa/Morpheus server on my ISA firewall. I have created the right Access Rules, but it does not work. Why?
I strongly recommend that you do not install any extraneous software on the firewall. While it is fine to install additional software on the ISA firewall to enhance the firewall’s feature set, it is not appropriate to install Web servers, FTP servers, news servers, Quake servers, Kazaa servers or clients, or any other non-firewall-related software on the ISA firewall machine. Remember, the ISA firewall is the focal point for perimeter network security, and each application or service you install on the ISA firewall increases the firewall’s attack surface. You do not want to increase the attack surface on the firewall, as this increases the probability that the firewall can be compromised or bypassed.
- How do I get Internet Explorer/Outlook Express/Hello Kitty working on the ISA firewall? I tried to create packet filters, but the ISA firewall does not have a packet filter feature.
The ISA firewall does not have an explicit packet filter configuration interface because stateful packet inspection is inherent in all the ISA firewall Access Rules. You need to create Access Rules to control inbound and outbound access to and from the ISA firewall machine itself. For example, if you need to allow outbound SMTP from the ISA firewall, you can create an SMTP Access Rule from the Local Host Network to the External network; this type of rule would be required if you wanted to use the ISA firewall as an outbound SMTP relay. I strongly recommend that you do not run Outlook Express or Hello Kitty on the ISA firewall itself, for reasons mentioned earlier.
- I cannot get POP3 and/or FTP working. I do not want to install the firewall client. How do I get mail and FTP files?
You do not need to install the Firewall client to access POP3 or FTP sites on the Internet. The only requirements are that the client is able to resolve the name of the server it needs to connect to, and that there is an Access Rule that allows name resolution and access to the POP3 and/or FTP protocols. Name resolution is often a problem because it is handled differently for SecureNAT, Web proxy and Firewall clients. POP3 is a simple protocol requiring a single connection on TCP port 110. In contrast, FTP is a complex protocol requiring secondary connections to be made inbound from the FTP server. For FTP, you either need to install the Firewall client or use the FTP Access application filter included with the ISA firewall. SecureNAT clients can use the FTP Access application filter to support the secondary connections. If you are running into problems with FTP, make sure the FTP Access application filter is enabled.
- How do I see the files in the cache? Also, how do I prevent sites from being cached? Oh, and one more question, how do I clear the cache?
You can use the cachedir.exe tool from the Microsoft website.
- Tech Support told me to “open ports X, Y and Z”. How do I do this?
This is one of the most common issues we encounter. The term “open a port” means nothing, and it implies that firewalls are akin to “peg-boards” where you “poke holes” in the firewall/peg-board and let “stuff” through. The TCP/IP protocol suite does not work like this, and that is the reason why you have never seen a firewall with an “open port” button. In order to allow traffic through the ISA firewall (or any firewall), you need to know what protocols are required, the direction of each protocol, and which protocols are used for primary and secondary connections. For example, when you use FTP in PORT (standard) mode, the primary connection is made outbound from the FTP client to the FTP server on TCP port 21. Then the FTP server establishes a new secondary connection back to the client, from its own TCP port 20 to a high-numbered port on the external interface of the ISA firewall. If you were to ask tech support what ports to open for FTP, would they say “open ports 21 and 20”? Maybe, but who knows, since “open a port” does not mean anything. It is the Internet application vendor’s responsibility to provide this information to you. Otherwise, you will need to use a network analyzer (like Network Monitor or Ethereal) and figure out what protocols, directions, and primary and secondary connections are required. Make sure to bill the application vendor for the time you spend trying to figure out their application!
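To show what "figure out the protocols, directions and primary/secondary connections" actually produces, here is an added example (not ISA Server code and not from the original article) that takes flow records of the kind a network analyzer would give you and turns them into a protocol definition with primary and secondary connections, covering the FTP PORT-mode case above and the single-connection POP3 case from the earlier question. The flow records, IP addresses and the WELL_KNOWN table are constructed for the example.

```python
"""Derive an application's primary/secondary connections from a capture of
its flows, the way you would after a Network Monitor or Ethereal session.
Added example for this article; not ISA Server code. Flow records are
constructed for illustration (RFC 5737 documentation addresses)."""
from collections import defaultdict

# Constructed flows as seen on the ISA firewall's external interface:
# (proto, client_ip, client_port, server_ip, server_port, initiator)
# 'initiator' is the side that sent the first packet (the TCP SYN).
FLOWS = [
    ("tcp", "203.0.113.10", 49152, "198.51.100.5", 21, "client"),   # FTP control channel
    ("tcp", "203.0.113.10", 49153, "198.51.100.5", 20, "server"),   # FTP data, PORT mode
    ("tcp", "203.0.113.10", 49154, "198.51.100.5", 20, "server"),   # second transfer
    ("tcp", "203.0.113.10", 49160, "198.51.100.9", 110, "client"),  # POP3: one connection
]

WELL_KNOWN = {("tcp", 21): "FTP", ("tcp", 110): "POP3"}  # constructed lookup

def classify(flows):
    """Group flows by (client, server). The first client-initiated flow to a
    well-known port is the primary connection; everything else is secondary.
    A secondary opened by the server is an inbound connection the firewall
    must expect, even though the client started the session."""
    sessions = defaultdict(lambda: {"name": None, "primary": None, "secondary": set()})
    for proto, cip, cport, sip, sport, who in flows:
        s = sessions[(cip, sip)]
        if who == "client" and s["primary"] is None and (proto, sport) in WELL_KNOWN:
            s["name"] = WELL_KNOWN[(proto, sport)]
            s["primary"] = (proto, sport, "outbound")
        else:
            direction = "inbound" if who == "server" else "outbound"
            # The client port changes per transfer; only the server port is stable,
            # which is exactly why a static "open port" cannot describe this.
            s["secondary"].add((proto, sport, direction))
    return dict(sessions)

def describe(session):
    """Render a protocol definition in the style of the ISA firewall's protocol
    list, spelling out direction and any secondary connections."""
    proto, port, direction = session["primary"]
    lines = [f"{session['name']}: primary {proto.upper()} {port} {direction}"]
    for proto, port, direction in sorted(session["secondary"]):
        lines.append(f"  secondary {proto.upper()} from server port {port} "
                     f"{direction} to a dynamic client port")
    if any(d == "inbound" for _, _, d in session["secondary"]):
        lines.append("  needs a stateful application filter (e.g. FTP Access), not an 'open port'")
    return lines

if __name__ == "__main__":
    for session in classify(FLOWS).values():
        print("\n".join(describe(session)))
```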
So there you go, the ISA Firewall dirty dozen. If you can think of any other question that has been covered over 100 times in the ISA Firewall community, let me know and I will add to the list.