ISAServer.org Chat Transcript
May 29, 2003
Note: The Chat Room is always open! We have scheduled chats once a week but you're welcome to visit the chat room at any time to discuss ISA Server related issues. The Chat Room is at:
Please wait, connecting to server...
DrTom : Hey guys, sorry I'm late!
Stefaan : Ha.... I'm living now for more than 25 years in the networking world. So, I would say experiences...
frihani : Hey DrTom
Stefaan : Hi Tom!
DrTom : Hi Frihani!
DrTom : Hi Stefaan!
DrTom : What are you guys talking about today?
frihani : 25+ years.. Ah ha! now i know your secret
DrTom : Stefaan -- I really appreciate your protocol approach to solving ISA Server config and connection problems
frihani : Should we start a topic?
DrTom : What is a popular topic that everyone seems to have problems with?
frihani : Dr Tom, What have you been currently working on vis a vis vmware lab?
Stefaan : Well I was and am still very interested in how all those protocols really work: tty, bsync, x25, tcp/ip ........
DrTom : How about publishing OWA?
DrTom : Frihani -- I have been working on VPN client setups for all versions of Windows
frihani : ohh! good one.. actually i need to publich RPC and have just found your article Dr.
DrTom : Using the new L2TP/IPSec client too!
DrTom : Publishing Exchange RPC is pretty easy, as long as you get the name resolution issues handled correctly
DrTom : Although, I hear there are a lot of problems with Windows XP SP1. I don't use XP SP1, so I haven't had a chance to test it, it works fine without SP1
frihani : interesting.. I only recently became interested in vpn configs.. quite powerful
DrTom : Stefaan -- yes, protocol level understanding is key to really understanding how these things work, your analysis is always very interesting and enlightening!
Stefaan : Tom, thanks! Did you already test ISA on W2K3 as VPN endpoint for L2TP/IPSec NAT-T?
DrTom : Frihani -- yes, the VPN configs are very interesting. I'm putting together a very comprehensive VPN deployment kit on VPN client setup, VPN server setup, VPN gateway setup and Certificate Server setup
DrTom : It will be very easy to find the information you need, when you need it
DrTom : And its hard to do that now! It won't be hard when I'm done
DrTom : I hope
DrTom : Stefaan -- I have tested the L2TIP/IPSec client and it works great!
frihani : that is quite a monster.. btw. your books have become the one stop resource of all isa server admins
DrTom : Stefaan -- I tested the Win9x and the Win2k L2TP/IPSec VPN client with the client behind an ISA/Win2003 server and the clients were connecting to a ISA/VPN/Win2003 server. Works great!
Stefaan : Tom, which packet filters do we need on ISA UDP 500 and 4500 for sure, but is UDP 1701 also needed?
frihani : Dr tom, are you using traversal (UDP ?)
DrTom : Frihani -- Yes! The VPN deployment kit is going to be really big -- it it will be easily managable because there will be a doc at the beginning that will guide you through the docs you need to go through
frihani : ecnapsulating the data packets and all that.
DrTom : Stefaan -- NO protocol rules are required for UDP 1701. However, a packet filter is required for UDP 1701 on the Win2003 VPN Server.
DrTom : You need to create packet filters for UDP 500 receive/send and UDP 4500 receive/send and UDP 1701 receive/send.
DrTom : You need to create Protocol Rules for UDP 500 send/recieve and UDP 4500 send/recieve
DrTom : That's all you need.
DrTom : The ESP header is encapsulated in the UDP 4500 header
frihani : Do you have problems dropping the line?
DrTom : Frihani -- no problems with dropping the line
DrTom : When the ESP header is removed, it exposes UDP 1701, and at this point its not exposes to the ISA Server packet filters
frihani : So you could basically set it up once and have it run continuously?
frihani : I thought that was IP Protocol 51 or something like that
DrTom : Frihani -- yes! Once it setup, it just works.
frihani : interesting.. quite valuable knowledge
DrTom : Frihani -- you don't need to allow any IP protocols through because the IPSec policy agent handles the packet before the packet filters see it
DrTom : Check out the VPN server and VPN gateway docs for Windows 2003 over at the www.microsoft.com/vpn site -- they are very very good!
frihani : As you see it now, is the configuration difficult, i mean, are there lots of room for problems
DrTom : because, how does the UDP header become exposed? We don't need to open a packet filter for IP Protocol 51!
frihani : have you seen any industry shifts with regard to vpn and firewalls?
DrTom : Stefaan -- perhaps the ISA Server packet filters "see" IP Protocol
frihani : like checkpoint, symantec etc
DrTom : Sorry that's IP Protocol 50
DrTom : Frihani -- what type of shifts are you thinking of?
DrTom : I know that they are getting more interested in layer 7 -- which they've essentially ignored in the past
DrTom : I think they see Microsoft biting at their heels in this area -- and I'm sure subsequent versions of ISA Server will have even more powerful layer seven inspection
frihani : Well checkpoints solutions ie: vpn client had good intention but is just too messy to work with
frihani : I wonder if any improvements have been mad
DrTom : Frihani -- third party VPN clients are really paradoxical to me. Here you have a VPN client, the MS VPN client, built into every Windows operating system. It works great, and connects to MS VPN server with no problem and the client is so, so very easy!
frihani : Can you point to a reference regarding the "layer" idea
DrTom : I'll never understand why people want to use 3rd party VPN!
frihani : well people normally responded with that the other end had limited requirements (specific firewall version)
DrTom : Frihani -- the layer 7 idea? There were some front page articles on CNET a few weeks ago that they were getting into "advanced layer 7 filtering" when ISA Server already does this and can be easily extended by 3rd parties or even yourself if you're good
DrTom : with C++
frihani : Has anyone worked with C++ filters etc? Like the SOCKS5 build?
DrTom : frihani -- yes. I think price is the thing. You can get a "SOHOware" or FireBox or something like that with a limited number of connections for less than a Win2k/Win2003 box. And businesses that are price sensitive will go with those solutions
DrTom : Frihani -- the SOCKS 5 filter in the SDK was just an example, I don't believe it actually works
frihani : With regard to price.. the proven features of ISA are certainly worth it...
frihani : Yea i have not heard any positive response from SOCK5
DrTom : Frihani -- yes, I agree. What is a challange is that people want to put it on things like SBS server! That immediately reduces the functionality and protection provided by the firewall
Stefaan : Tom, do you have any news about when the updated L2TP/IPSec client with NAT-T will be available again?
DrTom : Stefaan -- I was able to get the NAT-T client for Win2k yesterday, but I still haven't found the NAT-T client for WinXP -- no information yet on when it will come back
DrTom : It seems that the problem was with interoperability with Symantec firewalls -- that doesn't seem like a bug to me
Stefaan : Haha... that's a good one
Stefaan : Can you install ISA server on W2K3 web edition or isn't that possible?
frihani : I dont think that is possible...
DrTom : I think one thing ISA Server has a problem with is that it sees the world in terms of "internal" and "external". Most firewall admins want to use the firewall as a "firewall/router"
frihani : Have you tried W2k3 with isa at all?
DrTom : Stefaan -- I haven't tried on Web Edition yet! That would be interesting. I'll put it on my list of things to check.
DrTom : Frihani -- I've been using ISA Server on Win2003 for a couple of months
frihani : production serveR?
DrTom : Very, VERY stable in my limited experience (limited in that I have no customers using it on Win2003 yet)
frihani : when willl you feel comfortable migrating your clients?
DrTom : Production in that my own business depends on it and it handles about 20-25 GB of traffic/month
DrTom : Frihani --YES. I feel very comfortable moving my clients to an ISA/Win2003 solution. More stable, more secure, and some neat features like NetBIOS proxy for the smaller businesses
frihani : "Very, VERY stable" sounds quite convincing... and behind the firewall? Exchange, services etc on w2k3?
DrTom : Frihani -- no problem publishing Exchange RPC, SMTP, POP3, IMAP4 or SSL
Stefaan : Tom, when will the hotfix be public available for the UDP publishing issue?
frihani : what about running exchange on w2k3
DrTom : It does it all without a hitch. Same as Win2k, but I almost forget about it in Win2003 because services never seem to get "hung up"
DrTom : Stefaan -- its available now. Check out the latest fixpack. Hold on and I'll point you to it.
DrTom : Here is it: http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493
frihani : Has anyone worked with intrusion detection systems? I've worked with Snort,
frihani : but after ISA, i never caught anything
DrTom : Frihani -- I've not found the ISA Server IDS very useful
Stefaan : Tom, I saw that KB, but you have to contact MS to get it. So, no free download yet?
DrTom : Stefaan -- that's true. Jim told me it was a fix for the problem, but I haven't installed it yet to confirm
DrTom : Maybe we can post to the ISAServer.org mailing list and someone will make it available?
Stefaan : Good idea!
DrTom : I hate sitting on the phone, and even though I don't have to pay for it, it still takes a good amount of my time to get it.
frihani : hehe
DrTom : Anyone use the SMTP filter?
Stefaan : Can Jim not publish it on isatools.org?
DrTom : I find that it can be very useful, but its very difficult to manage
frihani : Dr Tom, I've tried it but it was rejecting exchange to exchange communication
frihani : and had to disable it
DrTom : Most people don't want to spend hours and hours comes up with keywords and domains and then not have an easy mechanism to back up and restore this information
frihani : Isnt there scripting for that?
DrTom : Frihani -- what type of Exchange to Exchange? SMTP messages from one Exchange Server to another?
DrTom : Frihani -- if there is scripting for that, I haven't found it!
frihani : I think it was some sort of Auth smtp command that was getting blocked
DrTom : Frihani -- Oh! Yes, the original release of the SMTP filter did not support AUTH. That meant that you couldn't use credentials based authentication
frihani : right.. why has that been fixed?
DrTom : But if you install ISA Server Feature Pack 1 -- the SMTP filter works! You can now authentication when the SMTP filter is enabled
frihani : oh boy
DrTom : You might need to create a entry in commands list for : AUTH and the size should be 1024 bytes
frihani : I have installed FP1
DrTom : Frihani -- then it should work, just make sure to add the entry to the command list. AUTH and 1024 bytes for the size
frihani : I'll have to test it.. thanks for the info
frihani : my bosses will be pleased
DrTom : Frihani -- you bet! Let me know how it works out for you!
DrTom : Frihani -- tell them you figured it out yourself, then you'll get a raise in pay
frihani : I think spam (keywords and all that ) are a bit difficult to manage...
frihani : maybe someone should bribe Jim to write a script to import export smtp settings
DrTom : Frihani -- interesting you say that. I used keywords only. I have a very extensive keyword list that works well for out business
Stefaan : Tom, does RainWall support an ISA trihomed DMZ configuration?
DrTom : It catches about 99% of all spam and a very very very low false positive rate, because I whitelist legit domains so that they bypass the keyword rules
DrTom : Frihani -- LOL! I'll ask him about that
DrTom : Stefaan -- good question. I haven't check out that scenario yet. Are you wanting to load balance and failover the DMZ interfaces too?
DrTom : I've only tried RainWall with machines that have 2 network interfaces, internal and external
frihani : DR Tom, where do you get your kw list from?
Stefaan : Yep, a customer have asked that one!
DrTom : Frihani -- I've created my own over the years. Its very extensive.
DrTom : Stefaan -- ouch! I can ask for you. Do you know Reiko Sato? She is very smart, very friendly and very helpful on RainWall and RainConnect questions!
frihani : Dr Tom, you were right, the AUTH Command is set for 500 length
DrTom : Frihani -- 500 might be enough in some circumstances, but MS recommends 1024
Stefaan : No, I have not worked with Rainfinity yet, but have just emailed them for some price info. We have some interest in their products.
DrTom : I have tested it out myself using 1024 and it works nicely!
frihani : What about the other commands, should i review them against real mail occurances or are they ok as is?
DrTom : Stefaan -- they are very very helpful. I have always been impressed with their professionalism and willingness to work with customers on solving problems
DrTom : Frihani -- I don't find any compelling reason to remove any other commands. I've not had problems with the current command list and I haven't run across anyone who's had problems (other than the AUTH issue)
frihani : good news.
DrTom : Actually, there is one other issue: STARTTLS. But I think this will be fixed in the future
frihani : TLS security ?
DrTom : Frihani --YES. It would be very good to have that feature for SMTP from your private SMTP clients that are on the road
frihani : right.. well i wanted to move all external clients to Exchange RPC.. but i cant get it working
Stefaan : Tom - good to hear that! I will contact them (probably in the UK I suppose).
DrTom : Frihani -- you can't get RPC working? Do you know what the problem is?
DrTom : Steffan -- yes! Let them know that I sent you and that you are very active on ISAServer.org and with MS too - and that you're an MVP -- they know what MVP's are
frihani : Well it may just be my inexperinece with client settings in outlook. What i thought to do was add the ms Exchange server service in outlook services and point to the external mail dns
frihani : but the syn gets blocked
frihani : also, the rpc port is listening on 0.0.0.0
DrTom : Frihani -- there are some issues with the various builds of Outlook
Stefaan : Hey guys, I have to leave. Thanks for the nice talk!
DrTom : Stefaan -- good to have you here!
frihani : Stefaan, thansk again!
DrTom : Let us know what Raininfity has to tell you
DrTom : Frihani -- is the Exchange Server on the ISA Server? If so, RPC publishing will not work
frihani : exchange is behind ISA
DrTom : Name resolution is very important. Also, don't force encryption until you get the basics working
frihani : oh good thinking
frihani : name resolution meaning the mailboc name or fqdn
DrTom : Once thing you can do to help is to put a HOSTS file entry on the clients to confirm name resolution is not the issue
DrTom : Exchange depends on the NetBIOS name, it really doesn't use the entire FQDN
DrTom : So, the host portion of the FQDN must be the same as the NetBIOS name
DrTom : For example, if the NetBIOS name is BLAH, you have to make a FQ
DrTom : sorry -- you have to make the FQDN blah.domain.com
DrTom : and have the resolve to the external IP address that's listening for the RPC publishing rule
DrTom : You can do this in your DNS, or you can create a HOSTS file entry
frihani : oh i see.. Netbois name is the same for the mahine i was testing@
DrTom : It gets trickly too, because not all clients will resolve the unqualfied request correctly!
DrTom : For example, since Outlook only cares about the NetBIOS name, it uses a single label name for the name query
frihani : Well exchange features are used mosltly in the intranet, but for those who want to pust the limits...
DrTom : If the query is sent to DNS, the query has to be "fully qualified" which means a domain name has to be appended
DrTom : That name is usually the same as the name of the domain the computer belongs to, now you see the problem?
DrTom : There are ways around this, such as using adapter specific settings, etc.
frihani : right... the HOSTS file overrides the dns resolution then
DrTom : Frihani -- perhaps the HOSTS file entry would be the best place the start, then you can reengineeer your public DNS after you get things working the way you want them to
frihani : I am glad i have the auth to make site wide changes then
DrTom : Frihani -- that's right! The entries in the HOSTS file are automatically placed in the DNS client cache immediately after you save the HOSTS file
DrTom : Frihani -- LOL! Yes, you will need that!
DrTom : OK guys, I'm going to have to leave. I turn into a pumpkin at NOON and I've been a pumpkin now for four minutes
DrTom : I appreciate everyone who had a chance to visit and I hope you can come next week. Let everyone know that you can actually learn something at these chats!
frihani : Thanks for the confidence Tom!
DrTom : Frihani -- you bet! See you next week!
DrTom : Bye!
frihani : Ciao.