Your New ISA Firewall: ISA 2006 Service Pack 1 (Part 1)
If you would like to read the next part in this article series please go to Your New ISA Firewall: ISA 2006 Service Pack 1 - Part 2: Traffic Simulator and Enhanced Diagnostic Logging
(NOTE: This is pre-release information and I am aware of a couple of improvements in the final release of the Service Pack that weren't included in the pre-release version. I will update this article and put a blog post on the front page of this site so that you'll know when the updated version of this article appears. Thanks! --Tom.)
While not officially released at the time this article was written, the upcoming ISA 2006 Service Pack 1 is soon to come to an ISA firewall near you. Microsoft has released many of the details to the public in the ISA firewall Team blog over at Forefront TMG (ISA Server) Product Team Blog and Marc Grote has some coverage for it on our site over at ISA Server 2006 Service Pack 1: New features and enhancements.
Instead of rehashing what the ISA firewall team and Marc have put together, I thought I’d go into a bit more detail into some of the major new features included with ISA 2006 Service Pack 1. In fact, it’s my opinion that you will feel like you have received a new version upgrade after you install SP1 on your ISA 2006 firewall! That is how impressive the new features are that are included with the Service Pack 1.
In this article we’ll look at the installation process, then go into the details of the Change Tracker, and then get a good look at how the new Web Publishing Rule Test button works to help solve your most vexing Web Publishing Rule problems.
In the second article in this series, we’ll go into the details of the Traffic Simulator and take a deep dive into the new capabilities that are included in the diagnostic logging feature set.
Note that this article series is based on a pre-release version of ISA 2006 Service Pack 1 and some of the dialog boxes and even functionality might change between the time the article was written and the release version of the service pack.
Installing ISA 2006 Service Pack 1
Double click on the service pack installation file. This brings up the Welcome to the Update for Microsoft ISA Server 2006 Service Pack 1 page. Click Next.
On the License Agreement page, select the I accept the terms in the license agreement option and click Next.
On the Ready to Install the Program page, click the Install button.
The progress bar shows you the progress of the installation.
Yay! The installation is complete with no errors. Click Finish.
At this point you’ll be asked to restart the computer.
After installing Service Pack 1, you won’t see too many cosmetic changes. At least I didn’t notice that many. However, if you click the Firewall Policy node in the left pane of the console and then click the Tasks tab in the Task Pane, you’ll see a new entry in the Related Tasks collection – Go to Traffic Simulator. We’ll talk in detail about the traffic simulator later.
When you click on the Troubleshooting node in the left pane of the console, you’ll notice that there are some new tabs – the Traffic Simulator and the Diagnostic Logging tabs. We’ll go over those features in detail later.
Configuration Change Tracking
The first new major feature we’ll look at is the Change Tracking feature. Change tracking allows you to keep a log of the changes that have been made to the ISA firewall over time. The Change Tracking feature automatically reads the changes you make and records them. You are also given the opportunity, each time you apply new changes, to make a comment about the change.
Change tracking can be used to provide change management information regarding your firewall configuration to auditors. This is something that’s dogged ISA firewall admins for some time, as there was no automated means to keep track of changes made to the firewall over the course of time.
Click the Monitoring node in the left pane of the ISA firewall console, then click the Change Tracking tab. Click the Tasks tab in the Task Pane and you’ll see the Configure Change Tracking link. Click that link.
This brings up the Properties dialog box for the firewall. You will also see this dialog box if you right click the name of the firewall in the left pane of the ISA firewall console and click the Properties command.
On the Change Tracking tab you can choose to enable change tracking. Change Tracking is disabled by default, so you’ll have to put a checkmark in the Enable change tracking checkbox to turn it on.
The Prompt for a change description when apply configuration changes option allows you to enter a description of the changes you make when you make changes to the firewall configuration. This is a helpful option, because you might want to turn off this feature when you’re first configuring the firewall. After you have the basic configuration set up and backed up, you can enable this option so that any change from your base configuration will require an explanation.
The default number of entries in the change tracking log is 1000 and the recommended maximum is 10,000. The absolute maximum isn’t documented at this time, but Microsoft recommends that you don’t go over 10,000 for performance reasons. If you go over that limit, the oldest entries will be overwritten by new entries.
You can also use the CTRL+A and CTRL+C and the CTRL+V keyboard shortcuts to copy the contents of the change tracking log to the clipboard to insert into a text file if you’re concerned about losing older entries.
As you can see in the figure below, when you click the Apply button, you’ll be presented with the Configuration Change Description dialog box where you can enter information about the change you made and perhaps the rationale you had for making the change. Click the Apply button in the Configuration Change Description dialog box.
After you click the Apply button, you’ll see the Saving Configuration Changes dialog box and the progress bar as the changes are saved.
Notice that there is what appears to be a text box in the Saving Configuration Changes dialog box. In the Change description section, you can see the details of your description. I thought this was a text box that would allow me to change the description. Instead, it actually means the description of the change. This fooled me for about five minutes until I realized the semantic confusion.
Now click the Monitoring node in the left pane of the console and click the Change Tracking tab. Here you can see that there are four columns:
- Time. This is the time the change was made
- User. This provides the user name of the user who made the change
- Change Summary. This provides a short summary of the change that was made
- Description. This provides the description information you entered when you applied the changes
If you expand the entry, you can get detailed information about the changes made. Most of them make sense, although there is terminology included with some of these descriptions that might make you run to the ISA 2006 SDK to try and figure them out. You can also use these detailed descriptions to learn more about how ISA handles the different kinds of changes you make to the firewall.
The Change Tracking feature also has a nifty search function, so that you don’t have to eyeball your way through the Change Tracking log. For example, in the figure below you can see that I’ve done a search for a change that had the name “bluecoat” in it and I found that I created a Domain Name Set named Bluecoat and created a policy rule named “Deny Bluecoat”.
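The article notes that the log is capped (1000 entries by default, 10,000 recommended, oldest overwritten beyond that), that you can copy it out with CTRL+A / CTRL+C into a text file, and that auditors are the main consumer of this data. The following script is an added example, not code from the article or from Microsoft: it parses such a pasted export and answers the questions an auditor asks. The four column names are the ones the article lists; the tab-separated layout, the time format, the account names and every row in SAMPLE_EXPORT are constructed assumptions, not a captured export.

```python
"""Audit a Change Tracking log pasted from the ISA console into a text file.
Assumptions (not from the article): the paste is tab-separated with a header
row, and the Time column is 'YYYY-MM-DD HH:MM:SS'. All rows are constructed."""
import csv
import io
from collections import Counter
from datetime import datetime

RECOMMENDED_MAX_ENTRIES = 10000  # Microsoft's recommended ceiling, per the article
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed format of the pasted Time column

# Constructed sample export mirroring the article's "bluecoat" search scenario.
SAMPLE_EXPORT = """Time\tUser\tChange Summary\tDescription
2008-05-01 09:12:00\tMSFIREWALL\\tom\tDomain Name Set 'Bluecoat' created\tBlock proxy avoidance sites per ticket 1234
2008-05-01 09:13:30\tMSFIREWALL\\tom\tPolicy rule 'Deny Bluecoat' created\tBlock proxy avoidance sites per ticket 1234
2008-05-02 22:41:05\tMSFIREWALL\\contractor\tWeb Publishing Rule 'Secure Web Site' modified\t
2008-05-03 08:00:10\tMSFIREWALL\\tom\tWeb Publishing Rule 'Secure Web Site' modified\tFixed TO tab name to secure.msfirewall.org
"""


def parse_export(text):
    """Parse the pasted log into dicts keyed by column, plus a parsed 'when'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        row["when"] = datetime.strptime(row["Time"], TIME_FORMAT)
        rows.append(row)
    return rows


def audit(rows, approved_users, max_entries=RECOMMENDED_MAX_ENTRIES):
    """Return the findings an auditor would ask about:
    - changes saved with an empty Description (prompt bypassed or disabled)
    - changes by accounts that are not on the approved change list
    - how close the log is to the size at which old entries are overwritten
    """
    approved = {u.lower() for u in approved_users}
    findings = []
    for row in rows:
        if not row["Description"].strip():
            findings.append("%s: %s changed '%s' with no description"
                            % (row["Time"], row["User"], row["Change Summary"]))
        if row["User"].lower() not in approved:
            findings.append("%s: change by unapproved account %s"
                            % (row["Time"], row["User"]))
    fill = len(rows) / max_entries
    if fill >= 0.8:
        findings.append("log is at %d%% of the %d-entry limit; export and archive it"
                        % (fill * 100, max_entries))
    return findings


def changes_per_user(rows):
    """Who is making changes, and how many: a quick separation-of-duties view."""
    return Counter(row["User"] for row in rows)


def search(rows, needle):
    """Same idea as the console's search box: match summary or description."""
    needle = needle.lower()
    return [row for row in rows
            if needle in row["Change Summary"].lower()
            or needle in row["Description"].lower()]


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for finding in audit(entries, ["MSFIREWALL\\tom"]):
        print(finding)
    print(changes_per_user(entries))
    print([r["Change Summary"] for r in search(entries, "bluecoat")])
```

Run it against a real paste only after confirming the column layout the console produces; if the paste uses a different delimiter or time format, adjust the delimiter in parse_export and TIME_FORMAT accordingly.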
Now let’s move on to the next cool feature included with your new ISA 2006 SP1 firewall – the Web Publishing Rule Test button.
Web Publishing Rule Test Button
People run into all sorts of problems when creating Web Publishing Rules. The problems might be related to name resolution, or maybe they’re related to certificates, or maybe they’re related to certificate names, or maybe related to IP addresses, or maybe even a combination of these. For the new ISA firewall admin, these problems can become vexing and make the new admin somewhat unhappy with his new investment in the ISA firewall.
The ISA firewall team is aware of this, and they’ve done a great job in ISA 2006 SP1 to help solve these problems by including a Test button in the Web Publishing Rule wizard and also in the Properties dialog box of the Web Publishing Rule.
Let’s create a secure Web Publishing Rule and see if the Test button can help us out with any errors I might make in the rule.
We’ll start by clicking the Publish Web Sites link in the Tasks tab of the Task Pane. This brings up the Welcome to the New Web Publishing Rule Wizard page. Enter a name in the Web Publishing Rule name text box. In this example we’ll name the rule Secure Web Site and then click Next.
On the Select Rule Action page, we’ll select the Allow option and then click Next.
On the Publishing Type page, we’ll select the Publish a single Web site or load balancer option, since we’re publishing only a single SSL Web server in this example. Click Next.
On the Server Connection Security page, we’ll select the Use SSL to connect to the published Web server or server farm option, since we want the ISA firewall to establish an SSL link from its internal interface to the published Web server on the default Internal Network. Click Next.
On the Internal Publishing Details page, we’ll enter ssl.msfirewall.org in the Internal site name text box. This is the name that should be on the Web site certificate bound to the Web site on the Internal network. If the common/subject name on the Web site certificate bound to the internal Web site is different from this name, the rule won’t work.
I’ll put a checkmark in the Use a computer name or IP address to connect to the published server checkbox and then enter the IP address of the published server in the Computer name or IP address text box. In this case, the IP address is 10.0.0.2. Click Next.
On the Internal Publishing Details page, you can put in a path that you want to limit users to have access to. In this example we’ll allow them access to all paths on the Web server, so we won’t make any changes on this page. Click Next.
On the Public Name Details page, we’ll select the This domain name (type below) option from the Accept requests for drop down list. In the Public name text box, we’ll enter the name that external users will use to access this site. Remember, this name must also be the subject/common name on the Web site certificate that you’ll have bound to the Web Listener that you’ll use for this rule.
We aren’t limiting any paths in this rule, so we won’t enter anything in the Path (optional) text box. Click Next.
There aren’t any Web Listeners configured on this machine yet, so we’ll need to create a new Secure Web Listener that we can use for the Web Publishing Rule. On the Select Web Listener page, click the New button.
On the Welcome to the New Web Listener Wizard page, enter a name for the Web Listener in the Web Listener name text box. In this example, we’ll name the Web Listener Secure Listener and click Next.
On the Client Connection Security page, we’ll select the Require SSL secured connection with clients, since we want the external clients to establish a secure SSL session to the external interface of the firewall. Click Next.
On the Web Listener IP Addresses page, put a checkmark in the External checkbox so that the Web Listener listens for incoming connections on the external interface of the firewall. Since there is only one IP address bound to the external interface of the firewall, there’s no reason for me to click the Select IP Addresses button. However, if there were more than one IP address on the external interface of the firewall, I might want to click the Select IP Addresses button so that I can create Web listeners with different settings for the different IP addresses.
On the Listener SSL Certificates page, select the Use a single certificate for this Web Listener option. We select this option because we only have a single IP address on the external interface of the firewall, and only one certificate can be bound to one IP address. Click the Select Certificate button.
In this example we’ll mess up our configuration by selecting the wrong certificate. To select the wrong certificate, I’ll select the wrongcert.msfirewall.org certificate from the list and then click the Select button.
Now we can see on the Listener SSL Certificates page that we’ve selected the wrongcert.msfirewall.org certificate and bound it to this Web Listener. Click Next.
We’re not too concerned with authentication for this rule, so we’ll make things simple by selecting the HTTP Authentication option from the Select how clients will provide credentials to ISA Server drop down list box and then we’ll select the Basic option. Since the firewall is a member of the domain (to improve security), we’ll select the Windows (Active Directory) option from the Select how ISA Server will validate client credentials options.
We have no options to select on the Single Sign On Settings page because in order to support single sign on, you need to use forms-based authentication. Click Next.
Click Finish on the Completing the New Web Listener Wizard page.
You can see the details of the Web Listener on the Select Web Listener page. Notice that there is a warning on the bottom of the page that reads The selected Web Listener is not configured with a certificate matching the public name defined in this wizard. Users may receive a warning when attempting to connect to the server published by this rule.
This is very useful information and I don’t recall if pre-SP1 ISA 2006 firewalls provided this very useful information. What the wizard is telling us is that the public name configured in this Web Publishing Rule does not match the common/subject name on the Web site certificate that we have bound to the Web Listener. When these don’t match, the browsers will tell users that there is a problem with the certificate, and if they’re using non-browser applications to connect, they might not receive any feedback and the connection will just fail.
We’ll go ahead and click Next and see if the Test button will provide us any information similar to this.
On the Authentication Delegation page, we’ll select the Basic Authentication option from the Select the method used by ISA Server to authenticate to the published Web server drop down box. We’re not too concerned with authentication in this example, but we’ll see if the Test button provides us with any information regarding authentication later.
On the User Sets page, we’ll allow only All Authenticated Users access to the site, since it’s a secure site. That means we removed the All Users entry and added the All Authenticated Users entry. Click Next.
Notice on the Completing the New Web Publishing Rule Wizard page that we have a Test button in the lower left corner of the page. Let’s click that button and see what happens.
Ouch! There’s something wrong with our rule. Let’s click the node on the bottom of the hierarchy and see what information we receive. When we click on the https://ssl.msfirewall.org:443 we see the following feedback:
Testing URL https://ssl.msfirewall.org:443/: A session to the published server could not be established. Error code 2148074274 – The target principal name is incorrect.
Well, that’s sort of useful if you know what The target principal name is incorrect error means. If you’re a new ISA firewall admin, you probably wouldn’t know what that means and you’ll be wailing and gnashing your teeth in this instance. However, even as a new ISA firewall admin, you now have some useful information that you can share with other members of the www.isaserver.org Web site, and when you post this information, more experienced ISA firewall admins will easily recognize that this is a certificate name mismatch problem.
What this error means is that ssl.msfirewall.org is not the common/subject name on the certificate bound to the published Web site. However, this is the name that we included on the TO tab in the Web Publishing Rule. In order to fix this problem, we need to check the common/subject name on the Web site certificate bound to the published Web site and then change the entry on the TO tab to match this name.
We’ll click close on the Web Publishing Rule Test Results page and then click Finish on the Completing the New Web Publishing Rule page.
Now let’s double click on the Secure Web Site Web Publishing Rule in the list of the firewall policy rule to open the Secure Web Site Properties dialog box. Click the TO tab. Here we see the ssl.msfirewall.org entry. I went back to the published Web server to see what the actual name on the certificate on the Web site is and found out that it’s actually secure.msfirewall.org. So, in order to fix this problem, we need to put secure.msfirewall.org in the this rule applies to this published site text box on the TO tab.
You can now see that I’ve fixed the problem and that on the TO tab I have entered secure.msfirewall.org.
Now I’ll click the Apply button and run the Test again. Bam! It worked and we see a green check mark indicating that the connection from the ISA firewall to the published Web server is working OK.
Now I’ll click Apply to save the changes and also include information in the Configuration Change Description dialog box.
It appears that the Test button is primarily aimed at making sure that a connection can be established between the ISA firewall itself and the published Web site. It does not seem to test whether an external user can connect to the ISA firewall’s external interface to establish a connection, as there was no check for the public name/certificate problem that the wizard called out. So, while the Test button is very useful for establishing connectivity between the firewall and the Web server, you will need to pay attention to warnings that the New Web Publishing Rule gives you when creating the rule.
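The two name mismatches the article walks through are the same check applied to two different legs: the TO tab name against the certificate on the published server (the leg the Test button exercises, failing with "The target principal name is incorrect") and the public name against the certificate bound to the Web Listener (the leg the wizard warns about but the Test button does not exercise). The following script is an added example, not code from the article or from Microsoft, that performs both checks the way a browser would, including the wildcard rules. The host names come from the article; the certificate dictionaries are constructed sample data in the shape returned by Python's ssl.SSLSocket.getpeercert(), and the public name www.msfirewall.org is assumed since the article does not state it.

```python
"""Check both legs of a secure Web Publishing Rule for certificate name
mismatches. Certificates are dicts shaped like ssl.getpeercert() output; the
ones below are constructed samples, not real certificates."""
import socket
import ssl


def cert_names(cert):
    """Return the DNS names a certificate is valid for. Per RFC 6125, when
    subjectAltName DNS entries exist they are authoritative and the subject
    commonName is ignored; the CN is used only as a fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Match one certificate name against a host name: case-insensitive, and a
    wildcard is allowed only as the entire leftmost label, matching one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def check_rule(rule):
    """Report mismatches on both legs of a rule. Keys: 'internal_name' (TO tab),
    'server_cert' (published site's cert), 'public_name' (Public Name tab),
    'listener_cert' (cert bound to the Web Listener). Empty list means OK."""
    findings = []
    if not cert_covers(rule["server_cert"], rule["internal_name"]):
        findings.append("internal leg: TO tab name %r is not on the published "
                        "server's certificate (valid for %s); ISA reports 'The "
                        "target principal name is incorrect'"
                        % (rule["internal_name"], cert_names(rule["server_cert"])))
    if not cert_covers(rule["listener_cert"], rule["public_name"]):
        findings.append("public leg: public name %r is not on the Web Listener "
                        "certificate (valid for %s); browsers warn and non-browser "
                        "clients simply fail"
                        % (rule["public_name"], cert_names(rule["listener_cert"])))
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the certificate a live endpoint presents, to use as 'server_cert'
    or 'listener_cert'. Host-name checking is disabled on purpose so that a
    mismatched certificate can still be read and reported; chain validation
    stays on, because with CERT_NONE getpeercert() returns an empty dict.
    Needs network access, so the offline run below does not call it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates mirroring the article's scenario.
SERVER_CERT = {"subject": ((("commonName", "secure.msfirewall.org"),),)}
WRONG_LISTENER_CERT = {"subject": ((("commonName", "wrongcert.msfirewall.org"),),)}
GOOD_LISTENER_CERT = {
    "subject": ((("commonName", "ignored.msfirewall.org"),),),
    "subjectAltName": (("DNS", "*.msfirewall.org"),),
}

# The rule as first created in the article: wrong name on both legs.
BROKEN_RULE = {
    "internal_name": "ssl.msfirewall.org",
    "server_cert": SERVER_CERT,
    "public_name": "www.msfirewall.org",  # assumed; the article does not state it
    "listener_cert": WRONG_LISTENER_CERT,
}
# After correcting the TO tab and binding a listener certificate that matches.
FIXED_RULE = dict(BROKEN_RULE, internal_name="secure.msfirewall.org",
                  listener_cert=GOOD_LISTENER_CERT)

if __name__ == "__main__":
    for label, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(label, check_rule(rule) or ["OK"])
```

Because the Test button only covers the internal leg, run the public-leg check from outside the firewall (fetch_peer_cert against the listener's external address) before declaring a rule finished; that is the check the wizard's warning stands in for.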
In this first part of a two part article series on the details of ISA 2006 Service Pack 1 we went over the details of the Change Tracking feature and the Test button for Web Publishing Rules. In the next article we’ll take a deep dive into the new Traffic Simulator and the enhancements included with the diagnostic logging feature. We’ll also go into several troubleshooting scenarios to show you how you can put these great new features into practice on your production ISA firewalls. See you then! –Tom.