Amy Babinchak’s ISA/SBS Series: Configuring Trend Micro CSM for SSL with ISA Server 2000

Each range that you specify gets its own key. If you are really geeky you could enter the information by hand but having gotten used to and embraced the SBS wizards (finally), using a GUI tool for this is the way to go. A nice one was written by Carl Calvello and is hosted by www.isatools.org called ISASecPort. It is great for adding SSL ports to the registry. Visit Jim Harrison’s www.isatools.org site to download this free tool.

Once you’ve downloaded the ISASecPort.zip file unpack it, read the readme file and

install the application and the VB runtime. Then double click SecurePort.exe to launch the program. Figure 1 is a screen capture of the program interface.

Figure 1:

In the Select Array Name box you can either enter your server name or leave it blank and press the Connect button. Any SSL ports already configured on your server will now be in the Secure Ports on Array box. To add the required port for CSM, in the Add New Port Range boxes enter 4343 in both the Start Port and End Port fields, then click the Add New Port button. That’s it. ISA is now ready for your CSM to speak SSL on port 4343.

Thank goodness for the SBS and ISA community. A great blog entry is found at Kevin Weilbacher’s site from Les Connor with suggestions for configuring CSM once you have it installed. His comments were added to by Susan Bradley in her blog.

You can find them here:

http://msmvps.com/kwsupport/archive/2004/06/19/8543.aspx

http://msmvps.com/bradley/archive/2004/05/07/6038.aspx

A couple of notes on configuring CSM for SBS:

CSM wants to use port 8080. During the installation process you’ll be given an opportunity to change this. Change to port any unused port you like. I use port 8090.

Not changing the default port will result in no clients being able to access the Internet, including the SBS server. Some also suggest creating a new website for CSM to reside in. I’ve not run into a problem using the default site and specifying a port other than 8080 for it to use.

Load the firewall client on workstations. If you aren’t using the firewall clients yet, start now. Doing so creates ISA logs and reports listed by username rather than IP address. This makes troubleshooting much easier. Add port 4343 to the SSL tunnel list as described above.

Pay special attention to the portion of Les’ instructions on separating your SBS server from the workstation by creating a separate “domain” in CSM for your server. Once you’ve created a separate space for your server then you can set directory exclusions to prevent particular folders and files from being scanned. You do not want CSM to scan your Exchange database, queues or the Trend folders. By default CSM will scan your Exchange database and this could end up costing you data. At a minimum you should exclude these folders and files:

C:\Program Files\Exchsrvr\Mailroot\vs 1\PickUp
C:\Program Files\Exchsrvr\Mailroot\vs 1\Queue
C:\Program Files\Exchsrvr\MDBData
C:\pagefile.sys

There are separate exclusion lists for Scheduled scans, manual scans and automatic scans so you may need to enter your list of exclusions up to 3 times depending on which types of scans you are going to be running on the server.

I’ve left the how to configure CSM to catch the most virus, spam, malware, and prohibited content purposely out of this article. There are as many opinions on this topic as there are spammers and hackers in cyberspace. Once you’ve done the installation as above CSM will play nice on your SBS server and is ready for you to configure as you wish.