Amy Babinchak’s ISA/SBS Series: Configuring Trend Micro CSM for SSL with ISA Server 2000

By Amy Babinchak



 Harbor Computer Services
 Small Business Computer Specialists
 Office (248) 546-6056
 Mobile (248) 890-1794



Got Questions?
Discuss this article at:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014334

Trend Micro has made a wonderful product for SBS called Client/Server/Messaging Suite (CSM). However, they haven’t yet produced great documentation for how to install it on SBS. This product provides anti-virus, anti-spam, content filtering, and malware/spyware detection. To make this all work, the setup makes some pretty grand assumptions about IIS, Exchange and ISA, not all of which are relevant to a typical SBS installation. In this article I’ll alert you to some of the pitfalls, point you to some great community resources, and show how to configure ISA to allow SSL communications on port 4343 for CSM.

Although you can configure ISA at any time to handle SSL on port 4343 it will make the installation go a little smoother if you do it before you begin the CSM installation.

ISA provides SSL services on ports that you tell it to. The list of SSL ports is contained in the registry at:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Arrays\{156B14DF-4F0E-4684-9451-C9B2F9E12EE2}\ArrayPolicy\WebPolicy\Proxy-TunnelPortRanges

Each range that you specify gets its own key. If you are really geeky you could enter the information by hand, but having gotten used to and embraced the SBS wizards (finally), I find that using a GUI tool for this is the way to go. A nice one, called ISASecPort, was written by Carl Calvello and is hosted at www.isatools.org. It is great for adding SSL ports to the registry. Visit Jim Harrison’s www.isatools.org site to download this free tool.

Once you’ve downloaded the ISASecPort.zip file, unpack it, read the readme file and install the application and the VB runtime. Then double click SecurePort.exe to launch the program. Figure 1 is a screen capture of the program interface.

Figure 1: The SecurePort.exe program interface

In the Select Array Name box you can either enter your server name or leave it blank and press the Connect button. Any SSL ports already configured on your server will now be in the Secure Ports on Array box. To add the required port for CSM, in the Add New Port Range boxes enter 4343 in both the Start Port and End Port fields, then click the Add New Port button. That’s it. ISA is now ready for your CSM to speak SSL on port 4343.
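To show what the 4343 entry changes, the following added example (not part of the original article and not ISA Server code) models an SSL tunnel port list in Python: a CONNECT request to a port outside the configured ranges is refused, and the same request is tunneled once the range is added. The class name, the host name and the starting list of 443 and 563 are assumptions made for illustration.

```python
# Added illustration: a model of a proxy's SSL tunnel port allow-list.
# Not ISA Server code; names and the starting ranges are assumptions.
import re

CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")


class TunnelPortRanges:
    def __init__(self, ranges=()):
        self.ranges = []
        for start, end in ranges:
            self.add(start, end)

    def add(self, start, end):
        """Add an inclusive range, like the Start Port / End Port fields."""
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port range {start}-{end}")
        if (start, end) not in self.ranges:
            self.ranges.append((start, end))

    def allows(self, port):
        return any(start <= port <= end for start, end in self.ranges)

    def decide(self, request_line):
        """Return 'tunnel' or 'deny' for one CONNECT request line."""
        m = CONNECT_RE.match(request_line.strip())
        if not m:
            return "deny"  # not a well-formed CONNECT request
        return "tunnel" if self.allows(int(m.group(2))) else "deny"

    def broad(self, max_width=1):
        """Ranges wider than max_width ports: candidates for tightening."""
        return [(s, e) for s, e in self.ranges if e - s + 1 > max_width]


def demo():
    # Constructed request from a client reaching CSM over SSL on port 4343.
    req = "CONNECT sbs01.example.local:4343 HTTP/1.1"
    policy = TunnelPortRanges([(443, 443), (563, 563)])  # assumed starting list
    before = policy.decide(req)
    policy.add(4343, 4343)  # Start Port = End Port = 4343
    after = policy.decide(req)
    return before, after, policy.broad()


if __name__ == "__main__":
    print(demo())
```

Entering 4343 as both the start and the end port keeps the list to a single extra port, which is what `broad()` checks for.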

Thank goodness for the SBS and ISA community. A great blog entry from Les Connor, found at Kevin Weilbacher’s site, has suggestions for configuring CSM once you have it installed. Susan Bradley added to his comments in her blog.

You can find them here:

http://msmvps.com/kwsupport/archive/2004/06/19/8543.aspx

http://msmvps.com/bradley/archive/2004/05/07/6038.aspx

A couple of notes on configuring CSM for SBS:

IIS:

CSM wants to use port 8080. During the installation process you’ll be given an opportunity to change this. Change it to any unused port you like. I use port 8090.

Not changing the default port will result in no clients being able to access the Internet, including the SBS server. Some also suggest creating a new website for CSM to reside in. I’ve not run into a problem using the default site and specifying a port other than 8080 for it to use.

ISA:

Load the firewall client on workstations. If you aren’t using the firewall clients yet, start now. Doing so creates ISA logs and reports listed by username rather than IP address. This makes troubleshooting much easier. Add port 4343 to the SSL tunnel list as described above.

Exchange:

Pay special attention to the portion of Les’ instructions on separating your SBS server from the workstations by creating a separate “domain” in CSM for your server. Once you’ve created a separate space for your server, you can set directory exclusions to prevent particular folders and files from being scanned. You do not want CSM to scan your Exchange database, queues or the Trend folders. By default CSM will scan your Exchange database, and this could end up costing you data. At a minimum you should exclude these folders and files:

C:\Program Files\Exchsrvr\Mailroot\vs 1\PickUp
C:\Program Files\Exchsrvr\Mailroot\vs 1\Queue
C:\Program Files\Exchsrvr\MDBData
C:\pagefile.sys


There are separate exclusion lists for Scheduled scans, manual scans and automatic scans so you may need to enter your list of exclusions up to 3 times depending on which types of scans you are going to be running on the server.

I’ve purposely left out of this article how to configure CSM to catch the most viruses, spam, malware, and prohibited content. There are as many opinions on this topic as there are spammers and hackers in cyberspace. Once you’ve done the installation as above, CSM will play nice on your SBS server and is ready for you to configure as you wish.

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=014334 and post a message.
