ISA Firewall SP 2 Branch Office Features - Turn 'em Off!
I’ve seen a number of reports about alerts and errors generated by features included with the ISA firewall’s SP2. The Service Pack 2 Branch Office features are the primary offenders. The errors are causing a lot of stress and strain in the ISA firewall admin community because these ISA firewall admins don’t completely understand what the Branch Office improvements do and when they should be enabled or disabled.
The first thing you should do is go to http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sp2.mspx and read the ISA firewall SP2 white paper. This white paper is an excellent review of the new features included with SP2 and will give you a lot of insight into what’s happening under the hood with SP2.
The Branch Office features included with SP2 were designed with a very specific branch office scenario in mind, and there are a lot more components to this branch office scenario than just a site to site VPN link. In fact, you don’t even need a site to site VPN link to get the most out of the ISA SP2 Branch Office feature set. The reason for this is that the Branch Office features are keyed to the ISA firewall’s Web proxy filter features and capabilities. This means you’ll get your biggest bang for the buck in forward and reverse proxy scenarios.
If you don’t have a branch office setup, or you’re using SBS and trying to extend the SBS organization using a site to site VPN, or even if you have a site to site VPN without SBS, but don’t understand how the Branch Office updates work or know that your Branch Office scenario doesn’t mirror the assumptions in the ISA SP2 Branch Office updates scenario, then you should disable those features on your ISA firewall(s).
Specifically, you should disable the following Web filters:
- DiffServ Filter
- Compression Filter
- Caching Compressed Content Filter
In the figure below, you’ll see that these filters are disabled. In fact, you should disable all filters that you’re not using to get the best performance and stability out of your ISA firewall. In the figure below you’ll see that I’ve disabled the Branch Office Updates filters and the SecurID filter, since I’m not using SecurID authentication on this ISA firewall.
The figure below shows the Application Filters installed on my ISA firewall. I’ve also disabled a number of filters here that I don’t use. If you don’t use SOCKS4, H.323, or the SMTP filter, make sure you disable them.
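The same clean-up can be scripted instead of clicked through, which is handy when you have several ISA firewalls to tidy up. The script below is an added example, not code from the original post or from Microsoft; it assumes the ISA Server 2004 administration COM object model (FPC.Root, GetContainingArray, Extensions.WebFilters, Extensions.ApplicationFilters, the Name and Enabled properties and Save), and the filter names are taken from the console as described above, so check both against your own installation before running it.

```powershell
# Added example: disable the SP2 Branch Office Web filters and a few unused
# Application Filters on an ISA Server 2004 firewall.
# ASSUMPTION: object and property names follow the ISA 2004 SDK COM model.
# Run on the ISA firewall itself with ISA administrator rights.

# Web filters to turn off. Add 'SecurID Filter' only if you do not use
# SecurID authentication on this firewall.
$webFiltersToDisable = @(
    'DiffServ Filter',
    'Compression Filter',
    'Caching Compressed Content Filter'
)

# Application filters to turn off only if you do not use these protocols.
$appFiltersToDisable = @('SOCKS V4 Filter', 'H.323 Filter', 'SMTP Filter')

function Disable-IsaFilters {
    param(
        [object]   $Collection,   # FPCWebFilters or FPCApplicationFilters
        [string[]] $Names,        # display names as shown in the console
        [switch]   $DryRun        # report what would change, change nothing
    )
    foreach ($filter in $Collection) {
        if ($Names -notcontains $filter.Name) { continue }
        if (-not $filter.Enabled) {
            Write-Host ("Already disabled: {0}" -f $filter.Name)
            continue
        }
        Write-Host ("Disabling:        {0}" -f $filter.Name)
        if (-not $DryRun) { $filter.Enabled = $false }
    }
}

$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()      # the array this firewall belongs to
$ext   = $array.Extensions

# First pass with -DryRun shows the effect; drop the switch to apply it.
Disable-IsaFilters -Collection $ext.WebFilters         -Names $webFiltersToDisable
Disable-IsaFilters -Collection $ext.ApplicationFilters -Names $appFiltersToDisable
$array.Save()                           # commit the change to the configuration

# Verify: list every filter that is still enabled so nothing unexpected remains.
Write-Host "`nFilters still enabled:"
foreach ($f in $ext.WebFilters)         { if ($f.Enabled) { Write-Host ("  Web: {0}" -f $f.Name) } }
foreach ($f in $ext.ApplicationFilters) { if ($f.Enabled) { Write-Host ("  App: {0}" -f $f.Name) } }
```

Run it once with -DryRun on both calls (and without the Save) to confirm the names match what the console shows before you let it change anything.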
I’ll do a more detailed article in the future regarding the Branch Office Updates and discuss in detail the supported scenarios. I’ll include network diagrams and examples of where you’ll get significant performance improvements with the SP2 Branch Office Update features, and also include examples where you get nothing out of the updates. Stay tuned to this channel for more information! Thanks! --Tom.