ISA Server 2006: Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration – Post Installation Tasks, Part 2

Installing ISA Server 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration – Post Installation Tasks, Part 2

If you would like to read the other parts in this article series, then check them out at:

• ISA Server 2006: Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration – Post Installation Tasks
• ISA Server 2006: Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration – Post Installation Tasks (Part 3)
• ISA Server 2006: Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration – Post Installation Tasks Part 4

Configure Connectivity Monitors

Connectivity Monitors are a useful tool you can use to alert you when connectivity to key network infrastructure services becomes unavailable. For example, you can set connectivity monitors for your Internet gateway, published Web servers, DHCP servers, domain controllers and DNS servers. When the ISA firewall detects that connectivity to these services is broken, an e-mail alert can be sent to you notifying you of this condition.

Click on the Connectivity Verifiers tab. Then perform the following steps to create a connectivity verifier:

1. On the Tasks tab in the Task Pane, click the Create a New Connectivity Verifier link.

Figure 1

2. On the Welcome to the New Connectivity Verifier Wizard page, enter a name for the connectivity verifier. In this example we’ll configure a connectivity verifier that pings the WAN interface of our Internet gateway router, so we’ll name it Internet Gateway. Click Next.

Figure 2

3. On the Connectivity Verification Details page, enter the IP address or the URL for the device for which you want to test connectivity. In this example we want to test the connectivity status of the WAN interface of our Internet gateway router, so we’ll enter the IP address. If you’re testing Web site connectivity, you might wish to enter a URL. In the Group type used to categorize this connectivity verifier drop down box, select the type of connectivity verifier group this belongs to. I selected Other since none of the groups provided neatly fit into Internet gateway testing. In the Verification method section, select the method used to test connectivity. You can choose Send an HTTP “GET” request, Send a Ping request, or Establish a TCP connection to port. In this example we’ll select the Send a Ping request option. If you want to test for Web services, use the HTTP GET option. If you’re publishing a TCP based service, use the Establish a TCP connection to port option. Click Next.

Figure 3

4. Click Finish on the last page of the wizard.

Configure Firewall and Web Proxy Logging

Right out of the box, the ISA firewall is ready to log all connections moving to and through the ISA firewall. However, there are still several options you might want to consider before accepting the out of the box logging configuration. To start configuring these options, click the Logging tab in the middle pane of the console and then perform the following steps:

1. Click the Tasks tab in the Task Pane and then click the Configure Firewall Logging link.

Figure 4

2. In the Firewall Logging Properties dialog box, click the Log tab. Here you have the option to change the log storage format. If you used the default options when installing the ISA firewall software, MSDE logging will be your log storage format. You have the option to change to either SQL Database or text File format logging.

   MDSE logging provides you the opportunity to get the most out of the ISA firewall’s built in log query feature, file based logging gives you the best performance, and SQL logging provides for off-box logging, but the worst performance.
   
   

Figure 5

3. Click the Fields tab. Most of the fields are selected and enabled as part of the default logging configuration. However, there are still a number of fields that are not selected. You should examine the unselected fields to see if you might want to have those enabled so that you capture this information. If the field isn’t enabled, then the ISA firewall will not log and store the data in that field. Click OK to save the changes.

Figure 6

4. Click the Configure Web Proxy Logging link on the Tasks tab. Here you’ll see the same log storage options you had for the Firewall service logging. One thing to make note here that I didn’t point out earlier is the Enable logging for this service option. If you want to completely turn off logging for the Firewall service, or Web proxy filter, then you can remove the checkmark from this checkbox. I don’t recommend doing this, but I suppose if you’re trying to do something illicit and you don’t want anyone to find out what you’ve done, you can turn off logging. Of course, someone will later come back to you and ask for an explanation of the “gaps” in the log files. Honesty and accountability is the best policy, so don’t disable logging.

Figure 7

5. If you choose to deploy MSDE logging, then click the Options button to the right of that option. Here you can choose where to save the ISA firewall’s log files. The default location is the ISALogs folder in the Microsoft ISA Server 2006 folder hierarchy. You can change the folder location, but in circumstances where you have a multiple server array (a situation we’re not confronted with in our current single server array example), then you must make sure the same folder location is available on all array machines.

   You also have the option to set Log file storage limits. The default total size of all log files is 8 GB. You can also set a limit on the minimum free disk space, which is 512 MB by default. You might want to set this a little higher if you have available disk space, as you might need more than that under certain disaster recovery operations. To maintain your storage limits, you can choose either Deleting older log files as necessary or Discarding new log entries. I highly recommend that you accept the former option, as its likely that you already have log summaries created to enable report creation.
   
   

Figure 8

This is just a basic overview of the logging features and functions. Make sure to check the Help file, future articles, and of course our book (when it comes out later this year) for much more comprehensive coverage of these subjects. Keep in mind that logging is a key post-installation task, so the sooner you know about the options, the better.

Create and Export Frequently Used Filter Definitions

One thing that hasn’t received enough attention on the ISAserver.org Web site is how to use ISA firewall filter definitions to query the MSDE logs. Filter Definitions make it easy to drill down on the log data you’re interested in and get answers you need fast. This is one of the major advantages you have with MSDE logging over file based logging and SQL logging. While you can use third party tools to query the text files, or SQL queries to query the SQL database, neither of these approaches are as intuitive or as user friendly as using the ISA firewall’s built-in log query functions.

To get to the ISA firewall’s log query interface, click on the Logging tab and then click the Edit Filter link on the Tasks tab of the Task Pane.

Figure 9

This brings up the Edit Filter dialog box. In the Edit Filter dialog box you chose the following options:

• Filter by
• Condition
• Value

For example, suppose we want to “eyeball” a live logging session to see what’s happening on the wire, but we want to filter out “noisy” protocols and communications. NetBIOS protocols are aboutthe biggest noise makers on your network. How about removing all references to NetBIOS protocols while you’re watching the real time log viewer? You can do that by filtering by Protocol, setting the Condition as Not Contains, and set the Value as NetBIOS.

You also probably aren’t interested in any communications sent to the limited broadcast address (255.255.255.255). You can filter out those entries by filtering by Destination IP, setting the Condition as Equals, and enter 255.255.255.255 as the Value. The figure below shows the result of this configuration.

Figure 10

Now that you’ve taken the time to create a log Filter Definition, how about saving it so that you don’t have to configure the Filter Definition every time you want to filter the logs? That’s easy to do. All you need to do is click the Export Filter Definition link in the Tasks tab of the Task Pane, save the Filter Definition with a name that you’ll be able to easily recognize, and save it, as seen in the figure below.

Figure 11

I have a couple dozen Filter Definitions defined that I use on a regular basis. Whenever you create a Filter Definition to query the ISA firewall’s log files, think about whether you’ll ever want to use that Definition again. If so, save it. It’ll save you a lot of time in the future.

Enter IP Addresses of Remote Management Computers

Remote Management computers are machines that have the ISA firewall console installed on them. Remote Management computers must have access to a number of protocols when connecting to the ISA firewall’s array member’s Local Host ISA firewall Network. Examples of these protocols include MS Firewall Control Protocol, NetBIOS datagram, NetBIOS Name Service, NetBIOS Session Service, and all RPC interfaces.

In addition, Remote Management computers must also be able to access MS CIFS, and MS Firewall Storage. For this reason, you must be extremely careful as to what computers are allowed to remotely manage the ISA firewall array. The remote management station must be exceptionally secure to prevent potential compromise by an otherwise trusted machine.

You can get a good view of what protocols and services Remote Management computers need to access on the ISA firewall’s Local Host ISA firewall Network by viewing the System Policy Rules in the Firewall Policy node in the left pane of the ISA firewall console.

To enter the IP addresses of the Remote Management computers, click on the Firewall Policy node in the left pane of the console, then click the Toolbox tab. On the Toolbox tab, click the Computer Sets folder and then double click on the Remote Management Computers entry. You’ll see the Remote Management Computer Properties dialog box as it appears in the figure below. Note that the IP address of the ISA firewall itself is automatically included in the list.

Figure 12

Click the Add button and select Computer. In the new Computer Rule Element dialog box, enter a name for the Remote Management station computer, and the IP address and a description. Click OK and then click OK again. Remember that configuration isn’t saved to the CSS until you hit the Apply button.

Configure Direct Access List

Direct Access, when it comes to Web proxy deployments, is a bit of a misnomer. The reason for this is that it’s unlikely that you’ll ever “directly access” any computers on the Internet. Instead, the Web proxy Direct Access list is a list of IP addresses and Internet host names for which you want to bypass the Web proxy client configuration. When the Web proxy client configuration is bypassed, the client computer must use a method other than its Web proxy client configuration to reach the destination site.

In the example of the unihomed Web proxy only ISA firewall that were covering in this article series, that means clients must leverage the default gateway configuration to reach the destination site (since the Firewall client configuration is not supported in a unihomed Web proxy only ISA firewall configuration).

The Direct Access list should be populated with sites that are well known for being non-compliant with authenticating Web proxies. Unfortunately, most of the Microsoft Web properties are non-compliant and need to be configured for Direct Access. This includes, but is not exclusive to: hotmail.com, passport.com, passport.net, Windows updates sites, and msn.com. While this may be true of this writing, there’s always a chance that Microsoft will update their network infrastructure to support clients located behind authenticating Web proxies.

For more information on Direct Access for both Web proxy and Firewall clients, see my articles at:

http://www.isaserver.org/articles/2004directaccessp1.html

and

http://www.isaserver.org/articles/2004directaccessp2.html

To configure the Web proxy Direct Access list, click the Networks node located under the Configuration node in the left pane of the ISA firewall console. Click the Networks tab in the middle pane of the console, and then double click the Internal entry. In the Internal Properties dialog box, click the Web Browser tab. You’ll see something that looks like the figure below.

On the Web Browser tab, you have the following options:

• Bypass proxy for Web servers in this network This is a very deception description for this setting, as it implies that the ISA firewall magically knows the servers “on this network”. That is not the case. What happens when this setting is enabled is that access to servers via single label name will be done via Direct Access. For example, https://OWASERVER is a single label name. On this other hand, https://owa.msfirewall.org is not a single label name.
• Directly access computers specified in the Domains tab The Domains tab is used by the Firewall client to configure Direct Access connections for Firewall clients. In the unihomed Web proxy only ISA firewall configuration, you would never use the Domains tab, so you can ignore this setting. It is useful in a full ISA firewall deployment.
• Direct access these servers or domains This section allows you to add servers and IP addresses to the Direct Access list. Here is where you add the names of servers that do not support Web proxy or authenticating Web proxy connections. As I mentioned earlier, Microsoft Web properties are notorious for not supporting connections through authenticating Web proxy or Web proxies at all. Java sites are also well known for breaking when clients are located behind Web proxy servers. Use the Add button to bring up the Add Server dialog box to add these entries. Note that you can use wildcards if you need to configure an entire domain for Direct Access.
• If ISA is unavailable, use this backup route to connect to the Internet This option enables the Web proxy client to bypass the unihomed Web proxy only ISA firewall when the ISA firewall is unavailable. In this case, the Web proxy client can reach the Internet via its default gateway configuration. However, if the clients are not configured with a default gateway configuration that will allow them Internet access, then you have the alternative to configure the Web proxy clients to use an alternate ISA firewall as a Web proxy.

Note that all of these options apply only to machines configured as Web proxy clients, and those Web proxy clients must be able to access the ISA firewall’s autconfiguration script. You can assign the autoconfiguration script via Group Policy, via wpad autodiscovery, by manually configuring the clients to use it, or by setting Web proxy client configuration settings during Firewall client installation (note that this option is not available in the unihomed Web proxy only ISA firewall configuration.

Figure 13

Have Questions about the article?  Ask at: http://tinyurl.com/mvl2w

Summary

In this article we continued our review of post-installation tasks for unihomed Web proxy only ISA firewalls configured in a single member ISA Server 2006 Enterprise Edition array. In part 3 of this article series we’ll complete our review of post installation tasks.