ISAServer.org Chat Transcript — May 29 2003

Note: The Chat Room is always open! We have scheduled chats once a week but you’re welcome to visit the chat room at any time to discuss ISA Server related issues. The Chat Room is at:

http://groups.msn.com/ISAServerorgChat/chat.msnw

DrTom : Hey guys, sorry I’m late!

Stefaan : Ha... I've been living in the networking world for more than 25 years now. So, I would say experience...

frihani : Hey DrTom

Stefaan : Hi Tom!

DrTom : Hi Frihani!

DrTom : Hi Stefaan!

DrTom : What are you guys talking about today?

frihani : 25+ years... Ah ha! Now I know your secret.

DrTom : Stefaan — I really appreciate your protocol approach to solving ISA Server config and connection problems

frihani : Should we start a topic?

DrTom : What is a popular topic that everyone seems to have problems with?

frihani : Dr Tom, what have you been working on currently vis-à-vis the VMware lab?

Stefaan : Well, I was and am still very interested in how all those protocols really work: TTY, bisync, X.25, TCP/IP...

DrTom : How about publishing OWA?

DrTom : Frihani — I have been working on VPN client setups for all versions of Windows

frihani : Ohh! Good one... actually I need to publish RPC and have just found your article, Dr.

DrTom : Using the new L2TP/IPSec client too!

DrTom : Publishing Exchange RPC is pretty easy, as long as you get the name resolution issues handled correctly

DrTom : Although, I hear there are a lot of problems with Windows XP SP1. I don’t use XP SP1, so I haven’t had a chance to test it; it works fine without SP1.

frihani : Interesting... I only recently became interested in VPN configs... quite powerful.

DrTom : Stefaan — yes, protocol level understanding is key to really understanding how these things work, your analysis is always very interesting and enlightening!

Stefaan : Tom, thanks! Did you already test ISA on W2K3 as VPN endpoint for L2TP/IPSec NAT-T?

DrTom : Frihani — yes, the VPN configs are very interesting. I’m putting together a very comprehensive VPN deployment kit on VPN client setup, VPN server setup, VPN gateway setup and Certificate Server setup

DrTom : It will be very easy to find the information you need, when you need it

DrTom : And it’s hard to do that now! It won’t be hard when I’m done

DrTom : I hope

DrTom : Stefaan — I have tested the L2TP/IPSec client and it works great!

frihani : That is quite a monster... BTW, your books have become the one-stop resource for all ISA Server admins.

DrTom : Stefaan — I tested the Win9x and the Win2k L2TP/IPSec VPN client with the client behind an ISA/Win2003 server and the clients were connecting to a ISA/VPN/Win2003 server. Works great!

Stefaan : Tom, which packet filters do we need on ISA? UDP 500 and 4500 for sure, but is UDP 1701 also needed?

frihani : Dr Tom, are you using traversal (UDP?)

DrTom : Frihani — Yes! The VPN deployment kit is going to be really big — but it will be easily manageable because there will be a doc at the beginning that will guide you through the docs you need to go through

frihani : encapsulating the data packets and all that.

DrTom : Stefaan — NO protocol rules are required for UDP 1701. However, a packet filter is required for UDP 1701 on the Win2003 VPN Server.

DrTom : You need to create packet filters for UDP 500 receive/send and UDP 4500 receive/send and UDP 1701 receive/send.

DrTom : You need to create Protocol Rules for UDP 500 send/receive and UDP 4500 send/receive

DrTom : That’s all you need.

DrTom : The ESP header is encapsulated in the UDP 4500 header

frihani : Do you have problems dropping the line?

DrTom : Frihani — no problems with dropping the line

DrTom : When the ESP header is removed, it exposes UDP 1701, and at this point it’s not exposed to the ISA Server packet filters

frihani : So you could basically set it up once and have it run continuously?

frihani : I thought that was IP Protocol 51 or something like that

DrTom : Frihani — yes! Once it’s set up, it just works.

frihani : Interesting... quite valuable knowledge.

DrTom : Frihani — you don’t need to allow any IP protocols through because the IPSec policy agent handles the packet before the packet filters see it

DrTom : Check out the VPN server and VPN gateway docs for Windows 2003 over at the www.microsoft.com/vpn site — they are very very good!

frihani : As you see it now, is the configuration difficult? I mean, is there lots of room for problems?

DrTom : because, how does the UDP header become exposed? We don’t need to open a packet filter for IP Protocol 51!

frihani : have you seen any industry shifts with regard to vpn and firewalls?

DrTom : Stefaan — perhaps the ISA Server packet filters “see” IP Protocol

frihani : like checkpoint, symantec etc

DrTom : Sorry that’s IP Protocol 50

DrTom : Frihani — what type of shifts are you thinking of?

DrTom : I know that they are getting more interested in layer 7 — which they’ve essentially ignored in the past

DrTom : I think they see Microsoft biting at their heels in this area — and I’m sure subsequent versions of ISA Server will have even more powerful layer seven inspection

frihani : Well, Checkpoint’s solutions, i.e. the VPN client, had good intentions but are just too messy to work with

frihani : I wonder if any improvements have been made

DrTom : Frihani — third party VPN clients are really paradoxical to me. Here you have a VPN client, the MS VPN client, built into every Windows operating system. It works great, and connects to MS VPN server with no problem and the client is so, so very easy!

frihani : Can you point to a reference regarding the “layer” idea

DrTom : I’ll never understand why people want to use 3rd party VPN!

frihani : Well, people normally responded that the other end had limited requirements (specific firewall version)

DrTom : Frihani — the layer 7 idea? There were some front page articles on CNET a few weeks ago that they were getting into “advanced layer 7 filtering” when ISA Server already does this and can be easily extended by 3rd parties or even yourself if you’re good

DrTom : with C++

frihani : Has anyone worked with C++ filters etc? Like the SOCKS5 build?

DrTom : frihani — yes. I think price is the thing. You can get a “SOHOware” or FireBox or something like that with a limited number of connections for less than a Win2k/Win2003 box. And businesses that are price sensitive will go with those solutions

DrTom : Frihani — the SOCKS 5 filter in the SDK was just an example, I don’t believe it actually works

frihani : With regard to price.. the proven features of ISA are certainly worth it…

frihani : Yeah, I have not heard any positive response about SOCKS5

DrTom : Frihani — yes, I agree. What is a challenge is that people want to put it on things like SBS server! That immediately reduces the functionality and protection provided by the firewall

Stefaan : Tom, do you have any news about when the updated L2TP/IPSec client with NAT-T will be available again?

DrTom : Stefaan — I was able to get the NAT-T client for Win2k yesterday, but I still haven’t found the NAT-T client for WinXP — no information yet on when it will come back

DrTom : It seems that the problem was with interoperability with Symantec firewalls — that doesn’t seem like a bug to me

Stefaan : Haha… that’s a good one

Stefaan : Can you install ISA server on W2K3 web edition or isn’t that possible?

frihani : I don’t think that is possible...

DrTom : I think one thing ISA Server has a problem with is that it sees the world in terms of “internal” and “external”. Most firewall admins want to use the firewall as a “firewall/router”

frihani : Have you tried W2K3 with ISA at all?

DrTom : Stefaan — I haven’t tried on Web Edition yet! That would be interesting. I’ll put it on my list of things to check.

DrTom : Frihani — I’ve been using ISA Server on Win2003 for a couple of months

frihani : Production server?

DrTom : Very, VERY stable in my limited experience (limited in that I have no customers using it on Win2003 yet)

frihani : When will you feel comfortable migrating your clients?

DrTom : Production in that my own business depends on it and it handles about 20-25 GB of traffic/month

DrTom : Frihani – YES. I feel very comfortable moving my clients to an ISA/Win2003 solution. More stable, more secure, and some neat features like NetBIOS proxy for the smaller businesses

frihani : “Very, VERY stable” sounds quite convincing... and behind the firewall? Exchange, services etc. on W2K3?

DrTom : Frihani — no problem publishing Exchange RPC, SMTP, POP3, IMAP4 or SSL

Stefaan : Tom, when will the hotfix be publicly available for the UDP publishing issue?

frihani : What about running Exchange on W2K3?

DrTom : It does it all without a hitch. Same as Win2k, but I almost forget about it in Win2003 because services never seem to get “hung up”

DrTom : Stefaan — it’s available now. Check out the latest fixpack. Hold on and I’ll point you to it.

DrTom : Here it is: http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493

frihani : Has anyone worked with intrusion detection systems? I’ve worked with Snort,

frihani : but after ISA, I never caught anything

DrTom : Frihani — I’ve not found the ISA Server IDS very useful

Stefaan : Tom, I saw that KB, but you have to contact MS to get it. So, no free download yet?

DrTom : Stefaan — that’s true. Jim told me it was a fix for the problem, but I haven’t installed it yet to confirm

DrTom : Maybe we can post to the ISAServer.org mailing list and someone will make it available?

Stefaan : Good idea!

DrTom : I hate sitting on the phone, and even though I don’t have to pay for it, it still takes a good amount of my time to get it.

frihani : hehe

DrTom : Anyone use the SMTP filter?

Stefaan : Can Jim not publish it on isatools.org?

DrTom : I find that it can be very useful, but it’s very difficult to manage

frihani : Dr Tom, I’ve tried it but it was rejecting Exchange-to-Exchange communication

frihani : and had to disable it

DrTom : Most people don’t want to spend hours and hours coming up with keywords and domains and then not have an easy mechanism to back up and restore this information

frihani : Isn’t there scripting for that?

DrTom : Frihani — what type of Exchange to Exchange? SMTP messages from one Exchange Server to another?

DrTom : Frihani — if there is scripting for that, I haven’t found it!

frihani : I think it was some sort of Auth smtp command that was getting blocked

DrTom : Frihani — Oh! Yes, the original release of the SMTP filter did not support AUTH. That meant that you couldn’t use credentials based authentication

frihani : Right... why has that been fixed?

DrTom : But if you install ISA Server Feature Pack 1 — the SMTP filter works! You can now authenticate when the SMTP filter is enabled

frihani : oh boy

DrTom : You might need to create an entry in the commands list for AUTH, and the size should be 1024 bytes

frihani : I have installed FP1

DrTom : Frihani — then it should work, just make sure to add the entry to the command list. AUTH and 1024 bytes for the size

frihani : I’ll have to test it... thanks for the info

frihani : my bosses will be pleased

DrTom : Frihani — you bet! Let me know how it works out for you!

DrTom : Frihani — tell them you figured it out yourself, then you’ll get a raise in pay

frihani : I think spam (keywords and all that) is a bit difficult to manage...

frihani : Maybe someone should bribe Jim to write a script to import/export SMTP settings

DrTom : Frihani — interesting you say that. I used keywords only. I have a very extensive keyword list that works well for our business

Stefaan : Tom, does RainWall support an ISA trihomed DMZ configuration?

DrTom : It catches about 99% of all spam and a very very very low false positive rate, because I whitelist legit domains so that they bypass the keyword rules

DrTom : Frihani — LOL! I’ll ask him about that

DrTom : Stefaan — good question. I haven’t checked out that scenario yet. Are you wanting to load balance and failover the DMZ interfaces too?

DrTom : I’ve only tried RainWall with machines that have 2 network interfaces, internal and external

frihani : Dr Tom, where do you get your keyword list from?

Stefaan : Yep, a customer has asked that one!

DrTom : Frihani — I’ve created my own over the years. It’s very extensive.

DrTom : Stefaan — ouch! I can ask for you. Do you know Reiko Sato? She is very smart, very friendly and very helpful on RainWall and RainConnect questions!

frihani : Dr Tom, you were right, the AUTH Command is set for 500 length

DrTom : Frihani — 500 might be enough in some circumstances, but MS recommends 1024

Stefaan : No, I have not worked with Rainfinity yet, but have just emailed them for some price info. We have some interest in their products.

DrTom : I have tested it out myself using 1024 and it works nicely!

frihani : What about the other commands? Should I review them against real mail occurrences or are they OK as is?

DrTom : Stefaan — they are very very helpful. I have always been impressed with their professionalism and willingness to work with customers on solving problems

DrTom : Frihani — I don’t find any compelling reason to remove any other commands. I’ve not had problems with the current command list and I haven’t run across anyone who’s had problems (other than the AUTH issue)

frihani : good news.

DrTom : Actually, there is one other issue: STARTTLS. But I think this will be fixed in the future

frihani : TLS security ?

DrTom : Frihani – YES. It would be very good to have that feature for SMTP from your private SMTP clients that are on the road

frihani : Right... well, I wanted to move all external clients to Exchange RPC... but I can’t get it working

Stefaan : Tom – good to hear that! I will contact them (probably in the UK I suppose).

DrTom : Frihani — you can’t get RPC working? Do you know what the problem is?

DrTom : Stefaan — yes! Let them know that I sent you and that you are very active on ISAServer.org and with MS too – and that you’re an MVP — they know what MVPs are

frihani : Well, it may just be my inexperience with client settings in Outlook. What I thought to do was add the MS Exchange Server service in Outlook services and point it to the external mail DNS

frihani : but the syn gets blocked

frihani : Also, the RPC port is listening on 0.0.0.0

DrTom : Frihani — there are some issues with the various builds of Outlook

Stefaan : Hey guys, I have to leave. Thanks for the nice talk!

DrTom : Stefaan — good to have you here!

frihani : Stefaan, thanks again!

DrTom : Let us know what Rainfinity has to tell you

DrTom : Frihani — is the Exchange Server on the ISA Server? If so, RPC publishing will not work

frihani : Exchange is behind ISA

DrTom : Name resolution is very important. Also, don’t force encryption until you get the basics working

frihani : Oh, good thinking

frihani : Name resolution meaning the mailbox name or FQDN?

DrTom : One thing you can do to help is to put a HOSTS file entry on the clients to confirm name resolution is not the issue

DrTom : Exchange depends on the NetBIOS name, it really doesn’t use the entire FQDN

DrTom : So, the host portion of the FQDN must be the same as the NetBIOS name

DrTom : For example, if the NetBIOS name is BLAH, you have to make a FQ

DrTom : sorry — you have to make the FQDN blah.domain.com

DrTom : and have that resolve to the external IP address that’s listening for the RPC publishing rule

DrTom : You can do this in your DNS, or you can create a HOSTS file entry

frihani : Oh, I see... the NetBIOS name is the same for the machine I was testing.

DrTom : It gets tricky too, because not all clients will resolve the unqualified request correctly!

DrTom : For example, since Outlook only cares about the NetBIOS name, it uses a single label name for the name query

frihani : Well, Exchange features are used mostly in the intranet, but for those who want to push the limits...

DrTom : If the query is sent to DNS, the query has to be “fully qualified” which means a domain name has to be appended

DrTom : That name is usually the same as the name of the domain the computer belongs to, now you see the problem?

DrTom : There are ways around this, such as using adapter specific settings, etc.

frihani : Right... the HOSTS file overrides the DNS resolution then

DrTom : Frihani — perhaps the HOSTS file entry would be the best place to start, then you can re-engineer your public DNS after you get things working the way you want them to

frihani : I am glad I have the authority to make site-wide changes then

DrTom : Frihani — that’s right! The entries in the HOSTS file are automatically placed in the DNS client cache immediately after you save the HOSTS file

DrTom : Frihani — LOL! Yes, you will need that!

DrTom : OK guys, I’m going to have to leave. I turn into a pumpkin at NOON and I’ve been a pumpkin now for four minutes

DrTom : I appreciate everyone who had a chance to visit and I hope you can come next week. Let everyone know that you can actually learn something at these chats!

frihani : Thanks for the confidence Tom!

DrTom : Frihani — you bet! See you next week!

DrTom : Bye!

frihani : Ciao.
