SolutionBase: More secrets of an ISA firewall professional

Picking up where the other two ISA Firewall articles left off, this article supplies an additional twelve tips to get the most out of ISA Server 2004 when using it as a firewall.

There are many things ISA firewall (ISA Server 2004) professionals do out of habit that improve the performance, reliability and security of their firewall implementations, but nobody ever thinks to write them down. In this last installment on the series on ISA firewall best practices, we've been going over a number of practices, tips and tricks that experienced ISA firewall administrators use to get the most out of their ISA firewalls. We'll finish up the list in this article.

Quarantine VPN clients

The ISA firewall includes an exceptional remote access VPN server and VPN gateway. The ISA firewall's remote access VPN server enables you to enforce very granular user/group/server/protocol/time-of-day/content-based access controls over what VPN clients can access on the corporate network after establishing the VPN connection. In addition to the fine-tuned access control you have over VPN clients, the ISA firewall includes, out of the box, a VPN quarantine solution that allows you to place VPN clients in a special Quarantine Network until they prove they meet corporate network security requirements for client health.

The ISA firewall leverages the built-in support included with Windows Server 2003 Service Pack 1 for VPN quarantine and extends that support by allowing you to create sophisticated access controls over quarantined VPN clients. The only drawback to the ISA firewall's VPN quarantine feature is that you need to have either advanced scripting skills or be a programmer to create a fully functional VPN quarantine solution. If you don't have these scripting or programming resources available, you can still take advantage of the ISA firewall's VPN quarantine capabilities by using Frederic Esnouf's Quarantine Security Suite (QSS).

Quarantine Control is enabled via the Quarantined VPN Clients properties dialog box as shown in Figure A.

Figure A:

Configuring VPN Client Quarantine settings on the ISA firewall

Hard code the NIC settings and update NIC drivers

There are a handful of issues that can cause poor ISA firewall performance. One of the most common performance related issues is not related to the ISA firewall software itself, but to the settings on the ISA firewall's NIC driver. Often a NIC doesn't correctly autonegotiate with the switch to which it connects. Instead of depending on autonegotiation, configure the NIC at the maximum speed supported by both the NIC and the switch (for example, 100BaseT Full Duplex).

This is done via the Advanced tab on the NIC's properties sheet, as shown in Figure B.

Figure B:

Hard coding the NIC speed in the NIC driver's Properties dialog box

Keep in mind that the ISA firewall will be momentarily disconnected from the switch after you make this change. This will cause all sessions to be disconnected. However, you will not need to restart the ISA firewall device for the changes to take effect.

Use the firewall client tool to troubleshoot firewall client connection problems

ISA firewall administrators sometimes encounter problems with the Firewall client software installed on user computers. While the Firewall client is highly reliable and adds a significant level of security and flexibility to any ISA firewall implementation, there will be times when you need to troubleshoot Firewall client issues. The best way to start is to use the Firewall client tool, which you can download from Microsoft's Web site.

This tool, FwcTool.exe, is a command line utility with which you can test the availability of the ISA Server, test the autodetection feature, apply settings for users and applications and print a copy of the Firewall client configuration settings that can be helpful in troubleshooting.

Configure the DNS settings correctly

The ISA firewall must be able to resolve host names on the corporate network and on the Internet in order to provide the highest level of security. The ISA firewall must be able to resolve Internet host names so that users cannot subvert firewall policy by entering IP addresses instead of host names to connect to Internet resources.

The ISA firewall must also be able to resolve names on the corporate network so that it can authenticate users. The key to DNS success is to configure the internal interface of the ISA firewall with the IP address of a DNS server that can resolve both internal and external names. Also, you should never configure any interface of the ISA firewall with an external DNS server. This has the potential of breaking the ISA firewall's connectivity to your internal network domain.

Use to help with troubleshooting

It seems as if very few days go by without an ISA firewall administrator asking about a problem related to inbound access to published Web sites or SMTP servers. More often than not, the problem is related to a name resolution (DNS) issue.

The best place to start troubleshooting these types of problems is by determining whether external users can correctly resolve the names of your published sites. The problem is that it's sometimes difficult to get to an external connection to these things when you're trying to troubleshoot from inside the LAN. One of the best and easiest ways to check out public DNS issues is to use the DNS Stuff Web site.

This site contains all sorts of useful testing tools, including the following:

  • DNS Report, which detects problems with your DNS hosting
  • DNS Timing, which lets you check the speed of your DNS hosting
  • WHOIS Lookup, for finding registration information for domains
  • Domain Info, which shows you server type and other information about a Web site
  • DNS Lookup, for looking up an A, MX, NS, SOA or other DNS record
  • Reverse DNS Lookup, for looking up domains by IP address
  • City from IP, which lets you find the city or country of origin for an IP address
  • IP Routing Lookup, for determining IP routing information

Best of all, it's all free.

Use for SMTP troubleshooting

Many ISA firewall administrators publish one or more SMTP servers to allow inbound access for Internet e-mail. Troubleshooting inbound SMTP problems can be difficult.

You can use the ZoneEdit Web site to test how your SMTP server is responding to inbound SMTP connections. You can also use this site to determine whether your published SMTP servers are configured as anonymous inbound SMTP relays that spammers could use to relay spam to users all over the Internet.

Use Telnet and the Winsock tool to troubleshoot publishing rules

For all Web and Server Publishing problems, the first step is to determine if the published server or the Web listener is actually accepting inbound connections. The quickest and easiest way to test basic connectivity is to use Telnet.

From an external client, open a command prompt and enter the command Telnet <ip_address> <port_number> and press ENTER. If you see the banner for the service, then you know it is accepting inbound connections. However, not all services provide you with a banner that identifies them. In this case, you can use Jim Harrison's Winsock Tool to test connectivity to the published server. You'll find a large number of tools at the ISA Server Tools Repository site to make it easier to manage and troubleshoot your ISA Server firewall.

Use connectivity verifiers

ISA firewall connectivity verifiers can be used to monitor the firewall's connectivity to important servers and infrastructure services on your network. Connectivity Verifiers monitor the health of various services, such as Web, SMTP, DNS and file servers. If a server or service is unreachable, the connectivity verifier will send an e-mail message and log an Alert.

You specify the server whose connection you want to monitor, by server name or IP address, as shown in Figure C.

Figure C:

Configuring a connectivity verifier

You can also specify what method will be used to verify the connection:

  • HTTP "GET" request (to verify that a Web server is up and running and reachable by your ISA firewall)
  • PING request (to verify that any server is up and running and reachable by the ISA firewall)
  • TCP connection to a specified port (to verify that a particular service is running on the server and reachable by the ISA firewall).

Use encryption for the firewall clients

The Firewall client software communicates directly with the ISA firewall's Firewall Service to enable the ISA firewall to dynamically open and close ports that enable access to resources on the Internet and other ISA firewall Networks. User credentials, protocols and site names are included in these communications.

You can improve your overall level of security by forcing these Firewall client communications to be encrypted. You can force encrypted communications by going into the ISA firewall console, expanding the Configuration node, then clicking the General node and clicking the Define Firewall Client Settings link. This displays the Firewall Client Settings dialog box as shown in Figure D. Ensure that the box labeled "Allow non-encrypted Firewall client connections" is unchecked.

Figure D:

Configuring Firewall Client Settings to force encrypted communications

Create user-defined protocol definitions to remove the Unidentified IP Traffic entries from logs and reports

The ISA Server firewall can record all communications moving to and through the ISA firewall and include that information in the firewall's logs and reports. However, the ISA firewall will log any network protocol or port traffic as "Unidentified IP Traffic" if the ISA firewall does not have knowledge about that protocol.

The ISA firewall identifies protocols based on entries included in the firewall's Protocol Definitions. For example, if you want Web proxy client communications to not appear as "Unidentified IP Traffic", you can create a Protocol Definition for Web proxy client communications as shown in Figure E. The Protocol Definition then defines Web proxy client traffic as traffic moving over TCP port 8080 and it appears in the logs with the name you assign to the Protocol Definition.

Figure E:

Creating a Protocol Definition for the Web proxy client protocol

Always use SSL to SSL bridging to publish SharePoint sites (and all other secure sites, for that matter)

The ISA firewall supports protocol redirection for SSL connections. For example, you might want users to establish an SSL connection to the ISA firewall's external interface, and then have the ISA firewall forward the connection as an HTTP connection.

There are two major problems with redirecting SSL connections as HTTP connections:

  1. The user expects a secured connection from end to end, and the user cannot assume that the network(s) in the path between the internal interface of the ISA firewall and the Web server are adequately secured
  2. Some Web services do not work properly with SSL protocol redirection. SharePoint sites are well-known for this type of problem, and it cannot be corrected using the ISA firewall's Link Translation feature.

The solution is to always use SSL to SSL bridging for SharePoint sites. In fact, you should always use SSL to SSL bridging to optimize the security the ISA firewall provides to your externally accessible Web servers.

Configure clients as firewall and Web proxy clients

Configuring your client computers as Firewall clients and Web Proxy clients is one of the most important things you can do to increase both the security and flexibility of your ISA firewall solution.

Firewall clients support all network protocols, including protocols that require secondary connections. The Firewall client also enables you to force users to authenticate before accessing the Internet and the Firewall client enables you to block, at the ISA firewall, specific user applications so that if you don't want users to use a specific application to connect to the Internet, you can block the application at the ISA firewall.

To make a computer a Firewall client, you must install the Firewall client software and then ensure that it is enabled as shown in Figure F.

Figure F:

The Firewall Client Configuration dialog box

The Web proxy client configuration enables the Web browser to communicate directly with the ISA firewall's Web proxy filter, which improves performance and allows you to enforce user/group based authentication for all Web site access. You don't have to install any extra software to make a computer a Web proxy client; you just configure its proxy settings in the Web browser.