General discussion

  • Creator
  • #2178195

    ISA in SBS


    by amy ·

    blog root

All Comments

  • Author
    • #3121603

      ISA in SBS

      by amy ·

      In reply to ISA in SBS

      How to’s and other configurations relevent to using ISA on an SBS server.

    • #3114057

      ISA2004 Installation Fails during SBS 2003 SP1 Install

      by amy ·

      In reply to ISA in SBS

      Subtitle: In which Amy spends 5+ hours on the phone with PSS on a Service Pack installation problem and the issue doesn’t get resolved. Or, in which after 3 days and 5 different support specialists the problem is mostly resolved.

      Here’s the situation:

      It was a dark but otherwise lovely week night evening and the SBS 2003 SP1 installation was humming along. I was only 3 hours into the installation and ready to install ISA2004. Record time! 27 PC’s already had the old ISA2000 client removed and were awaiting the new client. Then it happened.

      “The wizard cannot install ISA Server 2004. Try to install it again by restarting this wizard. If the problem persists, see for additional help and support.”

      From the sbsisa2k log:

      SBSISA2K4SETUP: CreateProcess returned OK
      SBSISA2K4SETUP: ISA2k4 setup completed before post config
      SBSISA2K4SETUP: *** WaitingForMultipleObjects returned ERROR 0x80004005
      SBSISA2K4SETUP: *** LaunchISA2k4NativeSetup returned ERROR 0x80004005
      SBSISA2K4SETUP: *** Running ISA2k4 setup unattended returned ERROR 0x80004005
      SBSISA2K4SETUP: Entering IsISA2k4Installed
      IsISA2k4Installed returned FALSE
      SBSISA2K4SETUP: ISA2k4 is NOT installed
      SBSISA2K4SETUP: *** CSbsIsa2k4SetupCommit::CommitEx returned ERROR 0x80004005
      SBSISA2K4SETUP: *** CommitEx returned ERROR 0x80004005
      SBSISA2K4SETUP: Committer failed
      SBSISA2K4SETUP: (error message is generic.)
      SBSISA2K4SETUP: *** Commit returned ERROR 0x80004005
      SBSISA2K4SETUP: *** Commit returned ERROR 0x80004005
      SBSISA2K4SETUP: Setting the event to signal post setup
      SBSISA2K4SETUP: *** InstallISA2k4 returned ERROR 0x80004005
      SBSISA2K4SETUP: *** Installing ISA2k4 returned ERROR 0x80004005
      SBSISA2K4SETUP: Exiting

      This story could go on and on for about 3 days but I’ll keep it short and to the point. The problem was that the ISA setup couldn’t load the performace monitor counters. This resulted in MSDE not be able to load and although the base of ISA installed the failures were noted and the install rolled back and rebooted the server with having removed ISA2000 but failed to install ISA2004. When this happened I thought, oh no, my ISA2000 settings! I wasn’t smart enough to have made a backup of ISA2000 first. The complancy of many successful upgrades had gotten the best of me. So PSS directed me to go to C:\program files\Microsoft Small Business Server\Support\Premium and save the .xml file that the upgrade process had created of my ISA2000 settings. This particular client had a few that I didn’t want to have to recreate. The thought was that we could import this xml file later.

      This is where the first 2 support specialists left me. The next day I emailed the most helpful Jim Harrison and he said what do the ISA detailed install logs say? Where are they, says I? The detail ISA install logs live in C:\windows\temp and are called ISAWRAP_number.log, ISAMDSE_number.og and ISAFWSV_number.log. The installation process uses verbose logging so there are a lot of log files with a lot of text in them. I pulled out this error message: Setup failed. Error returned: 0x643
      MSDE Installation failed, hr=80070643 and then emailed it to the support technician. He passed it on to yet another technician who got an MSDE support specialist on the line and he solved the problem.

      Here’s how to resolve this problem. If you are getting this error message, open up Performance Monitor on the server. Click the + sign to add a new counter. If your counters are numbers rather than friendly descriptions, then you have corrupt performance counters, just like this server did.

      Open a command prompt and running the following:

      lodctr /r:perfstringbackup.ini

      Now go back into Performance Monitor and verify that the counters have friendly names and descriptions. Commence to install ISA2004.

      Unfortunately this story has no ending as I’ve not yet been able to import the xml file with my ISA2000 settings in it. Apparently the unattended install of ISA2004 uses a password to protect this file and no one has been able to tell me what that password is.

      Good news: ISA2004 is installed and working.
      Bad news: My ISA2000 settings are locked in a password protected file…

      A solution to the missing password has been found! Thanks, yet again to Jim Harrison and the SBS Team.

      ..and the answer is:

      %programfiles%\microsoft windows small business server\support\sbsisa2k4setuplog.txt

      ..has the password embedded in it.

      This log file and it’s associated XML file give anyone a complete view of your Firewall configuration. Leaving this information exposed for anyone to view is not recommended. Take care not to change any of the security settings on these files. The SBS team as protected this information by setting the ACLs on this resource to admin / system by default. Be sure to keep it that way.

    • #3114058

      The missing xml password has been found!

      by amy ·

      In reply to ISA in SBS

      The post titled ISA2004 Installation Fails during SBS 2003 SP1 Install has been amended to include the solution to the missing password. Thanks once again to Jim Harrison for digging this information up, when PSS was unable to.

      ..and the answer is:

      %programfiles%\microsoft windows small business server\support\sbsisa2k4setuplog.txt

      ..has the password embedded in it.

    • #3114059

      ISA2004 and Macintosh Computers

      by amy ·

      In reply to ISA in SBS

      Eriq Neale has written a couple of nice blog entries recently on issues involved in connecting MAC’s through ISA2004.

      Instructions on how to allow Macintosh computers to work through ISA2004 as securenat clients. A securenat client is a non-Windows operating system client computer that wishes to access the Internet while not having ISA 2004 act as a Proxy for them.

      Internet Access for Macintoshes behind ISA 2004

      Comment: I’d prefer that the Macintosh computers be configured as Web Proxy Clients and use a browser that supports proxy settings. Any other apps on the Mac that do not support proxy can be handled as any non-authenticating application.

      How to Publish Timbuktu to one Internal Client:
      Publishing Timbuktu through ISA 2004

    • #3114054

      Silent Install of ISA2004 Firewall Client

      by amy ·

      In reply to ISA in SBS

      In his blog, Tom Shinder makes note of and expands upon an excellent Member Board post from Ben on how to install the ISA2004 Firewall Client without user interaction. Pair this with WPAD and you’ve got a real nice way to automatically deploy and configure the Firewall Client on all of your workstations.

      Tom’s Blog

    • #3114055

      Allowing the HP Indigo Press to Phone Home

      by amy ·

      In reply to ISA in SBS

      Clients that own the HP Indigo printing press are billed by Hewlett Packard on a per page basis. Maintenance costs and print costs are based on usage. To get this information up to HP so they can bill the client a software package runs several times a day and phones (or rather Internets) home how much the press has printed. This traffic occurs on a specific range of ports. Fortunately for me, HP provided good documentation on which ports their software requires.

      Ports Required: 40000-40199 out and 6055 out.

      Before beginning I started live logging on ISA and watched the packets get denied. I really didn’t want to enable such a large grouping of ports so I watched to see what the software was actually trying to do. As it turns out the software sends a small packet of information over a large number of ports simultaneously.

      We have a limitation in that the HP press can’t join the domain and it won’t authenticate. The HP tech set it up as a SecureNat client on the network, in a workgroup called workgroup. Being a SecureNat client really limits our ability to control access. Since the HP press isn’t capable of telling us who it is, we’ll have to allow these ports out for everyone. At least we don’t have to allow access to any additional ports in to make this work.

      Here’s how I did it. Open ISA Management. Click on Firewall Policy. Click Create New Access Rule. Name the rule HP Indigo 40000-41999. Click Next. Choose Allow. Click Next. Leave This Rule Applies to Outbound Traffic and click the Ports button. Click on Limit Traffic to This range of Source Ports and enter 40000 in the From box and 40199 in the To box. Click OK. Click Next. Click the Add button, expand Networks and choose Internal. Click Close. Click Next. Leave this rule applies to All Users and click Next. Click Finish. Follow the same procedure to allow outbound traffic over port 6055.

      Apply the rule and fire up live logging and have the press operator send data to HP. You should now see only successful packets in the log.

    • #3114056

      MSDE Loggging Memory Use KB

      by amy ·

      In reply to ISA in SBS

      You may experience high memory usage on an ISA Server 2004-based computer that logs messages to an MSDE database

      This information has been around for a while in the newsgroups. Now it’s available as a knowledgebase article. Interestingly of all of the ISA servers that I manage, only 1 has come down with this problem. I be interested to know what triggers it.

    • #3114053

      ISA2004 Recorded Live Meeting Available

      by amy ·

      In reply to ISA in SBS

      On Saturday morning I gave a presentation via Live Meeting to the San Antonio geeks. These guys have been getting together for years on Saturday morning to each tacos, study for exams or just plain IT knowledge and eat more tacos. Pretty cool concept. We all need time to just sit and learn something new and having a group of friends/collegues that you can do it with would make it all the more fun. So they’ve been studying ISA 2004 for a few months now and asked if I would do a presentation for them. So I did; lingering cold and all.

      My presentation was recorded for your viewing pleasure. It can be accessed by the public for the next month or so here. After that it’ll only be available to SBS User Group Leads for use at the local SBS User Group Meetings.

      It’s not exactly an introduction. It’s not exactly advanced. I’d put it somewhere in the middle. It assumes that you’ve at least seen the Management console and have been poking around in a bit.

      As this is the first live meeting recording done for the user groups, the beginning is a little rough and sometimes the sounds isn’t the best. But I listened to it and it works. Enjoy!

    • #3130096

      Interesting PodCasts

      by amy ·

      In reply to ISA in SBS

      Here are a couple of interesting podcasts:

      Eriq Neale knows how to run a show. Each is less than 15 minutes long, very professional sound, just plain excellent.

      What it’s like to write a technical book (specifically SBS 2003 Unleashed)
      Part 1
      Part 2

      SBS CSS Team will Podcast on ISA 2004 on Friday. The podcast will be here once recorded. Unlike Eriq’s, these podcasts are rough through and through and will soak you for an hour of your time. Still there’s bound to be good content from the guru’s at CSS.

    • #3129834

      Article: Basic ISA 2004 Troubleshooting

      by amy ·

      In reply to ISA in SBS

      I’ve written a new article for titled Basic ISA 2004 Troubleshooting. It’s an introduction to configuring ISA logs and using the log information to determine whether or not ISA is blocking traffic that you might need to allow.

      Enjoy! Feedback on the article can be posted on the ISA 2004 SBS forum.

    • #3094581

      Authentication Problems

      by amy ·

      In reply to ISA in SBS

      Microsoft has addressed the most common question about ISA Server. “Why won’t my ________ app go through ISA?” Because it won’t authenticate and our SBS installations of ISA are setup to require authentication to get access to the Internet. If someone or something is using your Internet access, you want to know who and from where.

      Check out this TechNet article:

      Troubleshooting Client Authentication on Access Rules in ISA Server 2004

    • #3096016

      ISA Product Team Blog

      by amy ·

      In reply to ISA in SBS

      The ISA Product Team has finally started blogging. We should see some interesting posts once they get rolling. Those of us running ISA as an SBS component this blog offers special opportunity to get to the heart of ISA and make sure our voices are heard when it comes to improving ISA’s support on SBS. Keep them honest. SBS sales of ISA make up a large portion of the total ISA deployments in the market.

      ISA Product Team

    • #3080194

      NEW ISA MVP’s Awarded

      by amy ·

      In reply to ISA in SBS

      Tom Shinder blogs that several new ISA Server MVP’s have been awarded. Here’s reprinter of his blog entry.

      Hey folks,

      I had no idea until today how many new ISA firewall MVPs we have! Check
      this out:

      Amy Babinchak — Amy enters the ISA firewall space via SBS 2003 SP1. Amy is the leading contributor of ISA firewall information on the SBS platform over at

      Jason Fossen — new MVP and he’s located here in my neck of the woods — Dallas, Texas. Jason runs the ISA firewall scripting Web site

      Moez Mezghani — new MVP from North Africa

      Martin Pavlis — MVP from the Czech Republic

      Alessandro Perilli — MVP from Italy and the genius who taught me how to support four NICs in a VMware virtual machine :))

      Meibo Zhang — a friend of mine from China who has a tremendous Chinese language ISA firewall site at

      Hong Zhi Zhu — another new MVP from China, Chong Qing. He’s active in the Windows IT Pro magazine web boards and has written a number of articles on the ISA firewall

      Hopefully one day all the ISA firewall MVPs will be able to get together at the same time in the Redmond world wide MVP conference.

      Welcome them to the club!



      Thomas W Shinder, M.D.
      MVP — ISA Firewalls
      **Who is John Galt?**

    • #3080193

      All Port Scan False Positives Explained

      by amy ·

      In reply to ISA in SBS

      The security column of the month has produced a whammy of an article on Technet titled
      ISA Server Port Scan Alerts. Not a catchy title but it is a must read. Here’s a little snip from the beginning of the article:

      Since the dawn of ISA Server time (2000, if you haven?t been watching), ISA Server administrators have received practical but often confusing notifications of ?all port scan? and ?port scan? intrusion attempt alerts.

      Although the ability to notify administrators when potentially malicious traffic is detected is a useful feature of any firewall, these alerts in particular seem to cause more confusion than do other ISA Server alerts. It?s this confusion that we?ll try to eliminate today.

      To keep things simple (and short), we?ll limit our examples to ISA Server 2004. The same general principles apply to ISA Server 2000, but the ISA Server user interface and log review examples differ greatly.”

    • #3097559

      Access Policy or Server Policy? Which one do I use?

      by amy ·

      In reply to ISA in SBS

      The ISA Product Team put out a nice blog entry titled Access Rules vs Server Publishing Rules. The article is written in an easy to read numbered list format. I think this take some of the sting out of a subject that has caused so much confusion. Most firewalls don’t make a distinction between different types of rules (because most of them don’t offer different type of rules) and the reasons for this distinction are well explained by the product guys in this blog entry.

      For what it’s worth, I use this rule of thumb (which of course has exceptions):

      If I need to grant access out of my network use Access Rules.
      If I need to grant access into my network use Server or Web Publishing rules.

      That latter statement particularily refers to allowing users on the outside of your network access to websites or applications hosted on your non-SBS server sitting next to your SBS. For example an SQL, Web, or Video server.

    • #3099162

      Free Securing SBS with ISA Training

      by amy ·

      In reply to ISA in SBS

      I have not taken this course myself so I can’t speak as to how well the content is delivered but the description sounds good.

      Securing Small Business Server 2003 using ISA Server 2004

      Event Date:

      Beatrice Mulzer

      Event Time:
      11:00 AM Pacific, USA & Canada (DST) = GMT – 08:00

      90 minutes

      The course material will consist of advanced features

    • #3258694

      How to Allow Schwab Portfolio Center

      by amy ·

      In reply to ISA in SBS

      There are two components to making Schwab Performance Technologies Portfolio Center work with ISA 2004, 1 workstation and 1 server. Portfolio Center uses DCOM to communicate between the clients and the server. DCOM must be allowed on both ends for it to work. This means changing the firewall configuration on both the workstation and the server.

      On the workstation you need to allow DCOM through the XP SP2 firewall. Schwab has created a little utility that you can download from the support tools site on their website here. You’ll need your customer ID.

      On the server, we’ve also got to allow DCOM communications. By default ISA 2004 is configured with strict RPC compliance in the system policy. This will have to be turned off. Open the ISA Management MMC, Click on Firewall Policy. Click View, System Policy. The System Policy will be displayed above the Firewall Policy. Look for the system policy item called Allow RPC from ISA to Trusted Servers. Right click on it and select edit System Policy. Uncheck Enforce Strict RPC Compliance. This will allow the DCOM communications between the workstations and the server that Portfolio Center requires.

    • #3258421

      Allowing ADP through ISA 2004

      by amy ·

      In reply to ISA in SBS

      Using ADP for payroll and need to allow it to communicate out of your network with the ADP servers? Here’s how:

      1. Open the ISA 2004 Management Console (start->programs->Microsoft ISA Serer->ISA Server Management)
      2. Expand the node and select the ?Firewall Policy? tab.
      3. Select the Tasks tab on the right side of the console.
      4. Select Create New Access Rule.
      5. Name: ADP. Pick next.
      6. Allow rule. Click next.
      7. Chose Selected Protocols form the applies to box and click Add.
      a. Expand ?Web?
      b. Select ?HTTP? and click add.
      c. Select ?HTTPS? and click add.
      d. Click close.
      8. In the ?rule applies to traffic from these sources? click add.
      a. Expand network sets.
      b. Select All Protected Networks and click add.
      c. Click close.
      d. Click next.
      9. In the ?rule applies to traffic sent to these destinations? click add.
      a. Select New from the top menu and select ?Domain Name Set?
      1. Name: ADP
      2. Click New and enter: *
      3. Click Ok.
      b. Expand Domain Name Sets and click ADP. Click Add.
      c. Click Close.
      d. Click next.
      10. Leave the setting for All Users and click next.
      11. Click Finish.
      12. Click apply in the ISA management snapin.

    • #3109542

      Allowing Lacerte

      by amy ·

      In reply to ISA in SBS

      There’s a kb article out there that appears to be providing incorrect information as to how to allow Lacerte to work with ISA. It’s KB 839503. In fairness it is written for ISA 2000, but even when translated into ISA 2004 lanuage it still appears incorrect. Jim Barr found a rule that works. Here’s how to create it.

      1. Click Create New Access Rule, call it Lacerte Outbound and make it an Allow rule.

      2. Apply the rule to All Outbound traffic.

      3. Traffic will be from the Internal Network Set.

      4. The rule applies to traffic to these two Address Sets: and

      5. This rules applies to all users.

      Click on Apply to let the rule take effect.

    • #3109541

      The best explanation of why ISA Logs always contain Anonymous connections

      by amy ·

      In reply to ISA in SBS

      Jim Harrison does it again! This is by far the best explanation of why the ISA logs always contain anonymous entries even when our SBS ISA is configured by default to require authenticated access.

      Tom Shinder beat me to posting it so click .here to read Jim’s excellent explanation

    • #3109431

      What we do after installing ISA 2004

      by amy ·

      In reply to ISA in SBS

      Configuring ISA 2004 To Do List

      1. Increase Client Connection Limits to 160 for everyone. Adjust for individual workstations upward if necessary.

      2. Enable Intrusion Detection and DNS Attack Detection, except DNS Zone Transfer.

      3. Change Web Proxy and Firewall Logging limits to 4 GB, retain for 30 days, minimum disk space 512MB, maximum log size 4GB and convert to MSDE. Double check that the log files are stored on the data drive.

      4. Configure Report, publish report to folder

      5. Adjust Cache Size. Add 1MB per user and round up.

      6. Turn off Logging on System Policy #19, Allow Access from Trusted Computer to the Firewall Client Installation share on the ISA Server.

      7. Change Alert for Log Failure to stop Firewall Service

      8. Change Alert for Connection Limit Exceeded to Immediately.

    • #3134723

      ISA in SBS – yes, it

      by amy ·

      In reply to ISA in SBS

      Articles of Interest to SBS.

      Troubleshooting Unsupported Configurations
      This article provides a quick look-up resource for some common unsupported
      configuration scenarios that customers may encounter.

      Deployment Recommendations for Connection Limits in ISA Server 2004
      This paper explains the connection limit quota mechanism, and how to define
      custom limits. It also includes information on troubleshooting connection

      Logging Best Practices
      This article provides tips for configuring ISA Server 2004 logging. It
      includes recommendations for logging formats, and capacity guidelines.

    • #3103067

      Allowing MetaGraph

      by amy ·

      In reply to ISA in SBS

      ISA in SBS – yes, it’s secure

      MetaGraph is a client server medical billing application. It FTP’s files out of your server AND client workstations as part of it’s licensing verification. By default this behavior is not allowed in ISA 2004. Here’s how to configure ISA to allow this application through your ISA server.

      1. Open ISA Management and click on Firewall Policy.
      2. Right click on the SBS Internet Access rule and select Configure FTP.
      3. Uncheck the Read Only box. Click OK.

      Follow the same procedure for the SBS FTP Outbound Access Rule. This rule change is needed for the client setup portion.

      The server and workstation appear to always be connecting to the same destination server ( You may wish to undo these rule changes after initial setup of the application is complete or create a new FTP rule only allowing FTP out to the above IP address.

      Commentary: With all of the new HIPPA regulations that medical institutions must comply with a software package that is FTPing anything out of the server and workstations is just asking for trouble.

    • #3103068

      Allowing NOAH

      by amy ·

      In reply to ISA in SBS

      ISA in SBS – yes, it’s secure

      NOAH is a client server application used in medical facilities. It uses DCOM to communicate from client to server. New in ISA 2004 is a system policy that requires strict RPC compliance. You’ll quickly find out which application comply and which ones don’t now that this is by default requirement in ISA 2004.

      To enable NOAH to communicate we need to not require it to adhere to strict RPC compliance.

      1. Open ISA 2004 Management and select Firewall Policy.
      2. Click on View and select Show System Policy Rules.

      System Policy Rules detemine how traffic is allowed to get to the ISA server. We need to change what kind of traffic is allow to speak to the ISA server.

      3. Right click on Allow RPC from ISA Server to trusted servers and select Edit System Policy.
      4. Uncheck Enforce Strict RPC Compliance.
      5. Click OK.

      Press the Apply button to have your changes take effect.

    • #3103066

      There’s a new Website in town

      by amy ·

      In reply to ISA in SBS

      ISA in SBS – yes, it’s secure

      Steve Moffat

      You’ve seen him on the sbs2k yahoo site. He also hangs out on the site. Add it to your favorites.

    • #3103065

      Enable This App

      by amy ·

      In reply to ISA in SBS

      I’ve created a new section of links on the blog site called Enable This App. It’s a simple list of applications that you can click and go directly to instructions for configuring ISA to work with that particular application.

      Thought you might find it a handy reference. I know I will.

    • #3101620

      ISA in SBS – yes, it’s secure

      by amy ·

      In reply to ISA in SBS

      Articles of Interest to SBS.

      Troubleshooting Unsupported Configurations
      This article provides a quick look-up resource for some common unsupported
      configuration scenarios that customers may encounter.

      Deployment Recommendations for Connection Limits in ISA Server 2004
      This paper explains the connection limit quota mechanism, and how to define
      custom limits. It also includes information on troubleshooting connection

      Logging Best Practices
      This article provides tips for configuring ISA Server 2004 logging. It
      includes recommendations for logging formats, and capacity guidelines.

    • #3101621

      There’s a New ISA website in town

      by amy ·

      In reply to ISA in SBS

      ISA in SBS – yes, it’s secure

      Steve Moffat

      You’ve seen him on the sbs2k yahoo site. He also hangs out on the site. Add it to your favorites.

    • #3100615

      ISA Team Blog on Http Filtering

      by amy ·

      In reply to ISA in SBS

      The ISA team has started blogging and today’s post inparticulr is an interesting one. ISA Server Product Team Blog Because it’s a short post I’ve copied it below but do be sure to check out their blog directly as well. What I like about this post is it describes how easy it is to use one of the most over looked features of ISA, Http Filtering. Http Filtering lets you block unwanted applications. You simply add the applications signature to the filter and you’ll never see that app again on your network. It works for file types to as several people pointed out during the .WMF scare.

      Application Signatures for HTTP Filtering
      You allow your internal clients to access the Internet, but want to limit their use of some applications. You can block their use of applications that run over HTTP by using the HTTP filtering capability of ISA Server 2004. But to block the application, you need the application signature. Here’s how you find the signature:

      Use a network traffic capturing utility, such as Network Monitor (known affectionately in some circles as NetMon). Install the utility on ISA Server. Best to do this sort of thing in a lab, unless you’re completely comfortable about the security effects of the utility you use. Configure the utility to capture packets from a specific client.

      On that client, access the application you’re interested in. In the monitoring utility, find the HTTP request packet from the client (usually follows handshake packets) and look for a signature in the packet. A little finesse is needed, because you want to pick a signature that is general enough to always block the application, but not so specific that it blocks everything. For example, the signature “a” is a little too generic.

      Once you’ve located a signature, you can add it to the Signatures tab of the HTTP policy for the access rule, and test it in production.

      You can read more about this in the document “HTTP Filtering in ISA Server 2004”, at

      Nathan Bigman, ISA Server Product Team

    • #3085871

      Information on SP2

      by amy ·

      In reply to ISA in SBS

      As you know, there has been a flurry of information on whether or not to install ISA 2004 SP2 and what happens afterwards.

      Here’s the situation, SP2 contains some new features which add to the security that ISA can provide to our networks. Therefore after you install SP2 you might come across a few websites that will error out. While it might look like it’s SP2 causing the problem it’s actually the website causing the problem by not following the rules.

      There are two things that are causing headaches for those that rushed to install SP2, compression filtering and HTTP Request Smuggling. The new compression filter is “on” by default under SP2. If you access a website that attempts to place a compressed file on your box using anything other than gzip encoding, it will fail. Most, but not all websites use gzip encoding. If you need to use a website that doesn’t you’ll have to disable compression filtering. For an explanation of HTTP Request Smuggling protection, we turn now to our guru, Jim Harrison…

      Disabling filters may not help with, or any
      site that causes ISA 2004 SP2 to generate the following message:

      Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)

      The reason for the behavior youre seeing is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling The process for this attack is a bit involved but the short story is that HRS depends on sending response headers that include both Content-length: and transfer-encoding: chunked.

      A whitepaper on the subject is available here:

      RFC-2616 defines those two headers for the purpose of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response.

      If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body.

      This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can’t be quantitatively validated until the transfcompletedeted. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

      The reason those sites are either failing outright ( or rendering poorly ( is because we chose to reject those responses out of hand. Since RFC-2616 clearly states don’t combine those headers and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief.

      As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.

      PSS will have a public fix available shortly.

      There’s going to be a hotfix. Not because ISA did anything wrong but because there are enough sites out there causing pain for MS customers, that they are going to change things accommodate them.

      I for one, am not disappointed by SP2. The security improvements are significant, I just wish we didn’t have to dilute security to accommodate a few sites not playing by the rules. It’s really the same thing we do for Java apps that won’t authenticate or workstation apps that won’t run as anything but local admin. It’s a compromise and it’s one we should be complaining about loudly. This time, not at Microsoft but at the legions of others not playing by the rules.

    • #3158635

      Internet Proxies can by-pass your ISA settings

      by amy ·

      In reply to ISA in SBS

      Today I learned from Steve Moffat about Internet Proxies. The type of proxy we’re talking about here are websites that filter the Internet for you. Traditionally these were used by schools to filter the Internet in a manner appropriate for children. When I was in the educational tech support business most schools subscribed to a service to filter the Internet for them. On the tech end we’d redirect all Internet requests to the site we subscribed to and simply didn’t allow any other sites. Worked great.

      Of course, someone figured out, and about 700 or so people copied the idea, that they could put up an Internet proxy that does no filtering. Why? To get around the URL blocking that you’ve put in place of course. Say you’re blocking users from getting to yahoo mail, if the user can get to the proxy site they can enter and bring up yahoo mail and your URL blocker is none the wiser because the mail site is being viewed from within the proxy site. Fun!

      The solution is to get Steve’s proxy site block list.

    • #3158636

      Install CRM SBE on SBS 2003 Premium with ISA 2004

      by amy ·

      In reply to ISA in SBS

      Handy Andy over at SBS Rocks has written a step by step how to titled Install CRM SBE on SBS 2003 Premium with ISA 2004. I have not used it myself but after watching a live install during our last SBS user group meeting and reading Andy’s article I now feel ready to give it a go. Check out his article if you’ll be installing CRM.

      There’s couple of tweaks you need to make and the unmake after the installation. Be sure to also read the manual on this one. CRM is going to put its hooks into every nook and cranny of your SBS server and you’ll need to be aware of what’s going on.

    • #3158637

      ISA SP2 Update Released

      by amy ·

      In reply to ISA in SBS

      ISA in SBS – yes, it’s secure: Information on SP2

      How off the press! ISA SP2 update has been released. This update replaces the previous hotfix for these issues:

      This update addresses the following HTTP issues for ISA Server 2004 Standard and Enterprise Editions with Service Pack 2 (SP2):

      ? KB 915045: Error 502 “The HTTP request includes a non-supported Header” when accessing certain web servers. This occurs when accessing certain Web servers that return headers that are incompatible with each other.

      ? KB 915421: Errors 11001 or 400 when accessing certain web servers. This is caused by a misinterpretation of spaces in headers provided by ISA Server, and results in a corrupted URL and failure to load the Web page.

      ? KB 915422: Event ID 23004 when accessing web sites that respond with compressed content. Some Web servers always return compressed content, which is denied by ISA Server when it did not request compressed content.

      ? KB 916573: Error 500 (Internal Server Error. Not implemented (-2147467263)) when trying to download zip attachments from an Outlook Web Access server. The header returned by Outlook Web Access causes ISA Server to deny the response.

      ? KB 917134: Grayed out checkbox ?Enable caching of content received through the BITS service?

      System Requirements
      Supported Operating Systems: Windows Server 2003
      ? ISA Server 2004 Standard Edition with Service Pack 2

      You can download it here or it’s available in WSUS.

    • #3158638

      KB: How to configure ISA Server 2004 after you add a new network adapter or you replace a network adapter

      by amy ·

      In reply to ISA in SBS

      How to configure ISA Server 2004 after you add a new network adapter or you replace a network adapter is handy kb article but it needs a little modification for SBS.

      Be sure to interpret step 7. Configure the TCP/IP configuration as configure the new Network card TCP/IP settings exactly as they were on the old Network card.

      and step 9 c. Manually configure the network and add any rules, or select a network template from the right pane to specify your new configuration as run the Connect to the Internet Wizard.

    • #3158639

      DNS Related Performace Problems for ISA

      by amy ·

      In reply to ISA in SBS

      Tom Shinder has a nice little blog post on DNS related performance problems for ISA. If your Internet access seems slower than it should be, check your DNS server configuration first.

    • #3158640

      DMZ – SBS special considerations

      by amy ·

      In reply to ISA in SBS

      So you’d like to create a DMZ? It’s easy to do with ISA 2004 but don’t forget that you’ve got pre-defined rules in SBS that are going to open up your DMZ to more that you might want.

      Step 1: Create the DMZ. To do this use this article but start at the section titled Create The Anonymous DMZ and continue through the section titled Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network, then stop.

      If this were a non-SBS implementation of ISA you’d have a DMZ with no rules defining access to it. But we live in a pre-configured world so the next step is to add a new rule to the ISA 2004 Firewall Policy to exclude the DMZ network from our pre-existing rule set.

      Step 2: Open up the ISA 2004 management console and expand Configuration. Click on Networks. Move to the Network Sets tab. Click on Create new Network Set. Call it something like All Protected, Except DMZ. Make this network set look just like All Protected Networks except add your DMZ network to the exclusions list.

      Step 3: Move to the Firewall Policy and edit the SBS Protected Networks Access Rule. Move to the From tab and replace All Protected Networks with the network set that you just created. This will prevent all traffic from the DMZ reaching your internal network. Now you’ve isolated the DMZ from your Internal network.

      Step 4: Create a Rule so that the server in the DMZ can communicate with the other servers in your network. (this assumes that the server in the DMZ is a member server) Open up the ISA 2004 management console and click on Firewall Policy. Scroll down to the bottom. Highlight the SBS Protected Networks Access Rule. In the taskpad click New Access Rule. Call it something like DMZ Server Communications. Allow traffic from the DMZ to Internal Network with the following protocols: DNA, Kerberos-Sec (UDP), Kerberos – Sec (TCP), LDAP, Microsoft CIFS (TCP) Netbios Datagram, Netbios Name Service, Netbios Session, RPC (all interfaces), LDAP (UDP), Kerberos-ADM, ping and NTP. Make sure that this rule is placed just ahead of the SBS Protected Networks Rule.

      Step 4: Create a Rule for any additional ports that the application running on the server in the DMZ requires. Place this rule above the SBS Protected Networks Rule as well.

    • #3158641

      Force Reboot, Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2

      by amy ·

      In reply to ISA in SBS

      From the SBS Product Team blog.

      We’ve seen a few cases now where ISA Hotfix 916106 does not prompt for a reboot, as the hotfix indicates it should. The hotfix does, however, successfully install. In addition, after the hotfix is installed the following services will be in a stopped state:

      Microsoft Firewall
      Exchange Routing Engine
      Simple Mail Transfer Protocol (SMTP)
      World Wide Web Publishing Service

      The Microsoft Firewall service not restarting will throw ISA in to lockdown mode, which can potentially prevent remote administrators from being able to connect to manually reboot the server. In either case, the server should be rebooted.

      A knowledgebase article is now available.

      If you use a computer that is running Microsoft Small Business Server
      2003 Premium Edition with ISA 2004, you may not be prompted for reboot.

      See the rest of the knowledgebase article for a suggested solution.

    • #3156090

      Update to SBS WPAD available

      by amy ·

      In reply to ISA in SBS

      From Jim Harrison:

      Thanx to Jonathon Howey for a bug report in the _2 version to the list and playing guinea pig for my troubleshooting.

      Short story: WinHTTP proxy configuration (or auto-proxy behavior) can cause the script to make the wpad request as a CERN proxy request instead of a direct request.
      Needless to say, this causes the mechanism to fail.

      I’ve fixed this and stashed it as

      I’ll post this update into the original WPAD blog entry as well.

    • #3142378

      Enable this App: Lacerte

      by amy ·

      In reply to ISA in SBS

      How to Allow Lacerte. This information comes from Jim Page. My comments are in italics. However, take my comments with a grain of salt because I have no clients using Lacerte to test them.

      Basically create an “New Access Rule”, “ALLOW”, “PROTOCOLS” create OUTBOUND TCP for 10010,10020,10030,10040,10050-10052,10060,10070,10099, and I did 1275,1277,1278 (was in the MS 839503 article. Not sure if it’s needed) Workstations running the Firewall client should be able to request use of any outbound protocol. So this step should not be necessary if you have installed the Firewall Client.
      FROM=”All Protected Networks”
      TO= Created two sets, 1 is range the other is just

      Users= “All users” Can’t get it to work if I pick anything else. This means that Lacerte doesn’t authenticate to the server when it requests access to the Internet.


      Content Types=”All content types”

      Now I have seen that Lacerte is using other ports to communicate to, and ISA denies access. These ports so far are 3106,3130,3132, and some in the 8000 range (didn’t right them all down) I have a call into Lacerte to see if they do anything.

      The mistakes that I have seen in other articles: They say to setup INBOUND and that the FROM and TO objects were incorrect.

    • #3142379

      Walking the Line – A New Blog

      by amy ·

      In reply to ISA in SBS

      Walking the Line is my new blog on small business security. While this blog is exclusively about configuring ISA, the other blog will cover a wide variety of security topics. It also won’t be purely technical but will contain opinion. I’m a small business consultant out there in the field with my techs maintaining real life small business networks. If you’re into keeping it real and want to know what happens to your clients when you implement “best practices”, then this blog will be the place to be. I also plan to call out security screw ups by vendors. Yep, sometimes I’ll rant a bit.

      I expect to post to Walking the Line a couple of times a month. So please check it out and subscribe.

Viewing 39 reply threads