Accessing FTP sites using IE 7.0 and ISA Server

by Shijaz Abdulla on 22.04.2008 at 07:37

There is an issue with Internet Explorer 7.0 while accessing FTP sites through ISA Server 2004/2006 web proxy.

You will be unable to open FTP sites from Web Proxy clients if the username or password contains special characters that need encoding. IE 7.0 has a problem that affects the encoding of characters in URLs in this scenario. To fix this problem, install this hotfix.

If you cannot install the hotfix right away, consider changing the username and password to something that doesn’t contain special characters, as a workaround.

The problem doesn't affect IE 7.0 on SecureNAT or Firewall clients.
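To find which FTP accounts the workaround above applies to, the following added example (not from the original post) flags credentials that contain characters requiring percent-encoding and builds the correctly encoded `ftp://` URL for comparison. It assumes "needs encoding" means anything outside the RFC 3986 unreserved set; the account list and `ftp.example.com` are constructed.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample accounts (user, password); none come from the original post.
SAMPLE_ACCOUNTS = [
    ("backup_01", "Summer2008"),
    ("ftp.user@corp", "p@ss:w/rd"),
    ("reports", "50%off#now"),
]


def needs_encoding(value):
    """True if value has a character outside the RFC 3986 unreserved set
    (letters, digits, '-', '.', '_', '~') and so must be percent-encoded."""
    return quote(value, safe="") != value


def ftp_url(user, password, host, path="/"):
    """Build an ftp:// URL with user and password percent-encoded."""
    return "ftp://{}:{}@{}{}".format(
        quote(user, safe=""), quote(password, safe=""), host, quote(path))


def decode_credentials(url):
    """Recover (user, password) as the FTP server should receive them."""
    parts = urlsplit(url)
    return unquote(parts.username), unquote(parts.password)


def audit(accounts, host):
    """Return (user, affected, encoded_url) for each account."""
    rows = []
    for user, password in accounts:
        affected = needs_encoding(user) or needs_encoding(password)
        rows.append((user, affected, ftp_url(user, password, host)))
    return rows


if __name__ == "__main__":
    for user, affected, url in audit(SAMPLE_ACCOUNTS, "ftp.example.com"):
        state = "needs encoding" if affected else "plain"
        print("{:<15} {:<15} {}".format(user, state, url))
```

Accounts reported as "plain" are unaffected by the encoding problem; the others are candidates for the hotfix or for a credential change.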

Failure in its many forms

by Shijaz Abdulla on 23.03.2008 at 14:34

I was fiddling around with ISA Server in my test lab, when I came across this rather unusual and unexpected error message:


Puzzled, I decided to click the ‘Details’ button, with the intention of getting a closer look.


No further comments. 🙂

Microsoft Technology Day: Kuwait

by Shijaz Abdulla on 09.03.2008 at 19:23

Microsoft Technology Day is being conducted by the Microsoft Experts Community (MSExperts.net) in Kuwait on March 30, 2008.

The event will consist of a total of 42 sessions by 20 speakers. Keynote speakers from Microsoft Gulf will be Vimal Sethi, Group Manager – Developer & Platform and Amr El Garhy, Developer Evangelist & MVP TechLead.

The speakers for this event will consist of MVPs from across the Middle East and Africa, Microsoft consultants, and MCTs. The event will be held at Infocenter – Duwalia, Kuwait.

I will be presenting at the event on the following topics:

10:15 to 11:15 – System Center Virtual Machine Manager 2007
I will be giving an overview of the core virtualization technologies available today, the DSI initiative, virtualization management, and a live demo of System Center Virtual Machine Manager 2007.

11:30 to 12:30 – Windows Server 2008 Server Core
I will be explaining what server core is all about and intend to do a live demo on how to set up a DHCP server using Windows Server 2008 Server Core.

13:15 to 14:15 – Top 10 mistakes while configuring ISA Server
I will be taking you on a tour of some of the most common mistakes committed by administrators while configuring ISA Server 2004/2006.

14:30 to 15:30 – Identity Lifecycle Manager 2007
I will be explaining the key concepts of Identity Lifecycle Management and what it can do for your organization.

For a list of sessions by the other notable speakers, please check the MSexperts website.

Click here to register for the event. See you in Kuwait insha allah!

“Setup failed to install ADAM in replica mode”

by Shijaz Abdulla on 05.02.2008 at 08:14

If you already have ISA Server 2006 Enterprise Edition installed and you are trying to install ISA Server on another server and configure it as a replica of the Configuration store, you may get the following error on Windows Server 2003 R2:

“Setup failed to install ADAM in replica mode.”

Setup then exits and you are unable to complete the installation. This usually happens if there was a previous failed installation from the machine that you’re trying to join to the array. You will need to clean up the values related to the server you’re installing from the ADAM installed on your first configuration store, which stores config information for the array.

A simple solution to this is to ensure that both nodes are running Windows Server 2003 R2 and then edit the ADAM to remove the orphaned server on which installation is failing:

  1. Open Windows\ADAM\ADAM-ADSIEDIT.msc on the existing ISA Config Storage server.
  2. Navigate to CN=Configuration, CN=Sites, CN=Default-First-Site-Name,CN=Servers.
  3. Delete the server on which you have the installation problem.

Re-run the installation; it should succeed now.

FWX_E_NO_BACKLOG_PACKET_DROPPED – What does that mean?

by Shijaz Abdulla on 29.11.2007 at 12:23

If you find that ISA Server 2004/2006 is denying connections, seemingly for no particular reason, and logs the following error:

FWX_E_NO_BACKLOG_PACKET_DROPPED

…it simply means that ISA Server does not have enough resources to do the logging. Check the CPU and hardware utilization. Also see if your disks are fast enough.

A workaround would be to disable logging for “high-volume” rules like SMTP and DNS.

“Nitrogen” Beta 1

by Shijaz Abdulla on 31.10.2007 at 08:59

I’ve just been informed by the Microsoft Connect team that they are shipping my “Nitrogen” Beta 1 DVD!

“Nitrogen” is the code-name for the next generation of ISA Server/ForeFront Edge Security server. I can’t wait to get my hands on it!

Unfortunately, the Nitrogen Beta is not public yet and is under NDA. So I will not be blogging about my experiences with the product for now.

Wildcard Certificates: My frivolous antics

by Shijaz Abdulla on 01.10.2007 at 09:31

A client wanted to publish two web services on SSL using ISA Server 2006: Outlook Web Access and Sharepoint Portal Server.

We know that ISA Server can only bind one SSL certificate per socket. This translates to one HTTPS URL/website per socket. What does this mean? Let’s say I have my OWA at https://owa.shijaz.com/ and I have an SSL certificate issued to owa.shijaz.com. I also have my Sharepoint portal at https://portal.shijaz.com/ for which I have acquired a certificate with common name portal.shijaz.com.

While publishing, I can have only one web listener per socket and a web listener can accept at most ONE SSL certificate. If I apply the owa.shijaz.com certificate on my web listener, OWA will work fine, but users browsing to portal.shijaz.com will get a certificate warning/error. If I apply the portal.shijaz.com certificate, users browsing to owa.shijaz.com will get a certificate warning/error.

So what’s the solution? Wouldn’t it be great if we could order a certificate with common name *.shijaz.com and use the same certificate for both (or more) websites? Yes, you can! That’s called the WILDCARD Certificate!

Ordering a wildcard certificate is fairly simple, if you know how to order a normal SSL certificate. While generating an SSL request, simply enter *.yourdomain.com as the common name for the new certificate.


Wildcard certificates have a limitation: they are not available in 128-bit SGC and are available only in standard encryption. The encryption level is decided by the user’s browser, rather than the certificate. So, if you’re securing an electronic payment website or a finance-related website, a wildcard certificate may not be what you should be looking at.
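The listener scenario above can be checked before ordering a certificate. This added example (not from the original post) applies the standard rule that `*` stands for exactly one left-most label, and reports which published hostnames a given certificate name would cover. `shijaz.com` and `mail.owa.shijaz.com` are constructed extra hosts, and the function names are illustrative.

```python
def cert_name_matches(cert_name, hostname):
    """Match one certificate name against a hostname, label by label.

    Assumption of this sketch: '*' is honoured only as the entire
    left-most label, which is how wildcard certificates are validated.
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    # Label counts must agree, so '*' can never span several labels
    # and can never match the bare domain itself.
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # Require at least "*.domain.tld"; compare the remaining labels.
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host


def listener_report(cert_name, published_hosts):
    """Map each published hostname to True (valid) or False (warning)."""
    return {h: cert_name_matches(cert_name, h) for h in published_hosts}


# The first two hosts are the ones in the post; the last two are
# constructed to show what a wildcard does not cover.
PUBLISHED = [
    "owa.shijaz.com",
    "portal.shijaz.com",
    "shijaz.com",
    "mail.owa.shijaz.com",
]

if __name__ == "__main__":
    for cert in ("owa.shijaz.com", "*.shijaz.com"):
        print("Certificate:", cert)
        for host, ok in listener_report(cert, PUBLISHED).items():
            print("  {:<22} {}".format(host, "ok" if ok else "certificate warning"))
```

A site published at the bare domain or at a second-level subdomain still needs its own certificate name, even with the wildcard on the listener.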

ISA Server 2006 Supportability Update

by Shijaz Abdulla on 30.09.2007 at 10:26

In my earlier post regarding Service Pack 3 for ISA Server 2004, I mentioned some of the really cool troubleshooting and monitoring features that have been introduced.

The same features are now available for ISA Server 2006. However, this is not a service pack, it is called the ISA Server 2006 Supportability Update. To download the update, click here.

Monitoring enhancements in ISA 2004 SP3

by Shijaz Abdulla on 19.09.2007 at 11:26

OK – I know I haven’t been posting for some time. My excuses – the coming of Ramadan and my travel to UAE on a personal trip. 🙂

So here’s your piece of technology from me for the whole week.

ISA 2004 Service Pack 3 adds a bunch of new logging functionality, i.e. detailed logging and diagnostic logging.

The detailed logging feature helps you troubleshoot configuration problems by providing you additional information for every entry that is displayed in the Logging tab.

Here’s a screenshot:

The mystery of blocked audio/video in MSN Messenger/Windows Live Messenger

by Shijaz Abdulla on 29.08.2007 at 09:02

On the ISA Server forums and newsgroups, a common query we see is regarding blocking/unblocking Windows Live Messenger or MSN Messenger using the ISA firewall.

Blocking is easy. Microsoft has also come up with a KB article which explains how you can do just that, using either ISA Server 2004 or ISA Server 2006.

Now how about “unblocking”? Let me be more specific. Firewall administrators often post queries saying that they can’t seem to ‘allow’ audio and video in MSN/Windows Live Messenger through the ISA firewall. “Why not? Just allow the protocols/’open the ports’!” I hear you say.

Let’s take a closer look at what these ports are:

This table is extracted from KB927847. *Legacy means MSN Messenger 5.0 or Windows Messenger only, and not Windows Live Messenger.

Pay attention to the highlighted text. This means you will have to ‘open’ over 60,000 UDP ports just to get the audio and video working! Clearly, MSN Messenger and Windows Live Messenger were not designed to work behind ISA Server, or any other proxy for that matter.
