Publishing internal file servers through OWA

by Shijaz Abdulla on 24.08.2007 at 13:46

Outlook Web Access (OWA) on Exchange Server 2007 now supports direct file access, which means users can connect to internal file servers over the web using the standard OWA interface.

Readers of my earlier posting on Intelligent Application Gateway 2007 will agree that, if SSL is configured on Outlook Web Access (OWA) with internal file server access enabled, and it is published using ISA Server 2006, this gives you the equivalent of a browser-based SSL-VPN connection to the file server! Think about it.

This is good news for organizations who want to publish their file servers securely for home users but cannot afford a secure VPN solution.

Similarly, users can access internal SharePoint sites from OWA if this is enabled on Exchange Server 2007. Certainly good news for organizations that tried to publish both OWA and SharePoint over SSL on the same ISA Server installation — and then backed away because it meant replacing the SSL certificate with a wildcard certificate (which offers weaker encryption than a normal SSL certificate).

For step-by-step instructions on how to configure direct file access, see my article Configuring direct file server access from Outlook Web Access in Exchange Server 2007.


Using ISA Server to protect virtual machines

by Shijaz Abdulla on 17.08.2007 at 15:31

If you use virtualization technologies like Virtual Server or Virtual PC and have virtual machines that are exposed to the internet, you might want to use ISA Server to protect them. While it is possible (and recommended) to have ISA Server on a separate machine to protect all your infrastructure, you might have a scenario wherein you’d like to run ISA Server on the host machine (i.e. the physical machine that has Virtual Server/Virtual PC installed and hosts the guest virtual machines).

If you have only one network card on that host machine and you install ISA Server on the host machine, you would expect it to protect all guest machines hosted on that host computer, right? Wrong!

Microsoft Virtual Server uses an NDIS driver to route traffic to its guest machines, based on their assigned MAC addresses. Since that NDIS driver sits “below” ISA’s firewall engine driver (fweng.sys) in the network stack, the traffic reaches the guests before ISA even sees it! However, ISA will still protect any other applications or OS services running directly on the host machine.

In the diagrams, the dotted lines represent traffic that has been screened by ISA.

One way to overcome this difficulty is to have another network card on the host machine (the “Internal” card), and connect all guest machines to this network. The first network card will connect to the cruel world outside (the “external” card). Of course the internal network now has to be on a different subnet and you have to take into account all the hassles of having two networks.

In this configuration, all the traffic coming in from the external network reaches the internal NIC only through the NAT/Route relationships you have configured on the ISA Server. To keep the guests protected, make sure that none of the virtual machines is ever connected to the external NIC.

If you don’t have a spare physical NIC on the host hardware, you can also use a ‘virtual’ Loopback adapter for the internal network. I have described the loopback adapter in a previous post.


Troubleshooting RPC over HTTPS publishing on ISA Server

by Shijaz Abdulla on 16.08.2007 at 18:29

An excellent post has been made by Jim Harrison on the ISA Server team blog on how to troubleshoot issues with RPC over HTTPS while publishing these services using ISA Server.

I’ve had a chance to skim through some of the content and I think it will be really helpful. Check it out.

Thanks Jim!


Troubleshooting LDAPS between ISA Server and domain controllers

by Shijaz Abdulla on 15.08.2007 at 08:06

To start off, do not implement ISA Server in a workgroup, unless you really, really want to. I would prefer to leave it part of the domain in most scenarios. This post is not to debate “To Join or Not to Join” the domain. ISA Server MVP Tom Shinder has written a beautiful article listing out good reasons why ISA Server SHOULD be a domain member.

Now, what if you went ahead and deployed your ISA Server in a workgroup due to technical/security (aww come on)/nagging manager reasons and had to set up LDAPS for authentication between your ISA Server and domain controller? Of course, normal Active Directory authentication will not work from the ISA Server computer because it is not a member of the domain, so we need to use LDAP or LDAPS (Secure LDAP).

For certain features like the ISA Server 2006 FBA Change Password option to work, configuring LDAPS properly is a must.

To use LDAPS, you need to install a server certificate on the LDAP server (domain controller in this case), and the root certificate from the CA that issued the server certificate should be installed on the computer running ISA Server. Here’s an article on how to do that (yes, it applies to Microsoft CA as well).

Once you’ve done all this stuff, you can check if all is well by trying to run the LDP.exe tool from ISA Server as mentioned in the article. Pay special attention to the issues section at the end of the article.

If you still face problems and suspect that the certificates may be the cause, open Internet Explorer on the ISA Server computer and browse to https://myldapserver.domain.local:636. If you have configured everything correctly, you should not receive any certificate errors. Of course, you will eventually get ‘Page cannot be displayed’, since the browser does not speak LDAP; that is expected. The following warning can also be ignored:

However, if you get an error regarding a name mismatch or expiry of certificate, you need to sort these out first.

Once this works without errors, and you still face problems, run the ISA Server Best Practices Analyzer and look for any certificate related issues and resolve them.
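The same certificate checks can be scripted from the ISA Server computer instead of reading Internet Explorer’s warnings. This is an added example, not code from the original post; it assumes PowerShell is available on the box and uses the post’s server name as a placeholder that you replace with your own domain controller’s FQDN.

```powershell
# Added example (not from the original post): validate an LDAPS certificate
# from the ISA Server computer and report the three conditions the post tells
# you to look for: untrusted issuing CA, name mismatch, and expiry.
# Assumption: the server name below is a placeholder for your own DC's FQDN.
param(
    [string]$LdapServer = 'myldapserver.domain.local',
    [int]$Port = 636
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None

# Validation callback: record what .NET found wrong, but let the handshake
# finish so the certificate can still be inspected afterwards.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($LdapServer, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # Passing the host name here is what triggers the name-match check.
    $ssl.AuthenticateAsClient($LdapServer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Subject : {0}" -f $cert.Subject
    "Issuer  : {0}" -f $cert.Issuer
    "Valid   : {0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $cert.NotBefore, $cert.NotAfter

    $e = $script:policyErrors
    if ($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        Write-Warning "Chain error: the issuing CA's root certificate is not trusted on this computer."
    }
    if ($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        Write-Warning "Name mismatch: '$LdapServer' is not in the certificate's Subject/SAN."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "The certificate expired on $($cert.NotAfter)."
    }
    if ($e -eq [System.Net.Security.SslPolicyErrors]::None -and $cert.NotAfter -ge (Get-Date)) {
        "OK: LDAPS certificate on ${LdapServer}:$Port validates cleanly."
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

An expired certificate also shows up as a chain error, so the script checks NotAfter separately to name the actual cause.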


Delayed logins: Change Password feature in ISA 2006 FBA

by Shijaz Abdulla on 13.08.2007 at 08:13

If you have published Outlook Web Access (OWA) using ISA Server 2006 Forms-based authentication (FBA) and decided to use the new Password Management features on ISA Server 2006 FBA instead of the conventional OWA change password feature, you need to read this.

When you have installed Windows Server 2003 Service Pack 2 or the Scalable Networking Pack on the computer running ISA Server 2006, you will probably face issues when you enable the ISA Server 2006 password management features. Users may report that the login process takes a long time (15 seconds or more) when the password management feature is turned on, even if they choose not to change their password while logging on.

I have written an article describing a workaround for this; it is now available as KB article KB555958 in the Microsoft Knowledge Base and also on my website.

Under evaluation: ISA Server 2006 for EAL4+ certification

by Shijaz Abdulla on 04.08.2007 at 17:23

ISA Server 2006 Standard & Enterprise editions are currently being evaluated for Common Criteria EAL4+ certification. The certification is done by BSI, an agency of the German government, and is recognized in all countries that accept the Common Criteria.

ISA Server 2004 is also fully certified by BSI at the Common Criteria EAL4+ level for security. More information on Common Criteria here. Also see the list of products that are certified.


ISA Server 2006 reports show "Generating" status forever.

by Shijaz Abdulla on 03.08.2007 at 10:40

One of my customers came across a rather strange problem with ISA Server 2006 Standard Edition. A report configured to generate automatically sometimes shows status as “Generating” on the Reports tab of the ISA Management Console.

The ISA Server Job Scheduler service makes sure that scheduled ISA jobs (such as generating reports) run on time.

I suggested that the ISA Server Job Scheduler service be restarted, and the problem went away. I guess the ISA reporting needs a little oiling from Microsoft (perhaps in SP1).


Hotfix for latest Vista-compatible version of ISA Firewall client

by Shijaz Abdulla on 09.07.2007 at 07:44

A problem has been found in the new Vista-compatible version of ISA Firewall client that was made available for download recently on the Microsoft website. [Read about it on my blog]

Programs like mobile phone connection optimizer software may install a Winsock Base Service Provider (BSP). BSPs sometimes bypass the Firewall client. To raise an alarm about the situation, the ISA Firewall client displays one of those ugly yellow exclamation marks on its system tray icon. If you hover your mouse over it, it shouts “Firewall client is not installed properly”. An example of software that causes this condition is AT&T Comms Manager.

If this is too annoying for you, you can get rid of the warning:

  • Download and Install the hotfix
  • Open REGEDIT, find the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Firewall Client 2004\Policies”, add a new “DWORD” value named “UiEnableCatalogValidation” and set it to “0” (zero).

ISA Server 2004 Service Pack 3

by Shijaz Abdulla on 06.05.2007 at 15:11

ISA Server 2004 Service Pack 3 was released on May 1, 2007. It includes:

  • All software updates issued since ISA Server 2004 was released to manufacturing.
  • Fixes for common issues reported by customers through Microsoft Customer Service and Support.
  • Improved log viewer functionality, including an enhanced details pane view, text coloring, and new log filtering functionality.
  • Updated ISA Server Microsoft Management Console (MMC) snap-in functionality that provides access to troubleshooting tools and options available directly from the ISA Server Management console.
  • Integration with the Microsoft ISA Server Best Practices Analyzer Tool. More information.
  • New diagnostic logging functionality.
  • Support for publishing computers running Microsoft Exchange Server 2007 both to receive and send Internet e-mail messages.

Failed Service Pack 3 installation?!

If you went ahead with the SP3 installation and it failed for some reason, see the rollback failure and temporary resolution on the ISA Server Product Team Blog.


Publishing Exchange 2007 on ISA 2006

by Shijaz Abdulla on 18.01.2007 at 14:20

Microsoft has just unveiled a new patch… (ahem, yeah)… ‘update’ for publishing Exchange Server 2007 on ISA Server 2006. Upon installation of this update on your ISA Server computer, you should be able to create publishing rules for Exchange Server 2007 on your ISA.

The update is available automatically through Microsoft Update and also as a download.

Some points worth noting:

  • You can’t block attachments anymore on ISA. You need to do that from Exchange itself.
  • This hotfix updates the ISA MMC, so you might want to install it on your remote management clients as well.
  • This hotfix is for enabling Exchange 2007 publishing features on ISA 2006. They haven’t said anything about ISA 2004 :(

This hotfix is definitely a must-have if you’re running/planning to run Exchange 2007 in your organization and use ISA 2006 to protect it.

