ISA Concepts


ISA is different from what most small business consultants are used to seeing. It is an enterprise-class firewall with features well beyond those seen in any other firewall deployed in a small business setting. It is necessary to understand some basic concepts before attempting to troubleshoot or customize the configuration.

Understanding ISA Client Types

Probably one of the most confusing things about ISA Server for new administrators is client types. ISA recognizes three different types of clients: SecureNat, Web Proxy, and Firewall. Windows-based computers can be all three.

The SecureNat Client

A SecureNat client is one that is configured with its gateway address pointing at the internal IP address of the SBS server. Servers on your network are configured as SecureNat clients, as are non-Microsoft operating systems. The SecureNat client can only access protocols that are in the protocol list and don't require any secondary connections. This is also the only client type that can use non-TCP or UDP connections such as ICMP (ping). A typical workstation in an SBS network running a Windows operating system such as Windows XP will access the ISA server as a SecureNat client only when using non-TCP or UDP connections.

To configure a non-Microsoft operating system computer or a server as a SecureNat client simply configure the gateway address in your TCP/IP settings with the internal IP address of your SBS server.

In the ISA logs, traffic being sent from SecureNat clients is logged with the originating IP address only because there is no mechanism for passing the username and password along to ISA. This limits your ability to control Internet access for these clients.

The Web Proxy Client

A Web Proxy client is one that is configured to send requests to ISA's web proxy feature using a particular port. In the case of SBS, this port is 8080. This client type supports only HTTP, HTTPS, and FTP downloads. The username and password are passed from Windows to the ISA Server for access control purposes. Follow these steps to configure a Web Proxy client:

1. To configure a computer using Internet Explorer as a Web Proxy client, open Internet Explorer and select Tools, Internet Options from the menu.

2. Click the Connections tab and then click the LAN Settings button.

3. Under Proxy Server, check the Use a Proxy Server for Your LAN box. In the Address box, type the name of your server. In the Port box, type 8080. Check Bypass Proxy Server for Local Addresses. Your settings should look like those in Figure 23.8. Click OK. Click OK again to exit Internet Options. You must close your browser for the settings to take effect.

Figure 23.8. These settings allow Internet Explorer to use ISA's proxy capabilities.


The Firewall Client

A Firewall Client is one on which the ISA Firewall Client software has been installed, configured, and enabled. The Firewall Client is a powerful tool and should be installed wherever possible. The Firewall Client does not require that a protocol definition be defined on the ISA Server for the client to use that protocol. It can send username and password credentials from Windows and from any Winsock-enabled application to the ISA Server. Installing the Firewall Client often eliminates any problems that users are having accessing a particular website or using a web-enabled application. When installed, the Firewall Client intercepts any TCP or UDP traffic and sends it on to the proxy with credentials included. Further, this information is sent as encrypted data using Kerberos, thwarting the sniffing of usernames and passwords of web-enabled applications. Considering that many small businesses use web applications for payroll, 401k management and deposits, and online banking, encrypting the transmission is an excellent idea.

Best Practice: Always Install the Firewall Client

The ISA Firewall Client is such a powerful tool both for ease of access to the Internet and for Internet management purposes that every permanent Windows workstation on your network should have it installed.


The Firewall Client software is found on your SBS server under c:\program files\Microsoft ISA Server\clients. The firewall client folder is shared by default as mspclnt. To install the Firewall Client run Setup.exe from this folder. The installer walks you through the installation process. It is a straightforward process. When the installation is complete, a reboot is recommended, and you'll notice the Firewall Client icon in the system tray.

Note

You need to be logged in with local administrator rights to perform the installation of the Firewall Client.


Note

If you are upgrading from ISA 2000 and your clients have the Firewall Client already installed, you'll need to uninstall the ISA 2000 Firewall Client before installing the ISA 2004 Firewall Client. Fortunately, the icons in the system tray are different, so you'll be able to easily spot whether a particular workstation has been updated.


By default ISA Server accepts either the ISA 2000 Firewall Client or the new ISA 2004 Firewall Client. However, if you want to be sure that the data sent via the Firewall Client is always encrypted, you can set ISA to require the new client.

1. Open ISA Management and expand Configuration. Click on General. In the right pane click Define Firewall Client Settings.

2. In the dialog box that opens, uncheck Allow Non-Encrypted Firewall Client Connections as in Figure 23.9.

Figure 23.9. If this box is checked, ISA allows ISA 2000 and proxy clients to connect; unchecked, only clients using the client capable of encryption, the ISA 2004 Firewall Client, are allowed.


Unless you have already set up automatic configuration for your Firewall Client application, you'll need to specify the name of your SBS server in the Configuration tab of the client on each computer. Follow these steps to configure the Firewall Client on each workstation:

1. Right-click on the Firewall Client icon in the system tray of the workstation and select Configure. Verify that the Enable Microsoft Firewall Client for ISA 2004 Server box is checked.

2. Click Manually Select ISA Server (see Figure 23.10). Enter the name of your SBS server in the box and click the Test Server button. You should see a pop-up window indicating that the server was found and that it replied. Both boxes should report the same server name.

Figure 23.10. The Firewall Client can be manually configured to connect to your ISA Server.


3. Close the pop-up windows and then click OK to accept your Firewall Client configuration changes.

To see the various clients in action on your network, open the ISA Management MMC. Follow these steps:

1. Expand your server name and click on Monitoring. Click on the Logging tab.

2. Click Start Query to launch the predefined traffic query. It takes a moment to launch, and then you are treated to a live look at the traffic on your network. Here you can see the source IP, the protocol being used, whether the client is the authenticated type, and much more.

Follow these steps to assign the Firewall Client to client computers:

1. Open Server Management. Click Computers and then click the Set Up Client Applications link.

2. On the Available Applications page, click Add.

3. In the Application Name box, type Firewall Client; then in the Location of Setup Executable for This Application box, type \\SBS\Mspclnt\Setup.exe /v"SBS=ServerName ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=1 /qn" where SBS is the name of your server. Click Finish.

4. Choose Yes when prompted to assign the application to client computers to open the Assign Applications Wizard.

As Figure 23.11 demonstrates, when you are finished, the Firewall Client is listed as an application that can be assigned to your client computers.

Figure 23.11. The Firewall Client is not configured for automatic deployment to the client computers by default but can be added.


Managing Log Information

ISA logs a lot of information. When you are attempting to troubleshoot a problem and watching for traffic of a particular type, you'll quickly realize that there is a lot of NetBIOS-related traffic diverting your attention.

Best Practice: Use Logs for Troubleshooting

By default every rule in the Firewall Policy will be logged. For monitoring purposes this is great because it gives you a full and complete picture of what's going on. However, for troubleshooting this means that the log will contain a lot of information that you don't need to see. You'll want to stop logging for some rules to make it easier to see the problem area. The procedure described here applies to logging for any rule.


In particular, the rule Allow Access from Trusted Computers to the Firewall Client Installation Share on ISA Server generates a huge number of log events. This rule is a system rule and can't be altered except through system policy, but you can turn off logging for this rule in the Firewall Policy. Doing so not only makes your log easier to read but also reduces the space requirements for log storage and the RAM that the SQL Server instance for ISA logging requires.

To turn off logging for this rule you first have to be able to select it in Firewall Policy. By default all the System Policy rules are hidden from view. At the top of the page, click the View menu and select Show System Policy Rules (see Figure 23.12). This exposes the System Policy rules in the Firewall Policy window. These rules are created by the predefined SBS security template applied during installation.

Figure 23.12. The Show System Policy Rules option is found under View and also as a button in the Task list.


To disable logging for a particular rule, follow these steps:

1. In the center pane scroll down to the rule Allow Access from Trusted Computers to the Firewall Client Installation Share on ISA Server. Right-click on this rule and select Properties.

2. Move to the Action tab. Uncheck the Log Requests Matching This Rule box as shown in Figure 23.13. Click Apply and click OK.

Figure 23.13. Unchecking this box stops ISA from logging requests for this rule.


3. Click Apply at the top of the Firewall Policy window, and this rule takes effect immediately for new sessions.

Note

If you would rather not disable logging for this policy but want to reduce the amount of RAM that the log generation uses, there is another option: You can reduce the amount of RAM that the SQL Server instance is allowed to use for firewall logging. For a good tutorial on this, see http://www.smallbizserver.net/Default.aspx?tabid=247.


Maintaining ISA Log Files

By default ISA keeps up to 16GB of log files on your server. Storage space on SBS servers is almost always at a premium, and small businesses would probably rather use that 16GB for something other than ISA Server logs. Fortunately, ISA has a log maintenance feature buried under the Monitoring section of ISA Management where you can change not only how much space the logs take up but also where the logs are stored, and you can force them to leave some free space on the drive. To adjust the amount of space that logs may potentially take up on your server follow these steps:

1. In ISA Management click on Monitoring. Then select the Logging tab. On the Task pad click Configure Firewall Logging. The Firewall Logging Properties box opens.

2. Click the Options button. Figure 23.14 displays the Options screen, where a number of log settings can be modified.

Figure 23.14. The log size limits are tucked away under the Options button.


3. To move the firewall logs to another folder or drive, select the This Folder (Enter Full Path) radio button and enter the path where you want the logs stored. It would be a good idea to keep the logs off the system partition. It's better to store them on a data partition.

4. To limit the size of log files, make sure that the Limit Total Size of Log Files box is checked and enter a number in gigabytes. The smallest ISA allows is 4GB.

5. To make sure that some free space is maintained on the drive where the logs are stored, make sure that the Maintain Free Disk Space box is checked and enter a number in megabytes. The default, 512MB, is probably sufficient.

6. Click OK when finished with your selections.

7. Follow the same procedure for taming the logs for the web proxy and SMTP message screener.

Note

The SMTP message filter is disabled by default in SBS, so unless you've enabled it, it isn't really necessary to modify the log settings here.


Best Practice: Reduce the Space That ISA Logs Use

By default ISA uses up to 16GB of space on your hard drive before starting to overwrite logs. For the small business this represents a large time span. Limiting the space that ISA uses for log storage is reasonable for small businesses.


ISA Lockdown Mode

SBS 2003 SP1 comes prehardened, so in general there is no need to make changes typical of hardening, such as stopping services or moving them from automatic to manual. This has already been done for you. However, you may want to implement one safeguard: an alert that puts ISA Server into Lockdown mode if the firewall fails to log events.

ISA 2004 Server Firewall Service fails closed. This means that if the Firewall Service stops, the ISA Server launches into Lockdown mode. Lockdown mode leaves the ISA Server isolated but still connected to the Internet. You'll want to review the Help file for a complete list of exactly what happens when your server enters Lockdown mode, but in summary: ping from internal is allowed, outgoing web requests are allowed, remote management is allowed, no incoming web requests are allowed, and VPN connections are not allowed. This combination allows an administrator to access the server, review the logs for troubleshooting and/or investigative work, and restart the Firewall Service when the problem is resolved.

Note

While in Lockdown mode any changes that you make to the Firewall Policy do not take effect until the Firewall Service is restarted.


Microsoft's hardening guide recommends that you set up an alert if your ISA Server is unable to log events. A failure to log events would mean that in the event of an intrusion you'd be flying blind in your attempts to determine when the intrusion occurred and by what means.

In SBS the Logging alert is already set up for you. If you want to have this alert trigger Lockdown mode, you will need to edit the alert. To edit the alert, follow these steps:

1. In ISA Monitoring, select Alerts. In the Taskpad choose Configure Alert Definitions.

2. In the Alerts Properties dialog box, shown in Figure 23.15, scroll down to Log Failure, select Log Failure, and click Edit.

Figure 23.15. The Alerts Properties box lists all the currently configured alerts, and each can be edited from here.


3. Move to the Action tab, check the Stop Selected Service box, and click the Select button.

4. In the Select ISA Server Services dialog box, shown in Figure 23.16, check Microsoft Firewall and click OK. Click OK two more times until you are back at the Monitoring screen; then click the Apply button when you are ready to have the policy change take effect.

Figure 23.16. With this configuration a failure of the ISA Server to log activities results in the firewall service shutting down.


Caution

Should the drive that ISA is logging to fill or ISA become unable to reach its location, this alert will be triggered. Therefore, make sure that your logs have plenty of room, and choose a local drive if possible.


Client Connections

ISA 2004 can be installed on your server as an upgrade from ISA 2000 or as a new install. As of this writing, few differences have been noticed. The upgrade option actually exports your settings, translates them to ISA 2004, and imports the settings leaving you with an identically functioning network. One difference that has caught the attention of locations that use secure websites extensively is client connections.

Client connections are limited to 160 in a new installation of ISA 2004 and 40 in an upgrade from ISA 2000. The purpose of limiting client connections is to prevent a single workstation from flooding the network. Speaking from experience, having a Trojan-infected computer show up on your network, in this case a roaming laptop, and take up all the bandwidth to the Internet by generating thousands of connections is a bad thing. It brings your network to its knees, and it's difficult to track without a high-quality firewall such as ISA 2004. The company in question went through several different consulting companies and spent thousands of dollars before getting the problem resolved. If the company had had an ISA 2004 server, it would not have even had a problem; the infected laptop would have been identified in the logs as having exceeded its connection allotment. Having as few client connections as your clients need to work is a good thing. When the client connections are exceeded, that client won't be able to open any additional connections, and an alert will be triggered.

Best Practice: Limit Client Connections

Keep the limit on client connections as low as possible for good network performance. This number varies depending on which sites and Internet applications you use. Limiting client connections prevents network flooding in the event of a Trojan or similar type of attack.


If you have performed an upgrade of ISA 2000 to ISA 2004, you may find that you need to increase the number of client connections. To increase the number of connections allowed per client, follow these steps:

1. In ISA Management, under Configuration click General. Then select Define Connection Limits. Figure 23.17 shows this window.

Figure 23.17. The Connection Limit per Client is set unusually low after upgrading from ISA 2000.


2. In the Connection Limit Per Client (TCP and non-TCP) item, select a number between 40 and 160. When a client exceeds the number that you have selected, it will not be able to create any new TCP connections, and in the case of non-TCP connections the oldest ones will be dropped. From the users' perspective, they'll notice that they are unable to do everything that they are attempting on the Internet and may be unable to reach websites.

3. Click OK and then click Apply when you are ready to have the changes take effect.
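The log-reading habits described under Managing Log Information and Client Connections can be rehearsed offline. The following is an added example, not code from the book or from ISA Server: it sifts a few constructed log records in a simplified tab-separated layout (the column names are the example's own, not ISA's exact W3C field list), drops the noisy Firewall Client share rule and NetBIOS chatter, tells IP-only SecureNat records from authenticated ones, and flags a client that has exceeded the per-client connection limit (40 after an upgrade, 160 on a fresh install). The IP addresses, rule names, and usernames are constructed.

```python
"""Sift constructed ISA 2004-style firewall log lines (added example)."""
from collections import Counter

# Constructed, simplified layout: a W3C-style #Fields header names the
# columns.  NOT the exact ISA Server 2004 firewall log field list.
FIELDS_HEADER = "#Fields: date time client_ip protocol destination rule action username"

# The system rule the text singles out as a source of log noise.
NOISY_RULE = ("Allow Access from Trusted Computers to the Firewall Client "
              "Installation Share on ISA Server")
NETBIOS_PROTOCOLS = {"NetBios Name Service", "NetBios Datagram", "NetBios Session"}


def _rec(ip, proto, dest, rule, user="-"):
    """Build one constructed record; "-" mimics an IP-only SecureNat entry."""
    return "\t".join(["2005-06-01", "09:00:00", ip, proto, dest, rule, "Allow", user])


SAMPLE_LOG = "\n".join(
    [FIELDS_HEADER,
     _rec("192.168.16.20", "HTTP", "www.example.com:80", "SBS Internet Access Rule", "SBS\\jsmith"),
     _rec("192.168.16.20", "NetBios Session", "192.168.16.2:139", NOISY_RULE),
     _rec("192.168.16.40", "ICMP", "192.168.16.2", "SBS Internet Access Rule"),   # SecureNat ping
     _rec("192.168.16.2", "SMTP", "mail.example.net:25", "SBS Protected Networks Access Rule")]
    # The roaming laptop from the text: 45 outbound connections in one window.
    + [_rec("192.168.16.77", "HTTP", f"203.0.113.{i}:80", "SBS Internet Access Rule", "SBS\\rsmith")
       for i in range(1, 46)])


def parse_firewall_log(text):
    """Turn a #Fields-headed, tab-separated log into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split(": ", 1)[1].split()
    return [dict(zip(fields, ln.split("\t"))) for ln in lines[1:] if not ln.startswith("#")]


def client_type(record):
    """SecureNat traffic carries no credentials, so ISA logs it by IP only;
    Web Proxy and Firewall Client traffic arrives with the Windows username."""
    return "SecureNAT" if record["username"] in ("", "-", "anonymous") else "authenticated"


def drop_noise(records):
    """Hide the Firewall Client share rule and NetBIOS chatter, the same
    effect the text achieves by unchecking Log Requests Matching This Rule."""
    return [r for r in records
            if r["rule"] != NOISY_RULE and r["protocol"] not in NETBIOS_PROTOCOLS]


def clients_over_limit(records, limit):
    """Return {client_ip: count} for clients whose connection count exceeds
    the per-client limit (160 on a new ISA 2004 install, 40 after an upgrade)."""
    counts = Counter(r["client_ip"] for r in records)
    return {ip: n for ip, n in counts.items() if n > limit}


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for r in drop_noise(recs)[:4]:
        print(client_type(r), r["client_ip"], r["protocol"], r["destination"])
    print("over the 40-connection upgrade limit:", clients_over_limit(recs, 40))
```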

Internet Acceleration

Acceleration of the Internet is a big part of the name of ISA Server, but in reality it's a small part of what it does. It's kind of funny really, because one of the criticisms of ISA by those who haven't investigated it, since its forerunner Proxy 1.0 came out, is that it's just a cache server.

Small businesses are enjoying greater bandwidth than ever. Not that long ago T1 speeds were reserved for those with big budgets, but thanks to advances in DSL and cable Internet technologies even the smallest business can afford the Internet at high speed. Even so, the use of the Internet by employees at small businesses demands efficient use of the bandwidth. This is what caching does for your business; it makes efficient use of your bandwidth.

The default cache size is set at 100MB on the drive on which ISA is installed. This is the minimum recommended setting. An additional 0.5MB for each web proxy client is recommended. Because Microsoft doesn't know how many clients you have at the time of installation, this configuration item is left for you to do. To adjust the cache settings, follow these steps:

1. In ISA Management, expand Configuration and click on Cache.

2. On the Tasks pane click Define Cache Drives (Enable Cache). The Define Cache Drives window opens as in Figure 23.18.

Figure 23.18. The cache is set at the recommended minimum by default.


3. In the Define Cache Drives window, increase the number in the Maximum Cache Size (MB) box by 0.5MB for each web proxy client on your network; then round up to the nearest whole number.

4. Click the Set button. Notice that you may also move where the cache is stored. Click OK when finished.

Best Practice: When to Set an Even Larger Cache

Depending on the type of business, you may find that a large cache yields benefits. Real estate and travel agencies are but two of many possible examples where Internet usage is intense. Users at these types of businesses would appreciate a larger cache size. A 500MB cache for a small business of this type would not be out of line. However, the Microsoft recommended cache size is 100MB + 0.5MB per web proxy client computer.


Controlling Cache Free Memory Use

ISA can get carried away and use up more free memory than would be best considering all the applications that your SBS server has to run simultaneously. To adjust the amount of free memory that ISA uses for caching, follow these steps:

1. In the same Cache Task pane, click Configure Cache Settings. In the Cache Settings window click the Advanced tab.

2. As Figure 23.19 shows, in the Percentage of Free Memory to Use for Caching box you are given the option of changing the amount of free memory allocated for caching purposes. The default configuration is 50%.

Figure 23.19. Depending on the capabilities of your server you may need to force ISA to use less free memory for caching.


3. Taking into consideration how much memory you have on your server and the amount of Internet usage you are expecting, you may modify this number down to save memory for other applications. Enter the percentage and click OK. Then click Apply when you are ready to have the change take effect.

4. You are prompted to restart the Firewall Service either now or later.




Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253
