February 28, 2009

Unsupported Configurations in ISA server

1. ISA Server Should Not Be Installed on a 64-Bit Operating System

Installing ISA Server on 64-bit versions of Microsoft Windows Server 2003 operating systems is not supported.

2.ISA Server 2004 Enterprise Edition Should Not Be Installed on Windows 2000 Server

ISA Server 2004 Enterprise Edition should only be installed on computers running Windows Server 2003.

3. ISA Server 2004 Enterprise Edition Should Not Be Installed in a Windows NT Server 4.0 Domain

ISA Server 2004 Enterprise Edition should not be installed as a domain member in a Windows NT Server 4.0 domain.

4. Firewall Client for ISA Server Should Not Be Installed on a Domain Controller

Installing ISA Server Firewall Client software on a computer configured as an Active Directory domain controller is not supported.

If Firewall Client software is installed, the domain controller may not function as expected.

5. Installing other firewall products on an ISA Server computer is not supported. Attempting to create a layered firewall deployment on a single server by adding additional firewall products will result in unpredictable behavior and may cause the server to fail.

6. ISA Server Does Not Support Multiple External Interfaces

7. ISA Server Does Not Support Multiple Default Gateways

Set a default gateway on only one of the ISA Server network adapters. Do not configure more than one default gateway on that adapter. The default gateway is usually set on the network adapter associated with the ISA Server default External network.

8. ISA Server Does Not Support a Network-Behind-Network Configuration

There cannot be two network adapters in the same subnet. This may manifest itself in a number of ways:

* Error 15108. ISA Server detected a spoof attack from Internet Protocol (IP) address IP_address, when trying to access a network resource.

Cause: When you define IP address ranges for a network, ISA Server checks all network adapters. When ISA Server finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets that ISA Server reaches through routers, the address ranges of those remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), ISA Server tries to locate an adapter with an IP address in that network object, and fails. ISA Server assumes that the adapter is not available (disconnected or disabled), and sets the network status to disconnected.
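The adapter-to-network association rule described above, as an added Python model (constructed here, not ISA Server code): each network definition is bound to the first adapter whose address falls inside one of its start-end ranges, a definition with no such adapter is reported as disconnected, and two adapters on one subnet are flagged as the unsupported network-behind-network layout. The adapter names, addresses and ranges are constructed sample values.

```python
"""Model of the ISA-style network/adapter association check (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Adapter:
    name: str
    ip: str           # adapter address, e.g. "10.0.0.1"
    prefix_len: int   # subnet mask length, e.g. 24


@dataclass(frozen=True)
class NetworkDef:
    name: str
    ranges: Tuple[Tuple[str, str], ...]   # ISA-style start-end address ranges


def _in_ranges(ip: ipaddress.IPv4Address, ranges) -> bool:
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def associate_networks(adapters: List[Adapter],
                       networks: List[NetworkDef]) -> Dict[str, Optional[str]]:
    """Map each network to the first adapter whose address is inside its ranges.

    A network mapped to None has no local adapter; this is the case the text
    describes as ISA marking the network 'disconnected'.
    """
    result: Dict[str, Optional[str]] = {}
    for net in networks:
        result[net.name] = next(
            (a.name for a in adapters if _in_ranges(ipaddress.ip_address(a.ip), net.ranges)),
            None)
    return result


def disconnected_networks(adapters: List[Adapter], networks: List[NetworkDef]) -> List[str]:
    return [n for n, a in associate_networks(adapters, networks).items() if a is None]


def same_subnet_adapters(adapters: List[Adapter]) -> List[Tuple[str, str]]:
    """Pairs of adapters that share a subnet (the unsupported network-behind-network case)."""
    pairs = []
    for i, a in enumerate(adapters):
        for b in adapters[i + 1:]:
            if (ipaddress.ip_interface(f"{a.ip}/{a.prefix_len}").network
                    == ipaddress.ip_interface(f"{b.ip}/{b.prefix_len}").network):
                pairs.append((a.name, b.name))
    return pairs


# Constructed sample: one internal and one external adapter on the firewall.
ADAPTERS = [Adapter("Internal", "10.0.0.1", 24), Adapter("External", "203.0.113.10", 24)]

# Wrong: the routed branch subnet 10.0.1.0/24 is its own network object,
# so no adapter address falls inside it.
NETWORKS_SEPARATE = [
    NetworkDef("Internal", (("10.0.0.0", "10.0.0.255"),)),
    NetworkDef("Branch", (("10.0.1.0", "10.0.1.255"),)),
]

# Right: the remote subnet is folded into the Internal network definition.
NETWORKS_MERGED = [
    NetworkDef("Internal", (("10.0.0.0", "10.0.0.255"), ("10.0.1.0", "10.0.1.255"))),
]
```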

9. ISA Server does not support intradomain communications between networks with a network address translation (NAT) relationship.

10. There are a number of issues associated with the configuration of ISA Server on a computer with a single network adapter.

* Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.
* Application layer inspection. Application level filtering does not function, except for Web Proxy Filter for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP.
* Server publishing. Server publishing is not supported. Because there is no separation of Internal and External networks, ISA Server cannot provide the NAT functionality required in a server publishing scenario.
* Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and Firewall Client requests are not supported.
* SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and SecureNAT client requests are not supported.
* Virtual private networking. Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario. Remote client VPN access is supported in a single network adapter scenario.

11. ISA Server 2004 Standard Edition Does Not Support NLB

ISA Server 2004 Standard Edition does not support NLB functionality.

Support for NLB is targeted at ISA Server 2004 Enterprise Edition, which addresses the concept of an array of ISA Server to share traffic and load.

To use NLB, install ISA Server 2004 Enterprise Edition.

NLB Limitations in Enterprise Edition on a Single Network Adapter Computer

12. ISA Server 2004 Standard Edition (without Service Pack 1) does not support Internet access requests from remote VPN clients through Web proxy on the ISA Server computer to which VPN remote clients are connecting. This issue is fixed in ISA Server 2004 Standard Edition Service Pack 1 and ISA Server 2004 Enterprise Edition.

Cause: Such client requests come from the VPN tunnel interface, and not from the Internal network interface. Web proxy NAT functionality cannot handle such requests.

Solution: Install ISA Server 2004 Standard Edition Service Pack 1.

13. DHCP Address Allocation for VPN Remote Clients Not Supported in ISA Server 2004 Enterprise Edition

In ISA Server 2004 Enterprise Edition, using a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses to VPN remote clients is available only in a single-server ISA Server array.

This option is available only in ISA Server 2004 Standard Edition, or in ISA Server 2004 Enterprise Edition with a single array member. This limitation applies for the following reasons:

13. Outbound L2TP connections without IPsec are not supported when ISA Server is configured as a VPN server that uses the L2TP/IPsec protocol.

Cause: By default the following settings apply:

* Network address translation (NAT) is applied to outbound traffic from the Internal, VPN Clients and Quarantine VPN Clients networks to the External network.
* When ISA Server is configured as a VPN server that uses the L2TP/IPsec protocol, traffic to and from the L2TP protocol port (UDP port 1701) is secured by IPsec.

With these default settings, the outbound L2TP client request is sent from the NAT address (usually the address of the ISA Server external network adapter) and the external VPN server responds to this address. ISA Server does not forward the L2TP traffic from the external VPN server to the client because no matching IPsec policy exists.

Solution: Use PPTP for outbound VPN connections, or do not use the L2TP/IPsec protocol when ISA Server is configured as a VPN server.

14. Customization of forms-based authentication pages is not supported in ISA Server 2004.

Cause: Forms-based authentication can be enabled on the Microsoft Office Outlook Web Access Web site, or on the ISA Server computer. When you enable this authentication method on ISA Server, the Logon.asp form runs on the ISA Server computer. It is possible to customize the form for specific requirements, but such customization is not supported on ISA Server 2004. Modifying pages on the Exchange server running Outlook Web Access will have no effect on forms-based authentication enabled on the ISA Server computer.

Solution: If problems arise as a result of such customization in ISA Server 2004, the original files should be restored.

15. Cannot Use Multiple Server Certificates for a Single SSL Listener

Problem: Only one SSL server certificate can be bound to a Web listener.

Cause: The name of the Web site specified in the external user request must use the name of the site listed on the common name of the certificate. For example, if users will access www.contoso.com, the common name on the certificate must be www.contoso.com. If you try to use the listener to publish another secure site, it will not succeed because the certificate name will not match the user request name.

Solution: To publish multiple SSL sites using the same IP address and port where all sites published use the same domain name, you can use a wildcard character certificate. For example, to publish sites OWA, WebSite1, and WebSite2 at contoso.com, you can acquire a wildcard character certificate (*.contoso.com) for the ISA Server computer. Note that ISA Server only supports wildcard character certificates on the ISA Server computer. In an HTTPS-to-HTTPS bridging scenario, you cannot use a wildcard character certificate to authenticate to the back-end Web server.
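Why one listener serves one site name, and how a wildcard certificate changes that, as an added Python illustration (constructed here, not ISA Server's own matching logic): the requested host must equal the certificate's common name, and a `*.contoso.com` certificate covers exactly one extra label, so it does not cover `contoso.com` itself or `mail.owa.contoso.com`. The site names are the ones used in the text.

```python
"""Host-name versus certificate-name matching for a single SSL listener (constructed example)."""
from typing import Dict, List


def cert_name_matches(cert_name: str, requested_host: str) -> bool:
    """Return True if a certificate issued for cert_name covers requested_host.

    Conventional rules, which also explain the limitation in the text:
      * comparison is case-insensitive and ignores a trailing dot;
      * a non-wildcard name must match the requested host exactly;
      * '*' is honoured only as the whole left-most label and matches exactly
        one label, so '*.contoso.com' covers 'owa.contoso.com' but not
        'contoso.com' or 'mail.owa.contoso.com'.
    """
    cert = cert_name.lower().rstrip(".")
    host = requested_host.lower().rstrip(".")
    if not cert.startswith("*."):
        return cert == host
    suffix = cert[2:]
    if "*" in suffix or not suffix:
        return False            # only a single leading wildcard label is accepted
    head, sep, tail = host.partition(".")
    return bool(sep) and bool(head) and "*" not in head and tail == suffix


def listener_can_serve(listener_cert_name: str, published_sites: List[str]) -> Dict[str, bool]:
    """For each published site, report whether the listener's one certificate covers it."""
    return {site: cert_name_matches(listener_cert_name, site) for site in published_sites}


# Constructed scenario from the text: three secure sites behind one listener.
SITES = ["owa.contoso.com", "website1.contoso.com", "website2.contoso.com"]
```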

16. RPC-Over-HTTP Traffic Not Inspected

Problem: RPC over HTTP traffic encrypts the RPC data in HTTP. RPC over HTTP data is not inspected by ISA Server 2004.

Cause: In regular Web publishing scenarios, ISA Server can inspect the HTTP headers and body. However, the RPC filter designed to inspect RPC traffic cannot inspect RPC over HTTP requests, and does not protect against RPC exploits reaching the Exchange server. In outbound scenarios, RPC over HTTP requests over SSL are tunneled, and no inspection takes place of the HTTP headers or body following the initial connection.

Solution: Deploy RPC over HTTP with this limitation in mind. For configuration information for this scenario, see the Knowledge Base article 884506, "How to configure ISA Server 2004 to allow for RPC over HTTP client connections from Office Outlook 2003 to Exchange Server 2003."

16. Live Communications Server Should Not Be Located on the ISA Server Computer

Problem: Running Live Communications Server on the ISA Server computer is not supported.

Cause: This is an untested scenario.

17. Live Communications Server Has Limited Functionality through ISA Server

Problem: Not all Live Communications Server functionality works through ISA Server 2004.

Cause: The following limitations apply:

* Communication between two clients on the same side of the ISA Server computer should work in a simple internal network configuration.
* Presence and instant messaging is essentially a client/server application, where the server mediates the communication between the two clients. This avoids the NAT issues that arise when an external client needs the IP address of the internal client. Instant text messaging from an internal client to an external client can go out through Web proxy.
* Audio, video, and whiteboard features use SIP/SIMPLE. ISA Server does not have a SIP application filter at this time to handle such traffic. The only exception is if the session is initiated by an external Internet client that is not behind a NAT device.

18. Secure FTP Support

Problem: The following limitations apply:

* ISA Server cannot publish secure File Transfer Protocol (FTP).
* ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections.

Cause: The following causes apply:

* FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP application filter to monitor FTP communications between the client and the server. Outbound SSL connections, such as FTPS, cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
* Server publishing tunnels SSL traffic, and therefore such traffic is not inspected by ISA Server.

Solution: There is a specific workaround available that allows you to publish secure FTP. For more information, see Publishing Secure FTP Servers behind ISA Firewalls at the ISAserver.org Web site.

19. FTP Limitations for Web Proxy Clients

Problem: The following limitations apply:

* You cannot use FTP upload from a Web Proxy client. Remote directory and file management actions also fail.
* You cannot use third-party, non-browser FTP applications or command-line FTP tools. Web Proxy clients tunnel FTP requests over port 80. You require SecureNAT clients or Firewall clients to use these tools.
* To access FTP sites that are not anonymous, you will need to enable folder view in Internet Explorer. This causes Internet Explorer to prompt for credentials. Credentials should be specified in the following format: ftp://username:password@FTP_Server_Name.
* By default, ISA Server uses PASV mode for FTP requests. If this mode is not supported by the FTP server you want to reach, you will need to disable folder view in Internet Explorer. This allows Internet Explorer to send PORT commands.

Cause: FTP uploads are not supported for client computers configured as Web Proxy clients only.

21. ISA Server Does Not Support Routing Protocols

Problem: ISA Server is not a router and does not directly support routing protocols such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Cause: ISA Server has no built-in support for these dynamic routing protocols.

Solution: You can install Routing and Remote Access on the ISA Server computer as a LAN router, to allow it to listen for OSPF announcements and handle routing protocols communications. You will need to create access rules to allow such traffic. Create a custom protocol object for the routing protocol, and then allow traffic for the protocols to and from neighboring routers, and the ISA Server computer. OSPF supports fragmented packets, and you should not filter IP fragments on ISA Server.

22. ISA Server Support in a Virtual Environment

Microsoft ISA Server and Forefront TMG are supported on hardware virtualization in accordance with the following programs:

* Microsoft Support Lifecycle
* Microsoft ISA Server system requirements
* Forefront TMG system requirements
* Microsoft Server Virtualization Validation Program (SVVP)
* Support Policy for Microsoft software running on non-Microsoft hardware virtualization software

* Desktop virtualization, such as Microsoft Virtual PC or similar 3rd-party product: supported for demonstration and educational use only
* Server Virtualization, such as Microsoft Virtual Server or similar 3rd-party product: supported, but not recommended for production use

Message Screener Does Not Work with Exchange Server 2003

Problem: The ISA Server SMTP Message Screener component may interfere with Exchange Server 2003 functionality.

Cause: The ISA Server SMTP Message Screener component is designed for filtering e-mail messages based on keywords or attachments, or blocking e-mail messages from specific senders or domains. It works together with the SMTP filter to intercept all SMTP traffic arriving on TCP port 25 of the ISA Server computer. We do not recommend that you use the Message Screener component with Exchange Server 2003. Message Screener may interfere with the functioning of the Exchange Server 2003 Connection and Recipient Filtering function.

Solution: The SMTP filter can be used with Exchange Server 2003. Installation and configuration of the SMTP filter and Message Screener are described in the document Using the ISA Server 2004 Enterprise Edition SMTP Filter and Message Screener.

23. ISA Server Does Not Handle IPv6 Traffic

Problem: IPv6 traffic passes through the ISA Server firewall regardless of firewall policy.

Cause: Filtering of IPv6 traffic is not supported.

24. The Web Cache Communication Protocol (WCCP) and the Internet Cache Protocol (ICP) are not supported in ISA Server.

25. A Web Proxy client browser cannot connect to the Web listener over an SSL connection.

Cause: This is a browser limitation. Internet Explorer does not support certificate authentication to a Web proxy. On the Web Proxy tab of a network’s properties page, there is an option to Enable SSL. This option is only for use in a Web Proxy chaining scenario. In this case, you can configure a downstream ISA Server computer to forward Web requests to an upstream proxy over an SSL connection. This allows you to bridge HTTP traffic as HTTPS to the upstream server.

Solution: Do not use an SSL connection.

Requests from Web Proxy Clients Cannot Be Authenticated Using a Client Certificate

26. LDAP authentication is not supported in outbound Web access scenarios.

Cause: In ISA Server 2006, LDAP authentication is available only as an authentication method in reverse proxy Web publishing scenarios. LDAP authentication is not available in ISA Server 2004.

January 3, 2009

VPN Connections

There are two types of VPN connections:

* Remote access VPN connection
* Site-to-site VPN connection

Remote Access VPN Connection

A remote access client makes a remote access VPN connection to a VPN server that connects the remote access client to a private network. ISA Server provides access to the entire network to which the VPN server is attached. By using the ISA Server computer as the VPN server, you can manage VPN client access to the corporate network. VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to your ISA Server firewall access policy, so you can control VPN client access to network resources.

Site-to-Site VPN Connection

A site-to-site VPN connection connects two separate private networks. ISA Server provides a connection to the network to which the ISA Server array is attached.

There are three VPN protocols for site-to-site connections:

* Point-to-Point Tunneling Protocol (PPTP)
* L2TP over IPsec
* IPsec tunnel mode

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiple protocol, virtual private networking over public networks such as the Internet. PPTP allows IP traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

L2TP over IPsec

Layer Two Tunneling Protocol (L2TP) is an industry standard tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPsec) encryption to protect the data stream from one VPN server to the other VPN server. IPsec tunnel mode allows IP packets to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP over IPsec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates or a preshared key.

IPsec tunnel mode

When Internet Protocol security (IPsec) is used in tunnel mode, IPsec itself provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPsec or PPTP VPN tunneling.

January 2, 2009

VPN Concepts in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition provide secure site-to-site virtual private network (VPN) functionality and secure VPN client access. In ISA Server 2006 Enterprise Edition, this functionality works with the ISA Server Network Load Balancing (NLB) functionality to provide redundancy and failover capacity for VPN.


A VPN is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers or two networks across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a VPN.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.

VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From a user's perspective, you are connected to the corporate network, and do not consider that you are communicating over a public infrastructure. The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations or branch offices over a public network, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. These connections are made over the Internet using a site-to-site VPN connection. Companies are changing from leased lines to standard Internet connections, because of the higher costs of leased lines, the complexities of maintaining these leased lines, and time required to have leased lines installed.

By using ISA Server, you can manage site-to-site VPN connections and VPN client access to the corporate network. All VPN connections to the ISA Server array are logged to the Firewall log, so that you can monitor VPN connections.