ISA Server 2004 Standard Edition
September 1, 2004
Published: September 6, 2004
Please note: Portions of this transcript have been edited for clarity
Introduction
Chat_Moderator (Microsoft)
Welcome to today’s ISA Server 2004 Standard Edition Chat. I will ask the hosts to introduce themselves.
Host: Oren (Microsoft)
Hi, I'm Oren Trutner, a program manager on the ISA Server team. I've accompanied ISA Server 2004 since its inception, and I'll be glad to answer your questions regarding policy, web proxy, caching, filtering and using the product.
Host: Adina (Microsoft)
My name is Adina Hagege, and I’m the documentation lead for ISA Server. We look forward to hearing your questions, and making sure that we're answering them appropriately on the ISA Server Guidance Center.
Host: itaia (Microsoft)
Hi all, I'm Itai Almog, a developer of the ISA Server 2004 monitoring. Feel free to ask questions and I'll do my best to answer :-)
Host: EmilyF (Microsoft)
Welcome to today’s chat. Our topic is ISA Server 2004 Standard Edition. Questions, comments, and suggestions are welcome.
Host: urih (Microsoft)
Hi, I'm Uri Habush, dev lead in ISA team. I'll be glad to answer your questions regarding monitoring, logging, upgrade and any other question related to ISA 2004 EE.
Start of Chat
Host: Oren (Microsoft)
A: CRM 1.2: actually, I don't know. I assume it is. We'll check and get back to you on that
Host: Adina (Microsoft)
Q: in ISA 2K we used to have cachedir.exe to check / clear cache. Are there any such tools in ISA 2K4?
A: This tool should be available in the very near future. Stay tuned to the Coding Corner (http://www.microsoft.com/technet/isa/2004/default.mspx).
Host: Oren (Microsoft)
Q: is there an upgrade Communication Configuration wizard for ISA 2004 with SBS2003, and can SBS2003 users upgrade to ISA 2004 under their existing license?
A: An update to SBS2003 that includes ISA Server 2004 is in the works. I assume you don't need a new license, but can't verify at the moment
Host: Oren (Microsoft)
Q: Can ISA 2004 be run on the domain controller in, for example, an SBS2003 configuration?
A: Yes
Host: Oren (Microsoft)
A: Keep in mind that it's not always a recommended practice due to security considerations. You might want to have a look at the security hardening guide
Host: itaia (Microsoft)
Q: What exactly happens when we apply changes concerning internal clients?
A: If you mean what happens with active connections then they are kept alive. The new policy will affect only new connections.
Host: Oren (Microsoft)
Q: I'm running ISA 2004 beta2 but I'm sure it's been over 180 days, should I check the event logs because it's filtering like it should.
A: Once the beta expires, ISA services might not start. You should check the services pane of the monitoring section
Host: Oren (Microsoft)
Q: Should Windows XP SP2 Windows Firewall be fully enabled along with ISA 2004?
A: I'm assuming you're referring to the personal firewall on Windows Server 2003. The personal firewall should be disabled when ISA is installed. It is not providing
Host: itaia (Microsoft)
Q: Are there any existing tools that allow reading / decoding exported XML configuration?
A: We don't provide such a tool but since it's in XML format you could use any XML reader to view it. 3rd party vendors may develop such a tool in the future...
Host: Oren (Microsoft)
A: additional value
Host: Oren (Microsoft)
Q: still running Proxy 2.0. What is incentive in moving to ISA 2004?
A: a *lot* has changed. You might want to take a look at http://www.microsoft.com/technet/isa/2004/development/default.mspx
Host: Oren (Microsoft)
Q: Can ISA 2004 run on the same Windows Server 2003 machine as Exchange?
A: Yes
Host: Oren (Microsoft)
Q: Is there a release date planned for the enterprise edition?
A: Unfortunately we cannot comment on the enterprise edition release date at this point
Host: urih (Microsoft)
Q: concerning active connexion, it means changes aren’t applied to active connexion but only to incoming ones?
A: Yes, all the existing connections are still alive and allow the traffic. The new policy will be applied only to new connections
Host: itaia (Microsoft)
Q: concerning active connexion, it means changes aren’t applied to active connexion but only to incoming ones?
A: That is correct. You can use the sessions viewer tool to disconnect your old sessions or simply restart the firewall service.
Host: Oren (Microsoft)
Q: Well all services are running but I was just wondering what is the expected behavior when it reaches the end of its license period
A: ISA services should stop and refuse to start
Host: Oren (Microsoft)
Q: With 1.5 - 3.0 M Cable modem and ADSL connections being fairly inexpensive, and a small user all multiple cable modem connections through ISA 2004 and gain in increase in through put?
A: are you asking about utilizing increased bandwidth, or about multiple cable modems?
Host: Oren (Microsoft)
Q: Can we use multiple listeners with only one external IP?
A: yes -- you can have listeners on different ports of a single IP address
Host: Oren (Microsoft)
Q: What's the limit you reached as a test concerning incoming VPN request with ISA Server 2004?
A: I don't have the numbers available. It was stress-tested to the same scale that VPN support in Windows RRAS was tested
Host: itaia (Microsoft)
Q: What is your take with ISA server being used between a router to the internet and a firewall? Is this redundant?
A: You could use ISA 2004 as a front end firewall and your other firewall as a back end firewall. It's a very common configuration. You even have a wizard for it :-)
Host: Oren (Microsoft)
Q: May I use the same MSDE instance of ISA 2004 to store filter data of my own? Or is this not recommended due to performance?
A: Not recommended -- MSDE has various scalability limits, and has to keep up with the log. You'd be better off using a separate instance of MSDE
Host: Oren (Microsoft)
Q: Oren, it was like 5000~ ?
A: I don't have figures available. We can check and get back to you
Host: itaia (Microsoft)
Q: The export/import xml configuration from beta2...
A: I'm sorry but we don't support upgrade from beta2 to the final released version.
Host: Oren (Microsoft)
Q: Is it possible to map AD groups to Radius group when configuring authentication? I think I saw it was user to user
A: ISA accepts RADIUS user and group names in the dialog box for RADIUS principals
Host: Oren (Microsoft)
Q: Which protocol definition gets applied first if they handle the same primary port? The predefined one or the user defined one?
A: the protocol definition that is used in the first matching rule will be the one used
Host: itaia (Microsoft)
Q: Just wanted to know if MS has/is going to ship...
A: Look at beta_procrastinator's answer, he is right!
Host: Oren (Microsoft)
Q: Is it possible to move the MSDE instance to a remote SQL server, or also not recommended?
A: It's possible to log to a SQL server or any other ODBC-enabled database
Host: urih (Microsoft)
Q: is there an upgrade from 2000 to 2004?
A: Yes. We support 2 upgrade methods. An in-place upgrade that upgrades the current machine from ISA 2000 to ISA 2004. The second method allows you to upgrade the ISA 2000 configuration and use it on a new ISA 2004 mac
Host: Oren (Microsoft)
Q: is the upgrade option on the regular ISA 2004 software
A: yes
Host: Adina (Microsoft)
Q: having a VPN server in a DMZ and an edge ISA Server 2004. How can I publish the VPN server (pptp would be ok). TCP1723 would be enough?
A: Check out the Publishing VPN paper on http://www.microsoft.com/isaserver/techinfo/default.mspx. This has prescriptive directions on exactly what you need to do.
Host: Oren (Microsoft)
Q: Having two Win 2003 Server machines, one Win 2000 machine, what is the recommended setup (if one exists) to fit ISA 2004, SQL 2000, Exchange, Great Plains 8.0, CRM 1.2, SharePoint 2.0, and Business Portal 2.5 on those three machines?
A: You would want to have ISA Server all on its own on one Windows Server 2003 machine, to protect all of the others. You can split the other products on the remaining machines as it makes sense to you.
Host: Oren (Microsoft)
Q: Hello, what is the maximum size of the files Cache * cdat
A: the cdat file grows up to 4GB. ISA rolls out multiple cdat files to accommodate the cache size you select
Host: Oren (Microsoft)
Q: Anyone know why an audio/video deny rule using content groups would deny audio/video but also would return blank web pages on .asp/.aspx web forms that use HTTP POST Method or/and when the hosting web server returns HTTP Status 302?
A: The audio and video content types on ISA merely list file extensions. You might want to review those file extensions to ensure they don't match any of the pages you're trying to access -- or objects in them.
Host: itaia (Microsoft)
Q: what encryption is used with the firewall client?
A: We use Kerberos authentication (with fallback to NTLM). As for encryption, we use the standard Windows SSPI platform. I'll check to see exactly which protocol is used there and post the answer.