ISA Server 2004 FAQ: Administering

This frequently asked questions (FAQ) document provides answers to questions commonly asked during administration and management of Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q

How can I allow someone to perform specific tasks, but not all tasks, in ISA Server?

A

ISA Server provides role-based administration, which assigns permissions for specific tasks to Windows users and groups. Assign the Full Administrator role to allow users to perform all tasks. Use the Extended Monitoring role to allow users to perform monitoring, log configuration, alert definition, and export and import of secret configuration information. Use the Basic Monitoring role to allow users to view monitoring information, but not to change configuration.

Q

How can I remotely administer my ISA Server computer?

A

You can use Terminal Services or Remote Desktop to connect to the ISA Server computer. Alternatively, you can install the ISA Server Management Microsoft Management Console (MMC) and use that for remote administration. There are two system policy rules that allow remote management of the ISA Server computer - one for MMC management, the other for Terminal Server (Remote Desktop) management. Add the computer you want to use for remote administration to the predefined Remote Management Computers set used by these rules.

Q

What is the difference between import and export, and backup and restore?

A

The import and export feature and the backup and restore feature are similar, but you would generally use them for different purposes. You can use export and import to save and then import the entire ISA Server configuration, or parts of it, for example the entire firewall policy, the system policy, or a selected rule. Confidential information is encrypted. Information is exported to an .xml file, and then imported from that file. The export and import feature is used primarily to clone server settings, or to export configuration settings to a file for troubleshooting purposes.

The backup and restore feature enables you to save and restore most configuration information. ISA Server backs up a server's general configuration information, cache configuration, and VPN configuration. The configuration parameters are stored locally in an .xml file. The primary use of this feature is disaster recovery, and we recommend that you back up the configuration after any major changes, for example, after changes to network definitions, cache configuration, or system policy rules.

Q

What services does ISA Server use?

A

When you install ISA Server, the following Microsoft® Windows® operating system services are also installed:

  • Microsoft Firewall service. Wspsrv.exe (fwsrv). Windows service supporting requests from Firewall and SecureNAT clients.
  • Microsoft ISA Server Control service. Mspadmin (isactrl). Windows service responsible for restarting other ISA Server services, generating alerts, running actions, and deleting log files.  
  • Microsoft ISA Server Job Scheduler service. W3Prefch.exe (isasched). Windows service that downloads cache content from Web servers.
  • Microsoft Data Engine (MSDE). Used to save log information in MSDE format.
  • ISA Server Storage service. Isastg.exe (isastg). Windows service used to manage read and write access to the ISA Server configuration store, which is registry based, with some file storage.

Q

When does ISA Server go into lockdown mode?

A

Lockdown mode is entered when an event causes the Firewall service to shut down, or when the Firewall service is shut down manually.

When the Firewall service restarts, ISA Server exits lockdown mode and continues functioning as before. Any changes made to the ISA Server configuration are applied after ISA Server exits lockdown mode. The effects of lockdown mode are documented in ISA Server online Help.
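Because lockdown mode is tied to the state of the Firewall service, a quick health check is to query the ISA Server services named in the services list above. The following script is an added example, not from the FAQ or the ISA Server SDK; it checks the four services with short names given on this page (MSDE is left out because the FAQ gives no service name for it) and reports lockdown mode when fwsrv is not running.

```vbscript
' Added example: report the state of the ISA Server 2004 services and flag
' lockdown mode (Microsoft Firewall service, fwsrv, stopped).
' Run on the ISA Server computer: cscript CheckIsaServices.vbs
Option Explicit

Dim wmi, services, name, results, svc, allRunning, fwRunning

' Short service names as listed in the FAQ.
services = Array("fwsrv", "isactrl", "isasched", "isastg")

Set wmi = GetObject("winmgmts:\\.\root\cimv2")
allRunning = True
fwRunning = False

For Each name In services
    Set results = wmi.ExecQuery("SELECT Name, State, StartMode FROM Win32_Service WHERE Name = '" & name & "'")
    If results.Count = 0 Then
        ' The service is not registered on this computer at all.
        WScript.Echo name & vbTab & "NOT INSTALLED"
        allRunning = False
    Else
        For Each svc In results
            WScript.Echo svc.Name & vbTab & svc.State & vbTab & "(start mode: " & svc.StartMode & ")"
            If svc.State <> "Running" Then allRunning = False
            If LCase(svc.Name) = "fwsrv" And svc.State = "Running" Then fwRunning = True
        Next
    End If
Next

' Exit codes let a scheduled task or monitoring agent act on the result.
If Not fwRunning Then
    WScript.Echo "WARNING: the Microsoft Firewall service (fwsrv) is not running; ISA Server is in lockdown mode."
    WScript.Quit 2
ElseIf Not allRunning Then
    WScript.Echo "WARNING: one or more ISA Server services are not running."
    WScript.Quit 1
End If

WScript.Echo "All ISA Server services are running."
```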

Q

What system account does the Firewall Service run under?

A

The Firewall Service (and ISA Server service) runs under the Network Service account.

Q

Does the Network Service account require any special permissions?

A

For SecurID to work in ISA Server on a computer running Windows Server 2003, the NetworkService account requires the following permissions:

  • Read/write access on HKEY_LOCAL_MACHINE\Software\SDTI\ACECLIENT
  • Read permission on %SystemRoot%\system32\sdconf.rec

Q

I have just created a rule denying specific traffic. I had a previous rule allowing such traffic, and when I check, it seems that the deny rule is not working, and that the traffic is still getting through. What is wrong?

A

This behavior is by design. When you create a new rule, the rule is applied to new connections, and not existing ones. If an existing connection is still active, you might see the behavior described. You can wait a few minutes for the connection state to time out, close existing sessions, or restart the service to force the removal of old connection states.

Q

When I install ISA Server in my network environment (with IPSec enforced), the ISA Server can be managed remotely for a short time, but after the existing IPSec session expires, the ISA Server computer is not available for remote access. What happened?

A

The ISA Server does not allow Internet Key Exchange (IKE) traffic, and thus the IPSec session cannot be renewed. As a workaround, to allow remote management of ISA Server in an IPSec environment, you must create a rule that allows IKE protocol traffic to the Local Host network. There is a predefined protocol definition for IKE, available in Toolbox, Protocols (VPN and IPSec protocols) in ISA Server Management. The IKE Client protocol definition defines a primary connection for UDP port 500 (SendReceive).

Q

I have NLB set up for ISA Server. How can I ensure that each ISA Server computer can communicate with the other?

A

At each ISA Server computer, you need to include the IP address of the other ISA Server computer within one of its networks. For example, include the IP address of ISAServer1's internal adapter in the Internal network of ISAServer2. Also, at the time of writing, you need to use multicast mode.

Q

I cannot use DCOM from a computer in the Remote Management Computers set to the ISA Server computer. Why not?

A

In the system policy rule, there is no option to configure remote management to allow non-strict RPC traffic. All DCOM traffic from Remote Management computers to the Local Host network is dropped, because the RPC filter applied by the system policy rule cannot be configured to relax RPC filtering and allow DCOM. As a workaround, remove the computer from the Remote Management Computers set, and create an additional access rule for the same traffic as the system policy rule. Then right-click the rule, click Configure RPC Protocol, and clear Enforce strict RPC compliance for this rule.

Q

What is the significance of NAT and Route relationships between networks?

A

If you have a network rule that defines a network address translation (NAT) relationship between two networks (for example Internal and External), the following will apply:

  • Internal to External traffic will be defined by access rules.
  • External to Internal traffic will be defined by publishing rules.

If you have a route relationship, you can use access rules in both directions.

Q

What is the Local Host network?

A

The Local Host network represents the ISA Server computer. That is, all traffic that comes from or goes to ISA Server is considered to have passed by way of the Local Host network. It includes all the IP addresses of the ISA Server computer, and the reserved loopback IP address 127.0.0.1.

Q

How can I filter undesirable sites?

A

The HTTP filter in ISA Server 2004 allows you to block content based on URL length, strings, file name extensions, and other means. You can specify the HTTP filter settings per access rule or Web publishing rule. Select the rule, and then on the Tasks tab, click Edit Selected Rule. On the Traffic tab (Web publishing), or Protocols tab (access rules), click Configure HTTP. For more information, see the HTTP Filter topic in online Help.

Q

Certain attacks use a large amount of data in the HTTP header for security exploits. How can I limit the length of HTTP headers?

A

The maximum length for request headers is enforced by the HTTP filter and applies to all rules. The default is 32,768 bytes. To modify the default value, in the details pane of the Firewall Policy node, right-click the required rule, and then click Configure HTTP. You can also modify the value using a script provided in the Configuring Add-Ins topic of the ISA Server SDK Help.

Limiting the length of response headers is global, and is controlled by the administration COM property FPCWebProxy.MaxHeadersSize.
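The response header limit can be read and changed through the administration COM object. The following script is an added example, not from the FAQ or the ISA Server SDK; it assumes FPCWebProxy is reached through FPC.Root, GetContainingArray and ArrayPolicy.WebProxy, as in other ISA Server 2004 administration scripts, and that the property name is FPCWebProxy.MaxHeadersSize as stated above.

```vbscript
' Added example: show, and optionally change, FPCWebProxy.MaxHeadersSize,
' the global limit on HTTP response header length.
' Usage: cscript SetMaxHeadersSize.vbs [newSizeInBytes]
Option Explicit

Dim root, isaArray, webProxy, newSize

' Assumption: object path FPC.Root -> GetContainingArray -> ArrayPolicy.WebProxy.
Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray()
Set webProxy = isaArray.ArrayPolicy.WebProxy

WScript.Echo "Current MaxHeadersSize: " & webProxy.MaxHeadersSize & " bytes"

If WScript.Arguments.Count = 0 Then
    WScript.Quit 0
End If

' Validate the requested value before touching the configuration.
If Not IsNumeric(WScript.Arguments(0)) Then
    WScript.Echo "New size must be a positive whole number of bytes."
    WScript.Quit 1
End If
newSize = CLng(WScript.Arguments(0))
If newSize <= 0 Then
    WScript.Echo "New size must be greater than zero."
    WScript.Quit 1
End If

webProxy.MaxHeadersSize = newSize
' Save commits the change to the configuration store; nothing applies until then.
isaArray.Save

' Re-read the property so the displayed value reflects what was stored.
WScript.Echo "MaxHeadersSize is now: " & webProxy.MaxHeadersSize & " bytes"
```

A smaller response header limit reduces the data a misbehaving or hostile upstream server can push through the proxy in headers, so review the value after any change against the largest headers your published applications legitimately send.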

Q

I want to configure an inbound access rule, but I cannot select an inbound protocol for the rule. What is wrong?

A

In ISA Server 2004, inbound protocols are used only in publishing rules. For access rules, protocols are outbound.

Q

In a localized language environment, chained requests using Integrated authentication are failing. What is the cause?

A

The problem is in the translation of credentials. Integrated authentication fails, and the downstream proxy is identified as a guest account on the upstream proxy.

Q

Is bidirectional affinity (BDA) supported when using network load balancing (NLB) with ISA Server?

A

No, BDA is not supported.

Q

I see the STARTTLS command in the SMTP command list. Does that mean that SMTP TLS encrypted connections are allowed by the SMTP filter?

A

The SMTP filter works in passthrough mode if you are using the STARTTLS command, and no filtering of SMTP traffic is performed.

[Topic Last Modified: 12/16/2008]