Installing Live Writer behind an ISA firewall

I like Live Writer a lot but it is very hard to install when you are behind Microsoft’s ISA firewall. I spent a couple of hours trying to figure out what ports I needed to open in the firewall so that the Live Writer install program would install. All of my attempts ended with the “Try Later” message. I finally gave up and added the computer temporarily to my Linux firewall rule to complete the install.

Then I set about writing this post. When I opened the post properties to add some keywords, the keywords field was not there. Hmm.. The Live Writer version on my laptop has the keywords field, so I was befuddled. After a little searching I found this post, Add Tags To WordPress 2.3 Posts From Windows Live Writer 2008. I am running the latest version of WordPress so I was not surprised to see that I already had the code changes. I was missing the wlwmanifest.xml file. After downloading the zip file, uploading it to the “wp-includes” directory, and then updating my weblog style, I was back in business.

WSUS 3.0 and ISA 2004 SP3 Updates

Windows Server Update Services (WSUS)

I was feeling a little adventurous yesterday and decided to update Windows Server Update Services (WSUS). This package is a great tool for managing and tracking the updates to Windows computers in a small business server environment. There are other products that may do a little better job but you cannot beat the price (free). My version of WSUS was working okay but the console had always been very slow and occasionally I yearned for a little custom reporting. I could read between the lines, too. Microsoft really wants us to upgrade to 3.0, so you had better be ready soon! I opted to get it done when it fit in my schedule. I cannot really complain about the slowness since I am running it on a server with less than the recommended CPU power. Before I could upgrade I had to install two packages:

  1. Microsoft .Net Framework Version 2.0
  2. Microsoft Report Viewer 2005 SP1

Although my version of WSUS had been migrated over to SQL Server, I did not need to alter the registry as indicated in the README file. With all of the prerequisites in place, I invoked the upgrade. The in-place upgrade took a long time but it completed without error. That is always a good sign. The only part of the upgrade I had not paid attention to was that the new console had completely replaced the old web-based console. The old console was no longer available. The good news is that I could run the upgrade on my workstation and install the new console as long as I had met the prerequisites (i.e. .Net 2.0 and Report Viewer 2005). After it was finished I went back to see what it had left behind. The SUSDB was gone. I did find a new SQL Server instance called “Microsoft ##SSEE” that was visible in the Server Management console. It probably is a SQL Server 2005 Express database since it wants the SQL Server Management Studio to manage it.

Internet Security and Acceleration Server 2004 SP3

This service pack was released today, 5/1/2007. I did not see any advance warning in the mailing lists. Since I started updating the server yesterday and it was still in good condition for more updates, I went ahead and applied this one. This one installed without problems. I will add a new server configuration report for my records.

Publishing ISA Reports on your Sharepoint site

Here’s the problem. You want to look at your firewall reports regularly. You have gone so far as to set up ISA to publish the daily and monthly reports to a directory on the server, but getting to yesterday’s report is a real pain in the butt. It would be nice to send the report via email as a PDF like Trend does, or to have it appear on the home page of your SharePoint site. Although I may do the email option in the near future, I have already completed the second option. Here is how I did it.

  1. Publish the ISA reports you are interested in to a directory if you have not already done it.
  2. Add a virtual directory to your default web site and point it at your report directory. For this example I will use srv1 as the server name and isa as the virtual directory name. This virtual directory points to my ISA reports directory located at h:\reports. To get to the Daily report for 4/25/2007 I would use the following URL, http://srv1/isa/Daily_(4.25.2007-4.25.2007)/report.htm. As you can see, entering this URL can get pretty tedious.
  3. To solve this problem I created a small web page with some JavaScript that calculates the URL to yesterday’s ISA report and then redirects you there. I called that page daily.htm and put it in the Reports directory. So if I wanted to see yesterday’s ISA report, I would enter the following URL into my browser, http://srv1/isa/daily.htm, and the latest ISA daily report would pop up.
  4. Now that we have a URL that will always point to the latest ISA daily report, the Page Viewer Web Part becomes a simple solution to the problem. The Page Viewer Web Part gives me a peek at the Daily report and makes it easy for me to browse the rest of the report. I created a similar web page that produces the Monthly report. I put links to both pages and the directory in my SharePoint Links list and My Favorites.

Although I used this technique for looking at firewall reports it could be easily modified to show a web page with key business indicators that you create daily, weekly, or monthly.

Here is the code for the daily.htm web page.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<meta name="generator" content="HTML Tidy" />
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
//<![CDATA[
// Build the date range text used in the ISA daily report directory name,
// e.g. "4.25.2007-4.25.2007" for yesterday's one-day report.
function getRptDate()
{
    var now = new Date();
    // 86400000 ms = 24 hours; yesterday's date
    var ydate = new Date(now.getTime() - 86400000);
    var yday = ydate.getDate();
    var ymon = ydate.getMonth() + 1;   // getMonth() is zero-based
    var yyear = ydate.getFullYear();
    var datetext = ymon + '.' + yday + '.' + yyear + '-' + ymon + '.' + yday + '.' + yyear;
    return datetext;
}
//]]>
</script>
</head>
<body>
<script type="text/javascript">
<!--
// Redirect to yesterday's report under the isa virtual directory
var d = getRptDate();
var path = 'http://srv1/isa/';
window.location = path + 'Daily_(' + d + ')/report.htm';
//-->
</script>
</body>
</html>
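The same URL calculation, generalized for both the daily and the monthly page and made independent of the clock, as an added example that is not the original daily.htm code. Subtracting 86400000 ms lands on the wrong day when run shortly after midnight following a daylight-saving change, so this version steps the calendar date instead; the Monthly_(...) directory name is an assumption modelled on the Daily_ naming shown above.

```javascript
// Added example: build the ISA report URL relative to a reference date.
// Format matches the page's example: unpadded month.day.year.
function fmt(d) {
  return (d.getMonth() + 1) + '.' + d.getDate() + '.' + d.getFullYear();
}

// Yesterday's one-day range, e.g. "4.25.2007-4.25.2007".
// setDate() rolls month and year back correctly and is DST-safe.
function dailyRange(ref) {
  var y = new Date(ref.getFullYear(), ref.getMonth(), ref.getDate());
  y.setDate(y.getDate() - 1);
  return fmt(y) + '-' + fmt(y);
}

// Previous calendar month, first day to last day, e.g. "4.1.2007-4.30.2007".
// Day 0 of the current month resolves to the last day of the previous month.
function monthlyRange(ref) {
  var first = new Date(ref.getFullYear(), ref.getMonth() - 1, 1);
  var last = new Date(ref.getFullYear(), ref.getMonth(), 0);
  return fmt(first) + '-' + fmt(last);
}

// kind is 'Daily' or 'Monthly' (the Monthly_ directory name is assumed);
// ref defaults to now so the page works unchanged in a browser.
function reportUrl(base, kind, ref) {
  ref = ref || new Date();
  var range = kind === 'Monthly' ? monthlyRange(ref) : dailyRange(ref);
  return base + kind + '_(' + range + ')/report.htm';
}

// In a browser, redirect to yesterday's report; elsewhere just expose the functions.
if (typeof window !== 'undefined' && window.location) {
  window.location = reportUrl('http://srv1/isa/', 'Daily');
}
```

Swapping 'Daily' for 'Monthly' in the last line gives the monthly.htm counterpart.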

Cleaning up ISA routes

ISA Server detected routes through adapter WAN that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 172.16.255.255-172.16.255.255;.

While I was fixing problems I decided to clean up this configuration error. I have a DMZ that uses IP addresses, 172.16.0.0 through 172.16.0.255. Evidently ISA needs 172.16.255.255 so it inserts a route on the WAN adapter for it and then complains about the route being in the wrong place. I added this single address to the DMZ network and this configuration error went away.

Microsoft ISA 2004 crashes and burns

Yesterday was a miserable day. We lost power for eight hours due to an ice storm and I spent most of the day taking care of business in the barn since our employees were not going to make it in. When I finally got some time to look at my server, it was complaining that it was running low on disk space on the OS partition and that an external drive on which I was storing volume snapshots had been forced down. Microsoft had just let loose gobs of patches. So late in the day I decided to clean up the server.

  1. I deleted the tmp files that had caused the disk space problem.
  2. I deleted the old apps I had been meaning to remove but hadn’t gotten around to.
  3. I applied the patches and rebooted.

Then the fun began. The Firewall service crashed with the following message.

Event Type: Error
Event Source: Microsoft ISA Server 2004
Event Category: None
Event ID: 1000
Date: 2/15/2007
Time: 11:03:56 AM
User: N/A
Computer: myserver
Description: Faulting application wspsrv.exe, version 4.0.2165.610, stamp 442d48f1, faulting module w3filter.dll, version 4.0.2165.610, stamp 442d48dd, debug? 0, fault address 0x00094cff.

This did not seem too serious until I realized that my workstation could no longer see the server. My search of the internet came up with nothing so I removed the most recent patches and rebooted. It still failed. The server’s browser could not get to local https sites and the LAN card was showing no incoming traffic. This was getting pretty ugly.

The symptoms on my workstation were ugly, too. All of the programs (e.g. TrendMicro and the Firewall client) that regularly communicate with the server were not communicating with it. When I ran ipconfig, it showed that DHCP was not working. The LAN card status showed that there were no incoming packets. Fortunately I can let this server be down for a while, so I went to bed.

Today I searched the internet for some more clues. I found a reference to a similar problem that pointed me in the direction of the ISA cache and recommended disabling BITS on the ISA Cache rules. That didn’t work. Since I was out of ideas I decided to disable the cache. I started the firewall service and it worked. Just for kicks I enabled the cache and started the firewall service again. It worked! It must have been something in the cache.

Outlook by the sound : RPC server is unavailable since SP1


I finally called Tech Support and we found out that there is a hotfix out related to RPC Issues in ISA 2004, also there is an “SBS Protected Networks Access Rule”. Rt click it and “configure RPC protocol” and uncheck the “Enforce strict RPC compliance”. This will allow DCOM to pass.

Source: Outlook by the sound : RPC server is unavailable since SP1

Okay, this should not be that difficult but I found a way to screw it up. I started to suffer these problems when I installed SP1 for SBS Premium in 2005(?). The most prominent symptom of this problem is that you suffer Autoenrollment errors on the client and 537 login audit failures on the server. The 537 errors are Kerberos errors but they are particularly ambiguous. This was an annoying problem in my case but surprisingly everything still worked. From a different source than the one listed above, I unchecked the “Enforce strict RPC compliance” box. The problem is that there are two boxes, one in the System Policy and another on the “SBS Protected Networks Access Rule”. I unchecked the box in the System Policy and it did not fix my problem. So I spent a lot of hours after installing SP1 trying to figure out why I was still getting errors. Over the last two days I have been rebuilding my desktop computer, so I made another attempt to clear up this problem. Lo and behold, I found this in one of my searches. Unchecking the box on “SBS Protected Networks Access Rule” appears to have fixed the Autoenrollment errors and 10009 DCOM errors on the client. It also fixes the 537 audit failures on the server.

Changing over to a 3 leg network layout

[Figure: 3 Leg Perimeter Network Layout]

I had been curious about implementing a DMZ for some time but I really did not have a use for one. My previous network layout was a standard edge network with two firewalls, a router/firewall and an ISA firewall. Recently I have been playing with a variety of Linux packages that will eventually need constant exposure to the internet, so a DMZ became a logical upgrade. Since I had recently installed a third NIC on my SBS server, I could use ISA to manage the perimeter network.

To set up this network I went to Tom Shinder’s ISAServer.org site and browsed his documentation on setting up a DMZ using an ISA server. Although there are several documents on setting up DMZ segments, the document I used was Publishing Servers on a ISA Server 2004 Firewall Public Address DMZ Segment. I followed the directions and only changed the outbound protocols. For my network I want to pass ftp, http, https, ntp, ping, and smtp from the DMZ to the Internet. At this point in time I do not need to allow inbound internet access to the DMZ, but I will allow full inbound access from the internal network. I will leave that as a future project. I did change my access rule for the Protected Networks as recommended by Amy in DMZ – SBS special considerations.

The DMZ network is now up and running. I have one Linux server running on the DMZ. It is running Groundworks and is connected via the ultimate low-cost hub, a cross-over cable. So far there are no gotchas!