This is very nice, except for the fact that I can't find the group policy settings for HTTP 1.1, or I am going blind.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, May 27, 2005 5:28 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW: ISA 2004 tips and tricks

http://www.ISAserver.org

Inspired by Jim Harrison's Web cast (which I was listening to on my Rio Player during the plane ride from Heck) -- I compiled this list. It'll end up being an article series or mini-book or something. If you have ideas on some things to add, let me know. Thanks!

ISA firewall Best Practices

* Configure clients as Web proxy and Firewall clients
* DNS server settings -- configure to use the internal interface; do not enter the same DNS server on multiple interfaces
* www.arin.net <http://www.arin.net> -- helpful to determine the netblock of attackers, etc.
* Network within a network scenario -- my article and Clint's article
* Plan deployment:
  Confirm protocol usage
  Confirm per user/group access policies
  Confirm logging requirements
* Use DMZs to segment security zones
* Don't install Server services on the firewall
* Harden the server using the Win2003 SCW or the ISA firewall hardening guides
* Install Network Monitor for troubleshooting
* Single default gateway
* Disable NetBT on the external interface. Might need it on the internal interfaces
* Disable the Server service on the external interface
* Disable the Alerter and Messenger services (might not need to if you use Win2003/SCW)
* Don't browse from the firewall. Don't disable enhanced IE security on the ISA firewall
* Configure Web Proxy clients to use HTTP 1.1 through proxy connections
* Configure local addresses for Direct Access
* Patch the OS before installing the ISA firewall
* Configure the ISA firewall to use WSUS
* Rename the connections on the ISA firewall's interfaces
* Configure the interface to show the icon in the system tray
* Use ipconfig, netstat -na, arp -g for troubleshooting
* Use DHCP for WPAD with WinXP SP2
* Don't use the firewall as a workstation -- never run client apps
* Don't allow connections to the Local Host Network
* Set connection limits
* Prevent remoting of Firewall client ports (EE only)
* Use Remote Desktop for server management
* Don't connect to the Internet when installing the ISA firewall
* Consider the type of logging you want to perform and what features you need
* Don't use the ISA firewall as a router -- it's a stateful firewall, so request and response paths must be the same
* Remove the all-subnets broadcast network entry from the definition of the ISA firewall Network
* Be aware that policy changes take effect only for new connections. The state table isn't changed for existing connections unless you restart the service
* Put the ISA firewall in the path to increase security
* Learn to use the ISA firewall's log filtering to solve problems, track users, etc.
* Plan your route relationships
* Create ISA firewall Networks for all known Networks
* Turn on the cache feature if you need it
* Turn off the RPC filter for autoenrollment and MMC certificate requests
* Put network servers and services on a dedicated network services segment
* Configure certificate revocation settings that are appropriate for your network
* Make the ISA firewall a domain member
* Order ARs appropriately
* Configure separate listeners for HTTP and SSL
* Configure System Policy to meet YOUR network's requirements
* Configure Web Proxy clients to use the autoconfiguration script or autodiscovery
* Install the Firewall client share on a file server
* Store the WPAD file on a Web server (must update when making changes on the ISA firewall)
* Create Network Objects for granular access control
* Avoid the SecureNAT configuration whenever possible
* Avoid creating Deny Rules
* Use the ISA Protected Networks Network Object when applicable
* Use RADIUS authentication only when required
* Name commonly used or commonly appearing protocols to identify them in reports and logs
* Use FWENGMON to determine port bindings -- netstat won't work
* Disable the HTTP Security Filter to enable Direct Access
* Use PerfMon to troubleshoot performance issues
* Don't publish sites using an IP address as the Public Name
* Use HTTPWatch 3.1 to monitor HTTP communications for troubleshooting
* Check the Windows Event Viewer to troubleshoot problems
* Check the ISA Events tab for detailed information on troubleshooting issues
* Solve MTU issues with an upstream router for hobbyist networks
* Dedicate different ISA firewalls for inbound and outbound connections
* Force firewall policy on VPN clients
* Quarantine VPN clients
* Use the Firewall client tool to troubleshoot Firewall client connection problems
* DNSreports.com helps with troubleshooting
* SMTP site for SMTP troubleshooting
* Use Telnet to troubleshoot publishing rules
* Use Connectivity Verifiers
* Use encryption for the Firewall clients

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
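The list above says to configure Web Proxy clients with an autoconfiguration script and to configure local addresses for Direct Access, but does not show what such a script looks like. The following is an added example of a WPAD/PAC script that does both; it is not from the original post and not the script the ISA firewall generates. The proxy address (isa.example.internal:8080), the internal DNS suffix (.corp.example.internal) and the private subnets are assumptions. The PAC helper functions (isPlainHostName, dnsDomainIs, isInNet) are normally supplied by the browser; they are re-implemented here so the script also runs under Node for testing.

```javascript
// Added example (not from the original post): a WPAD/PAC autoconfiguration
// script that sends local destinations DIRECT and everything else through
// the ISA firewall's Web proxy listener. All names and subnets are assumed.

// --- PAC helpers, as browsers provide them (re-implemented for Node) ---

// True for unqualified names such as "intranet" or "localhost".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with domain (compare case-insensitively).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True when ip falls inside pattern/mask. Browsers' isInNet will also
// resolve a host name first; this version only accepts address literals,
// so the script never triggers a DNS lookup on the client.
function isInNet(ip, pattern, mask) {
  const a = ipToInt(ip), p = ipToInt(pattern), m = ipToInt(mask);
  if (a === null || p === null || m === null) return false;
  return ((a & m) >>> 0) === ((p & m) >>> 0);
}

// --- The autoconfiguration script itself ---

const PROXY = "PROXY isa.example.internal:8080"; // assumed ISA Web proxy listener
const DIRECT = "DIRECT";
const INTERNAL_SUFFIX = ".corp.example.internal"; // assumed internal DNS domain

function FindProxyForURL(url, host) {
  // 1. Unqualified names are local: Direct Access, bypass the proxy.
  if (isPlainHostName(host)) return DIRECT;

  // 2. Names in the internal DNS domain. The leading dot matters: without it,
  //    "evilcorp.example.internal" would also match.
  if (dnsDomainIs(host, INTERNAL_SUFFIX)) return DIRECT;

  // 3. Loopback and RFC 1918 address literals (assumed to be the local LANs).
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
      return DIRECT;
    }
  }

  // 4. Everything else goes through the ISA firewall. No "; DIRECT" fallback
  //    is appended on purpose: clients must not route around the firewall
  //    when the proxy is unreachable.
  return PROXY;
}

// Sample usage with constructed inputs:
// FindProxyForURL("http://intranet/", "intranet")           -> "DIRECT"
// FindProxyForURL("http://www.isaserver.org/", "www.isaserver.org") -> PROXY
```

Served from a Web server as wpad.dat (or handed out via DHCP/DNS autodiscovery, as the list recommends for WinXP SP2), this gives every Web Proxy client the same Direct Access list, which is easier to keep consistent than per-machine browser settings; remember to update it whenever the Networks or listeners on the ISA firewall change.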