Inspired by Jim Harrison's Web cast (which I was listening to on my Rio Player during the plane ride from Heck), I compiled this list. It'll end up being an article series or mini-book or something. If you have ideas on some things to add, let me know. Thanks!

ISA firewall Best Practices

* Configure clients as Web proxy and Firewall clients
* DNS server settings -- configure to use the internal interface; do not enter the same DNS server on multiple interfaces
* www.arin.net -- helpful to determine the netblock of attackers, etc.
* Network within a network scenario -- my article and Clint's article
* Plan deployment
  * Confirm protocol usage
  * Confirm per user/group access policies
  * Confirm logging requirements
* Use DMZs to segment security zones
* Don't install Server services on the firewall
* Harden the server using the Win2003 SCW or the ISA firewall hardening guides
* Install Network Monitor for troubleshooting
* Single default gateway
* Disable NetBT on the external interface. You might need it on the Internal interfaces
* Disable the Server Service on the external interface
* Disable the Alerter and Messenger services (might not need to if you use Win2003/SCW)
* Don't browse from the Firewall
* Don't disable enhanced IE security on the ISA firewall
* Configure Web Proxy clients to use HTTP 1.1 through proxy connections
* Configure local addresses for Direct Access
* Patch the OS before installing the ISA firewall
* Configure the ISA firewall to use WSUS
* Rename the connections on the ISA firewall's interfaces
* Configure the interface to show the icon in the system tray
* Use ipconfig, netstat -na, arp -g for troubleshooting
* Use DHCP for WPAD with WinXP SP2
* Don't use the firewall as a workstation -- never run client apps
* Don't allow connections to the Local Host Network
* Set connection limits
* Prevent remoting of Firewall client ports (EE only)
* Use Remote Desktop for server management
* Don't connect to the Internet when installing the ISA firewall
* Consider the type of logging you want to perform and what features you need
* Don't use the ISA firewall as a router -- it's a stateful firewall, so request and response paths must be the same
* Remove the all-subnets broadcast network entry from the definition of the ISA firewall Network
* Be aware that policy changes take effect only for new connections. The state table isn't changed for existing connections unless you restart the service
* Put the ISA firewall in the path to increase security
* Learn to use the ISA firewall's log filtering to solve problems, track users, etc.
* Plan your route relationships
* Create ISA firewall Networks for all known Networks
* Turn on the cache feature if you need it
* Turn off the RPC filter for autoenrollment and MMC certificate requests
* Put network servers and services on a dedicated network services segment
* Configure certificate revocation settings that are appropriate for your network
* Make the ISA firewall a domain member
* Order Access Rules (ARs) appropriately
* Configure separate listeners for HTTP and SSL
* Configure System Policy to meet YOUR network's requirements
* Configure Web Proxy clients to use the autoconfiguration script or autodiscovery
* Install the Firewall client share on a file server
* Store the WPAD file on a Web Server (must update it when making changes on the ISA firewall)
* Create Network Objects for granular access control
* Avoid the SecureNAT configuration whenever possible
* Avoid creating Deny Rules
* Use the ISA Protected Networks Network Object when applicable
* Use RADIUS authentication only when required
* Name commonly used or commonly appearing protocols to identify them in reports and logs
* Use FWENGMON to determine port bindings -- netstat won't work
* Disable the HTTP Security Filter to enable Direct Access
* Use PerfMon to troubleshoot performance issues
* Don't publish sites using an IP address as the Public Name
* Use HTTPWatch 3.1 to monitor HTTP communications for troubleshooting
* Check the Windows Event Viewer to troubleshoot problems
* Check the ISA Events tab for detailed information on troubleshooting issues
* Solve MTU issues with an upstream router for hobbyist networks
* Dedicate different ISA firewalls for inbound and outbound connections
* Force firewall policy on VPN clients
* Quarantine VPN clients
* Use the Firewall client tool to troubleshoot Firewall client connection problems
* DNSreports.com helps with troubleshooting
* SMTP site for SMTP troubleshooting
* Use Telnet to troubleshoot publishing rules
* Use Connectivity Verifiers
* Use encryption for the Firewall clients

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
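The "Configure local addresses for Direct Access" and "Configure Web Proxy clients to use the autoconfiguration script or autodiscovery" items are easiest to see in a proxy autoconfiguration (PAC) script, which is what a WPAD-configured Web Proxy client downloads. The script below is an added example written for this list; it is not the WPAD script the ISA firewall generates and not Tom's code. The listener name isa.example.local:8080, the example.local domain and the 10.0.0.0/8 internal range are assumptions. A browser normally supplies the helpers isPlainHostName, dnsDomainIs and isInNet; minimal stand-ins are defined here so the logic can be run and checked outside a browser.

```javascript
// Added example PAC script (not the ISA firewall's generated WPAD script).
// Assumed values: the Web Proxy listener, the internal DNS suffix and the
// internal address range. Replace them with your own network's settings.
const ISA_PROXY = "PROXY isa.example.local:8080"; // assumed ISA Web Proxy listener
const DIRECT = "DIRECT";
const INTERNAL_DOMAIN = ".example.local";         // assumed internal DNS suffix
const INTERNAL_NET = "10.0.0.0";                  // assumed internal range
const INTERNAL_MASK = "255.0.0.0";

// --- Stand-ins for the helpers a browser's PAC engine provides -------------

// True when the host has no dots (a single-label, intranet-style name).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with the given domain suffix (same rule browsers use).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Dotted-quad subnet test. Browsers also resolve host names here; this
// stand-in only handles literal IPv4 addresses and treats names as "not in net".
function isInNet(ipaddr, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipaddr)) return false;
  const toInt = (s) =>
    s.split(".").reduce((acc, octet) => ((acc << 8) + parseInt(octet, 10)) >>> 0, 0);
  const m = toInt(mask);
  return ((toInt(ipaddr) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
}

// --- The PAC entry point the Web Proxy client calls for every request -------
function FindProxyForURL(url, host) {
  // Direct Access: local names and addresses bypass the Web Proxy listener so
  // intranet traffic never loops through the firewall.
  if (isPlainHostName(host)) return DIRECT;
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return DIRECT;
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0")) return DIRECT;
  if (isInNet(host, INTERNAL_NET, INTERNAL_MASK)) return DIRECT;

  // Everything else goes through the ISA firewall. Deliberately no
  // "; DIRECT" fallback: if the proxy is down, clients should fail rather
  // than silently bypass firewall policy.
  return ISA_PROXY;
}

// Small self-check table for running the script stand-alone (node pac.js).
function demo() {
  const cases = ["intranet", "fs01.example.local", "10.1.2.3", "www.isaserver.org"];
  return cases.map((h) => [h, FindProxyForURL("http://" + h + "/", h)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [host, result] of demo()) console.log(host, "->", result);
}
```

The value returned for an internet host is only the proxy string; a client that gets a "; DIRECT" fallback would quietly route around the firewall whenever the listener is unreachable, which defeats the "put the ISA firewall in the path" item above.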