FW: ISA 2004 tips and tricks

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 27 May 2005 07:27:48 -0500

Inspired by Jim Harrison's Web cast (which I was listening to on my Rio
Player during the plane ride from Heck) -- I compiled this list. It'll
end up being an article series or mini-book or something. If you have
ideas on some things to add, let me know.
Thanks!

ISA firewall Best Practices
 
* Configure clients as Web proxy and Firewall clients
* DNS server settings -- configure to use internal interface; do not
enter the same DNS server on multiple interfaces
* http://www.arin.net -- helpful to determine netblock
of attackers, etc.
* Network within a network scenario -- my article and Clint's article
* Plan deployment
    Confirm protocol usage
    Confirm per user/group access policies
    Confirm logging requirements
* Use DMZs to segment security zones
* Don't install Server services on the firewall
* Harden the server using Win2003 SCW or the ISA firewall hardening
guides
* Install Network monitor for troubleshooting
* Single default gateway
* Disable NetBT on the external interface. Might need it on the Internal
interfaces
* Disable the Server Service on the external interface
* Disable the Alerter and Messenger service (might not need to if you
use Win2003/SCW)
* Don't browse from the Firewall. Don't disable enhanced IE security on
the ISA firewall
* Configure Web Proxy clients to use HTTP 1.1 through proxy connections
* Configure local addresses for Direct Access
* Patch the OS before installing the ISA firewall
* Configure the ISA firewall to use WSUS
* Rename the connections on the ISA firewall's interfaces
* Configure the interface to show the icon in the system tray
* Use ipconfig, netstat -na, arp -g for troubleshooting
* Use DHCP for WPAD with WinXP SP2
* Don't use the firewall as a workstation --- never run client apps
* Don't allow connections to the Local Host Network
* Set connection limits
* Prevent remoting of Firewall client ports (EE only)
* Use remote desktop for server management
* Don't connect to the Internet when installing the ISA firewall
* Consider the type of logging you want to perform and what features you
need
* Don't use the ISA firewall as a router -- it's a stateful firewall, so
request and response paths must be the same
* Remove the all-subnets broadcast network entry from the definition of
the ISA firewall Network
* Be aware that policy changes take place only for new connections.
State table isn't changed for existing connections unless you restart
the service
* Put the ISA firewall in the path to increase security
* Learn to use ISA firewall's log filtering to solve problems, track
users, etc.
* Plan your route relationships
* Create ISA firewall Networks for all known Networks
* Turn on the cache feature if you need it
* Turn off the RPC filter for autoenrollment and MMC certificate
requests
* Put network servers and services on a dedicated network services
segment
* Configure certificate revocation settings that are appropriate for
your network
* Make the ISA firewall a domain member 
* Order ARs appropriately
* Configure separate listeners for HTTP and SSL
* Configure System Policy to meet YOUR network's requirements
* Configure Web Proxy clients to use the autoconfiguration script or
autodiscovery
* Install the Firewall client share on a file server
* Store the WPAD file on a Web Server (must update when making changes
on the ISA firewall)
* Create Network Objects for granular access control
* Avoid the SecureNAT configuration whenever possible
* Avoid creating Deny Rules
* Use the ISA Protected Networks Network Object when applicable
* Use RADIUS authentication only when required
* Name commonly used or appearing protocols to identify them in reports
and logs
* Use FWENGMON to determine port bindings -- netstat won't work
* Disable the HTTP Security Filter to enable Direct Access
* Use PerfMon to troubleshoot performance issues
* Don't publish sites using an IP address as the Public Name
* Use HTTPWatch 3.1 to monitor HTTP communications for troubleshooting
* Check the Windows Event Viewer to troubleshoot problems
* Check the ISA Events tab for detailed information on troubleshooting
issues
* Solve MTU issues with an upstream router for hobbyist networks
* Dedicate different ISA firewalls for inbound and outbound connections
* Force firewall policy on VPN clients
* Quarantine VPN clients
* Use the Firewall client tool to troubleshoot Firewall client
connection problems
* DNSreports.com helps with troubleshooting
* SMTP site for SMTP troubleshooting
* Use Telnet to troubleshoot publishing rules
* Use Connectivity Verifiers 
* Use encryption for the Firewall clients

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
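The Direct Access and autoconfiguration-script items above, worked through as an added example (not part of Tom's post or of any ISA-generated file): a minimal proxy.pac that sends local destinations out directly and everything else to the ISA Web Proxy listener. The firewall name isa.corp.example, listener port 8080, internal domain corp.example and internal subnet 10.0.0.0/8 are assumed placeholder values.

```javascript
// Added example: a minimal proxy.pac for ISA firewall Web Proxy clients.
// Assumed values (placeholders): ISA firewall "isa.corp.example" with its
// Web Proxy listener on 8080, internal DNS domain "corp.example" and
// internal subnet 10.0.0.0/8.
var ISA_PROXY = "PROXY isa.corp.example:8080";

// A browser supplies isPlainHostName/dnsDomainIs/isInNet itself. The
// stand-ins below exist only so the logic can be exercised offline with
// node; they understand dotted-quad hosts only (no DNS lookups). Remove
// them before publishing the file as wpad.dat on the Web server.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
// Dotted quad -> unsigned 32-bit integer, or null if not a valid IPv4 literal.
function ip2int(s) {
  var p = s.split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return null;
    n = (n << 8) | Number(p[i]);
  }
  return n >>> 0;
}
function isInNet(host, pattern, mask) {
  var ip = ip2int(host), net = ip2int(pattern), m = ip2int(mask);
  if (ip === null || net === null || m === null) return false;
  return ((ip & m) >>> 0) === ((net & m) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Direct Access: plain names, the internal DNS domain, loopback and the
  // internal subnet bypass the Web Proxy, matching the entries you would
  // put on the ISA firewall's "Directly access these servers or domains" list.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the ISA firewall's Web Proxy listener.
  return ISA_PROXY;
}
```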