Rodney Buike - Founder and original lazy admin.
Daniel Nerenberg - Microsoft MVP and lazy admin.




Disclaimer
These postings are provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.
In Part 1 of the ISA to Forefront TMG Migration post we covered exporting the settings from the ISA 2004/2006 server so that we could import them on the TMG Server. After the export you should have two files:
- Exported network configuration – in our example it was saved as ISA_Net_Config.txt
- Exported ISA configuration – in our example it was saved as export.xml
The first step is to import the network configuration. Before doing this, I rename all the network adapters on the new server to match the old server. With that done, we can import ISA_Net_Config.txt with the following command:
netsh -f C:\ISA_Net_Config.txt
Once that process completes open the TMG Management Console, select the server and right-click. Select Import (Restore) to start the Import Wizard.

Once the Import Wizard has opened up click Next to start the process.

Enter or browse to the path
Continue reading ISA to Forefront TMG Migration–Part 2
Forefront Threat Management Gateway (TMG) has been released for a while now and you might be considering upgrading your current ISA 2004 or ISA 2006 server to TMG. To quote Microsoft…
TMG MBE builds on top of existing ISA Server functionality and delivers a 64-bit Windows Server 2008 compatible product with new protection capabilities, including optional Web antimalware, as well as enhancements to the UI, management, and reporting. TMG plays a critical role in the overall Forefront vision of providing protection across client, server, and edge.
The key thing to pick up from that quote as it relates to this article is “64-bit Windows Server 2008 compatible”. Since it is 64-bit there are no upgrade paths available. Thankfully there is a great migration path. Step one of the migration path is to export our network configuration and we can do this with the Netsh command:
netsh -c interface dump > C:\ISA_Net_Config.txt
Exporting the
Continue reading ISA to Forefront TMG Migration–Part 1
It might seem a bit weird to be writing on how to install a service pack but there is a small issue with installing SP1 for Forefront Threat Management Gateway. If you are installing TMG SP1 on a standalone server you might get the following error:
Error 1402. Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FPC\SQM. Verify that you have sufficient access to that key.
You will get this even when logged on as a domain administrator. In order to get this to install you must do the following:
Press SHIFT and right-click the MSP file and select Copy As Path
Open a command prompt with Administrator privileges
Paste the path into the command prompt
Hit Enter
This will launch the updater with full administrator privileges and the install will proceed as expected.
In the same way that you can delegate control over Active Directory, Exchange, and other Microsoft servers, ISA also supports administrative delegation. By delegating control over your ISA server, you can specify the amount of control your IT staff has over the ISA server(s).
Configuring delegation is pretty straightforward, but before we get into that, let's look at the different levels of control available.
- ISA Basic Monitoring – This is the lowest level of permissions you can delegate. It allows the user to monitor the ISA server and network activity, but the user cannot add/remove/modify the configuration.
- ISA Extended Monitoring – The next step up gives the user all the rights of the ISA Basic Monitoring user and adds the rights to configure logging and alerts as well as all other monitoring-related tasks.
- ISA Full Administrator – A user with this privilege has full control over the ISA server.
Continue reading ISA 2004 Administrative Delegation
Finally! With the release of ISA Server 2004 Service Pack 2 comes support for HTTP compression. HTTP compression is used to reduce file size by using the industry standard GZIP and Deflate algorithms. These algorithms are built into Windows 2000 Server and up, work with Internet Explorer 4.0 and up, as well as any other HTTP 1.1 compliant browser.
The algorithms compress static files, and can do on-demand compression of dynamic content before the data is sent over the network. The browser uses the same algorithms to decompress the data. The HTTP compression feature in ISA Server 2004 SP2 is a global HTTP policy that applies to all HTTP traffic passing through the ISA server. It does not compress HTTPS traffic. Two web filters are used to provide HTTP compression:
The Background Intelligent Transfer Service (BITS) allows the transfer of large amounts of data without impacting network performance. It is able to do this by transferring data in smaller chunks, using unused bandwidth when available, and then reassembling the data when it has all been received. One of the most popular uses for BITS is Microsoft Update.
BITS caching is useful in a scenario where there is no WSUS server, and all clients are going out to Microsoft Update to download and install hotfixes. Normally, each computer on the LAN would go out to the Microsoft Update site and download its own set of hotfixes to be installed. If you have 20 clients and 1MB worth of hotfixes to download that equals 20MB of data. By enabling BITS caching, ISA server will cache the data downloaded from Microsoft Update and the LAN clients will retrieve the data from the cache,
Continue reading Enable BITS Caching In ISA 2004
One of the new features in ISA 2004 SP2 is Diffserv. Diffserv is a method of packet prioritization that applies to all web traffic passing through an ISA 2004 SP2 Server. Using the Diffserv Web filter, the ISA server can scan the Uniform Resource Locator (URL) or domain name and apply packet priority using DiffServ bits.
The Diffserv web filter has been given a high priority, and is near the top in the list of Web filters. The Diffserv web filter must be made aware of the size of the request/response being sent and has to inspect the data when it is being sent/received by the ISA server. It is crucial that you do not change the priority of the Diffserv web filter. Before we get started configuring this, you should be aware of the following:
- Diffserv prioritization only applies to HTTP and HTTPS traffic
- ISA may strip
Continue reading Providing QoS with Diffserv in ISA 2004
In Part 1 of Using ISA 2004 as a PPTP VPN Server, we went over the server configuration to enable ISA 2004 to act as a VPN server. All that is left is to configure the access rules, and test the connection out!
To configure the access rules, open up the ISA 2004 Management MMC, right-click the Firewall Policy node and select New –> Access Rule. The New Access Rule Wizard will start. Begin by entering a name for the rule and clicking Next.
Select Allow for the Rule Option.
On the Protocols page, select All Outbound Protocols and click Next.
On the Access Rule Source page, add VPN Clients to the list and click Next to proceed.
On the Access Rule Destination page, add Internal to the List. Click Next to continue.
Continue reading Using ISA 2004 as a PPTP VPN Server Pt.2 – Access Rules
Setting up a PPTP VPN server on ISA 2004 is easy, requires no Client Access Licences (CALs), and is secure. Instead of letting traffic through your firewall to the VPN server and then authenticating, no traffic gets through until the user has authenticated. ISA 2004 also supports Remote Access Quarantine, increasing security even more.
ISA 2004 includes a VPN server that supports PPTP and L2TP/IPSec VPN connections. It is compatible with most VPN clients including, of course, the built-in Microsoft VPN client. It is not enabled by default, but it is simple enough to get going. Note: All the configuration is done through the ISA Management MMC. Do not configure anything via the RRAS MMC as these settings will get overwritten! To begin, open up the ISA 2004 Management MMC and drill down to the VPN node. In the task pane on the right, click Configure VPN Access
Continue reading Using ISA 2004 as a PPTP VPN Server Pt.1 – Server Config