Questions[isa-server](server)

I was asked to segregate the testing environment in our network to improve our security.

Our structure includes:

• 1 switch Dell Power Connect 3448
• 1 switch Dell Power Connect 2748
• A few 5 ports Star Tech switches (work around to expand our cabling structure)
• 1 ISA Server 2006 firewall

To accomplish this task I am planning to do the following:

• Create a VLAN for the testing environment and include the necessary ports on that VLAN
• Let all the other ports in the default VLAN 1 (keep the packets Untagged), except the port where ISA Server is plugged
• Configure the port where ISA Server is plugged as Trunk
• Configure a virtual interface on ISA Server network card to allow it to communicate with the VLAN
• Configure firewall rules on ISA Server to allow only the desired traffic between the LANs, Internet, and VPN Clients.

Is what I've planned the best way to do what I was asked to?

One of our clients is having an issue where POSTBACK seems to be broken when they connect to our Sharepoint application.

When they navigate to a URL, an erroneous query string gets appended to the URL, so the end of the URL becomes:

.../default.aspx&AuthResend1908BC2350124b5095AB75012FA405BA

this isn't something that appears on any other clients computers or ours internally. This is the only difference and it seems to be breaking their pages.

I had a quick Google and it seems that it's to do with a Microsoft ISA server, but I have no experience with that.

Is this a bug or setting on their ISA server?

I am gonna throw this problem out into the wild.

We have just started using a proxy to log users internet usage against login names. This is setup on ISA Server 2004 (which is on our Internet gateway server). Integrated and basic forms of authentication are enabled along with reuiqring all users to authenticate. I have ticked and enabled an array of settings on ISA so that it ignores internal addresses and domains.

To point our users to our Proxy server I have used a Detect with DHCPINFORM on our DHCP server to point clients at the network location of the proxy.pac file (Described here). I also have setup the wpad.dat in the same area as the proxy.pac (both files are identical).

Current proxy.pac file I am playing around with:

function FindProxyForURL(url, host)
{       
// Trying to save localhost
   if (localHostOrDomainIs(host, "localhost")) return "DIRECT";
   if shExpMatch (url, "http://localhost*") return "DIRECT";
// If specific URL needs to bypass proxy, send traffic direct.
var resolved_ip = dnsResolve(host);
if (isInNet(resolved_ip, "172.22.145.0",  "255.255.255.0") ||
    isInNet(resolved_ip, "192.168.1.0", "255.255.255.0") ||
    isInNet(resolved_ip, "127.0.0.1", "255.255.255.255"))
return "DIRECT";
return "PROXY ^gatewaynamehere^.baytech.local:8080; DIRECT";
}

(Our internal IP is the 172.22.145.* range)

Now the issues I am having is that the proxy.pac file makes the browser go to the proxy whenever localhost or 127.0.0.1 is requested. I can see the requests on the ISA Server when I monitor my IP address. I can request other servers in our Intranet and it doesn't touch the proxy (which is correct). But I suspect that this because of settings on ISA Server and not because of the proxy.pac file (I could be wrong).

A side issue is that we need to point Firefox to the proxy.pac file manually to make it work for Firefox. Also a minority of IE users also need to be pointed manually as well. The best thing to have is to set our browsers to auto detect (Both IE and FF) and have everything just work no matter where the user is.

Setting it manually via group policy or browser settings is not ideal because it causes problems for people who have laptops that get taken home.

I have also tried disabling the IE proxy cache as described here: http://support.microsoft.com/kb/271361

Some Proxy info sites I have looked at:

• Pac file Functions
• homepages.tesco.net/~J.deBoynePollard/FGA/web-browser-auto-proxy-configuration.html
• www.findproxyforurl.com

Thanks in advance.

Third-party security professional is recommending we run a reverse proxy in front of the web server (all hosted in the DMZ) as a best practice security measure.

I know this is a typical recommended architecture as it provides another level of security in front of a web application to prevent hackers.

However, as a reverse proxy is cheerfully shuttling HTTP back and forth between the user and the internal web server, it will not provide any measure of prevention of hacking on the web server itself. In other words, if your web app has a security hole, the proxy is not going to provide any meaningful amount of security.

And given that the risk of an attack on a web application is much much higher than that of an attack on the proxy, is there really much gained by adding an extra box in the middle? We would not be using any of the caching capabilities of a reverse proxy - just a dumb tool to shuttle packets back and forth.

Is there something else I'm missing here? Has reverse proxy HTTP packet inspection got so good it can detect meaningful attacks without major performance bottlenecks, or is this just another example of Security Theater?

Reverse proxy is MS ISA fwiw.

We're running SBS 2003 SP2 and I'm wondering if there's any easy way to find out were traffic during specific time is generated from?

In my case, the overall traffic consumption per day is roughly 8GB. I'm not concerned about the general traffic (those 8GB mostly include transfering backup files during the night) but in a specific time frame.

Just an example: suddenly at 10:30 a.m. the internet connection slows does very notably. I checked our automated backup and other transfer services and none of them is running. I still have a network with about 15 PCs scattered around the building which could potentially generate the traffic.

We only have a small 2MBit line, thus the line can be quickly saturated during office hours. I'm not suspected any user doing something wrong, I think there's some software automated thing going on, but I'm not sure. Maybe it's the Windows or Adobe automated downloads, but how can I know for sure?

I was looking at the generated report from ISA 2004 already and see a lot of numbers, but I can't tell for sure between which time frame which client generated the traffic.

I can see the peak on the Server itself by going to the network tab in the task-manager and I see that the external 100Mbit interface is at 2% == 2Mbit, but I can't figure out where it's actually coming from exactly.

I think I can rule out that it is the Server itself generating the traffic, because the traffic graph from the external interface matches the LAN interface which serves my users (our DMZ interface, which contains our automated backup services, is at 0 at that time).

How can I further tackle the problem?