Welcome to Stefaan Pouseele's Section

Stefaan Pouseele's Latest Contributions

How to enable ESP Null Encryption on ISA 2004 in a site-to-site VPN scenario

Date - Apr 06, 2006

Section - Tutorials / Configuration - Security

This document explains how to enable ESP Null Encryption on ISA 2004 in a site-to-site VPN scenario.

Update to Understanding the Web Proxy and Firewall Client Automatic Configuration article

Date - Feb 13, 2006

Section - News

New KB article that solves the excessive delays in the DHCP part of the automatic discovery has been published.

How to work around an issue with VPN clients and split DNS

Date - Jan 26, 2006

Section - Tutorials / Configuration - General

In the past I have read a lot about VPN users having problems accessing internal resources which are also published on the same ISA server. I had never fully understood those problems because I had never experienced them myself. Recently I was lucky to see the problem with my own eyes and investigate it further. Now, I would like to share a nice workaround to that problem.

Update to Understanding the Web Proxy and Firewall Client Automatic Configuration article

Date - Jan 13, 2006

Section - News

Implement the hotfix and correct the DHCP issue we discovered within the article.

Security Update MS05-034 might break outbound Web access on ISA Server 2000

Date - Jun 16, 2005

Section - News

Applying the security update MS05-034 might break outbound Web access on ISA Server 2000.

Understanding the Web Proxy and Firewall Client Automatic Configuration

Date - Jun 11, 2005

Section - Articles

In this article we will explore how the ISA Server 2004 Web Proxy and Firewall Client Automatic Configuration really works from a client point of view. With that knowledge you should be able to decide which method is the most appropriate for your specific environment. Although this article is written with the ISA Server 2004 in mind, most of the principles apply also to an ISA Server 2000 environment because the Web Proxy and Firewall Client Automatic Configuration is mainly a client feature, not an ISA Server issue.

The Mystery of the failing POP3 Access with ISA 2000

Date - May 16, 2005

Section - Articles

You have configured your ISA 2000 server and internal clients according to best practices. Everything is running smoothly except that a lot of users are complaining about connection problems when accessing an external POP3 server. If you want to know why this can happen and how to solve that problem, read on.

Understanding the ISA 2004 Connectivity Verifiers

Date - Mar 11, 2005

Section - Articles

A very nice feature of the ISA Server 2004 is the ability to verify the connectivity by regularly monitoring connections from the ISA Server computer to any specific computer or URL on any network. To accomplish that you have to configure connectivity verifiers. However, did you ever wonder how they exactly work, which access rules are involved and how this activity is logged? If you are interested in that kind of stuff, this article might give you some more background information.

Understanding the ISA 2004 Access Rule Processing

Date - Feb 25, 2005

Section - Articles

In contrast to the simple trusted and untrusted ISA Server 2000 networking model, the ISA Server 2004 uses a far more sophisticated and flexible networking model. As a consequence the way you define your network and firewall policy in ISA Server 2004 is completely different and therefore also the logic behind the access rule processing done by ISA Server 2004. Because the result is not always what you might expect, we will explore in this article how ISA Server 2004 process the different rule lists and how a particular rule is chosen to validate a particular outgoing request.

Announcing update of the 'How to pass IPSec traffic through ISA Server' article

Date - Jan 29, 2005

Section - Site News

As from january 2005 the IPSec NAT-T solution is fully standarized by the IETF IPSec Working Group and published as the RFC's 3947 and 3948. This is an important milestone to remove the last barrier to deploy the IPSec protocol in a client-to-gateway VPN scenario.

How to build an ISA firewall lab with Virtual PC 2004

Date - Jan 02, 2005

Section - Articles

You bought yourself or convinced your boss to buy for you a new desktop or laptop with a fast processor, plenty of disk space and 2 Gbyte of memory. You have already installed Windows XP SP2 and Virtual PC 2004 SP1 on the box and now you wonder how to use that nice piece of hardware and software to implement an ISA firewall lab. If you want to know how to make use of the advanced networking features of Virtual PC 2004, read on.

How to pass IPSec traffic through ISA Server

Date - Apr 11, 2003

Section - Articles

A much asked question on the message boards is how to pass an IPSec VPN client through the ISA Server. It can be done if and only if the IPSec implementation supports a feature called NAT Traversal. If you want to know why, how it works and how you can pass it through ISA Server, read on.

How to Implement VPN Off-Subnet IP Addresses

Date - Mar 22, 2003

Section - Articles

In his article about VPN client security - Part 1: Split Tunneling Issues, Tom Shinder talks about the use of off-subnet IP addresses to improve the safety of your internal network by assigning the VPN clients off-subnet IP addresses. In this short article I will show you how to implement off-subnet IP addresses without having the limitation you can't use DHCP assigned IP addresses for the VPN clients.

The Mystery of the HTTP Redirector and Site&Content Rules

Date - Nov 18, 2002

Section - Tutorials / Configuration - Security

You have created that huge destination set in order to block malicious sites. You think it is working great because Web Proxy clients can't access those sites. However, someday you discover that Firewall and SecureNAT clients still have access to those sites, despite the fact there is a proper Site&Content rule in place. If you want to know why this can happen, read on.

Using NetMeeting and the H.323 Gatekeeper as a HelpDesk tool

Date - Nov 01, 2002

Section - Articles

Are you looking for a working and cheap HelpDesk solution? Need something useful to do with that H.323 Gatekeeper on the ISA server? Ever explored the possibilities of NetMeeting? Check out this article to see how we put together a HelpDesk tool using NetMeeting and the H.323 Gatekeeper on the ISA server.

How the FTP protocol Challenges Firewall Security

Date - Nov 01, 2002

Section - Articles

In this article I discuss the FTP protocol and how it works with Firewalls in general, and ISA Server in particular. If you're having problems with inbound or outbound FTP, check this out before moving on to the next step.

Securing FTP with TLS

Date - Nov 01, 2002

Section - Articles

Reprint of the IETF document "draft-murray-auth-ftp-ssl-09.txt"

FTP/TLS Friendly Firewalls

Date - Nov 01, 2002

Section - Articles

Reprint of the IETF document "draft-fordh-ftp-ssl-firewall-01.txt"

Understanding the Firewall Client Control Channel

Date - Oct 31, 2002

Section - Articles

One of the least understood, and more feared aspects of ISA Server is the Firewall client. While Jim Harrison did a great job of explaining how the Firewall client .ini files works, there is little documentation on how the Firewall client talks to the ISA Server. In this article I show you the insides of the Firewall Client Control Channel.