Kent Nordström

ISA 2006 SP1 - Traffic Simulator

One of the new interesting features of SP1 is the Traffic Simulator.

Using the Traffic Simulator you will be able to try out your rules to see if they match your intentions.

The Traffic Simulator is a new tab in the Troubleshooting node.


The way it works is that it "injects" the scenario into the actual engine, and therefore we can only run the simulations on a server where firewall service is running. So it's not possible to do this remote.

The result is in my opinion still a bit "short". It simply states the result and show the rule causing the result. If I for example have a rule that requires authentication to access internet. The results will be.
1: Traffic sent from this user:

2: Traffic sent from anonymous user:

And as you can see the information you get from the denied is only that it got stuck on the rule, but it is so far up to you to realize that it is because of authentication requirements. I have filed a change request for more info in this case, hopefully it will make it into RTM.

In all this is yet another great new feature of SP1 that i believe many customers have wanted for some time.

ISA 2006 SP1 - NEW Features

To give you all a quick overview of the new features in ISA 2006 SP1 here is a quick list. I will cover some the features in more detail in some upcoming articles. As always, since this is a beta everything is subject to change, so let's say this is features we are "likely" to see.

When it comes to release date for SP1, the official timeframe is "late summer 2008". And since this is built in Israel where the summer never ends (compared to here in Sweden)... Who knows how long this summer will be...I hope it will be the shortest summer in mankind so that SP1 becomes available to all of you a.s.a.p.

The list below is not ordered in any way just a list, but WHAT A LIST!!!!

1.	Configuration Change Tracking	Registers all configuration changes applied to ISA Server configuration to help you assess issues that may occur as a result of these changes
2.	Test Button	Tests the consistency of a Web publishing rule between the published server and ISA Server.
3.	Traffic Simulator	Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
4.	Diagnostic Logging Viewer	Now integrated as a tab into the Management console, this feature displays detailed events about the status of your ISA Server computer, as well as configuration and policy issues.
5.	NLB Multicast	NLB now supports all three modes, Unicast, Multicast and Multicast with IGMP.
6.	Cross domain KCD	Kerberos Constrained Delegation (KCD) now works in both cross-domain and cross-forest trust environments.
7.	SAN certificates	Improved support for certificate with multiple SAN entries.
8.	Filter RPC by UUID	Supports filtering for RPC traffic by UUID for an access rule. Previously, an access rule to RPC traffic would not be restricted by RPC interface UUID.
9.	Monitor virtual memory	A new event has been created that monitors the virtual memory of the WSPSRV process.

There are more in SP1 but i believe these are the most important ones.

When i look at this it is almost more interesting then the one we could see as news in RTM of 2006 when we compared it to 2004 SP2 (and later SP3).

Ones again... To all of you in the ISA team... Congratulations, nice work!

ISA 2006 SP1 - Change Tracking

So finally I can share with you some features of ISA 2006 SP1.
One of the great new features we will see is Change Tracking.
I have sent the product team my love for introducing this, this feature alone will make everyone hurry to get ISA2006 SP1. I also think that this will make selling ISA as a "serious" Firewall will be much easier.

In Enterprise Edition this feature is enabled on the Enterprise level.
You also have the option to require a description for all changes made.
I would suggest that you enable this as soon as the basic configuration of ISA is done and we are moving into production.

Even though you might feel tempted to raise the number of entries to a huge number, be aware that this might cause the Change Tracking, search and filtering function to be real slow.

With Change Tracking you will be able to track every change made to ISA configuration.

I will just LOVE this feature, it will make my life working with ISA so much easier. Imagine having solid proof when the customer complains that ISA "just stopped working" and they "haven't done anything".

If you drill down into the change you want to check out you will then see a very detailed view on what was changed.


One of the things this feature will make me stress to my customers is to use individual accounts when working with ISA, in this way we will always know "who" made this change. If we all use the administrator account, that part will be lost.

This is the first in the series of blogs I plan on SP1 features, stay in touch for more.

ISA2006 SP1 - coming soon

So finally i got my hands on SP1 of ISA 2006.

Havent had any time to test it yet, but i can promise you all a happy moment when you are able to run it.

Still NDA on the exact featurelist but let me just give you some hints about what's in the current build.
Hopefully none of them will be removed, but as always. You never know.
- Change tracking possibility
- Multi domain/forest KCD
- Improved support for SAN certs
- Heavy improvements on troubleshooting
and much much more...

In some parts SP1 contains more news than 2006 RTM did compared to 2004 SP2.

Stay in touch and i will tell you more as soon as possible.
The Beta period is planned to be a short one, but no release date so far.

Forefront Threat Management Gateway. Part 1 – Web Access Policy

After trying hard for a while.. and failed...to make this article readable on the web.
I decided to just give it to you as pdf until i figured out how to format it, to fit the blog page sizes.

So please download:
http://www.konab.com/tmg/TMG%20Blogg%20-%20Web%20Access%20Policy.pdf

/Kent