ISA Server Content Newsletter: June 2007

What's New at the ISA Server TechCenter

There are a number of new documents available at the Microsoft® Internet Security and Acceleration (ISA) Server TechCenter:

Kerberos Constrained Delegation in ISA Server 2006. Kerberos constrained delegation allows ISA Server to delegate client credentials with a variety of different authentication methods. This paper describes how ISA Server uses Kerberos constrained delegation, and how to set up Kerberos constrained delegation with Microsoft Outlook® Web Access publishing.

ISA Server Operations Guide. This document discusses ISA Server operations tasks that should be performed on a daily, weekly, monthly, and quarterly basis.

Events Help. This downloadable Help file provides in-depth information about the most common ISA Server events.

ISA Server Downloads

ISA Server 2004 Service Pack 3 (SP3) is available from the Microsoft Download Center.

For information about the service pack features, see ISA Server 2004 Service Pack 3.

ISA Server Blog

The ISA Server Product Team Blog is updated on a regular basis. Latest entries include:

RPC Filter and “Enable strict RPC compliance”.
Provides an overview of how the RPC filter works, and how to avoid issues with the strict RPC setting.

HTTP to HTTPS Redirection Options in ISA Server 2006. Explains how to redirect client HTTP requests for HTTPS resources to HTTPS.

ISA Server 2004 Service Pack 3. Lists a number of known SP3 issues.

ForeFront Edge Security Forums

Discuss ISA Server at the new Microsoft Forefront™ Edge Security forums, available at TechCenter

Recent KB Articles

935767: The authentication delegation in the existing Web publishing rules does not work after you upgrade ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition . Describes two workarounds for this issue.

934608: ADAM storage may not work correctly in an ISA Server 2004 installation after you install Windows Server 2003 Service Pack 2. Describes the installation order that should be followed to avoid this issue.

934583: ISA Server 2006 cannot delegate authentication to a back-end server from a published Web server. Describes an issue solved by the hotfix referenced in article 934587.

933617: ISA Server 2006 indefinitely displays the report status as “Generating” on “Reports” tab. Describes a workaround for this issue.

931951: Hosts that are listed in the client CARP exceptions list in ISA Server 2004 may resolve to different array member nodes and cause unexpected behavior for multi-host Web sites. Describes an issue that can be fixed by either installing ISA Server 2004 Service Pack 3, or by installing the hotfix described in article 933524.

930700: ISA Server 2004 returns reverse-proxy custom error pages, even in forward-proxy situations. Describes an issue with SecureNAT clients. The workaround is to configure hosts as Web proxy clients instead of SecureNAT clients.

929102: How to configure a firewall rule to let you deploy the System Center Data Protection Manager 2006 agent to a computer that is running ISA Server 2004. Describes procedures for configuring System Center Data Protection Manager on the ISA Server computer.

927265: Authentication fails when client computers use Internet Explorer 7 to authenticate with an upstream ISA Server computer through a downstream ISA Server computer that does not require authentication. Describes a hotfix for this issue.

926846: Description of the ISA Server 2006 hotfix package that is dated October 23, 2006. Provides information about a hotfix to address issues in articles 925691 and 926845.

926845: ISA Server takes a long time to apply changes to the firewall configuration, or changes may not be applied to members of the array in ISA Server 2006 Enterprise Edition. Describes an issue addressed by the hotfix described in article 926846.

925883: Error message when you re-install ISA Server 2004 and CSS on a computer that is a member of an ISA Server array. Describes an issue that occurs if configuration data from an earlier install exists in the Active Directory® Application Mode (ADAM) data store. The workaround describes how to remove this inconsistent data from ADAM.

925882: Error message when you try to access a Web site that is published through ISA Server 2004 SP2: “HTTP 400—Bad Request” or “Error Code: 500 Internal Server Error”. Describes an issue that occurs when ISA Server Service Pack 2 (SP2) adds an additional space between some headers and their values. The article provides a link to article 919106, which documents hotfix details for this issue.

925881: An ISA Server requests credentials when client computers in the same domain use Internet Explorer to access Web sites that contain Java programs. Documents an issue that occurs when a Java Virtual Machine (JVM) is running on the client computer. A workaround is included in the article.

925880: Error message when a client computer tries to access an FTP site through ISA Server 2004: “Error Code: 502 Proxy Error”. Describes a workaround for an issue that occurs when a client logs on to an external FTP server and specifies credentials in an incorrect format. The article describes the correct credentials format.

925733: Event ID 14148 occurs and client computers cannot communicate with ISA Server after a network outage. The issue described in this article may occur when you are running ISA Server on the computer with a single network adapter, and the Windows TCP/IP Media Sense feature is enabled. The article describes a workaround for this issue.

925691: The ISA Server Management snap-in stops responding when you create a new connectivity verifier or modify the parameters of an existing connectivity verifier in ISA Server 2006. Describes an issue addressed by the hotfix described in article 926846.

925403: Update is available that supports publishing Microsoft Exchange Server 2007 behind ISA Server 2006. Points to a download that enables you to publish the release version of Microsoft Exchange Server 2007.

925289: Description of the ISA Server 2006 hotfix package: October 02, 2006. Describes the issues fixed by this hotfix package, and provides file information.

925287: ISA Server 2006 includes the host header together with the port number of the Web server after you publish a Web site. Points to article 925289, which describes a hotfix for this issue.

925232: Description of the ISA Server 2004 hotfix package: September 20 2006. Describes the issues fixed by this hotfix package, and provides file information.

925231: Error message when you access Outlook Web Access through ISA Server 2004: “Error Code: 500 Internal Server error. The data area passed to a system call is too small”. Points to article 925232, which describes a hotfix for this issue.

925230: Error message when internal SecureNAT client computers access a Web site that is published by ISA Server 2004: “Cannot find server or DNS error”. Points to the hotfix described in article 925232.

925165: User authentication does not work after you select the RSA SecurID option in ISA Server 2006. Includes troubleshooting steps to resolve this issue.

925120: How to block MSN Messenger traffic and Windows Live Messenger traffic by using ISA Server. Describes how to configure access rules and HTTP policy to block the traffic.

925003: The HTML pages that correspond to error code 12221 and to error code 12222 appear in English in a non-English language version of ISA Server 2006. Points to an updated version of the 12221r.htm and 12222r.htm files available from the Microsoft Download Center.

924406: List of problems that are fixed in ISA Server 2004 Service Pack 3. Provides a list of Knowledge Base articles fixed in SP3.

924380: RSA SecurID authentication may be unsuccessful in ISA Server 2006 when the user name includes a space. Describes an issue when using RSA Authentication Agent 5.3. The article provides a link to an RSA SecurCare hotfix.

924375: You are repeatedly prompted for credentials when you use SecurID authentication to access a document or program that is published by ISA Server 2006. Describes an issue that occurs when you use Microsoft Internet Explorer® to access a download site published by ISA Server 2006. The article describes a workaround to add the URL of the published Web site to Internet Explorer trusted sites.

924374: Client requests to access a published Web site are blocked when you configure ISA Server 2006 to use pass-through authentication to access a published Web server. Provides a number of workarounds for this issue.

924373: Link translation causes an endless loop when you use Web servers that redirect HTTP requests as HTTPS requests in ISA Server 2006. Includes a workaround to add explicit mapping to the link translation dictionary to prevent the loop from occurring.

924146: The installation fails and you receive error events in the Application log when you try to install ISA Server 2004 Service Pack 2. Describes the errors that may occur due to an ordering issue in the application filter priority. The article includes a script to fix the problem.

923766: A client computer may not be authenticated by ISA Server 2004 when you use integrated Windows authentication. Details of a hotfix for this issue in ISA Server 2004, documented in article 923330, and provides a script that must be run after installing the hotfix.

Customer Feedback

Contact the ISA Server User Education Team with ideas for articles, comments about existing content, or feedback about this newsletter.

Rayne Wiselman

ISA Server Team