At The Beach

I’ll be without connectivity on and off for a while, so stone tablet production at this location is likely to halt until mid-January.


To all three loyal readers (plus the surprisingly attentive bot net) – thanks for your comments, feedback and general lunacy, have a happy and safe Christmas and New Year, (or whatever bots celebrate at this time of year, #n00bnet. I’ll miss you most of all.)

Slow DNS = Slow Proxy (or: How To Skip Name Resolution)

Today’s tip: When your rules require any degree of name resolution (which typically means that an access, routing or publishing rule is filtered by some kind of computer set or domain name set), rule evaluation is only as fast as the DNS response, at least until that response is cached.


ISA Server 2000 and ISA Server 2004 require DNS resolution for any rules that contain a specific destination set – whether a reverse lookup to work out where a SecureNAT client is trying to go (IP -> Name), or a forward lookup to work out where a Web Proxy client is trying to go (Name -> IP), or some other mix.


Inside a corporate network, it’s even money whether hosts can do Internet name resolution, and if your ISA box doesn’t have a direct line to the Internet, it’ll typically be reliant on your corporate DNS infrastructure.


And if your only source of DNS cheerfully (or worse, slowly and falteringly) answers “nope, never heard of him” about a given domain name, browsing to that domain is going to suck.


Just Skip It, Barry


If neither DNS nor reliable enforcement of access policy is your problem (with this setting, you’re essentially abdicating control of your access policy to the next hop in the chain; if you don’t want to do that, you need to ensure ISA can do DNS quickly and properly), you can set the SkipNameResolutionForAccessAndRoutingRules property for your respective version of ISA Server, which, somewhat predictably, tells ISA to skip name resolution for access rules and routing rules.


ISA 2000: 292018 Slow Response from Downstream ISA Server Using Web Proxy Chaining
http://support.microsoft.com/default.aspx?scid=kb;EN-US;292018


ISA 2004: 891244 How to configure Internet Security and Acceleration Server 2004 to skip name resolution in a Web proxy chaining configuration
http://support.microsoft.com/default.aspx?scid=kb;EN-US;891244


 

ISA Server and RADIUS: Two Domains And No Trust, But This Time ISA’s A Member Of One

Following on from yesterday’s post, where the ISA Server wasn’t a member of either domain, this time we’re looking at how you’d configure a more seamless (i.e., not prompted for credentials left and right) experience for the users in Domain A, while making the poor users in Domain B provide their credentials every time they try to use the proxy.


[Aside: I’ll call it out here: for the best browsing experience for the users in both domains (outside of disabling proxy authentication altogether), you really want a Trust relationship between Domain A and B – that way, everyone can use Integrated authentication, and nobody gets prompted. If you’re pretty sure the other domain is out to get you (remember, a Trust doesn’t necessarily confer any permissions, but does increase the breadth of Authenticated Users), a resource domain model (ISA Server is the resource, the user domains are trusted by the resource) would probably work.]


Anyway, today, ISA’s a member of Domain A, which means that Integrated Authentication is on the cards for users from that domain.


We’re still going to have to use RADIUS for users from the other domain, because there’s no trust. (There are “account mirroring” solutions to this type of problem, but they’re a pain in the bum, so I’m not going to go into them.)


If you plonk one network adapter (or NIC, or network interface card) in each network, you can configure different authentication properties for each NIC’s Web Proxy listener.


This time around, ISA is a common point of access to the Internet, and could also be used as a router between the two internal networks, but we’re just focusing on the web proxy case for now.



The arrows on the Internal listener aren’t indicating confusion, just that the machine can also be authenticated against, as well as using the secure channel to talk to a DC.

ISA Server and RADIUS: Two Domains And No Trust

A question from Ashok:



I’ve been trying to find out if one can use RADIUS to authenticate web proxy clients on another domain that is not a member of ISA domain. So I have an ISA 2004 Std with SP1 on domain A, say, and then have another internal network which connects to domain B. The question is: can I use RADIUS authentication to authenticate clients in domain B, as ISA is not part of this domain?


Short version: Yes! ISA Server 2004 Standard and Enterprise Editions both do RADIUS authentication, so it’s possible.


Long version: I’ve covered this type of setup before to some extent, but doing it again with a real-world example might be useful.


I’d consider using the RADIUS authentication method as the authentication scheme for the Web Listener that the clients are connecting to.


The RADIUS server(s) you specify will be used to authenticate users that hit that listener. (Microsoft’s RADIUS server implementation is called Internet Authentication Service, or IAS).


Horrific And Strained ISA Server Metaphors #287: ISA Server Authentication. As A Monk.


If you use any of the non-RADIUS authentication methods, ISA will try to “look within itself” to authenticate a Web Proxy client, which means that when RADIUS/IAS is not being used, the account stores it consults are:



  • when standalone (not domain joined), the local account database, or
  • when a domain member, the local account database and domain accounts from its domain (and any trusted domains), or
  • when a DC, the local machine database is the domain, plus any trusted domain accounts

ISA Server will look within itself and seek answers within its Order (nudge nudge, domain hierarchy), but will not consider outside opinions. If there is no trust between the domain of the client and the Order of the ISA Server, ISA Server cannot trust that client.


So: the RADIUS authentication method gives ISA a “forget the introspection and just ask someone else” option when authenticating a client, and instead of looking within itself, ISA asks the RADIUS server to tell it whether the client is legit or not. It doesn’t look within itself (or its Order) at all, it essentially becomes a slave to the RADIUS infrastructure while it makes its request.


For the actual mechanics involved (which have popped my brain every time I’ve tried to read them today), see this KB article.


Okay, Let’s Forget That Metaphor


A helpful* picture – all clients are configured to use the ISA Server. There is no trust between these domains (a trust would let you use Integrated auth and not be prompted for credentials every time), but they share an Internet link.



On the prompting: ISA doesn’t tell the client that it’s using RADIUS as such, it asks for the client credentials using Basic authentication, then takes those credentials and makes a RADIUS message with them, and fires them off at its currently preferred RADIUS server. As soon as RADIUS is in the picture on the client listener, it doesn’t matter that the machine is a domain member – RADIUS will be used.


Because it’s Basic authentication from the client’s perspective, IE will always stop and ask the user to confirm they want to actually send their credentials to the proxy server. For this reason, a domain with trusts is a better setup from a user experience perspective for forward proxy (web browsing) users.
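The exchange described above, as an added example that is not part of the original post or of ISA Server’s own code: a small Python model of the proxy taking a Basic credential, hiding the password into a RADIUS Access-Request the way RFC 2865 specifies, and then refusing to trust the Accept/Reject verdict unless the Response Authenticator proves it came from a server holding the shared secret. The shared secret, the user list and the in-process “server” are all constructed stand-ins (there is no UDP/1812 round trip); the function and attribute names are this example’s own.

```python
"""Constructed model of proxy <-> RADIUS authentication (RFC 2865 wire format).
Not ISA Server code: secret, user list and server are in-process stand-ins."""
import base64
import hashlib
import os
import secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                 # RFC 2865 attribute types
SHARED_SECRET = b"constructed-shared-secret"    # constructed sample value
USER_DB = {"ashok": b"Pa55word!"}               # stands in for Domain B's accounts (constructed)


def basic_header(user, password):
    """What the browser sends back after the Basic challenge (constructed helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Proxy side: recover (user, password bytes) from a Basic credential header."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("expected Basic credentials")
    user, _, pwd = base64.b64decode(blob).decode().partition(":")
    return user, pwd.encode()


def _pw_transform(data, secret, authenticator, hiding):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block);
    the chain runs over ciphertext, so hiding chains on its output and
    unhiding chains on its input."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, keystream))
        out += xored
        prev = xored if hiding else block
    return out


def hide_password(password, secret, authenticator):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _pw_transform(padded, secret, authenticator, True)


def unhide_password(hidden, secret, authenticator):
    return _pw_transform(hidden, secret, authenticator, False).rstrip(b"\x00")


def _attr(t, value):
    return bytes([t, len(value) + 2]) + value


def _packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length (header + attributes), Authenticator, Attributes."""
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def build_access_request(ident, user, password, secret, req_auth):
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def parse_packet(pkt):
    """Return (code, ident, authenticator, {type: value}); reject malformed lengths."""
    if len(pkt) < 20 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = {}, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("bad attribute length")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(_packet(code, ident, req_auth, attrs) + secret).digest()


def serve_access_request(pkt, secret, user_db):
    """Stand-in for IAS: unhide the password and compare against the account list."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(USER_NAME, b"").decode()
    pwd = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and secrets.compare_digest(user_db[user], pwd)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def check_response(resp, ident, req_auth, secret):
    """Proxy side: the verdict only counts if the identifier matches our request and
    the Response Authenticator proves the answer came from a holder of the secret."""
    code, resp_ident, resp_auth, _ = parse_packet(resp)
    expected = response_authenticator(code, resp_ident, req_auth, resp[20:], secret)
    if resp_ident != ident or not secrets.compare_digest(expected, resp_auth):
        raise ValueError("response not authentic for this request")
    return code == ACCESS_ACCEPT


def authenticate_via_radius(proxy_auth_header, ident=1, secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """One proxied request: Basic header in, True/False out (ValueError on a forged reply)."""
    user, pwd = parse_basic(proxy_auth_header)
    req_auth = os.urandom(16)                     # fresh Request Authenticator per request
    req = build_access_request(ident, user, pwd, secret, req_auth)
    resp = serve_access_request(req, server_secret, USER_DB)   # in reality a UDP/1812 round trip
    return check_response(resp, ident, req_auth, secret)
```

Two things the model makes visible that the prose only implies: the password is only obscured by an MD5 keystream derived from the shared secret, so the secret and the network between proxy and RADIUS server are what protect Domain B’s credentials; and a reply whose Response Authenticator does not check out (say, because the two sides hold different secrets) is rejected outright rather than treated as an Access-Reject.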


For web publishing, it’s much more acceptable to ask for a username and password.


ISA needs all RADIUS servers it’s configured to use to have the same “world view” – the same question asked of all the servers in its list must produce the same response. This makes it a little like the DNS server list on one adapter.


If your server is standalone (i.e., not a domain member at all), then you’ll need to configure the local IAS Server’s Connection Request Policies (aka RADIUS proxying) to forward authentication requests to another IAS server in the target domain.


My God, It’s Full Of RADIUS Messages


RADIUS authentication happens per request. That’s chatty. One HTTP verb through the proxy equals one authentication check hitting the RADIUS infrastructure. There’s a property that can be toggled to reduce the load to per-connection rather than per-request, naturally called SingleRADIUSServerAuthPerSession. There’s a sample VBScript that’ll toggle the property here.


Other RADIUS-related posts


(Questions? Leave them in the comments, and I’ll try to unvagueify).

Dare Obasanjo: MetaWeblog API Now on MSN Spaces

From Dare: MSN or Windows Live Spaces is now postable from blogging tools, cunningly using the “secret word” technique rather than trying to bolt Passport into the scheme.



Our implementation of the MetaWeblog API for MSN Spaces is now publicly available. You can use the API to create, edit and delete blog posts on your space. The following blogging applications either currently work with our implementation of the MetaWeblog API or will in their next release


I use a private Space (i.e., Contact list membership required) to keep my family abreast of what I’m doing in real life (so it’s very infrequently updated, chortle), but I dislike the email post method (for no obvious reason, except when I’m out and about with the email-only Smartphone), and I don’t like the inertia of browsing somewhere to create a new post. W.Bloggar it is, then…

ISABPA: The ISA Server Best Practices Analyzer

The ISA Server team released the ISA Server 2004 Best Practices Analyzer! There’s an exclamation mark because it’s cool!



Overview

The ISA Server Best Practices Analyzer is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server 2004 computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

If you have an ISA Server 2004 installation, you should give it a try, even if everything’s running fine at the moment. It’s worth the once-over to be on the safe side, and to identify any obvious gotchas. The Help explains the checks it performs, which also helps you configure a better box.


I played a bit with the beta versions, and I’m going to give this one a whirl when I next have a chance.
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

Vocab Corner: Bing

Another wonderful word suggestion to add to your custom.dic, from the mind that brought you “Fnjorkel”.


The Suggestion


IM has become ubiquitous, but there’s no widely accepted way of easily saying “IM me” in a non-vendor-specific manner without using more than two syllables.

Therefore, I move that “bing” be used in place of any given term for “instant message”.


Bing!

Synonymous with “instant message”.

verb: “Bing me!”
noun: “I got a bing from Dennis…”


The Rationale


Two-syllable words like “message” or “IM” or “MSN me” or “in Windows Live Messenger, double click me as a contact and then send me an instant message” are cumbersome and slow.

A commonly accepted verb meaning “to IM”, such as “bing” would greatly enhance productivity and create a synergistic win/win opportunity for diversified consolidation.

A Change Is As Good As A Holiday

And just to be on the safe side, I’m going to “nuke the site from orbit” and do both.


I’m taking a nice, long Christmas vacation (almost a month!), bits of which will actually be spent outdoors at a beach (I know, I feel like I’m letting the side down too). (Tip for confused Northern Hemispherers (can we call them all Geordies?) – it’s summer here in the South).


And when I return, I’ll be joining the (evil) Internet/eBiz support team here in the Sydney GTSC, part of the larger (sneaky) Developer Tools and Internet group.


The Platforms support team has been my home for the last four-ish years, and I’m a little sad to be leaving my friends and colleagues in that team, but stoked to be joining the Inet group.


Teh intarweb is teh future. It’s an exciting time.