Release Notes

Microsoft Internet Security and Acceleration Server 2004 Beta 2

1. Setup and System Requirements	6. Authentication
2. Administration	7. Monitoring Issues
3. Firewall Client	8. Security
4. Firewall Policy	9. Documentation
5. VPN and VPN-Authentication

Read this First

Be sure to read the Microsoft® Internet Security and Acceleration (ISA) Server 2004 Installation and Feature Guide (Isastart.htm). This guide provides installation instructions, describes new ISA Server 2004 features, and details walk-throughs highlighting these features. Also, read the operating system requirements document (Setup_prerequisites.htm). Both of these documents are located in the root folder of the ISA Server 2004 CD. You can also find this information and additional documentation on the Web site (http://go.microsoft.com/fwlink/?LinkId=21242).

Before installing this software, refer to any additional release notes that may have accompanied the CD.

This is a beta release of Microsoft ISA Server 2004. As such, not all features are complete, and the following sections describe some issues and limitations related to this release.

Important: We recommend that you do not deploy ISA Server 2004 Beta 2 in a production environment.

Back to Contents

1. Setup and System Requirements

ISA Server 2004 Beta 2 can only be installed as follows:
- On computers running Windows® 2000 Server, Service Pack 4 (SP4). For this beta release, installation is not supported on Windows 2000 Advanced Server, or Windows 2000 Datacenter Server.
- On computers running Microsoft Windows Server 2003, Standard Edition.
For further details, read the operating system requirements document, (Setup_prerequisites.htm), available from Autorun.exe.
The following scenarios are not supported in ISA Server 2004 Beta 2:

Upgrading ISA Server 2000 or any other previous version to ISA Server 2004 Beta 2. Before installing ISA Server 2004 Beta 2, remove all previous versions of ISA Server installed on the computer.
Upgrading ISA Server 2004 Beta 2 to future releases.

ISA Server 2004 Beta 2 should not be installed on multi-processor computers with more than 4 processors.
During installation, if you enable Add the following private IP ranges, and duplicate any of these private IP ranges in the range definition for an internal network adapter, Setup will fail. To avoid this issue, disable Add the following private IP ranges, or select an internal network adapter that does not duplicate the range.

Back to Contents

2. Administration

To administer a remote ISA Server computer from ISA Server Management console on your local ISA Server computer, create an access rule on the local ISA Server computer, to allow traffic between the LocalHost network and the remote computer.
For this beta release, you cannot modify the default SecurID configuration on your local ISA Server computer from a remote ISA Server Management console. Instead, either configure SecurID directly on the ISA Server computer, or use Terminal Services for remote management of the local ISA Server.
For this beta release, you must restart all ISA Server services to apply changes made using the Administration Delegations Wizard.

3. Firewall Client

On the Firewall client computer, if you remove the Firewall Client icon from the Windows taskbar, you can restore it. To do so, click Start, point to All Programs, point to Start Up, and then click Microsoft Firewall Client Management. To open the Firewall Client Configuration dialog box, double-click the Firewall Client icon.

Back to Contents

4. Firewall Policy

ISA Server only performs link translation on HTML document strings, such as internal computer names, that are specified in UTF-8 format.
For this beta release, you must restart the Firewall service for changes to take effect when you do the following:

Modify a protocol definition used in a server publishing rule.
Modify the number of concurrent Secure Sockets Layer (SSL) client connections on a Web listener.

For this beta release, there may be some issues playing .jpg files over Real Time Streaming Protocol with User Datagram Protocol (RTSPU).
To allow DCOM (and other remote procedure call (RPC) traffic), create an access rule that allows the RPC protocol. Then, modify the access rule as follows:

Right-click the access rule, and then click Configure RPC protocol.
On the Protocol tab, verify that Enforce Strict RPC compliance is not selected.

For this beta release, DCOM client/server communications between applications running on the ISA Server computer and the Internal network may not function as expected.
Configure the prefetcher system policy rule as follows:

The prefetcher system policy rule is disabled by default. Enable it to allow access from the LocalHost network to all networks for the Local System and Network Service accounts only.
To allow SecureNAT access from the LocalHost network to all networks, create an access rule to allow all HTTP traffic from the LocalHost network to all networks (this will include the Local System and Network Service accounts). Do not enable the prefetcher system policy rule.

Back to Contents

5. VPN and VPN-Authentication

For this beta release, implementing an Internet Protocol security (IPSec) site-to-site virtual private network (VPN) with ISA Server is not supported on computers running Windows 2000 Server.
When you enable Extensible Authentication Protocol (EAP), the following occurs:
- On computers running Windows Server 2003, both EAP-TLS and EAP-MD5 are enabled.
- On computers running Windows 2000, only EAP-TLS is enabled.
To enable other EAP types, set up a RADIUS server for authentication.
VPN clients cannot use a modem dial-up connection to establish a VPN client session with ISA Server.
For VPN clients, IP Filter attributes are ignored. Client access to the network is subject to ISA Server access policy, and this can affect the security policy for user accounts. For example if an account is changed, but changes are not yet replicated in Active Directory, a user may pass RADIUS authentication with the new credentials, but have access to ISA Server resources based on the old credentials.
For this beta release, when there is a network address translation (NAT) relationship between the VPN Clients network and other networks, VPN clients cannot access published servers.
For this beta release, ISA Server assumes that the RADIUS accounting port is equal to authentication port + 1. You should configure the RADIUS server accordingly.
When ISA Server is installed on a computer running Windows 2000 Server, then running Internet Authentication Service (IAS) on the same computer may cause problems with VPN client firewall authentication. We recommend that you disable the IAS service. If IAS is required to act as a RADIUS server for VPN clients, then we recommend that you configure the IAS service on a separate machine.
If you stop or restart the IPSec PolicyAgent service, all dynamic IPSec configuration information is lost, including ISA Server VPN site-to-site IPSec configuration settings. To restore settings, either start the PolicyAgent service and restart the Firewall service, or restart the computer.
When using IAS as your RADIUS server for Web Proxy clients, verify the following:

Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication is enabled in the dial-in profile of the IAS Remote Access Policy.
A shared secret key is specified.

VPN client computers configured as Firewall clients will present Firewall client credentials (logged on user) for authentication, rather than the VPN session credentials. The effect of this is that access rules based on VPN credentials will not take effect.

Back to Contents

6. Authentication

For this beta release, if you publish Microsoft Exchange 5.5 using forms-based authentication, and authentication is also required on the Web Proxy listener, the user may have to enter credentials multiple times.
For this beta release, Web Proxy RADIUS authentication has only been tested with an IAS server running on Windows 2000. Other types of RADIUS servers have not been tested.

Back to Contents

7. Monitoring Issues

For this beta release, ISA Server reporting functionality from SQL Server logs is not complete.
If you are not running the Simple Mail Transfer Protocol (SMTP) Message Screener component on the ISA Server computer, and in ISA Server Management (on the ISA Server computer), you specify a folder location for the Message Screener log that does not exist on the computer running the Message Screener component, the folder will only be created on that computer after it is restarted.
For this beta release, text strings logged to an MSDE database using non-English characters may not display as expected in the log viewer, or in reports generated from the log.

Back to Contents

8. Security

In this beta release, virus infected clients (VPN, internal) are not automatically blocked from flooding the ISA Server computer or servers protected by ISA Server. To prevent this scenario, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected client computer is identified, create an access rule to deny traffic from that computer. To exclude a specific user or users from VPN clients with access to the ISA Server computer, do the following:
- To restrict by user name, control access using the Remote Access Policy (RAP) to exclude the user from the allowed VPN clients.
- To restrict by IP address, create a new network and move the IP address out of the External network to the new network.

Back to Contents

9. Documentation

Application programming interface (API) names are subject to change in future releases.
The software development kit (SDK) documentation may contain topics related to ISA Server Enterprise Edition functionality that is not supported in ISA Server Standard Edition.
The documentation included with this beta release is preliminary. Updated versions of the product documentation will be available on the Web site (http://go.microsoft.com/fwlink/?LinkId=21242).
The context-sensitive help, available when you click ? on a dialog box or property sheet, is still preliminary. For more information about a specific feature, refer to the on-line help or to the documentation available on the Web site.

Back to Contents

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.

Back to Contents