Release Notes

Microsoft Internet Security and Acceleration Server 2004 Release Notes


Contents

1. Installing
2. Administering
3. Firewall Client
4. VPN
5. Publishing
6. Monitoring
7. Localization
8. Upgrading

Read this First

Be sure to read the Microsoft® Internet Security and Acceleration (ISA) Server 2004 Installation and Feature Guide (Isastart.htm). This guide provides installation instructions and setup prerequisites, describes new ISA Server 2004 features, and details walk-throughs highlighting these features. This document is available when you run Setup, and is located in the root folder of the ISA Server 2004 CD. In addition, refer to the solution documents, available on the ISA Server Guides and Articles website, for deployment instructions and information about common scenarios.

Before installing this software, refer to any additional release notes that may have accompanied the CD, and check the website for any last-minute release notes.



1. Installing

  1. For best security practice, always install the latest updates for your operating system and ISA Server. For information on recent updates you may need to install, see the ISA Server Security Update Center.
  2. ISA Server 2004 should be installed on computers running Microsoft Windows Server™ 2003, or Windows® 2000 Server, Service Pack 4 (SP4). On computers running Windows® XP, you can install ISA Server Management only, and use it to manage a remote ISA Server. For further details, read the Installation and Feature Guide (Isastart.htm), available when you run Setup.
  3. When ISA Server is uninstalled, a number of files are not removed. These files may be in use by other applications and you should not remove them. For a full list of these files, see ISA Server online help.



2. Administering

  1. When you remotely manage ISA Server from a computer installed in Workgroup mode running ISA Server Management console, do not specify a value in the Domain field when you connect to the ISA Server computer.
  2. Active caching is always disabled, regardless of configuration changes made in ISA Server Management or using the Admin COM.
  3. A port can have more than one protocol definition associated with it. Note the following behavior when creating rules that exclude specific protocols:
  4. If you create a new protocol definition for a virus, do not add the protocol definition you create to the exception list of a rule allowing access. Instead, create a rule denying access to the protocol definition, and ensure that the rule is placed above any access rules that allow protocols on any ports you have referenced in your deny rule.
  5. If you need to remove logged on ISA Server administrators from a security group, and add them into a new group, complete these steps in the following order:
    1. Add the administrator account into the new group.
    2. Log off and on with the administrator account, so that the new settings take effect.
    3. Remove the administrator account from the original group.



3. Firewall Client

  1. If Internet Protocol security (IPSec) transport mode is enabled for a network, functionality for Firewall clients in that network may be impaired. If Firewall clients in the network do not behave as expected, disable IP routing. To do this, in the Configuration node of ISA Server Management, click General. In the details pane, click Define IP Preferences. On the IP Routing tab, verify that the Enable IP Routing checkbox is not selected.
  2. When you install Firewall Client, settings you specify during Setup apply to all user accounts on the client computer. However, changes you make in the Firewall Client dialog following installation are only applied to applications running under the logged-on account. Changes are not applied to applications running for other users, or to applications running under system accounts. Following installation, to make a change in Firewall Client settings for all accounts, modify settings in the Common.ini and Management.ini files, located in the Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder. After modifying Common.ini you must restart the Firewall Client (FwcAgent) service on computers running Windows Server 2003, Windows XP, Windows 2000, and Windows NT®. On computers running Windows 98 or Windows Millennium Edition, you must restart the computer. Changes to Management.ini do not require a service or computer restart.



4. VPN

  1. When ISA Server is installed on a computer running Windows 2000 Server, if you run Internet Authentication Service (IAS) on the same computer, it may cause problems with VPN client authentication. We recommend that you disable IAS. If IAS is required to act as a RADIUS server for VPN clients, configure IAS on a separate computer.
  2. Enabling user mapping for VPN clients who authenticate using Extensible Authentication Protocol (EAP) is not supported. As a result, access rules applied to Windows user groups cannot be applied for these clients.
  3. When you disconnect an L2TP VPN site-to-site connection through Routing and Remote Access Service management or ISA Server Management, ISA Server may stop responding. To resolve this, restart the ISA Server computer.
  4. When configuring a remote L2TP site-to-site network, if you select Allow pre-shared key IPSec authentication as a secondary (backup) authentication method on the Protocol tab of the remote site network properties, the pre-shared key is always used as the authentication method. Certificate authentication is not used, although the dialog and the online documentation might imply that this is the case.



5. Publishing

  1. To enable SecurID authentication on an ISA Server computer configured with multiple network adapters, you should explicitly configure the IP address with which ISA Server identifies itself to the RSA ACE/Server. If SecurID authentication is enabled but the required registry key is missing, the SecurID authentication process might fail. Specify the IP address configured in Network address, on the Host properties dialog on the ACE Server, as a string value in registry key HKEY_LOCAL_MACHINE\SOFTWARE\SDTI\AceClient\PrimaryInterfaceIP.
  2. When a secure connection is established with ISA Server, ISA Server checks a Certificate Revocation List (CRL). By default, a CRL check is enabled when ISA Server is configured to connect using SSL to an upstream Web proxy or a Web server. Ensure that certificate revocation requests are not routed through a secure connection, so that they do not trigger a CRL check.
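
For item 1 above, one way to audit the SecurID registry setting on a multi-adapter ISA Server computer, given as an added PowerShell example that is not part of the original release notes. It assumes PrimaryInterfaceIP is a string value under the AceClient key and that PowerShell is available on the computer; the address 192.0.2.10 and the -Fix switch are placeholders introduced here.

```powershell
# Added example: audit (and optionally set) the SecurID PrimaryInterfaceIP value.
# Assumption: PrimaryInterfaceIP is a REG_SZ value under the AceClient key.
param(
    [string]$ExpectedIP = '192.0.2.10',  # constructed placeholder address
    [switch]$Fix                          # hypothetical switch: write the value
)

$keyPath   = 'HKLM:\SOFTWARE\SDTI\AceClient'
$valueName = 'PrimaryInterfaceIP'

# Reject anything that does not parse as an IP address.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ExpectedIP, [ref]$parsed)) {
    throw "ExpectedIP '$ExpectedIP' is not a valid IP address."
}

# On a multi-adapter computer, confirm the address is actually bound locally.
$localIPs = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress })
if ($localIPs -notcontains $ExpectedIP) {
    Write-Warning "$ExpectedIP is not bound to a local adapter ($($localIPs -join ', '))."
}

# A missing key or value is the failure case the release note describes.
$current = $null
if (Test-Path $keyPath) {
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

if ($null -eq $current)           { $state = 'MISSING' }
elseif ($current -ne $ExpectedIP) { $state = 'MISMATCH' }
else                              { $state = 'OK' }
"{0}\{1}: {2} (current='{3}', expected='{4}')" -f $keyPath, $valueName, $state, $current, $ExpectedIP

# Only write when asked to, and create the value explicitly as a string.
if ($Fix -and $state -ne 'OK') {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -Value $ExpectedIP `
        -PropertyType String -Force | Out-Null
    "Set $valueName to $ExpectedIP"
}
```

Pass the address configured in Network address on the ACE Server Host properties dialog as -ExpectedIP; without -Fix the script only reports the state.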



6. Monitoring

  1. We recommend that you allow a minimum of 4 gigabytes (GB) disk space for logging.
  2. When the Advanced Logging component (MSDE) is installed during ISA Server Setup, a number of 16-bit *.dll files are installed, including Ds16gt.dll, and Odbc16gt.dll. This is an optional component, installed by default.
  3. The log maintenance feature does not apply to the SMTP filter log. For more information on log maintenance, see the Log Storage format topic in the ISA Server help.
  4. Administrators who have Extended Monitoring role permissions can configure all report properties with the following exceptions: For more information on administrative roles, see ISA Server help.
  5. If you delete an MSDE database file without first detaching it from MSDE, the offline log viewer might not run queries as expected. ISA Server supports an automatic clean up of database files, but to delete a file manually, detach it from MSDE before deletion.



7. Localization

  1. When you upgrade to ISA Server 2004 from ISA Server 2000, messages and alerts displayed during the upgrade might not be localized, and may be displayed in English only.
  2. Upgrading from ISA Server 2000 in one language to ISA Server 2004 in a different language is not supported.
  3. In a Web Proxy chaining scenario, usernames and passwords can be specified using 7-bit characters only. Otherwise, Integrated Windows authentication will fail on the downstream proxy server.
  4. SMTP filter log entries are not localized, and are displayed in English.



8. Upgrading

  1. To familiarize yourself with how ISA Server 2000 configuration is upgraded, read the "Upgrading from Microsoft Internet Security and Acceleration (ISA) Server 2000 Standard Edition" document (ISA2000migrate.htm), available from ISA Server 2004 Autorun.
  2. We recommend that when upgrading ISA Server 2000 to ISA Server 2004 on a different computer, you install all necessary certificates on that computer before importing the ISA Server 2000 configuration file.
  3. ISA Server 2000 included an HTTP redirector filter, which could be configured by the user. However, none of the configuration settings are migrated to ISA Server 2004. To configure ISA Server 2004 with the ISA Server 2000 settings, do the following: By default on ISA Server 2004, all requests are directed to the Web Proxy filter.
  4. During migration, if Ask unauthenticated users for identification is selected on the Outgoing Web Listener properties page of ISA Server 2000, this setting is migrated and Require all users to authenticate will be enabled on the Web Proxy properties of the Internal network in ISA Server 2004. Following the upgrade, ISA Server 2004 will not be accessible for HTTP requests from SecureNAT clients in the Internal network, even if you have chosen to maintain your existing ISA Server 2000 policy during the upgrade. To solve this issue, do the following:
  5. During migration, a network set ("Internal Network Set") is created. This network set includes the Internal network, the Local Host network, and the VPN Clients network, and is used as the Internal network in migrated access rules. After upgrading, to ensure that migrated rules behave as they did in ISA Server 2000, modify the access rules created from migrated ISA Server 2000 Protocol rules and Site and Content rules, as follows:



Information in this document, including URL and other Internet website references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© Microsoft Corporation 2004. All rights reserved.

Microsoft, Active Directory, Outlook, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.
