Connecting the world…

internet

Internet in Argentina

I don’t know if people from Argentina read my blog, but if they do I would like to thank them for their wireless coverage throughout the country. I am traveling for some time through Argentina and I slept in multiple hotels and hostels. Every single hotel and hostel offers some kind of internet connection. Mostly I have the option to use my iPhone and my iBook without extra fees to pay.

Many (public) places broadcast a wireless network, even in places you wouldn’t suspect a wireless network, like a baker or take the little town El Chaltén. El Chaltén doesn’t have an ATM machine. You cannot use your credit card, but there is a wireless internet connection via a satellite uplink. Some wireless networks are open and some have a captive portal configuration to log in. However most wireless networks are protected with a WPA(2) key. I only need to ask for the key and they directly write it down for me.

Security is something the Argentineans are less familiar with. I guess it’s a hobby, but every time I join a  wireless network, I always try to access the router / default gateway. When trying to access the router, in most cases you get some kind of login page or basic authentication popup. These kind of pages mostly tell me what kind of router is used. A quick search on the internet for some default passwords already gave me access to three routers. Not so clever to use default password!!!

Internet speeds are also decent. You cannot compare it to the speed in the Netherlands, but I made some SIP phone calls without any problems. Internet access makes the holiday a lot easier, because I have to book multiple hostels and hotel along the ride and I can upload my picture from the camera to the iBook and from there to my NAS at home.

You Argentineans are doing a great job. I hope your friends in Chili are like you, because that is the next stop in a couple of days.

ISA 2006 Web Chaining

ISA Web Chaining rules define how traffic will be handled by the proxy server. Web request to specific destination can be handled in different ways by ISA:

  1. Retrieve directly from the destination / internet;
  2. Forward to an upstream proxy server;
  3. Redirect the request to a specific server / web page;

The most popular use for Web Chaining is to chain branch office ISA firewalls with main office ISA firewalls. But also combining two ISP connections is a commonly used scenario for Web Chaining. I often use Web Chaining from ISA server with some kind of upstream proxy server. A lot of organizations use ISA as proxy server and some kind of dedicated appliance (maybe in DMZ environment) as content scanner.

With Web Chaining you can forward all request to the upstream proxy server, which will retrieve the specified destination from the internet. Specific website could have problems with being forwarded to the upstream server. I normally use Web Chaining to directly retrieve these website from the internet without being forwarded to the upstream proxy.

To create a Web Chaing Rule, open the ISA Management Console and navigate to Networks. In the center of the Management Console you will find a tab called Web Chaining. The default Web Chaining rule is configured to forward all request to an upstream proxy server.

The following screenshots tell you how to configure an additional Web Chaining rule to directly retrieve the destination (www.4ip.nl) from the internet.

create_wct Start the creation of a Web Chaining rule by clicking on Task – Create new Web Chaining rule.

This will start the New Web Chaining Rule Wizard.

Enter a valid name for the newly created Web Chaining Rule.

destination_wct Select the destination to which this Web Chaining Rule will apply.

I configured an URL set containing the URL: http://www.4ip.nl/*

action_wct On the Request Action page, you configure how you want the Web requests to that particular destination routed by the ISA firewall.

The default setting is to route the request directly to the destination Web site. This is exactly what I would like to accomplish.

The last step is Finishing the New Web Chaining Rule Wizard.

The newly created Web Chaining Rule is placed above the Default Web Chaining rule in the Web Chaining tab. The rules are matched sequentially, so now all traffic matching the configured URL set will be retrieved directly from the internet. All other traffic will be forwarded to the upstream proxy server.

Where is the Internet Authentication Service?

Microsoft IAS server is often used as RADIUS server to authenticate VPN users or in conjunction with ISA reverse proxy to authenticate OWA users or PDA synchronization.

Today I had to install an ISA reverse proxy server with ISA 2006 Standard and Exchange 2007. I wanted to install Microsoft IAS as RADIUS server to authenticate the OWA users. Normally I install IAS on one, but preferably, on two domain controllers. I logged in on a domain controller through RDP. I noticed that the OS of the domain controller was Windows Server 2008.

Cool, finally working with a Windows Server 2008. After getting familiarized with the new view and layout, I started to search for a way to add the needed Windows component IAS. After searching for a while I found how to add Windows component. Looking at the complete list, I couldn’t find the Internet Authentication Service.

Oops, did Microsoft remove the IAS functionality from its server platform??? After googling for a second, I found that IAS has been replaced by Network Policy and Access Server service in Windows 2008.

Microsoft TechNet told me the following:

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2008. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003.

 

As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers. NPS also acts as a health evaluation server for Network Access Protection (NAP). Source

After installing NPS, I started the configuration. You really have to get familiar with the way Windows Server 2008 works. There are a lot of different wizard and multiple configuration options to choose from. Everything looks a bit more fancy. NPS is not only a replacement for IAS, but has also many enhancements.

More information about installing and configuration Network Policy Server can be found in the article Understanding the new Windows Server 2008 Network Policy Server on WindowsNetworking.com. Here you can read that NPS has a lot of functions related to Network Access Protocol (NAP). A very detailed example of using NPS to perform NAP can be found in Brian Posey’s series An Introduction to Network Access Protoction.