ISAserver.org Monthly Newsletter of November 2011
Sponsored by: GFI Software
<http://landmar.gfi.com/outlook-pst-file-sm/>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org
1. Eight Expert Configuration Decisions for the TMG Firewall
--------------------------------------------------------------
I have a list of things that I do when configuring my TMG firewalls, which I try to do at each TMG firewall installation I perform. I call these my "Expert Configuration Decisions." These are the tasks that I make sure to get done before going into full production. Here's my list:
Install the Threat Management Gateway (TMG) Client on Client OSs
The TMG client enables you to require authentication for almost all UDP and TCP protocols for Winsock applications. In addition to requiring authentication, you also can record user information in the TMG Firewall's log files. All secure TMG firewall installations have the TMG client installed on the client systems so this is an important component in deploying a new TMG installation.
Configure All Clients as Web Proxy Clients
A computer is a Web proxy client when the web browser is configured to use the TMG firewall as a Web proxy server. You can use Group Policy or autoconfiguration to automatically configure the clients as Web proxy clients, so you will never need to "touch" the clients to configure them. Web proxy clients improve security and performance for client side web applications.
Set Up Separate Inbound and Outbound Access Firewalls
To increase security, performance and reliability, you should use separate TMG Firewalls (or firewall arrays) for inbound and outbound connections. The inbound TMG firewall might accept connections for published Web sites, remote access VPN connections, or inbound SMTP mail. Outbound connections are those that are initiated by internal users and go out to the Internet.
Join the TMG Firewall to the Domain
One of the most important things you can do to improve the level of security the TMG Firewall can provide is to join the TMG firewall to your user domain. It's a common misconception that joining the TMG Firewall to a workgroup is more secure. The truth is that workgroup ISA Firewalls are less secure. For details on the enhanced security provided by domain membership, check out this article: http://isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html
Use SSL to SSL Bridging
When an external user establishes an SSL connection to one of your published servers, that user has a reasonable expectation that you have secured the SSL connection from end to end. If you use so-called "SSL offloading" by using SSL to HTTP bridging, then you've violated that implicit agreement and potentially opened yourself up to legal liabilities if information is stolen on the non-secured channel. That's why you should be smart and use SSL to SSL bridging to provide end to end security. If you have performance issues, upgrade your hardware. Try an SSL encryption card first.
Use a Split DNS Infrastructure
A split DNS infrastructure allows you and your users to use the same names to access resources regardless of the users' locations. A split DNS requires that you have at least two DNS servers for the same DNS zone: one that is used exclusively by external users and one that is used exclusively by internal users. For more information about how to create a split DNS infrastructure, check out the articles posted at http://isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html and http://isaserver.org/tutorials/2004illegaltldsplitdns.html
Create Allow Rules, Avoid Deny Rules
The ideal network security configuration is based on the principle of least privilege. Least privilege provides users with access to what they need to get their work done, and nothing more. When the principle of least privilege is applied to the ISA Firewall configuration, you create only Allow Rules that allow users access to what they need and everything else, by default, is excluded. In a perfect least privilege world, you would only need to create Allow Rules and no Deny Rules, since everything that is not explicitly allowed is denied.
Inspect Outbound SSL Connections
Probably the biggest threat to your networks today is what's coming into them over encrypted channels. That is one of the reasons you shouldn't allow outbound VPN connections from your network to any external network; the traditional firewall can't inspect what's being transferred over the encrypted VPN channel. The same situation is found with SSL encrypted sessions - the firewall can't see what's being done over the encrypted channel. Malware can take advantage of this and import other malware components over the encrypted channel. You need a firewall that can inspect outbound SSL connections and the TMG Firewall is that firewall. For information on how to enable outbound SSL inspection on the TMG firewall, check out Tom's article at http://www.isaserver.org/tutorials/Outbound-SSL-Inspection-TMG-Firewalls-Part1.html
Do you have your own expert configurations that you use in your TMG firewall environments? If so, let me know and I'll share them in our Christmas edition of the ISAserver.org newsletter.
See you next month! - Deb.
dshinder@isaserver.org
=======================
Quote of the Month - "All things are difficult before they are easy." – Thomas Fuller
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* TechGenix launches MSPAnswers.com - Your guide to the world of Managed Services
http://www.isaserver.org/news/TechGenix-launches-MSPAnswers-com-guide-to-world-of-Managed-Services.html
* Selecting the best TMG Firewall Remote Access VPN Protocol for your network
http://www.isaserver.org/tutorials/Selecting-best-TMG-Firewall-Remote-Access-VPN-Protocol-network.html
* Microsoft Forefront TMG and UAG – A feature comparison
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-UAG-feature-comparison.html
* GFI WebMonitor Voted ISAserver.org Readers' Choice Award Winner - Monitoring & Administration
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Monitoring-Administration-GFI-WebMonitor-Sep11.html
* Configuring TMG Web Proxy Client Autodiscovery
http://www.isaserver.org/tutorials/Configuring-TMG-Web-Proxy-Client-Autodiscovery.html
* Configuring HTTPS Inspection with Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Configuring-HTTPS-Inspection-Forefront-Threat-Management-Gateway-TMG-2010.html
* Secure CDP publishing with Forefront TMG and the HTTP-filter
http://www.isaserver.org/tutorials/Secure-CDP-publishing-Forefront-TMG-HTTP-filter.html
* Test Lab Guide: Demonstrate Site to Site VPN with Threat Management Gateway 2010 (Part 4)
http://www.isaserver.org/tutorials/Test-Lab-Guide-Demonstrate-Site-to-Site-VPN-Threat-Management-Gateway-2010-Part4.html
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
Got problems with your TMG firewall? Need some help troubleshooting what seems to be an impossible problem? You've tried the forums, you've asked your friends, and you've read all the docs and there's just no answer? What should you do? Go to the Forefront Threat Management (TMG) 2010 Troubleshooting Survival Guide <http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx> on the TechNet wiki! Yuri Diogenes has done a great job at keeping this wiki page up to date. Check out the great sections:
Introduction
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#Intro
Troubleshooting Tools
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootTools
Troubleshooting Setup
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootSetup
Troubleshooting Outbound Access
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootOA
Troubleshooting Performance
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootPerf
Troubleshooting E-Mail Protection
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootEP
Troubleshooting VPN
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootVPN
Troubleshooting Report
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootReport
Troubleshooting Web Publishing
http://social.technet.microsoft.com/wiki/contents/articles/2702.aspx#TShootWP
And if you have information on how to solve a problem that's not on the wiki page, then add it! That's right – you can edit the pages on the wiki. Is that cool or what?
5. Tip of the Month
--------------------------------------------------------------
Why wait to download a service pack when you can slipstream it into the installation bits? No reason that I can think of. So, how about slipstreaming TMG firewall Service Pack 1 and Software Update 1 into the RTM bit? That will get you set up to install TMG firewall Service Pack 2. To find out more, head on over to the TechNet wiki at http://social.technet.microsoft.com/wiki/contents/articles/slipstreaming-tmg-server-2010-with-service-pack-1-amp-software-update-1.aspx and the answer is waiting for you there.
6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------
Tom has written a number of articles on UAG DirectAccess and ISATAP. One of the more interesting articles is the one where he says that he is going to have to eat crow because of some statement that he made regarding ISATAP and how it should be used in production networks. Now I think it's best to try to avoid ISATAP as much as possible on a production network because it really was designed as a temporary measure to bridge you to native IPv6, not as a permanent solution. However, until you get that native IPv6 network, ISATAP can be very useful for manage-out scenarios. There are several ways you can enable ISATAP on a select number of hosts, and in this article, Forefront Edge MVP Jason Jones shares a way you can do this through Group Policy. Check it out in the article Limiting ISATAP Services to UAG DirectAccess Manage Out Clients.
<http://blog.msedge.org.uk/2011/11/limiting-isatap-services-to-uag.html>
7. Blog Posts
--------------------------------------------------------------
* Five Reasons to Install TMG Firewall Service Pack 2
http://blogs.isaserver.org/shinder/2011/10/31/five-reasons-to-install-tmg-firewall-service-pack-2/
* Release Notes for TMG Firewall Service Pack 2
http://blogs.isaserver.org/shinder/2011/10/31/release-notes-for-tmg-firewall-service-pack-2/
* How to Install TMG Firewall Service Packs
http://blogs.isaserver.org/shinder/2011/10/31/how-to-install-tmg-firewall-service-packs/
* Configuring HTTPS Inspection with Forefront Threat Management Gateway (TMG) 2010
http://blogs.isaserver.org/shinder/2011/10/31/configuring-https-inspection-with-forefront-threat-management-gateway-tmg-2010/
* Deploy Windows Server Updates Services (WSUS) 3 SP2 on a DMZ Protected by
Forefront TMG 2010 SP2
http://blogs.isaserver.org/shinder/2011/10/31/deploy-windows-server-updates-services-wsus-3-sp2-on-a-dmz-protected-by-forefront-tmg-2010-sp2/
* TMG Firewall Service Starts and Stops
http://blogs.isaserver.org/shinder/2011/10/31/tmg-firewall-service-starts-and-stops/
* Single-Label DNS Domain Names and Forefront UAG DirectAccess SP1
http://blogs.isaserver.org/shinder/2011/10/31/single-label-dns-domain-names-and-forefront-uag-directaccess-sp1/
* Use System Center to Monitor the TMG Firewall
http://blogs.isaserver.org/shinder/2011/10/31/use-system-center-to-monitor-the-tmg-firewall/
* Use the TMG Firewall as a Wifi Gateway with Collective Software Captivate
http://blogs.isaserver.org/shinder/2011/10/31/use-the-tmg-firewall-as-a-wifi-gateway-with-collective-software-captivate/
* UAG and stateless clients
http://blogs.isaserver.org/shinder/2011/10/31/uag-and-stateless-clients/
8. Ask Sgt Deb
--------------------------------------------------------------
* QUESTION:
Hi Debra,
Sorry firstly for emailing you directly, however I am not sure who to turn to now as I have an issue with my Radius Server and authenticating over TMG 2010. The following is the errors I am receiving on my VPN dial in to my company network depending on the settings I select
On the VPN dialup:
Error 619: "A connection to the remote computer could not be established."
Error 741: "Client doesn't support the required data encryption type."
I can see clearly that the authentication goes through okay and that the user is approved and signed in from the RADIUS Server event logs, but I don't know why the TMG seems to decide to disconnect the client once the authentication process Is complete?
I have setup a Radius Server on my AD Server and have activated the Radius with Active Directory as well as created rules For the Radius dial in from VPN clients and setup the TMG 2010 Server as a Radius client with NAP enforcement. I have also set the EAP Quarantine Enforcement Client to enabled on both the Windows 7 client and on the GPO on the Radius Server.
Please if you are able to assist me somehow as I have been trying to figure this out for the past week with no success. Do you need more details on my setup or is there a forum which perhaps I can go to on ISAserver.org and post my issue?
Thanks! --Adrian
ANSWER:
Hi Adrian!
I think you're running into a common problem people have when working with the TMG firewall and RADIUS. There is an option for user mapping, where you can map non-Active Directory users to Active Directory groups. However, in order for that to work, the TMG firewall must be a member of the domain so that it can consume the Active Directory groups. You didn't mention whether the TMG firewall was a domain member, but (unfortunately) many organizations do not join the firewall to the domain. If your firewall is not a domain member, make sure to disable user mapping, as seen in the figure below.
<http://www.isaserver.org/img/ISA-MWN-November11-1.jpg>
Have fun! – Deb.
Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2011. All rights reserved.
No comments:
Post a Comment