Wednesday, December 21, 2011

ISAserver.org Monthly Newsletter of December 2011

-------------------------------------------------------
ISAserver.org Monthly Newsletter of December 2011
Sponsored by: Wavecrest Computing
<http://landmar.gfi.com/outlook-pst-file-sm/>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Have the reports of TMG's death been greatly exaggerated?
--------------------------------------------------------------

Back last spring, we reported – with more than a little concern – Gartner's Magic Quadrant Report that stirred up a tempest in a teapot when they said Microsoft had informed them that they wouldn't be shipping another full version of TMG and no longer intended to compete head-to-head with other vendors in the secure web gateway/firewall space. I wrote about it in my blog on this site and even did an editorial about it over on TechRepublic. In case you missed it, you'll find it here:

http://www.techrepublic.com/blog/window-on-windows/the-demise-of-threat-management-gateway-is-microsoft-backing-away-from-the-edge/4387?tag=content;siu-container

The whole thing was exacerbated by the fact that Microsoft would neither confirm nor deny all the rumors that were swirling around in response to Gartner's statement. As time has gone on, the confusion and consternation has deepened. Customers and MVPs have been asking questions about the future of TMG and not getting many answers. In some ways that seems ominous – but some of us have started wondering if maybe it's actually a good sign.

Certainly there have been some encouraging developments. In October, Microsoft released Service Pack 2 for TMG 2010, which was more than just a bug fix; it introduced several new functionalities, with a new Site Activity report, new look and feel for error pages, and the ability to use Kerberos authentication when deploying an array using NLB.

Why would Microsoft come out with a Service Pack for a product that had been declared "as good as dead" months before? As with all Microsoft products, the company will continue to support TMG for at least ten years from the date of this service pack, so it seems there's some life in the old gal yet.

Last month, Richard Hicks reminded us that TMG was celebrating its second birthday:

http://tmgblog.richardhicks.com/2011/11/16/forefront-tmg-2010-turns-two-years-old-2/

But it's important to remember that number refers only to the product named Threat Management Gateway. TMG actually has a much longer history than that, as the successor to the very popular ISA Server 2006, which itself evolved out of Microsoft Proxy Server. So saying it's two years old is, in some ways, like saying that if you go to court and get a name change, you can reset your age to zero and start all over again. Much as some of us who are getting up in years might wish we could do that, it really doesn't work that way. TMG has been around for a while and it has matured into an excellent product. Abandoning it at this point wouldn't be like dumping the Kin because you realize you've made a mistake.

But this whole name change thing has me wondering if maybe we didn't take Gartner's statement literally enough. Just because Microsoft might have said they wouldn't be shipping another full version of their Threat Management Gateway, does that mean the product itself is necessarily going away? They could have said they weren't going to ship another version of ISA Server after 2006, too – and that would have been technically correct.

Who knows? Maybe TMG is just getting ready to undergo another evolutionary cycle. It's hard for me to believe that Microsoft would really just throw away the technology after working so hard to get it right. That would be almost like suddenly deciding to get out of the web browser business after coming from behind to overtake Netscape.

Another thing that has me rethinking the "demise of TMG" is Microsoft's all-in commitment to the cloud. There have been a number of security breaches this past year that have thrown concerns over cloud security into the limelight. If Microsoft hopes to be a serious contender for top cloud provider status, it's imperative that they demonstrate their commitment to security. And they already have the technology, in TMG, to do that.

Now, I don't have any inside information on this; if Tom knows anything, he's sworn to secrecy. So it's all speculation on my part, and maybe it's just wishful thinking during a season when wishes rule, but sometimes no news really is good news. And it wouldn't be unthinkable if all the outcry from those otherwise happy TMG customers (and potential customers who were considering deploying TMG) over the Gartner report caused Microsoft to take a second look at the decision (if there ever was a decision to begin with). So, at least while 'tis the season to be jolly (and optimistic), I'm going to dare to hope that we'll eventually find out that TMG is next year's comeback kid.

Happy holidays to all who celebrate.

See you next month (or should I say "next year"?) – Deb.
dshinder@isaserver.org


=======================
Quote of the Month - "A creative man is motivated by the desire to achieve, not by the desire to beat others." – Ayn Rand
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Reasons to upgrade from ISA Server to Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Reasons-Upgrade-ISA-Server-Forefront-Threat-Management-Gateway-TMG-2010.html

* How to configure Forefront TMG logging into a central Microsoft SQL Server database
http://www.isaserver.org/tutorials/How-configure-Forefront-TMG-logging-into-central-Microsoft-SQL-Server-database.html

* Product review: Fastvue Dashboard
http://www.isaserver.org/tutorials/Product-Review-Fastvue-Dashboard.html

* A Deeper Dive into the TMG Firewall Network Templates
http://www.isaserver.org/tutorials/Deeper-Dive-TMG-Firewall-Network-Templates.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

There's nothing more frustrating than to get a new feature configured and find that instead of adding great new functionality, you've broken something else. That's the situation encountered by some TMG admins who have configured TMG 2010 to support Kerberos authentication with NLB and then discovered that the Forefront TMG management console is no longer able to communicate with the members of the array.

In this scenario, you get an error message that says "Unable to retrieve data from [TMG servers]", and if you take a peek at the System event log, you'll see an error message there pertaining to the Kerberos client. What's up with that?

In this blog post, Richard Hicks explains why this happens and what you can do to fix it, and you'll likely smack yourself in the forehead over the simplicity of the resolution:
http://tmgblog.richardhicks.com/2011/12/13/unable-to-retrieve-data-from-array-member-fails-after-enabling-kerberos-authentication-with-nlb-on-forefront-tmg-2010/


5. Tip of the Month
--------------------------------------------------------------

The TMG firewall provides you with two methods for authenticating outbound web requests:

* Via a global configuration setting on the outbound web proxy listener
* On a firewall rule by rule basis

At the Web listener level, you can specify the authentication method, while at the firewall rule level you can specify the user or group that is allowed outbound access. When the TMG firewall receives the user's request, if authentication is required from the Network to which the user sent the request, the TMG firewall evaluates the firewall policy set to find a rule that is a match with the request. At that point, if the user's credentials are denied by the authentication repository (for example, Active Directory) the request is denied and no other rules will be evaluated.
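The evaluation order described above is easy to get wrong when writing rules, so here is a small model of it. This is an added illustration, not TMG code or any Microsoft API: the listener setting, the rule list, the user set on each rule and the directory of users and groups are all constructed stand-ins. The model assumes, as the tip states, that the first rule matching the request decides the outcome and that a credential failure against the repository ends evaluation immediately; it further assumes that an authenticated user who is simply not in a rule's user set does not match that rule and evaluation moves on to the next one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the authentication repository (e.g. Active Directory):
# user -> (password, set of group memberships). Not a real directory.
DIRECTORY = {
    "alice": ("alice-pw", {"Domain Users", "Marketing"}),
    "bob": ("bob-pw", {"Domain Users"}),
}


@dataclass
class Listener:
    # Global setting on the outbound web proxy listener: must every client authenticate?
    require_auth: bool


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    destinations: set             # host names the rule applies to; "*" matches any host
    groups: Optional[set] = None  # None means "All Users": no per-rule authentication


@dataclass
class Request:
    host: str
    username: Optional[str] = None
    password: Optional[str] = None


def authenticate(req):
    """Check the request's credentials against the directory.

    Returns the user's group set on success, or None when the repository rejects them."""
    if req.username is None:
        return None
    entry = DIRECTORY.get(req.username)
    if entry is None or entry[0] != req.password:
        return None
    return entry[1]


def evaluate(listener, rules, req):
    """Walk the policy top to bottom and return (decision, reason).

    The first rule that matches the request decides. If a rule needs the user's
    identity and the repository denies the credentials, the request is denied
    and no further rules are evaluated."""
    groups = None
    auth_attempted = False

    # Listener-level requirement: authenticate before any rule is considered.
    if listener.require_auth:
        groups = authenticate(req)
        auth_attempted = True
        if groups is None:
            return ("deny", "listener requires authentication; credentials rejected")

    for rule in rules:
        if "*" not in rule.destinations and req.host not in rule.destinations:
            continue  # destination does not match, try the next rule
        if rule.groups is not None:
            if not auth_attempted:
                groups = authenticate(req)
                auth_attempted = True
                if groups is None:
                    # Credentials denied by the repository: deny and stop here.
                    return ("deny", f"rule '{rule.name}': credentials rejected")
            if not (groups & rule.groups):
                continue  # authenticated, but not in this rule's user set
        return (rule.action, f"rule '{rule.name}' matched")

    return ("deny", "no rule matched (default rule)")


# Constructed sample policy, evaluated in order.
RULES = [
    Rule("Block social sites", "deny", {"social.example"}),
    Rule("Marketing web access", "allow", {"*"}, groups={"Marketing"}),
    Rule("General web access", "allow", {"www.example.com"}, groups={"Domain Users"}),
]

if __name__ == "__main__":
    listener = Listener(require_auth=False)
    for req in (Request("social.example", "alice", "alice-pw"),
                Request("news.example", "alice", "alice-pw"),
                Request("news.example", "bob", "bob-pw"),
                Request("news.example", "bob", "wrong-pw")):
        print(req.username, req.host, "->", evaluate(listener, RULES, req))
```

Note the two different outcomes for bob: with a valid password he is merely not matched by the Marketing rule and falls through to the default deny, whereas with a wrong password the first rule that needs his identity rejects him outright and the rules below it are never reached.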

To find out how to configure the authentication options in TMG, see my article:
http://www.isaserver.org/tutorials/Authenticating-Outbound-Web-Traffic-TMG-Firewall-Protected-Networks.html


6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------

*Forefront TMG/UAG: Useful Tools and Scripts*
We all pick up various software tools and useful scripts for deploying and managing TMG as we work with the product, but wouldn't it be nice to not have to go hunting for them in a hit-or-miss fashion – usually when you're in panic mode because you're trying to solve a problem? Well, Jason Jones has made it easier for you by compiling a list of the core tools he installs and the scripts that he runs whenever he implements TMG/UAG for a customer. Check it out here:
http://blog.msedge.org.uk/2011/12/forefront-tmguag-useful-tools-and.html

*McAfee on TMG: Not a good idea*
Running TMG and having problems after you installed McAfee on the TMG Server? If it includes the McAfee Host Intrusion Prevention product, which is their personal host firewall, be aware that Microsoft has warned that installing other firewall products on a TMG computer is not supported. They go so far as to say that trying to create this kind of "layered" firewall deployment on a single server can cause the server to fail.
https://kc.mcafee.com/corporate/index?page=content&id=KB70930&actp=LIST

*Win a copy of the TMG Administrator's Companion*
Time's running out but you can still get your name in the running for a free copy of the Microsoft Forefront Threat Management Gateway (TMG) Administrator's Companion by Jim Harrison, Yuri Diogenes, Mohit Saxena and my husband, Tom Shinder. Even better, it's signed so it's a true collector's item. The giveaway is courtesy of Richard Hicks, who deserves a big "thank you" for his ongoing participation in and support of the Forefront community. Check out his blog to find out how you can enter.
http://tmgblog.richardhicks.com/2011/12/06/win_a_signed_copy_of_forefront_tmg_2010_administrators_companion/


7. Blog Posts
--------------------------------------------------------------

* Forefront TMG: Antivirus Exclusions Process Path Correction
http://blog.msedge.org.uk/2011/12/forefront-tmg-antivirus-exclusions.html

* Forefront UAG: The DirectAccess NLB Helper Driver Cannot be Activated Error
http://blog.msedge.org.uk/2011/12/forefront-uag-directaccess-nlb-helper.html

* Default IP address selection on TMG Firewall
http://blogs.isaserver.org/shinder/2011/11/30/default-ip-address-selection-on-the-tmg-firewall/

* How to generate alternative Subject Alternative Names (SAN) Certificates
http://blogs.isaserver.org/shinder/2011/11/30/how-to-generate-subject-alternative-names-san-certificates/

* RPC port number issues may affect TMG firewalls and UAG servers
http://blogs.isaserver.org/shinder/2011/11/30/rpc-port-number-issues-may-affect-tmg-firewalls-and-uag-servers/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hey, Deb. I love the idea of SSL tunneling and I was excited when Microsoft came up with SSTP as an option for VPNs. But here's my problem. I keep trying to configure it on my UAG server, and I'm getting error messages all over the place. What am I doing wrong? – Larry K.

ANSWER:

I hate it when I try to deploy a technology that I'm particularly excited about, and can't seem to make it work. It's especially frustrating when you're deluged with different error events and messages and have to try to pick through them all to figure out exactly what the problem is, let alone how to fix it. But you're in luck on this one because Ben Ari just recently encountered the same situation – activation was failing when attempting to enable SSTP on UAG. He worked through it and figured out that it was actually related to the IPv6 stack being disabled on at least one of the network interfaces. He provides a step-by-step for resolving the problem here:
http://blogs.technet.com/b/ben/archive/2011/11/11/problems-with-uag-activation-after-enabling-sstp.aspx

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright (c) ISAserver.org 2011. All rights reserved.
