ISAserver.org Monthly Newsletter of March 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201202.lockoutguard>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org
1. TMG Firewalls Keep the Bits Flowing
--------------------------------------------------------------
Anyone who works in IT knows that if the Internet is down, many workers just give it up for the day. Unfortunately, we don't see many cases where people say "Oh, the Internet is down, let me see what I can do without it". In many of today's information-driven occupations, connectivity is everything, so you need to make sure that you do not have a single point of failure that will bring productivity to an abrupt halt.
With ISA firewalls, the Internet connection was that single point of failure. Sure, you can deploy an enterprise array and have multiple ISA firewalls that use NLB, so that if one of the servers goes down, you can still connect to the Internet, but if the Internet connection that the array uses should fail, then you are out of luck.
The TMG firewall fixed this problem. TMG has a feature officially called ISP Redundancy and commonly called multi-ISP support, although "dual ISP support" would be the more accurate name: "multi" implies more than two, and TMG supports exactly two ISP links. Still, two ISPs are a lot better than one and will be enough for most of us. The feature lets you use your two Internet connections in one of two modes: load balancing with failover, or failover only.
In load-balancing mode, the TMG firewall uses both Internet connections and spreads new outbound connections between the two ISPs according to the weighting you assign to each link. If one link fails, all new connections are routed through the remaining ISP; when the failed link comes back online, TMG starts routing connections through it again.
In failover-only mode, TMG uses one Internet connection at a time. If the preferred link fails, the TMG firewall fails over to the secondary ISP, and when the preferred ISP comes back online it fails back to it. This mode is the right choice when you want fault tolerance for the connection but are billed per MB or GB and do not want to pay bandwidth charges on both ISPs at once.
There are some other things you can do with the multi-ISP feature. If connections to a particular server should always leave through one specific ISP, you can create a policy for that. For example, if your mail server should always forward SMTP through one ISP, mail will always go out through that link. The caveat is that such pinned traffic does not fail over: if that ISP goes down, those connections fail until the link comes back.
Another scenario in which you might want this is DNS forwarding. Suppose you use two DNS forwarders, one at ISP1 and the other at ISP2. You then want connections to the ISP1 forwarder to always leave through the ISP1 link and connections to the ISP2 forwarder to always leave through the ISP2 link, because most ISPs accept recursive DNS queries only from addresses on their own networks. They do this so that their resolvers are not open resolvers that botnets anywhere on the Internet can abuse in DNS reflection and amplification attacks.
One more thing to keep in mind: if you use the new Enhanced NAT feature to control which address on the TMG firewall's external interface an outbound connection shows as its source IP address, that traffic will not fail over to the secondary ISP either, because the chosen source address belongs to one ISP's link and only that link can carry it.
You can connect to your two ISPs with two separate NICs, one per ISP, or you can bind addresses for both ISPs to a single NIC. I suspect the single-NIC scenario will be more common, since most organizations connect through CPE (Customer Premises Equipment) provided by their ISPs and therefore NAT the TMG firewall's outbound connections at that equipment.
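The link-selection rules described above, as an added example in Python that is not part of the original newsletter and not TMG code. It models two constructed links weighted 70/30, the two pinned DNS-forwarder destinations and an Enhanced NAT source address; the flow hash used to spread connections in load-balancing mode is a modelling assumption, not TMG's algorithm. Running it shows both failure modes the text warns about: a pinned destination or a pinned source address turns that ISP's link into a single point of failure for that traffic.

```python
# Added example, not TMG code: a model of dual-ISP link selection as described in the
# newsletter (failover-only vs. weighted load balancing, and pinned traffic that never
# fails over). All names, addresses and weights below are constructed for the example.
from dataclasses import dataclass, field
from hashlib import sha256
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Link:
    """One ISP connection: gateway, load-balancing weight, health flag, bound addresses."""
    name: str
    gateway: str
    weight: int                                   # share of new connections when load balancing
    up: bool = True                               # outcome of the link health check
    external_ips: Set[str] = field(default_factory=set)   # source addresses bound to this link


@dataclass
class Policy:
    mode: str                                     # "failover" or "loadbalance"
    links: List[Link]                             # links[0] is the preferred link in failover mode
    dedicated: Dict[str, str] = field(default_factory=dict)   # destination network -> link name

    def link(self, name: str) -> Link:
        return next(l for l in self.links if l.name == name)

    def select(self, src: str, dst: str, nat_source: Optional[str] = None) -> Optional[Link]:
        """Return the link a new connection src -> dst leaves on, or None if it cannot leave."""
        # 1. A destination pinned to one ISP (mail relay, that ISP's DNS forwarder) must use
        #    that ISP's link; when the link is down the connection simply fails.
        for net, name in self.dedicated.items():
            if ip_address(dst) in ip_network(net):
                link = self.link(name)
                return link if link.up else None
        # 2. An Enhanced NAT source address belongs to exactly one ISP's link, so a rule that
        #    pins the source address also pins the link and cannot fail over.
        if nat_source is not None:
            owner = next((l for l in self.links if nat_source in l.external_ips), None)
            return owner if owner is not None and owner.up else None
        healthy = [l for l in self.links if l.up]
        if not healthy:
            return None
        # 3. Failover-only: the first healthy link in preference order. Failback needs no
        #    extra logic: as soon as the preferred link is healthy again it is chosen.
        if self.mode == "failover" or len(healthy) == 1:
            return healthy[0]
        # 4. Load balancing: spread new connections over the healthy links in proportion to
        #    their weights. Hashing the flow keeps this model deterministic (an assumption).
        total = sum(l.weight for l in healthy)
        bucket = int(sha256(f"{src}>{dst}".encode()).hexdigest(), 16) % total
        for l in healthy:
            if bucket < l.weight:
                return l
            bucket -= l.weight
        return healthy[-1]  # not reached: bucket is always below the cumulative weight


def build_policy(mode: str) -> Policy:
    """Constructed two-ISP setup: ISP1 preferred and weighted 70/30 against ISP2."""
    isp1 = Link("ISP1", "203.0.113.1", weight=70, external_ips={"203.0.113.10"})
    isp2 = Link("ISP2", "198.51.100.1", weight=30, external_ips={"198.51.100.10"})
    return Policy(mode, [isp1, isp2], dedicated={
        "203.0.113.53/32": "ISP1",   # ISP1's DNS forwarder: accepts queries only via ISP1
        "198.51.100.53/32": "ISP2",  # ISP2's DNS forwarder: accepts queries only via ISP2
    })


def distribution(policy: Policy, flows: int = 1000) -> Dict[str, int]:
    """Count where `flows` constructed outbound connections to 192.0.2.0/24 end up."""
    counts = {l.name: 0 for l in policy.links}
    counts["failed"] = 0
    for i in range(flows):
        src = f"10.0.{i // 256}.{i % 256}"
        dst = f"192.0.2.{i % 254 + 1}"
        link = policy.select(src, dst)
        counts[link.name if link else "failed"] += 1
    return counts


if __name__ == "__main__":
    policy = build_policy("loadbalance")
    print("both links up:", distribution(policy))
    policy.link("ISP2").up = False
    print("ISP2 down:", distribution(policy))
    print("ISP2 forwarder while ISP2 is down:", policy.select("10.0.0.5", "198.51.100.53"))
```

With both links up roughly 70% of the general flows land on ISP1; with ISP2 down every general flow moves to ISP1, but the query to ISP2's forwarder returns None, which is the "wait for it to come back" case from the text. The same happens for a flow whose Enhanced NAT source address sits on a link that is down.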
See you next month! – Deb.
dshinder@isaserver.org
=======================
Quote of the Month - Everything in the universe has a purpose. Indeed, the invisible intelligence that flows through everything in a purposeful fashion is also flowing through you. - Wayne Dyer
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* Troubleshooting TMG SecureNAT Clients (Part 1)
http://www.isaserver.org/tutorials/Troubleshooting-TMG-SecureNAT-Clients-Part1.html
* Publishing Microsoft SharePoint 2010 with Forefront TMG and different authentication options (Part 2)
http://www.isaserver.org/tutorials/Publishing-Microsoft-SharePoint-2010-Forefront-TMG-different-authentication-options-Part2.html
* Celestix MSA Threat Management Gateway Series Voted ISAserver.org Readers' Choice Award Winner - Hardware Appliances
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Hardware-Appliances-Celestix-MSA-Threat-Management-Gateway-Series-Jan12.html
* Roles TMG Plays
http://www.isaserver.org/tutorials/Roles-TMG-Plays.html
* Forefront Threat Management Gateway (TMG) 2010 Web Proxy Client Redundancy Deep Dive (Part 1) - DNS Configuration
http://www.isaserver.org/tutorials/Forefront-Threat-Management-Gateway-TMG-2010-Web-Proxy-Client-Redundancy-Deep-Dive-Part1.html
* TMG Firewall Flood Mitigation (Part 1)
http://www.isaserver.org/tutorials/TMG-Firewall-Flood-Mitigation-Part1.html
* Publishing Microsoft SharePoint 2010 with Forefront TMG and different authentication options (Part 1)
http://www.isaserver.org/tutorials/Publishing-Microsoft-SharePoint-2010-Forefront-TMG-different-authentication-options-Part1.html
* How to Publish an RDP Server on an Alternate Port using the TMG Firewall
http://www.isaserver.org/tutorials/How-Publish-RDP-Server-Alternate-Port-using-TMG-Firewall.html
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
Once upon a time, Tom and I believed it wasn't a good idea to virtualize ISA or TMG firewalls. That time was a long time ago, before virtualization technology matured into the robust and reliable platform that it has become today. Almost every TMG firewall I install now lives happily in a virtual environment. However, just because I install TMG in VMs all the time doesn't mean that I do everything the same way I do when I install the firewall on a physical computer. What do I do differently? I take Jim Harrison's advice on virtualizing TMG. You can hear that advice first hand in this video over at TechNet Edge:
http://technet.microsoft.com/en-us/edge/video/virtualize-your-isa-or-forefront-tmg-servers
5. Tip of the Month
--------------------------------------------------------------
Faster is almost always better, at least when it comes to connectivity. You can speed up your TMG firewall's performance by changing its NetBIOS node type so that it stops relying on broadcasts for name resolution (P-node, which queries WINS only and never broadcasts, is the non-broadcast type). There are two advantages to this: first, name lookup failures return faster because the firewall no longer waits for broadcasts to time out; second, the firewall no longer wastes time logging NetBIOS broadcasts from itself. For more information, check out:
http://www.tech-archive.net/Archive/ISA/microsoft.public.isa.configuration/2007-02/msg00007.html
6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------
URL filtering is one of the outstanding features in TMG 2010, helping you protect your network and reduce legal liability for your organization by giving you control over the web sites that users can access. As with any software feature, however, sometimes things can go wrong. Issues related to URL filtering can include slow access, incorrect site categorizations, or users being able to reach sites that are supposed to be blocked. This great article over on the TechNet Wiki helps you troubleshoot these and other URL filtering-related problems.
7. Blog Posts
--------------------------------------------------------------
* ESET Security Gateway Inspects HTTP FTP SMTP IMAP POP3
http://blogs.isaserver.org/shinder/2012/02/29/eset-security-gateway-inspects-http-ftp-smtp-imap-pop3/
* Use SQL Management Studio to Query TMG Firewall Logs
http://blogs.isaserver.org/shinder/2012/02/29/use-sql-management-studio-to-query-tmg-firewall-logs/
* Ben Ari on the Differences Between TMG and UAG
http://blogs.isaserver.org/shinder/2012/02/29/ben-ari-on-the-differences-between-tmg-and-uag/
* TMG Service Pack 2 Setup Fails Due to ADAM Issue
http://blogs.isaserver.org/shinder/2012/02/29/tmg-service-pack-2-setup-fails-due-to-adam-issue/
* Cannot Assign Port 2171 Error Causes TMG Installation Fail
http://blogs.isaserver.org/shinder/2012/02/29/cannot-assign-port-2171-error-causes-tmg-installation-fail/
* Dumping On UAG Dump Files
http://blogs.isaserver.org/shinder/2012/02/29/dumping-on-uag-dump-files/
* Five Reasons you Should Consider DirectAccess
http://blogs.isaserver.org/shinder/2012/02/28/five-reasons-you-should-consider-directaccess/
* Forefront Threat Management Gateway 2010 Web Proxy Client Redundancy Deep Dive - DNS Configuration
http://blogs.isaserver.org/shinder/2012/02/28/forefront-threat-management-gateway-2010-web-proxy-client-redundancy-deep-dive-dns-configuration/
* Log Firewall Client URL Requests in TMG Firewall Logs
http://blogs.isaserver.org/shinder/2012/02/28/log-firewall-client-url-requests-in-tmg-firewall-logs/
* How to configure an L2TP/IPsec server behind a NAT-T device in Modern Windows Clients
http://blogs.isaserver.org/shinder/2012/02/28/how-to-configure-an-l2tpipsec-server-behind-a-nat-t-device-in-modern-windows-clients/
8. Ask Sgt Deb
--------------------------------------------------------------
QUESTION:
Hi Deb,
I'm thinking about putting a TMG firewall in each of my branch offices. Since that will be introducing Windows Server 2008 R2 into each office, I'm wondering if I can make the TMG firewall a BranchCache server as well. Thanks! –Ricard.
ANSWER:
Hi Ricard,
Yes, you can make the TMG firewall a BranchCache server, and it is a great way to improve performance for both web access and file share access. For Internet web content, the TMG firewall's web proxy cache serves repeat requests; for intranet web content and file shares, the BranchCache server does. Remember that the client systems need to be running Windows 7. For more information, check out http://technet.microsoft.com/en-us/library/ff685650.aspx
Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2012. All rights reserved.