Wednesday, January 30, 2013

ISAserver.org Monthly Newsletter - January 2013

-------------------------------------------------------
ISAserver.org Monthly Newsletter - January 2013
Sponsored by: Fastvue
<http://go.fastvue.co/?id=15>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Random Tips and Tricks
-----------------------------------------------------------

Recently, most of our editorial feature articles have been commentary, analysis and/or opinion pieces pertaining to ISA, TMG and Forefront products. This month I thought I'd share with you some random tips and tricks that will help you get the most out of your TMG firewall.

TMG source IP address tip

The first one has to do with how the TMG firewall decides which IP address to use for the source address for outgoing communications. With the ISA firewall, it was always the primary IP address on the external interface of the firewall. However, that all changed with the introduction of Windows Server 2008. Windows Server 2008 uses a method that was described in RFC 3484 to determine which source IP address to use for outgoing communications. However, if you don't want to use that (because it can cause unpredictable results), then you can use a netsh command to fix it.

The relevant commands are:

Server 2008:
Netsh int ipv4 add address skipassource=true

Server 2008 R2:

Netsh int ipv4 add address skipassource=true

Cache-control header tip

One of the most popular features in the TMG firewall is web caching. We use it all the time and it really does speed things up. But what if there's a web site that you want cached but it doesn't seem to cache? Is TMG not working properly?

It may not be TMG's fault. What you need to do is get yourself a copy of HTTPWatch (www.httpwatch.com) and then look for the "cache-control" header. If the cache-control header contains the value "no-cache" or "private, max-age=0" then you'll know that the problem is with the web server, not with the TMG firewall.

Tip for moving from the eval version of TMG

While it's a little late in the game to start evaluating the TMG firewall, according to my email there are still a few people out there who are interested in using the TMG firewall before it goes out of business and want to know how to move from the evaluation version of the TMG firewall to a full version. Try this out:

1. Export your server configuration (Make sure to include the confidential information as well as the user permission settings).
2. Uninstall the TMG product from the server by going into Programs and Features, highlighting Microsoft Forefront Threat Management Gateway, and choosing Uninstall.
3. Install Threat Management Gateway utilizing the RTM bits you have purchased.
4. Import your configuration you saved from step 1 above.

Creating a private SAN certificate

A large number of TMG firewalls are configured as reverse proxy servers and many of those are configured to accept incoming SSL connections. Furthermore, many of these secure web publishing scenarios need to take advantage of SAN certificates so that a single certificate can support multiple site names. But how do you create a private SAN certificate?

Well, you can use PowerShell, but who wants to memorize yet another PowerShell command that you're only going to use once? Better to use the user interface! Here's a great article that shows you an easy way to create a SAN certificate - http://blogs.technet.com/b/isablog/archive/2011/10/09/how-to-generate-a-certificate-with-subject-alternative-names-san.aspx

Large file limitations

One of my favorite features of the TMG firewall is its web anti-malware capability. It's nice to be able to let the TMG firewall do the heavy lifting when it comes to scanning for malware. But sometimes I run into a problem when I want to download very large files. The problem is that they seem to get stuck! What's up with that?

The cause is that there is a quota set on how large files can be when being inspected. If they're too big, they are not inspected and you'll see an error that says "The disk space allowed for malware inspection is currently full". ACK!

The default settings:

Disk storage threshold: Specifies the amount of memory used, in kilobytes, at which temporary storage will switch to disk. Its default value is 64 kilobytes, and its range of permissible values is from 4 through 256.

Maximum total storage size: Specifies the maximum total disk space, in gigabytes, that may be used for temporary storage. Its default value is 40 gigabytes, and its smallest permissible value is 4.

Client storage limit: Specifies the maximum disk space, in megabytes, that may be allocated for temporary storage for a single client. Its default value is 50 megabytes, and its smallest permissible value is 0.

Extended client storage limit: Specifies the maximum disk space, in megabytes, that may be allocated for temporary storage for a single client that has been granted the extended disk space storage limit. Its default value is 1024 megabytes, and its smallest permissible value is 0.

Extended limit pool size: Specifies the maximum number of clients that may be granted the extended disk space storage limit concurrently. Its default value is 20 clients, and its smallest permissible value is 0.

You can modify these settings by running a script that is supplied at http://technet.microsoft.com/en-us/library/cc995049.aspx Run the script on the TMG firewall itself or from a management station.

That's all for this month! Let me know if you have some favorite tips and tricks that you use on your TMG firewall and I'll share them with everyone in next month's newsletter.

See you next month! – Deb.

dshinder@isaserver.org

=======================
Quote of the Month - The future masters of technology will have to be light-hearted and intelligent. The machine easily masters the grim and the dumb. – Marshall McLuhan
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

- Microsoft Forefront UAG - Configuring Forefront UAG as a DirectAccess Server (Part 3)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Configuring-Forefront-UAG-DirectAccess-Server-Part3.html

- Chaperon for ISA 2004/06 Voted ISAserver.org Readers' Choice Award Winner - Content Security
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Content-Security-Chaperon-for-ISA-200406-Nov12.html

- Considerations for Replacing your TMG Firewall (Part 2)
http://www.isaserver.org/tutorials/Considerations-Replacing-TMG-Firewall-Part2.html

- Troubleshooting Reporting Issues with Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Troubleshooting-Reporting-Issues-Forefront-Threat-Management-Gateway-TMG-2010.html

- Considerations for Replacing your TMG Firewall (Part 1)
http://www.isaserver.org/tutorials/Considerations-Replacing-TMG-Firewall-Part1.html

- Microsoft Forefront UAG - Configuring Forefront UAG as a DirectAccess Server (Part 2)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Configuring-Forefront-UAG-DirectAccess-Server-Part2.html

- Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 10)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part10.html

- Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 2)
http://www.isaserver.org/tutorials/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Most of us think that the TMG firewall, like its predecessor the ISA firewall, is the Swiss army knife of firewalls. That's because it can act in so many different roles. But I bet there's one role that you never thought the TMG firewall could perform – that of a BranchCache server. That's right; the TMG firewall can host the BranchCache server role in your branch offices. This is a real boon, because it saves you from having to install another server. For information on how to do this, check out the article Interoperability with BranchCache Solution Guide. <http://technet.microsoft.com/en-us/library/ee658159.aspx>


5. Tip of the Month
--------------------------------------------------------------

Extra! Extra! Read all about it! Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 is now available. This new rollup has a ton of new fixes that you'll definitely want to get installed. Head on over to http://support.microsoft.com/kb/2498770 and download it and install it. You'll be glad you did.


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

A nice feature included with the TMG firewall is its change tracking capability. In his article Forefront TMG 2010 Configuration Change Tracking Quick Tip, Richard Hicks shares with you a nice tip on how to use this feature. <http://tmgblog.richardhicks.com/2012/12/05/forefront-tmg-2010-configuration-change-tracking-description-quick-tip/>

7. Blog Posts
--------------------------------------------------------------

- External Load Balancers May Break NAT64 Access for DirectAccess Clients
http://blogs.isaserver.org/shinder/2012/12/29/external-load-balancers-may-break-nat64-access-for-directaccess-clients/

- Windows Server 2012 Unified Remote Access Planning and Deployment
http://blogs.isaserver.org/shinder/2012/12/27/windows-server-2012-unified-remote-access-planning-and-deployment/

- Windows Server 2012 Unified Remote Access Book Now Available
http://blogs.isaserver.org/shinder/2012/12/27/windows-server-2012-unified-remote-access-book-now-available/

- UAG Service Pack 3 Coming Soon
http://blogs.isaserver.org/shinder/2012/12/20/uag-service-pack-3-coming-soon/

- Troubleshooting Reporting Issues in the TMG Firewall
http://blogs.isaserver.org/shinder/2012/12/19/troubleshooting-reporting-issues-in-the-tmg-firewall/

- Delegating Credentials from the TMG Firewall by Sending only Username
http://blogs.isaserver.org/shinder/2012/12/12/delegating-credentials-from-the-tmg-firewall-by-sending-only-username/

- TMG Futures
http://blogs.isaserver.org/shinder/2012/12/12/tmg-futures/

- UAG DirectAccess Gateway Crashes with Code 0xD1
http://blogs.isaserver.org/shinder/2012/12/10/uag-directaccess-gateway-crashes-with-code-0xd1/

- Breathing Life into the PPTP VPN Protocol
http://blogs.isaserver.org/shinder/2012/12/10/breathing-life-into-the-pptp-vpn-protocol/

- What To Do When Windows Server 2012 DirectAccess Stops Working
http://blogs.isaserver.org/shinder/2012/12/07/what-to-do-when-windows-server-2012-directaccess-stops-working/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hello Deb,

I've read through your articles and I believe I've stumbled into a Catch-22.

So that BYOD devices incapable of secure proxy will function, I've established anonymous paths through TMG (all users). I turned on SafeSearch for All Users but added user group exceptions. The anonymous user fails because there is no userid. The anonymous user works fine if the exceptions are eliminated.

Can you shed any light on this or direct me to forum/blog entries that might help.

Thanks! –Jeremy.


ANSWER:

Hi Jeremy,

That's correct. If you create a rule that requires authentication, which happens when you create a group based exception, then all users who do not authenticate are considered to be failing authentication. To solve this problem, you could create a dedicated network for the untrusted devices and create a rule that applies to devices on the untrusted network. That way, you can have a rule that applies to the trusted devices, which applies only to those connections from the corporate network and one rule that applies to devices that are located on the untrusted network. In this way, the rules won't step on each other.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2012. All rights reserved.

No comments:

Post a Comment