
Wednesday, July 31, 2013

ISAserver.org - Monthly Newsletter - July 2013


Hi Security World,

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Firewalls in Hybrid IT
-----------------------------------------------------------

If you had a chance to go to TechEd this year, or watch the recorded sessions online, you probably noticed that it was a very "cloudy" event. While this was also the case to a large extent with TechEd last year, there was a discernible difference. The cloud talk has changed from discussions about private cloud and public cloud to one that is focused on hybrid cloud. Indeed, most of this year's sessions included at least a mention of hybrid cloud. It was clear that Microsoft sees the future of IT as a hybrid IT environment, where some of your computing assets will be on-premises and some of them will be located in a public cloud service provider's network.

I agree with Microsoft that this movement toward hybrid IT is inevitable. While some small and midsized organizations might be able to move all of their IT infrastructure to a public cloud infrastructure services provider or a SaaS provider, enterprise IT organizations are likely going to need to keep much of their data and computing resources on-premises. However, enterprise IT will actively seek out opportunities to save money and increase agility by adopting public cloud service provider offerings.

But what about network security? Especially when considering the use of a public cloud infrastructure service provider's IaaS offering, you need to consider the security implications of connecting your network to the public cloud infrastructure service provider's network. Before you connect your network to the public cloud network, there are some things you need to think about and questions you need to answer, which include the following:

- Are you going to allow all traffic from the on-premises network to the IaaS network, or are you going to limit which resources and protocols can be used to connect to the IaaS network?
- Are you going to allow all traffic from the public cloud infrastructure service provider's network to your on-premises network? If not, which compute resources and protocols will you allow access to your on-premises network?
- How are you going to handle name resolution? Do you plan to use DNS services provided by your IaaS provider, or DNS services on the corporate network that you will extend to the public cloud service provider's network?

Of course, these are only a few of the many questions that you need to ask, but the key takeaway here is that you will need to consider some type of network access control between the on-premises network and the public cloud infrastructure service provider's network. That means you'll likely want to configure your firewall on your on-premises network, whether it's a TMG firewall or a replacement, to make sure that only the traffic you want is able to move to and from the public cloud infrastructure service provider's network.

There are a number of other firewall, access control and networking issues that you need to consider when designing a hybrid IT environment, as well. If you'd like to know more about the subject, check out the Hybrid IT Infrastructure Design Considerations Guide for Enterprise IT <http://social.technet.microsoft.com/wiki/contents/articles/18120.hybrid-it-infrastructure-design-considerations-for-enterprise-it.aspx>, over on the TechNet Wiki, which was written by none other than my husband, Tom Shinder.

See you next month! - Deb.

dshinder@isaserver.org

=======================
Quote of the Month - We are not even close to finishing the basic dream of what the PC can be. - Bill Gates
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you, ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged thousands of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

Understanding TMG Logging (Part 4)
http://www.isaserver.org/articles-tutorials/general/understanding-tmg-logging-part4.html

Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 2)
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html

Understanding TMG Logging (Part 3)
http://www.isaserver.org/articles-tutorials/general/understanding-tmg-logging-part3.html

Monitoring and Blocking Network Access Based on Geographic Location using Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/articles-tutorials/configuration-security/monitoring-blocking-network-access-based-geographic-location-using-forefront-threat-management-gateway-tmg-2010.html

Understanding TMG Logging (Part 2)
http://www.isaserver.org/articles-tutorials/general/understanding-tmg-logging-part2.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

DirectAccess is one of the sterling remote access technologies that you get with Windows Server 2008 R2 and Windows Server 2012. With DirectAccess, users don't have to start a VPN client to get access to the corporate network. All they need to do is start the computer; they don't even need to log on. Similarly, corporate IT can access all the DirectAccess clients so that they can be managed and serviced without having to wait for the user to come to the corporate network or connect via VPN. However, if you have a TMG firewall at the edge of your network, there are going to be some things you'll need to consider when deploying DirectAccess. Marc Grote discusses these issues in his article titled Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 2).
<http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part2.html>


5. Tip of the Month
--------------------------------------------------------------

High availability for your TMG firewall is job one. If your firewall is down, then your users are going to be out of commission until you get things fixed. We know that you can ensure HA by using NLB and putting together a network load balanced array of TMG firewalls. But did you know that you can also have high availability for your Internet connectivity too? You bet! The TMG firewall supports multiple ISP connections, so that if one of the connections goes down, you're still up and running. Check out the article Keeping High Availability with Forefront TMG's ISP Redundancy Feature for the details:
http://blogs.technet.com/b/isablog/archive/2009/02/16/keeping-high-availability-with-forefront-tmg-s-isp-redundancy-feature.aspx


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

I've always found the TMG firewall to be very stable. Rarely has the firewall service gone down, and I can't think of a time when it has failed on several consecutive occasions. But different deployment configurations may be more or less stable. If you've had the unfortunate experience of having the TMG firewall service fail on you more than three times, you might have noticed that it doesn't restart the service a fourth time, in spite of the fact that if you look at the Recovery tab for the service it says that it should keep on restarting. What's up with that? To find out about this phenomenon, check out the TMG Firewall Team's blog post at http://blogs.technet.com/b/isablog/archive/2013/06/10/tmg-service-recovery-actions.aspx


7. Blog Posts
--------------------------------------------------------------

Is this what tomorrow's firewall logs will look like?
http://www.isaserver.org/blogs/shinder/what-tomorrows-firewall-logs-will-look.html

The Future of the Firewall
http://www.isaserver.org/blogs/shinder/future-firewall.html

U.S. Military moving away from firewalls
http://www.isaserver.org/blogs/shinder/us-military-moving-away-firewalls.html

GFI WebMonitor puts your TMG firewall into overdrive
http://www.isaserver.org/blogs/shinder/gfi-webmonitor-puts-your-tmg-firewall-overdrive.html

Tune up your TMG firewall with the TMG Firewall Toolkit
http://www.isaserver.org/blogs/shinder/tune-your-tmg-firewall-tmg-firewall-toolkit.html

Using IIS ARR as a TMG Replacement with Lync 2013
http://www.isaserver.org/blogs/shinder/using-iis-arr-tmg-replacement-lync-2013.html

TMG Firewalls can let you know if cyberslacers are costing you money
http://www.isaserver.org/blogs/shinder/isa-central/tmg-firewalls-can-let-you-know-if-cyberslacers-are-costing-you-money.html

Polls now open for voting for your favorite TMG Firewall Appliance
http://www.isaserver.org/blogs/shinder/polls-now-open-voting-your-favorite-tmg-firewall-appliance.html

Monitoring and Blocking Geographical Regions using the TMG Firewall
http://www.isaserver.org/blogs/shinder/monitoring-and-blocking-geographical-regions-using-tmg-firewall.html

TMG Logging Basics
http://www.isaserver.org/blogs/shinder/tmg-logging-basics.html


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hello Deb,

I have a number of VPN clients behind my TMG firewall and recently started having problems with them. They used to be able to connect to external PPTP VPN servers, but recently they stopped being able to connect. I have no idea why this is happening! Can you throw me a clue stick? Thanks! - Ronald P.

ANSWER:

Hi, Ron.

This isn't something that I've seen very often. However, there is one situation that I once saw that is related to setting up a site-to-site VPN connection using IPsec tunnel mode. If the TMG firewall is configured to connect to another VPN gateway using IPsec tunnel mode, you might find that PPTP VPN clients will no longer be able to connect to external VPN servers. If you recently configured the TMG firewall to establish a site-to-site VPN connection using IPsec tunnel mode, then you'll need to install Rollup 3 for TMG Service Pack 2. For more details, check out http://support.microsoft.com/kb/2780562

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.



ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@ISAserver.org
Copyright ISAserver.org 2013. All rights reserved.
