Wednesday, February 25, 2009

ISAserver.org - February 2009 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of February 2009
Sponsored by: Wavecrest Computing
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP.
Each month we will bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. Forefront TMG Beta 2 Released to the Public
--------------------------------------------------------------

You have been waiting for it, and now you got it! The Beta 2 version of the Forefront TMG firewall is now available to the public. This is indeed good news to all ISA firewall fans. If you had a chance to check out the Beta 1 of the TMG firewall, or had a look at the TMG Medium Business Edition of the TMG firewall, you might have been a little disappointed, because those versions looked a lot more like ISA 2006 R2 than a new version of the firewall.

Nope, the Beta 2 is not an R2 of the ISA 2006 firewall. It is a completely new rewrite, and a major rewrite it is. The first thing you will notice is that the TMG Beta 2 firewall installs only on 64-bit Windows Server 2008. This is no small change. By running on 64-bit systems, the TMG firewall will be able to take advantage of the enormous ability to scale the hardware to support the most demanding environments you can imagine. Just imagine it: an array of TMG firewalls with 8-way processors and 32 GB of memory each, equipped with 10 Gbps NICs, all at commodity prices. Compare the performance you will get from that configuration with the weakling configurations, at significantly higher prices and with lower security, that you get from "hardware" firewalls.

What about new features? What do we have in the new TMG Beta 2 firewall that we did not have with ISA 2006 or even TMG Beta 1 and TMG MBE?

While not an exhaustive list of new features, here are some things you can look forward to when you start kicking the tires on the TMG Beta 2 firewall:

* Support for multiple ISPs. You can now use two ISPs with the TMG Beta 2 firewall. You can load balance the ISPs, or configure them for failover and failback

* Network Inspection System (NIS) which is a true IPS based on Microsoft security bulletins. This feature leverages the Generic Application Protocol Analyzer (GAPA). You can find out more about GAPA here <http://research.microsoft.com/en-us/um/people/jdunagan/gapa-ndss-2007.pdf>.

* Enhanced malware detection for Web downloads. ISA firewall admins have been frustrated for years by the requirement to use third-party applications to plug in Web anti-malware detection. Now it's built right into the TMG Beta 2 firewall

* Integrated Mail Protection using Exchange Edge and Forefront Security for Exchange. The TMG Beta 2 firewall now can be used for your inbound and outbound SMTP relay and perform strong e-mail hygiene protection against spam and malware. TMG simplifies the configuration with built in wizards to get you up and running

* Enhanced NAT. For years we have been dealing with complications of not being able to control the source IP address for outbound connections through the ISA firewall. With TMG Beta 2, you will be able to bind a specific IP address on the external interface of the firewall, instead of being forced to use the default IP address on the external interface

* Support for stand-alone arrays and simplified array management. Do not want to set up an enterprise configuration to support a single array at your site? You just want to set up a couple of TMG firewalls in a simple array? Well, you got it! Standalone arrays allow you to stand up an array without having to deal with the full court press of a CSS. And it is as easy as a click of a button to get the arrays working. You will like what you see here in terms of ease of deployment

* What about the SSL security hole? You know, the one that your users use to hide what they are downloading from the firewall? TMG Beta 2 firewalls close the SSL security hole. That's right. The days when your users download copyrighted materials and malware over a secured SSL connection are over. Now the TMG firewall will be able to inspect the SSL sessions and block malware and undesirable material from entering your network.

* How about SIP? You know the problems we have had with getting SIP VoIP gateways to work from behind the ISA firewall. Those days are over with the new TMG Beta 2. Make sure to check out the new SIP wizards included in the Beta 2.

In addition to these new capabilities are improvements in the user interface. The Forefront TMG firewall team spent a ton of time updating the user interface, making it more intuitive and even easier to use than ever before. There have also been enhancements to logging and reporting that I am sure you will enjoy.

And that's not all. Even though we are at Beta 2 now, there are still more features that will be included in the RTM that are not included in the Beta 2. So, enjoy what you have now, but rest assured that the TMG firewall team is not done yet - they have got a few more goodies in store for you that will appear in subsequent builds. Unfortunately, I can't tell you about these yet, but once I get the green light, I will let you know what they are.

Before I end, I wanted to thank everyone for writing in about last month's newsletter editorial on the importance of a name. About 80% said that it was important to refer to the TMG firewall as a firewall, so that it gets the respect as an enterprise network firewall that it deserves. About 20% of you said that calling the TMG firewall a firewall was actually dumbing down the TMG's ability to protect the network, and that the TMG should be referred to as a security gateway, instead of a firewall, because of the limited amount of security that traditional "hardware" firewalls can provide compared to a TMG security gateway.

Bottom line, no matter what you call it, the TMG is a major leap forward for protecting our networks!

Tom
tshinder@isaserver.org

For ISA and TMG and other Forefront Consulting Services in the USA, call me at
Prowess Consulting <http://www.prowessconsulting.com>
206-443-1117

=======================
Quote of the Month - "It is not advisable, James, to venture unsolicited opinions. You should spare yourself the embarrassing discovery of their exact value to your listener." - Ayn Rand (Atlas Shrugged)
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you, ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

We have a great group of articles in the Learning Zone that will help you get a
handle on your most difficult configuration issues. Here are just a few of the
newer and more interesting articles:

* Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)
<http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part1.html>

* GFI WebMonitor Voted ISAserver.org Readers' Choice Award Winner - Content Security
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Content-Security-GFI-WebMonitor-Nov08.html>

* Explaining the Microsoft Forefront TMG Firewall Lockdown Mode
<http://www.isaserver.org/tutorials/Explaining-Microsoft-Forefront-TMG-Firewall-Lockdown-Mode.html>

* Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)
<http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part2.html>

* Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3)
<http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part3.html>

* How to use the ISA Server 2006 Network Templates
<http://www.isaserver.org/tutorials/ISA-Server-2006-Network-Templates.html>

* Enabling Secure FTP Access Through ISA 2006 Firewalls (Part 1)
<http://www.isaserver.org/tutorials/Enabling-Secure-FTP-Access-Through-ISA-2006-Firewalls-Part1.html>

* Enabling Secure FTP Access Through ISA 2006 Firewalls (Part 2)
<http://www.isaserver.org/tutorials/Enabling-Secure-FTP-Access-Through-ISA-2006-Firewalls-Part2.html>


4. KB Article of the Month
---------------------------------------------------------------

As I mentioned last month, the MCP KB search site I have been using for the last year or so to find new KB articles is dead. It is gone; it has no DNS records. That site was our last and best hope to find the latest KB articles.

Since I cannot provide that service anymore, this section changes to "the KB Article of the Month".

Here is this month's KB article:

*How ISA Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway, Medium Business Edition handles client Web requests and how to bypass network address translation*

In Microsoft Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition, and TMG Beta 2, client Web requests are handled by the Web proxy filter. The Web proxy filter works at the program level on behalf of the following clients:

* Clients that reside in networks that are protected by ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition

* Clients that request HTTP and Secure HTTP (HTTPS) objects

Web proxy client requests are passed to the Web proxy filter on client computers that have ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition specified as a proxy server in the browser settings.

This article discusses network address translation (NAT) and how ISA Server 2004, ISA Server 2006, or Microsoft Forefront Threat Management Gateway, Medium Business Edition handles client Web requests. This article also discusses how to disable NAT.

Go here <http://support.microsoft.com/kb/838368> and find out how to bypass NAT in this scenario.


5. Tip of the Month
--------------------------------------------------------------

Every few months someone comes along asking about how to get a Polycom or H.323 gateway to work from behind an ISA or TMG firewall. If you find yourself in that position, then you will find this thread <http://forums.isaserver.org/m_2002044000/mpage_1/key_/tm.htm#2002081151> very useful.

One great thing about hanging around the ISAserver.org Web boards every day is that you learn about interesting configurations that you might never think about. In this thread <http://forums.isaserver.org/m_2002081098/mpage_1/key_/tm.htm#2002081365> you will see that someone wants to put two NICs on the same ISA Firewall Network. As Jason Jones points out, you cannot do that. He even includes a KB link to prove his point. Check it out!

Thinking about modifying the FBA page delivered by the ISA or TMG firewall? Then check out this thread <http://forums.isaserver.org/m_2002079901/mpage_1/key_/tm.htm#2002081338> for some very useful tips and tricks.


6. ISA/TMG/IAG Links of the Month
--------------------------------------------------------------

* Forefront Threat Management Gateway Beta 2
<http://www.microsoft.com/downloads/details.aspx?FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd&displaylang=en>

* Microsoft Forefront codename "Stirling" Beta
<http://www.microsoft.com/downloads/details.aspx?familyid=65BD5F8A-D94C-457A-9F88-2046597130E1&displaylang=en>

* Intelligent Application Gateway 2007 Virtual Machine Trial Version (Registration Required)
<http://www.microsoft.com/downloads/details.aspx?familyid=558B262B-F953-435C-A255-53E9D450527D&displaylang=en>

* Virtualize your ISA or Forefront TMG firewalls
<http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/>

* Troubleshooting Forms Base Authentication using Secure LDAP Authentication on ISA Server 2006
<http://technet.microsoft.com/en-us/library/dd316279.aspx>

7. Blog Posts
--------------------------------------------------------------

* 64 Bit TMG Firewall - Not a Hardware Firewall Weakling
<http://blogs.isaserver.org/shinder/2009/02/21/64-bit-tmg-firewall-not-a-hardware-firewall-weakling/>

* How to enable multicast routing with ISA Firewalls
<http://blogs.isaserver.org/shinder/2009/02/20/how-to-enable-multicast-routing-with-isa-firewalls/>

* The Forefront TMG Firewall's "BIG 6"
<http://blogs.isaserver.org/shinder/2009/02/19/the-forefront-tmg-firewalls-big-6/>

* Why Do You Need to Create a Deny Rule to Support Some Custom Protocol Configurations?
<http://blogs.isaserver.org/shinder/2009/02/18/why-do-you-need-to-create-a-deny-rule-to-support-some-custom-protocol-configurations/>

* Keeping High Availability with Forefront TMG's ISP Redundancy Feature
<http://blogs.isaserver.org/shinder/2009/02/17/keeping-high-availability-with-forefront-tmgs-isp-redundancy-feature/>

* Forefront Threat Management Gateway (TMG) PM video
<http://blogs.isaserver.org/shinder/2009/02/15/forefront-threat-management-gateway-tmg-pm-video/>

* Installing Forefront Threat Management Gateway (TMG) Beta 2
<http://www.elmajdal.net/ISAServer/Installing_Forefront_Threat_Management_Gateway_Beta_2.aspx>

* Customising ISA Server 2006 HTML Forms - Part 2: Restructuring the Default RSA SecurID Form
<http://blog.msfirewall.org.uk/2009/02/customising-isa-server-2006-html-forms.html>

* Resource Guide for Microsoft Active Directory Communications and ISA Firewalls
<http://blog.msfirewall.org.uk/2009/02/resource-guide-for-microsoft-active.html>


8. Ask Dr. Tom
--------------------------------------------------------------

* QUESTION:

Hello Tom,

First, thanks for the 3-part article: Teaching the Boss and Network Guys about ISA Firewall. I would like to make a humble request. May I ask you to send me a few points on Access Rules vs Publishing Rules in ISA.

a) In what way does an Access Rule differ from a Publishing Rule?
b) At the ISA core level, how do these rules get processed?
c) If I create an access rule: Allow HTTP from External To Web Server in DMZ --- how will this rule differ from publishing an HTTP website on ISA Server in terms of the security that ISA provides?
d) If I have a Deny Rule immediately below an Allow Rule; what will happen?
Allow HTTP --- Internal to External --- for domain User A --- all HTTP websites
Deny HTTP --- Internal to External --- for domain User A --- all HTTP websites

Will User A be allowed to access websites or will he be denied? Why? Can ISA understand that User A has both Allow & Deny access to all web sites, and hence the net effect should be Deny?

Thank you for your attention

Monimoy Sanyal

* ANSWER:

Hi Monimoy,

To answer your questions:

a) Access rules are typically used for outbound connections. An outbound connection has a source on an ISA or TMG Protected Network and the destination is to another ISA or TMG firewall Protected Network or to the default External Network.
b) Rules are processed from the top, downwards, starting with the System Policy Rules, which are hidden by default.
c) Web Publishing Rules have different features compared to Access Rules. In general, you have more fine-tuned options available when using Web Publishing Rules compared to Access Rules.
d) Since the Allow rule is above the Deny rule, the Allow rule will allow domain User A outbound access to all HTTP Web sites.

Since the Firewall policy is evaluated from the top downwards, the Allow rule will be triggered and the deny rule will not even be evaluated since the ISA or TMG firewall stops processing the rules once it finds a match.
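The first-match, top-down evaluation described in the answer, as an added toy model (not code from the newsletter or from ISA/TMG): ordered rules, hidden System Policy rules evaluated before the administrator's Firewall Policy, processing stopping at the first match, and an implicit default Deny when nothing matches. Rule names, networks and the user name are constructed for illustration.

```python
# Added example: a toy model of ISA/TMG firewall policy evaluation.
# Rules are checked top-down, System Policy rules first; the first rule
# whose conditions match decides, and later rules are never consulted.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    protocols: set                  # e.g. {"HTTP"}
    src: set                        # source networks, e.g. {"Internal"}
    dst: set                        # destination networks, e.g. {"External"}
    users: set = field(default_factory=lambda: {"All Users"})


@dataclass
class Request:
    protocol: str
    src: str
    dst: str
    user: str


def matches(rule, req):
    """All rule conditions must hold for the rule to apply to the request."""
    return (req.protocol in rule.protocols
            and req.src in rule.src
            and req.dst in rule.dst
            and ("All Users" in rule.users or req.user in rule.users))


def evaluate(system_policy, firewall_policy, req):
    """Return (action, rule name) of the first matching rule.
    Rules are never combined: a later Deny does not override an earlier
    Allow. If nothing matches, the implicit default rule denies."""
    for rule in list(system_policy) + list(firewall_policy):
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed sample: Monimoy's scenario with Allow immediately above Deny.
# "DOMAIN\\UserA" is a placeholder account name.
ALLOW_A = Rule("Allow HTTP for User A", "allow", {"HTTP"}, {"Internal"}, {"External"}, {"DOMAIN\\UserA"})
DENY_A = Rule("Deny HTTP for User A", "deny", {"HTTP"}, {"Internal"}, {"External"}, {"DOMAIN\\UserA"})
SYSTEM_POLICY = [Rule("Allow DNS from ISA to External", "allow", {"DNS"}, {"Local Host"}, {"External"})]
USER_A_WEB = Request("HTTP", "Internal", "External", "DOMAIN\\UserA")


def allow_then_deny():
    return evaluate(SYSTEM_POLICY, [ALLOW_A, DENY_A], USER_A_WEB)   # allowed


def deny_then_allow():
    return evaluate(SYSTEM_POLICY, [DENY_A, ALLOW_A], USER_A_WEB)   # denied
```

Swapping the two rules flips the outcome, which is why rule order, not the presence of a Deny somewhere in the policy, decides what User A gets.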

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2009. All rights reserved.