Wednesday, May 26, 2010

ISAserver.org - May 2010 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of May 2010
Sponsored by: Wavecrest Computing
<http://www.wavecrest.net/searchad/ISA/ioe_isa_general.html?utm_source=isaserver_org&utm_medium=email&utm_campaign=ioe_june10>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Branch Office of the Future - Site to Site VPN Need Not Apply
--------------------------------------------------------------

Recently I was thinking about how it was when Tom and I were writing our ISA 2000 book. We were really excited about the product and we thought it had the potential to be a big success. While it had its heritage in Proxy Server 2.0, it was a completely different product and admin experience. It was, after all, the first Microsoft firewall! The policy model was a bit challenging to understand, but it was worth the time to figure it out, because it allowed a level of policy based access control that you just couldn&#146;t find anywhere else. But even more, it was a great remote access VPN client VPN server and site to site VPN server. In fact, it was the site to site VPN server that we liked the most out of all those we tried.

Site to site VPNs, using ISA 2000, ISA 2004, ISA 2006 and even TMG are relatively easy to set up. The purpose of site to site VPNs is to free you from the expense of dedicated WAN links by creating a "virtual dedicated WAN link" between two site to site VPN gateways. Site to site VPN solved the problem of up-front costs related to the dedicated WAN links, but some of that savings was lost due to the administrative complexity for anything but the most simple site to site VPN networks.

In spite of the complexity, it seemed that site to site VPN was the best solution. How else could you connect your entire branch office to the main office, where most of the data your users need are at the main office datacenter? What if you could get all the advantages of a site to site VPN connection to the main office and simultaneously get rid of the complexity of managing site to site VPNs, so that your branch offices need nothing more than a NAT router with an Internet connection? For a long time, such a thing was only a dream.

But when I was talking to Tom about DirectAccess the other day, he mentioned that this vision of the future may not be far away, and in fact, is something that you can start planning for now. What are the requirements?

* Branch offices need Windows 7 Enterprise or Ultimate (or above) clients
* Branch offices need Windows Server 2008 R2 (or above) servers
* Branch offices should have BranchCache enabled in either distributed or hosted mode
* Branch office clients should use IPsec to secure connections between each other and branch office servers
* Branch office clients are configured as DirectAccess clients to a DirectAccess server at the main office network

With this configuration, you no longer need a site to site VPN connection to connect to information resources at the main office. Each client establishes a DirectAccess connection to the main office and users transparently access the information at the main office; the users don&#146;t have to do anything, and you don&#146;t even need an IT pro to manage the Internet connection or site to site VPN. All the branch office needs is a NAT router connected to the Internet.

In addition, the branch office networks are secured by IPsec when connecting to local resources, such as content stored by BranchCache on other Windows 7 clients or on a hosted mode BranchCache server. Although you might consider putting a domain controller at the branch office, with DirectAccess, you really don't need to do that anymore. Users will be able to log on with cached credentials and there is always a way to get users connected to the Internet. For example, even if the Internet connection the users typically use goes down, it's easy to set up a WWAN connection that users can use as an alternative so that they're all again connected to the main office over DirectAccess.

Another thing to consider is that you will be able to create ad hoc and mobile branch offices using DirectAccess. A "branch office in a box" scenario is easily enabled, and can be moved from place to place, or it can even be moving continuously, if your Internet link is a wireless provider or a satellite connection. DirectAccess does not care what the Internet connection method is; as long as the DirectAccess clients can connect to the DirectAccess server, they can reach the resources they need. And they can reach local resources using local name resolution, so there is not even any need to put up a DNS server at the branch office.

So what's the catch? (There's always a catch, isn't there?) Well, for more complex branch offices, the concept of "site" becomes more important - and defining sites for DirectAccess clients, while it can be done, isn't as elegant as what you might find in a site to site VPN setup. DirectAccess clients aren't assigned different network IDs. Instead, they all use the same prefix that is assigned by the DirectAccess servers to which they connect. But in the future, those problems will be solvable too.

I can tell you that the folks at Microsoft are thinking about these things a lot and the end result is that network management is going to be simpler and more cost effective. The current version of DirectAccess you see in Windows Server 2008 R2 and Windows 7 and UAG 2010 is just the beginning. Future versions will be more flexible, more configurable and support more scenarios so that the VPN will slowly fade into the past as a legacy technology that was great at the time, but no longer meets the needs of an enterprise network that requires users to have anywhere, anytime connectivity while enabling IT around the clock control of all their information assets.

So while the UAG star looks bright right now, what about TMG? Remember, TMG&#146;s future is no longer remote access. The current VPN, web publishing and server publishing features you see are all you're going to get - don't expect anything new in these areas in the future, because remote access efforts are all being funneled into UAG. If you're using ISA or TMG for remote access now, you need to check into UAG and make plans for a UAG remote access future.

What do you think? Does getting rid of site to site VPNs by using DirectAccess sound like a good thing? Would it be great to not worry about unstable site to site VPNs and just use a simple NAT router? Will DirectAccess meet all your branch office connectivity requirements? Let me know! Write to me at dshinder@isaserver.org and I'll share your input with Microsoft and talk about it in the next newsletter.

See you next month!

Deb
dshinder@isaserver.org

=======================
Quote of the Month - "I hate when that happens" - Anonymous.
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Checking Out the TMG 2010 Virtual Private Network Server - Part 1: Overview of VPN Configuration
<http://www.isaserver.org/tutorials/Checking-Out-TMG-2010-Virtual-Private-Network-Server-Part1.html>

* Microsoft Forefront TMG - Role based Administration
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Role-based-Administration.html>

* Checking Out the TMG 2010 Virtual Private Network Server - Part 2: Configuring the TMG Firewall as a PPTP Remote Access VPN Server
<http://www.isaserver.org/tutorials/Checking-Out-TMG-2010-Virtual-Private-Network-Server-Part2.html>

* ISAserver.org Readers' Choice Awards Yearly Round Up 2009
<http://www.isaserver.org/news/ISA-Readers-Choice-Awards-Yearly-Round-Up-2009.html>

* GFI WebMonitor for ISA Server Voted ISAserver.org Readers&#146; Choice Award Winner - Access Control
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Access-Control-GFI-WebMonitor-Mar10.html>

* Exploring ISP Redundancy in Forefront Threat Management Gateway (TMG) 2010
<http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html>

* Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall &#150; Part 5: Configuring Edge Subscription and Testing
<http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part5.html>

* Microsoft Forefront TMG - TMG Storage 101
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Storage-101.html>

4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

There are a lot of new things in the TMG firewall that make it better than the ISA firewall. The most significant feature is the web anti-malware feature. With built-in web anti-malware, there's no need to buy third party solutions like Websense. However, as with Websense, you still have to license the TMG firewall&#146;s web anti-malware features after the complimentary license runs out. While it&#146;s hard to find how much this anti-malware subscription costs, we found a link that might help you figure it out. If you head on over to Microsoft&#146;s website <http://www.microsoft.com/forefront/threat-management-gateway/en/us/tmg-mbe-pricing-licensing.aspx> you'll find that the anti-malware subscription is about $8 US/user/year. No mention of volume discounts, although for all things regarding licensing, you should call your Microsoft representative and find out the best price you can get.


5. Tip of the Month
--------------------------------------------------------------

If you installed the TMG firewall evaluation version from a network share, you cannot upgrade to the licensed version of TMG RTM firewall directly from the TMG DVD. In this scenario, to upgrade to the licensed version of Forefront TMG RTM, you must copy the RTM version to a share folder and run the upgrade from the folder. This should solve the installation problem a few of you have written to me about in the last few months.

6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------

* Network Monitor 3.3 RWS Parser Basics, Part 1: Introduction to RWS Protocol Analysis
<http://technet.microsoft.com/en-us/library/ff423691.aspx>

* Network Monitor 3.3 RWS Parser Basics, Part 2: Observing single-connection HTTP traffic
<http://technet.microsoft.com/en-us/library/ff536096.aspx>

* Network Monitor 3.3 RWS Parser Basics, Part 3: Observing single-connection DNS traffic
<http://technet.microsoft.com/en-us/library/ff628788.aspx>

* Overview of the Logging Improvements in Forefront Threat Management Gateway (TMG)
<http://technet.microsoft.com/en-us/library/dd183731.aspx>

* Understanding the Re-Injection Mechanism Improvement on Forefront TMG
<http://technet.microsoft.com/en-us/library/ff432667.aspx>


7. Blog Posts
--------------------------------------------------------------

* Configuring External Load Balancing for a UAG DA Array in Front of an IPv4 Network <http://blogs.isaserver.org/shinder/2010/05/19/configuring-external-load-balancing-for-a-uag-da-array-in-front-of-an-ipv4-network/>

* Forefront Edge MVP Richard Hicks in TechNet Edge Video <http://blogs.isaserver.org/shinder/2010/05/18/forefront-edge-mvp-richard-hicks-in-technet-edge-video/>

* Split DNS: Configuring DirectAccess for Office Communications Server (OCS) <http://blogs.isaserver.org/shinder/2010/05/13/split-dns-configuring-directaccess-for-office-communications-server-ocs/>

* How Disk Bottlenecks Affect TMG Performance <http://blogs.isaserver.org/shinder/2010/05/13/how-disk-bottlenecks-affect-tmg-performance/>

* The Mystery of the IP-HTTPS Listener, an Outlook Client and an IPv4 Only Network <http://blogs.isaserver.org/shinder/2010/05/11/the-mystery-of-the-ip-https-listener-an-outlook-client-and-an-ipv4-only-network/>

* Forefront Edge Team Newsletter <http://blogs.isaserver.org/shinder/2010/05/11/forefront-edge-team-newsletter/>

* UAG DirectAccess Manage Out Not Working - Check the DNS Settings <http://blogs.isaserver.org/shinder/2010/05/03/uag-directaccess-manage-out-not-working-check-the-dns-settings/>

* Security Considerations with Forefront Edge Virtual Deployments <http://blogs.isaserver.org/shinder/2010/05/03/security-considerations-with-forefront-edge-virtual-deployments-2/>

* Network Inspection System (NIS) adds signatures to help in SQL injection and Cross-site scripting prevention <http://blogs.isaserver.org/shinder/2010/05/03/network-inspection-system-nis-adds-signatures-to-help-in-sql-injection-and-cross-site-scripting-prevention/>

* 10 reasons to use DirectAccess and Unified Access Gateway (UAG) 2010 <http://blogs.isaserver.org/shinder/2010/04/29/10-reasons-to-use-directaccess-and-unified-access-gateway-uag-2010/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hi Deb,

I see that you are getting onto the virtualization train and I was wondering about an interesting combination of client side virtualization and DirectAccess. What I have "What I want to do for our users is give them all the power they need by fully enabling the capabilities of a rich client platform. This means that VDI won't work for my users because I never can guarantee that they will have enough bandwidth to make it a viable solution for them (my users are knowledge workers who need a wide array of applications that can have significant processing or video requirements). So, what I would like to do is configure a "corporate image" on the client computers &#150; which are actually virtual machines. I haven&#146;t decided whether to use VMware or Windows Virtual PC yet, but that's not critical in the question I have for you. What I'm wondering is; if I configure the virtual machine to be a DirectAccess client, will that work? The VMs would be domain members but the host OS would be a BYOC computer (my users can buy any computer they want, as long as it meets the specs we set so that it can power the corporate VM image and has Intel VT support). I figure that with DirectAccess, we can always be in control of the virtual machine, update it and manage it in the same way as the corpnet located machines, and make sure that it always meets our configuration and security requirements. What do you think?

Thanks! - Larry S.

* ANSWER:

Hi Larry,

The answer is yes - you can make your DVC virtual machine a DirectAccess client. Even though the host OS is not a domain member, as long as the virtual machine is a domain member, and has the network connectivity required for Teredo, IP-HTTPS or 6to4 to work, you shouldn't have any problems. The VM should work the same as any physical machine that's acting as a DirectAccess client. However, there is one downside compared to the physical DirectAccess machine. With a physical DirectAccess machine, as soon as the machine is turned on, even if the user hasn't logged on yet, or the computer is locked, you have complete control over that computer as an IT admin. This allows the computer to be always managed, always up to date, and always secure. In the DVC scenario, the VM will need to be started by the user before the DirectAccess connections can be established. That means that you'll depend on the user to start the VM for the DirectAccess connection to be made - a scenario that is a bit like the VPN scenario in that if the user doesn't start the VM for a long period of time, the DirectAccess client VM might fall out of compliance like the VPN client. However, unlike the VPN client, it&#146;s likely that users will start the VM more often than a typical user will start a VPN client connection, so it's not too bad in that respect. For the rest of the solution, you should be able to get it to work without any special considerations for the virtual environment.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

Till next month!


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2010. All rights reserved.

No comments:

Post a Comment