ISAserver.org Monthly Newsletter of June 2010
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201006.authlite>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org
1. TechEd 2010 in New Orleans – TMG and UAG Admins Share Their Thoughts
--------------------------------------------------------------
Tom and I both spent last week in New Orleans, at TechEd North America 2010. It was great, getting to see so many people in the IT industry whom I usually only interact with online. The best part of these types of conferences is the opportunity to talk with so many folks who have expertise in so many technologies, and learn from them.
My primary job at TechEd was to answer questions about Remote Desktop Services in Windows Server 2008 R2. RDS is the new name for Windows Terminal Services, but this is not your father's TS. New features such as RemoteApp and Desktop Virtualization make it a whole new ballgame and one that's more complex but also much better able to compete with Citrix and other third party solutions. I had a great time at the booth, got to catch up with friends I hadn't seen in a while and met a lot of new people, many of whom greeted me with "I'm a loyal reader of your articles/newsletters." I wish I could meet all of my readers in person!
Tom did a couple of great presentations on DirectAccess with his fellow Microsoft employee, Ben Bernstein, but he spent most of his time at the TMG and UAG booth. He told me that this was one of the busiest booth experiences he has had in all his years of attending TechEd. One reason might be that what used to be just the ISA booth was this year shared by TMG, UAG and Forefront Endpoint Protection (FEP). He said that was pretty cool, since he didn't know a lot about FEP, and talking to the FEP team really helped him get up to speed on that new technology (which apparently is not even in public beta yet).
Anyhow, since ISA/TMG is the topic of this newsletter, I thought that you might want to hear from Tom about what his experiences were at the TMG and UAG booth, and some of the things he learned, so I'm turning the rest of this space over to him this week:
"Life was busy this year at TechEd. We had a lot of people attending the TMG and UAG booth this year. A special treat for me and the customers was that Jim Harrison was able to staff the booth this year. While I can answer about 95% of TMG firewall questions, it's that last 5% where Jim is a great asset. Whenever Jim was at the booth there was always a big crowd!
Some things I learned from TMG admins during my time at the booth:
* TMG admins really like the URL filtering feature and many of them are dumping Websense because TMG is much more cost effective.
* TMG admins also really like the web anti-malware feature and how convenient it is to have it working "right out of the box". However, there was a lot of confusion regarding licensing, and I have to say that the booth was full of tech guys, so we didn't have a good answer for the licensing issues – but we did take names to follow up with them.
* TMG admins like the idea of outbound SSL inspection but still have problems implementing it because of the Active Directory and certificate issues. We did a lot to help them understand how it works and how to deploy it, but it looks like we still need to put out more documentation on how to setup and manage the outbound SSL inspection feature.
* There was a lot of confusion regarding web and server publishing with TMG. Most of the admins who visited the booth had heard that they should use UAG, but they did not know whether they could still use TMG. We helped them understand that TMG has all the same features that ISA 2006 had when it comes to web and server publishing, but that the future of web and server publishing is with UAG.
* The Network Inspection System (NIS) is something many of the people interested in TMG did not know about. Once we gave them the details, they thought it was really cool, but a number of people wanted to know how to create their own signatures – and were disappointed that they cannot do this (yet).
Some things I learned from admins about UAG:
* DirectAccess is HOT HOT HOT! People have been aware of DirectAccess, but they are interested in the features that UAG provides to make DirectAccess work in their production environments. We had a lot of discussions about network design considerations and how to integrate DirectAccess with their current infrastructures.
* There was some confusion about DirectAccess requirements, because the Windows DirectAccess requires a Windows Server 2008+ DC and DNS server. These are not requirements for the UAG DirectAccess, something which made people VERY happy!
* The portal and reverse proxy features of UAG continue to be of interest to UAG admins. We helped explain to customers that while DirectAccess is a great solution for managed, domain member clients, you'll still benefit from the SSL VPN features for unmanaged clients, partners and customers.
* Admins still think that the UAG interface looks immature and not consistent with the highly polished look and feel of the ISA/TMG interfaces. They also find UAG hard to configure and the documentation confusing – and are unhappy that we don't have documentation for key deployment scenarios, such as a multi-role UAG DirectAccess server that also acts as an SSL VPN server and network level SSTP VPN server.
Overall, the entire experience was great! I was only scheduled for about 10 hours at the booth, but I really enjoyed working with the TMG and UAG admins and helping them with their problems, so I ended up spending over 20 hours there, and would have done more time if I hadn't had 4 talks to deliver! That reminds me, we had a packed auditorium for the talk I did with Ben Bernstein on UAG DirectAccess. The crowd was great! We had a lot of information to share, so I think I went a little fast, but folks were generally happy and Ben did a great job on the demo!"
There you have it – Tom's experiences with UAG and TMG admins at TechEd. I'll tell you about my experiences at the Remote Desktop Services booth in this month's WindowsNetworking.com newsletter. :)
See you next month!
=======================
Quote of the Month - "Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds." - John Perry Barlow.
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the more than two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* ISAserver.org Readers' Choice Awards Yearly Round Up 2009
<http://www.isaserver.org/news/ISA-Readers-Choice-Awards-Yearly-Round-Up-2009.html>
* GFI WebMonitor for ISA Server Voted ISAserver.org Readers' Choice Award Winner - Access Control
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Access-Control-GFI-WebMonitor-Mar10.html>
* Exploring ISP Redundancy in Forefront Threat Management Gateway (TMG) 2010
<http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html>
* Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall – Part 5: Configuring Edge Subscription and Testing
<http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part5.html>
* Microsoft Forefront TMG – TMG Storage 101
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Storage-101.html>
* Checking Out the TMG 2010 Virtual Private Network Server - Part 3: Configuring the TMG Firewall as a L2TP/IPsec Remote Access VPN Server
<http://www.isaserver.org/tutorials/Checking-Out-TMG-2010-Virtual-Private-Network-Server-Part3.html>
* A Closer Look at TMG 2010 Enterprise Edition Standalone Arrays
<http://www.isaserver.org/tutorials/Closer-Look-TMG-2010-Enterprise-Edition-Standalone-Arrays.html>
* Overview of the Threat Management Gateway Networking Node
<http://www.isaserver.org/tutorials/Overview-Threat-Management-Gateway-Networking-Node.html>
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
What about BranchCache? Have you heard of BranchCache? BranchCache is a relatively new technology included with Windows 7 and Windows Server 2008 R2. With BranchCache, you can put Windows 7 computers, Windows Server 2008 R2 computers, or a mix of Windows 7 and Windows Server 2008 R2 computers at the branch office and have content accessed from the main office automatically cached at the branch office, which can significantly speed up access to content, such as those 15 MB PowerPoint files and those 150 MB video files. You get file access at LAN speed instead of WAN speed with BranchCache enabled.
There are two modes available with BranchCache – distributed mode and hosted mode. In distributed mode the cache lives on the Windows 7 clients themselves, and peers find each other by multicast discovery, which is why Microsoft recommends it only for single-subnet offices of fewer than 50 clients. For branch offices with more than 50 clients, or more than one subnet, deploy hosted mode, where the cache is stored on a Windows Server 2008 R2 server on the branch office network.
So where does TMG come in? Well, in a branch office scenario you usually want to keep the number of servers to a minimum, so why not put the BranchCache server on the TMG firewall? Great idea. The problem is that there are a number of System Policy Rules that will break BranchCache functionality. However, you can get around that. How? Check out the article: Forefront TMG and BranchCache Hosted Cache deployed on the same host <http://technet.microsoft.com/en-us/library/ee658158.aspx>.
5. Tip of the Month
--------------------------------------------------------------
As you probably know by now, UAG is all about DirectAccess. DirectAccess was a big hit at this year's TechEd North America in New Orleans last week. I think there were 5 presentations about DirectAccess, and Tom participated in 4 of them! Some of the talks had over 200 attendees, which is pretty good for a technology that is only beginning to make its way into production environments. I went to all of Tom's talks, and he and his co-presenters, Ben Bernstein, John Morello and Uri Lichtenfeld, shared a tremendous number of tips and tricks.
One of the best tips they called out was that you do not need a firewall in front of the UAG server, since the TMG firewall is already on the box. Putting a firewall in front of the UAG DirectAccess server is like putting TWO firewalls in front of it, not something most people would do unless they had way too much money on their hands. They also said that there is no need for a back-end firewall, for the same reason. If you do have firewalls that you want to keep using, you can still use them with the UAG DirectAccess server; just make sure they pass the DirectAccess transition traffic (Teredo, 6to4 and IP-HTTPS) rather than stripping it. The key point is that UAG DirectAccess is very flexible and you can put it just about anywhere, as long as the external interface of the UAG DirectAccess server gets its two consecutive public IPv4 addresses (Teredo needs both).
6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------
* Forefront TMG or ISA Server 2006 deployed as a network gateway
<http://technet.microsoft.com/en-us/library/ee658157.aspx>
* Configuring TMG to work with Network Access Protection
<http://technet.microsoft.com/en-us/library/dd440978.aspx>
* Forefront TMG is SIP Aware!
<http://technet.microsoft.com/en-us/library/ee690384.aspx>
* Using Mail Protection with Exchange EdgeSync on Forefront TMG
<http://technet.microsoft.com/en-us/library/ee513174.aspx>
* High Availability and Scalability Design Guide for Forefront TMG
<http://technet.microsoft.com/en-us/library/dd896997.aspx>
7. Blog Posts
--------------------------------------------------------------
* The Edge Man Talks Teredo
<http://blogs.isaserver.org/shinder/2010/05/31/the-edge-man-talks-teredo/>
* Hey Brother - that isn't an ISA Firewall Issue <http://blogs.isaserver.org/shinder/2010/05/31/hey-brother-that-isnt-an-isa-firewall-issue/>
* Why Upgrade from ISA 2006 to a TMG Firewall? <http://blogs.isaserver.org/shinder/2010/05/31/why-upgrade-from-isa-2006-to-a-tmg-firewall/>
* Going Down the Path to DirectAccess <http://blogs.isaserver.org/shinder/2010/05/26/going-down-the-path-to-directaccess/>
* Workgroup Deployment of TMG Enterprise Edition <http://blogs.isaserver.org/shinder/2010/05/26/workgroup-deployment-of-tmg-enterprise-edition/>
* What Version of UAG are Your Running? <http://blogs.isaserver.org/shinder/2010/05/26/what-version-of-uag-are-your-running/>
* Configuring External Load Balancing for a UAG DA Array in Front of an IPv4 Network
<http://blogs.isaserver.org/shinder/2010/05/19/configuring-external-load-balancing-for-a-uag-da-array-in-front-of-an-ipv4-network/>
* Forefront Edge MVP Richard Hicks in TechNet Edge Video <http://blogs.isaserver.org/shinder/2010/05/18/forefront-edge-mvp-richard-hicks-in-technet-edge-video/>
* Split DNS: Configuring DirectAccess for Office Communications Server (OCS) <http://blogs.isaserver.org/shinder/2010/05/13/split-dns-configuring-directaccess-for-office-communications-server-ocs/>
* How Disk Bottlenecks Affect TMG Performance <http://blogs.isaserver.org/shinder/2010/05/13/how-disk-bottlenecks-affect-tmg-performance/>
8. Ask Sgt Deb
--------------------------------------------------------------
* QUESTION:
Hi Deb,
I'm in the nuclear power industry and we have a lot of security issues that we have to deal with, as I'm sure that you can imagine. If I had it my way, there would be no Internet access from our facility, but for a number of reasons, we really can't do that. I've been looking at a number of edge network security solutions out there and was wondering what you think the TMG firewall would have to offer us. We're pretty sophisticated, so the "hardware firewall is more secure" chestnut doesn't play with us. However, we are very critical of our analysis of all solutions, and we're looking for a secure solution that will enable us not only a high level of security, but is cost effective too. So tell me, what can TMG do for us?
Thanks! –Boo Yah!
* ANSWER:
Hi Boo Yah!
Compared to the ISA firewall, the TMG firewall brings four significant improvements to secure your environment:
* Web anti-malware protection
* URL filtering
* Outbound SSL inspection
* Network Inspection System
With ISA firewalls, you had to use a third party solution to block viruses, worms and other forms of malware from being downloaded from web sites. With the TMG firewall, you get this feature right out of the box. The TMG firewall will automatically check for new signatures every 15 minutes to make sure you're up to date and protected from the latest malware threats.
Like anti-malware, the ISA firewall required that you use a third party solution like Websense or SurfControl to get URL filtering. With the TMG firewall, URL filtering is available right out of the box. TMG categorizes the web sites for you, and you can customize the site list if you like. Both the web anti-malware and the URL filtering are subscription services, so you need to license these features on a per-user basis.
One thing I like to remind people about is that you can have the best anti-malware and URL filtering available, but if you allow SSL connections from your users to go uninspected, those technologies cannot protect you. Why? Because malware writers take advantage of the fact that most security gateways cannot examine the contents of an SSL connection, and hide their malicious content inside one to slip past your security controls; the gateway sees only the destination host and port of the tunnel. To complete the security circle, you need outbound SSL inspection. TMG includes it: the firewall terminates the client's SSL session, scans the decrypted content, and re-encrypts it toward the client using a certificate issued by a CA that TMG generates (or one you supply). Two practical points follow. First, your clients must trust that CA certificate, or every HTTPS site will throw a warning; TMG can deploy the certificate to domain members through Active Directory, which is the "Active Directory and certificate issues" Tom mentioned above. Second, decide up front which destinations (for example, banking or healthcare sites) you will exclude from inspection for privacy or compliance reasons, and document it. In the nuclear power industry, not having outbound SSL inspection puts your facility at significant risk.
The last important security improvement in the TMG firewall is the Network Inspection System. NIS is a signature-based intrusion prevention system (it blocks the matching traffic, not just logs it) whose signatures target known exploits of vulnerabilities in Microsoft operating systems and applications, which makes it especially useful for protecting a Microsoft infrastructure. NIS can buy your admins time. How? In most facilities, admins like to test patches before deploying them in production, in case a patch breaks the operating system or an application. With NIS enabled on TMG, traffic that matches a signature for a published vulnerability is blocked at the edge for the interval required to test the patch. Keep in mind what that does and does not cover: NIS only protects traffic that passes through the TMG firewall, and it is a stopgap in front of patching, not a substitute for it. Within those limits it is a tremendous boon to your IT staff and keeps you protected and up and running.
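All four features leave their footprint in the TMG web proxy log, and that log is where you verify that they are actually doing work, and, for SSL inspection in particular, where you find the blind spot: an uninspected HTTPS session shows up as an opaque CONNECT tunnel with nothing but a host and port, so anti-malware and URL filtering had nothing to scan. The script below is an added example, not code from this newsletter or from Microsoft. It parses a log saved in W3C extended format and reports malware blocks by threat name, policy blocks by URL category, and how many HTTPS requests were inspected versus tunnelled. The parser takes its field names from the `#Fields:` header of whatever log you feed it; the names used in `triage()` (action, cs-protocol, UrlCategory, ThreatName) are modelled on the TMG 2010 web proxy log and are an assumption to check against your own header. The sample log lines are constructed for illustration, not captured from a real firewall.

```python
"""Triage a Forefront TMG web-proxy log saved in W3C extended format.

Added example, not code from the newsletter or from Microsoft. The field
names are modelled on the TMG 2010 web-proxy W3C log (action, rule,
cs-protocol, UrlCategory, ThreatName, ...); the parser reads whatever
'#Fields:' header is actually present, so check the names against your
own log before trusting the keys used in triage(). SAMPLE_LOG is
constructed for illustration, not captured from a real firewall.
"""
import re
from collections import Counter

# W3C values are space-separated; values that contain spaces are quoted.
_TOKEN = re.compile(r'"[^"]*"|\S+')

# TMG result actions meaning the content never reached the client (assumed names).
BLOCK_ACTIONS = {"blocked", "denied"}

SAMPLE_LOG = r"""
#Software: Microsoft Forefront Threat Management Gateway
#Version: 2.0
#Fields: date time c-ip cs-username s-operation cs-uri cs-protocol rule action UrlCategory ThreatName MalwareInspectionAction
2010-06-14 09:01:02 10.1.1.20 CORP\alice GET http://intranet/report.pptx http "Allow web access" Allowed Business - -
2010-06-14 09:01:05 10.1.1.20 CORP\alice GET http://dl.example.net/setup.exe http "Allow web access" Blocked Malicious Win32/Constructed.A Blocked
2010-06-14 09:02:10 10.1.1.21 CORP\bob CONNECT secure.example.org:443 SSL-tunnel "Allow web access" Allowed Unknown - -
2010-06-14 09:03:44 10.1.1.22 CORP\carol GET https://mail.example.org/inbox https "Allow web access" Allowed "Web Mail" - -
2010-06-14 09:04:01 10.1.1.23 CORP\dave GET http://casino.example.com/ http "Block gambling" Denied Gambling - -
"""


def parse_w3c(text):
    """Return one dict per record, keyed by the most recent '#Fields:' line.
    Surrounding quotes are stripped and the W3C empty marker '-' becomes ''."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("log record seen before any #Fields: directive")
        values = [t.strip('"') for t in _TOKEN.findall(line)]
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append({k: "" if v == "-" else v for k, v in zip(fields, values)})
    return records


def triage(records):
    """Summarise what each TMG protection actually did.

    malware_blocks:    ThreatName -> count, requests the anti-malware engine stopped
    policy_blocks:     UrlCategory -> count, requests blocked by URL filtering / rules
    inspected_https:   HTTPS requests TMG decrypted (full URL visible, content scanned)
    uninspected_https: opaque CONNECT tunnels; only host:port was visible, so neither
                       anti-malware nor category filtering could act on the content
    """
    malware_blocks = Counter()
    policy_blocks = Counter()
    uninspected_https = []
    inspected_https = 0
    for r in records:
        action = r.get("action", "").lower()
        if r.get("ThreatName") and action in BLOCK_ACTIONS:
            malware_blocks[r["ThreatName"]] += 1
        elif action in BLOCK_ACTIONS:
            policy_blocks[r.get("UrlCategory") or "Uncategorized"] += 1
        proto = r.get("cs-protocol", "").lower()
        if proto == "ssl-tunnel":
            uninspected_https.append(r.get("cs-uri", ""))
        elif proto == "https":
            inspected_https += 1
    return {
        "malware_blocks": dict(malware_blocks),
        "policy_blocks": dict(policy_blocks),
        "inspected_https": inspected_https,
        "uninspected_https": uninspected_https,
    }


if __name__ == "__main__":
    report = triage(parse_w3c(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against an exported log instead of `SAMPLE_LOG` and watch the `uninspected_https` list: every host in it is traffic the anti-malware and URL filtering subscriptions you are paying for never saw, which is the argument for turning on outbound SSL inspection (with a reviewed exception list) rather than assuming the other three features cover you.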
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2010. All rights reserved.