Wednesday, July 28, 2010

ISAserver.org - July 2010 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of July 2010
Sponsored by: Wavecrest Computing
<http://www.wavecrest.net/searchad/ISA/ioe_isa_general.html?utm_source=isaserver_org&utm_medium=email&utm_campaign=ioe_june10>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Why You Need both TMG and UAG on Your Networks
--------------------------------------------------------------

I've heard a number of questions this year from people wondering what they should do in the future regarding their edge devices. They have been running ISA firewalls for years and would like to continue to use ISA firewalls, now renamed to the TMG firewall. On the other hand, they're hearing that UAG is the technology of the future and so maybe they should go with that instead.

There is no easy answer here, but I think the safest answer is that if you like what you have with ISA, you should stay with TMG. TMG is the latest version of ISA and provides the same level of support for inbound access as the ISA firewall, but includes a lot of improvements for outbound access control and network security – so much so that you can even get rid of Websense on your network and use TMG firewall arrays and save a tremendous amount of money in the process.

Some people say that if you want the best option for inbound access, then you should consider UAG. That may or may not be true, depending on your particular scenario. UAG's web publishing methodology can be very difficult to understand, even more difficult to configure, and requires that you have a lot of HTML coding knowledge. You have to spend a lot of time picking at configuration files, all of which is reminiscent of Windows 3.1 or an open source Linux solution. Many folks have said they don't get the feeling that UAG is a finished product when it comes to its web publishing and portal feature set.

However, where the UAG does shine is in its enablement of a working and robust DirectAccess solution. The built-in Windows DirectAccess solution isn't something that really works on most of the networks we see out there today. If you actually want a DirectAccess solution that works with the network that you have today and the networks you plan for tomorrow, UAG DirectAccess is the only way to go. While it is possible to configure the TMG firewall to host the DirectAccess server role, that is still the Windows DirectAccess solution with all the limitations that come with it.

So what's the solution? I'll go out on a limb and provide you the following recommendations (keeping in mind that these are my personal opinions and don't represent the views of Microsoft or anyone else):

* If you're happy with the ISA web and server publishing solution you have now, then stay with it and upgrade to TMG.
* If you're not happy with the ISA web and server publishing you have now and see that UAG provides key features that you need, then consider bringing in a UAG server.
* If you want what is probably the best outbound access control device on the market today, then upgrade your ISA to TMG.
* If you want to derive all the benefits that DirectAccess has to offer, then bring a UAG DirectAccess server or UAG DirectAccess array into your network.

Given the above, I think in most cases, this means you'll end up wanting both a TMG and a UAG solution on your network. Now the big question is, where should you put them? I recommend that you put the TMG on the edge of the network as that is what it was designed for, it has been thoroughly penetration tested for this scenario, and it has a decade-long history as one of the most secure firewalls on the market today. On the other hand, the UAG should be behind the TMG firewall, as it does run IIS 7 on the box and doesn't use the time-tested web listeners used by TMG. I don't know whether or how much UAG has been pen-tested as an edge device, as I see a lot of conflicting information out there. That's the reason that, to be safe, I recommend that you put the UAG behind the TMG firewall for the time being.

See you next month! – Deb.
dshinder@isaserver.org

HOT OFF THE PRESSES:

Jason Jones, TMG MVP, has published a great blog post on What Happens When a Forefront TMG Array Manager Fails. Check it out <http://blog.msedge.org.uk/2010/07/what-happens-when-forefront-tmg-array.html>!

Richard Hicks, TMG MVP, has also published a great blog post on Load Balancing and Forefront TMG Firewall Clients. Check it out <http://tmgblog.richardhicks.com/2010/07/09/load-balancing-and-forefront-tmg-firewall-clients/>!

=======================
Quote of the Month - "In America the young are always ready to give to those who are older than themselves the full benefits of their experience." - Oscar Wilde.
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 – Preparing the Client Access Server (CAS) <http://www.isaserver.org/tutorials/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html>

* Microsoft Forefront TMG – Logging options in Forefront TMG <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Logging-options-Forefront-TMG.html>

* Overview of the TMG Firewall's Troubleshooting Node <http://www.isaserver.org/tutorials/Overview-TMG-Firewalls-Troubleshooting-Node.html>

* Kaspersky Anti-Virus Voted ISAserver.org Readers' Choice Award Winner - Anti Virus <http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-May10.html>

* What's New in Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 <http://www.isaserver.org/tutorials/Whats-New-Forefront-Threat-Management-Gateway-TMG-2010-Service-Pack1.html>

* Running the Web Access Policy Wizard <http://www.isaserver.org/tutorials/Running-Web-Access-Policy-Wizard.html>

* Overview of the Threat Management Gateway Networking Node <http://www.isaserver.org/tutorials/Overview-Threat-Management-Gateway-Networking-Node.html>

* A Closer Look at TMG 2010 Enterprise Edition Standalone Arrays <http://www.isaserver.org/tutorials/Closer-Look-TMG-2010-Enterprise-Edition-Standalone-Arrays.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

This month I have a great find for you! You might not have heard of it yet, but I'm going to tell you about it now! The new content is located on the new TechNet wiki. Did you know that TechNet had a wiki? They do now! And the cool thing about the wiki is that – in keeping with the wiki format - anyone can edit and contribute new content. For Microsoft, this is quite a break from the usual time-consuming editorial process that occurs before anything sees the light of day on their web site, and it makes for much more dynamic content. To see what's on the site already, you can check out the tag cloud here <http://social.technet.microsoft.com/wiki/contents/articles/tags/default.aspx>.

You'll find a lot of material on UAG and DirectAccess, but not so much on TMG. So if you want to see more material on TMG in the wiki, then write it! Let me know if you write a wiki article on TMG or UAG or DirectAccess and I'll publish the link in this newsletter.

Also, I wanted to point you to the two sessions Tom did on DirectAccess at TechEd, which are now up on the TechNet site. Check them out here <http://blogs.technet.com/b/tomshinder/archive/2010/06/30/solving-a-directaccess-client-blocked-6to4-connection.aspx>.


5. Tip of the Month
--------------------------------------------------------------

If you use NLB for your TMG or UAG deployment, there are some things you need to take into account. One of the most important decisions is whether you want to put TMG or UAG into a virtual deployment. Is the virtual deployment supported? Absolutely. However, if you use NLB, you have to make sure you configure the virtual interfaces to support it. In Windows Server 2008, NLB was supported in Hyper-V by default. However, if you are using Hyper-V in Windows Server 2008 R2, you'll need to enable it. You can look at the Properties of the virtual machine and click the interface and you'll see what appears in the figure below. If you want to enable NLB on the virtual machine, make sure that you put a checkmark in the Enable spoofing of MAC addresses checkbox.

<http://www.isaserver.org/img/upl/ISA-MWN-July10-1.jpg>
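The checkbox described above is a per-adapter setting, so on a host with several TMG or UAG guests it is easy to miss one. The following script is an added example (not from the newsletter) that audits every virtual network adapter for the MAC address spoofing setting and, only when asked, turns it on. It assumes the Hyper-V PowerShell module that ships with Windows Server 2012 and later (or RSAT); on Windows Server 2008 R2 the setting is only exposed through the VM settings dialog shown in the figure. The VM names and the `-Fix` switch are the script's own parameters.

```powershell
# Added example: report (and optionally enable) "Enable spoofing of MAC
# addresses" on Hyper-V guests that run NLB. Run on the Hyper-V host as an
# administrator. Assumes the Hyper-V PowerShell module (Server 2012+).
param(
    # VM names that host TMG/UAG NLB nodes; the default wildcard covers all VMs.
    [string[]]$VMName = @('*'),
    # Report only by default; pass -Fix to switch the setting on.
    [switch]$Fix
)

Import-Module Hyper-V -ErrorAction Stop

$findings = foreach ($vm in Get-VM -Name $VMName) {
    foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
        [pscustomobject]@{
            VM          = $vm.Name
            Adapter     = $nic.Name
            Switch      = $nic.SwitchName
            MacSpoofing = $nic.MacAddressSpoofing   # 'On' or 'Off'
        }
    }
}

$findings | Format-Table -AutoSize

# With spoofing Off the virtual switch drops frames carrying the NLB cluster
# MAC, so the node quietly stops receiving cluster traffic.
$needsFix = @($findings | Where-Object { $_.MacSpoofing -ne 'On' })

if ($needsFix.Count -gt 0 -and $Fix) {
    foreach ($f in $needsFix) {
        Set-VMNetworkAdapter -VMName $f.VM -Name $f.Adapter -MacAddressSpoofing On
        Write-Host "Enabled MAC address spoofing on $($f.VM) / $($f.Adapter)"
    }
} elseif ($needsFix.Count -gt 0) {
    Write-Warning ("{0} adapter(s) have MAC address spoofing Off; rerun with -Fix to enable." -f $needsFix.Count)
}
```

Run it without `-Fix` first and pass only the NLB nodes in `-VMName`: MAC spoofing disables the virtual switch's source-MAC check for that adapter, so it should be enabled on the adapters that carry the cluster VIP and left off on everything else, including the internal or management adapters of the same firewall VM.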


6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------

* DirectAccess Clearinghouse of Information
<http://technet.microsoft.com/en-us/network/dd420463.aspx>

* How Do I? DirectAccess
<http://technet.microsoft.com/en-us/windows/dd572177.aspx>

* The Forefront UAG DirectAccess Wizard Part 1
<http://www.windowsnetworking.com/articles_tutorials/Forefront-Unified-Access-Gateway-DirectAccess-Wizard-Part1.html>

* The Forefront UAG DirectAccess Wizard Part 2
<http://www.windowsnetworking.com/articles_tutorials/Forefront-Unified-Access-Gateway-DirectAccess-Wizard-Part2.html>


7. Blog Posts
--------------------------------------------------------------

* UAG DirectAccess Performance Information <http://blogs.isaserver.org/shinder/2010/07/22/uag-directaccess-performance-information/>

* The Edge Man Talks about DirectAccess and Ping Considerations <http://blogs.isaserver.org/shinder/2010/07/22/the-edge-man-talks-about-directaccess-and-ping-considerations/>

* Nice Video on TMG Firewall with NAP Enforcement <http://blogs.isaserver.org/shinder/2010/07/22/nice-video-on-tmg-firewall-with-nap-enforcement/>

* Navigating the Wilderness of CRL Checking <http://blogs.isaserver.org/shinder/2010/07/13/navigating-the-wilderness-of-crl-checking/>

* Microsoft Forefront Unified Access Gateway (UAG) 2010 Best Practices Analyzer Tool <http://blogs.isaserver.org/shinder/2010/07/13/microsoft-forefront-unified-access-gateway-uag-2010-best-practices-analyzer-tool/>

* Slipstream TMG Service Pack 1 <http://blogs.isaserver.org/shinder/2010/07/13/slipstream-tmg-service-pack-1/>

* Network Load Balancing and TMG Firewall Clients <http://blogs.isaserver.org/shinder/2010/07/13/network-load-balancing-and-tmg-firewall-clients/>

* Diogenes and Shinder Crank Out Three New Forefront Books <http://blogs.isaserver.org/shinder/2010/07/09/diogenes-and-shinder-crank-out-three-new-forefront-books/>

* TechEd 2010 Recordings on UAG DirectAccess <http://blogs.isaserver.org/shinder/2010/07/09/teched-2010-recordings-on-uag-directaccess/>

* The Edge Man Talks About DirectAccess and VPN <http://blogs.isaserver.org/shinder/2010/07/09/the-edge-man-talks-about-directaccess-and-vpn/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hi Deb,

I've got a large number of ISA firewalls that I want to upgrade to the TMG firewall. What are some of the things I need to be aware of before beginning the upgrade process?

Thanks! –Reginald B.


* ANSWER:

Hi Reginald,

Depending on what versions of ISA you have and what you want to upgrade them to, the upgrade process could be relatively easy or insanely difficult. However, if you want to upgrade to the same edition of TMG that you have for ISA, that will be a lot easier. In that case, all you need to do is export the ISA firewall's configuration to an XML file using the built-in backup feature and then use the TMG import feature to import the settings to the new TMG firewall. However, there are a few other things that you should remember in addition:

* TMG is a 64-bit application - so you won't be able to do an in-place upgrade.
* Make sure you export the certificates used on the ISA firewall and import them into the TMG firewall so that you can create the same web publishing rules using the same certificates.
* Remember the VPN certificates too, such as those used by L2TP/IPsec connections.

For a detailed description of the migration process, check out Marc Grote's article over here <http://www.isaserver.org/tutorials/How-migrate-Microsoft-ISA-Server-2006-Microsoft-Forefront-TMG.html>.
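The two certificate bullets in the answer are where migrations most often stall, usually because a listener or VPN certificate turns out to have a non-exportable private key and nobody notices until the TMG rule fails to bind. The script below is an added example (not part of Deb's answer) that inventories every certificate with a private key in the ISA firewall's machine store, exports each one as a password-protected PFX for import on the TMG box, and reports the ones that cannot be exported or are close to expiry. It uses only .NET classes available with PowerShell 2.0 on Windows Server 2003/2008; the output folder `$OutDir` and the 90-day expiry threshold are assumptions.

```powershell
# Added example: pre-migration inventory and PFX export of the ISA firewall's
# certificates (web listener, VPN/L2TP, etc.). Run on the ISA box as an
# administrator. $OutDir is an assumed path.
param(
    [string]$OutDir = 'C:\IsaMigration\Certs'
)

$null = New-Item -ItemType Directory -Path $OutDir -Force
$pfxPassword = Read-Host -AsSecureString 'PFX password'

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$report = foreach ($cert in $store.Certificates) {
    # Entries without a private key are CA or chain certificates; they are not
    # bound to listeners and are re-created on TMG simply by importing the CA.
    if (-not $cert.HasPrivateKey) { continue }

    $status = 'exported'
    $file = Join-Path $OutDir ("{0}.pfx" -f $cert.Thumbprint)
    try {
        # Export(Pfx, SecureString) includes the private key; it throws when the
        # key was enrolled as non-exportable.
        $bytes = $cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
            $pfxPassword)
        [System.IO.File]::WriteAllBytes($file, $bytes)
    } catch {
        # Typical cause: non-exportable key. The certificate has to be re-issued
        # (with an exportable key) before the same publishing rule can be built
        # on TMG.
        $status = 'NOT exported: ' + $_.Exception.Message
        $file = ''
    }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        # Flag certificates expiring within 90 days (assumed threshold) so they
        # are renewed on TMG rather than migrated and then replaced.
        Expiring   = ($cert.NotAfter -lt (Get-Date).AddDays(90))
        Status     = $status
        File       = $file
    }
}
$store.Close()

$report | Sort-Object NotAfter | Format-Table Subject, NotAfter, Expiring, Status, File -AutoSize
```

Keep the exported PFX files on removable media or an encrypted share, import them into the TMG firewall's Local Computer\Personal store with the same password, and delete the files once the TMG web listeners and VPN settings have been verified: each PFX carries the private key that the published sites' TLS security depends on.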

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2010. All rights reserved.