Search This Blog

Wednesday, August 25, 2010

ISAserver.org - August 2010 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of August 2010
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201006.authlite>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. UAG DirectAccess Test Lab Guides
--------------------------------------------------------------

I write a lot about DirectAccess these days and that's because I really do love DirectAccess. DirectAccess has changed the way that I work when I&#146;m away from the office. DirectAccess solves all the problems I ever had in the past with working remotely while maintaining tight control over computers that belong to my managed environment. This normally translates into stress and strain relief I used to have when in the process of getting a VPN connection to work. Even more important, I don&#146;t have to worry about all those application gateways I used to need in order to allow secure remote access to the services back at my office. DirectAccess has made me universally productive!

I found the pot of gold at the end of the path to DirectAccess. However, for many folks, that path may have some potholes and bumps along the way. DirectAccess is a new technology. In fact, it's not really a technology at all &#150; it&#146;s a collection of technologies that, when you wrap them all together, is called &#147;DirectAccess&#148;. And that&#146;s sort of the rub. There are a number of different technologies involved; some you may know a lot about (such as DNS) and some that you might not be as good with (such as PKI, IPsec, and IPv6). It's the latter group that can sometimes get you in trouble, since they all have to work together.

One thing that I&#146;ve always seen as making a big difference is test labs. Microsoft has a history of putting out test labs for some of its technologies and I found that if I worked through a test lab, things usually fell into place more quickly. A good example of that is NAP. If you just go through the NAP documentation, you may find it very confusing. There are many new terms and a lot of different services that have to work together before you can get NAP working. However, I went through the NAP step-by-step guide here <http://www.microsoft.com/downloads/details.aspx?FamilyID=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en> , and things started to make sense! Now I consider myself pretty good with NAP, although I wouldn&#146;t call myself a NAP expert.

The same thing happened when I was testing Tom&#146;s new Test Lab Guides for UAG DirectAccess. Test Lab Guides are like step-by-step guides, but they&#146;re step-by-step guides on steroids. One nice thing about the Test Lab Guides is that they all build on one another, so that I can use my Hyper-V server to save snapshots of each of the Test Lab Guides, and then test new configurations without having to build the labs each time. I've been able to test all the scenarios that Tom put together, and even came up with a few of my own, which I might put up as Test Lab Guide extensions on the TechNet wiki in the future.

If you&#146;re considering UAG DirectAccess, I highly recommend that you check out the UAG DirectAccess Test Lab Guides. Tom has written them for a number of scenarios, including UAG DirectAccess with Array and NLB deployment, DirectAccess with NAP, and troubleshooting Test Lab Guides for UAG DirectAccess and UAG DirectAccess with NAP. To give you a head&#146;s up, he's told me that he&#146;s going to create more UAG DirectAccess Test Lab Guides that include how to set up and configure the DirectAccess Connectivity Assistant (DCA) and a Test Lab Guide for how to configure UAG to support all the UAG server roles, which includes DirectAccess, SSL VPN (portal) and SSTP. Cool!

Let me know if you are interested in any other specific scenarios for UAG DirectAccess Test Lab Guides. I&#146;ll tell Tom (his office is 15 feet from me) and hopefully he&#146;ll get to work on it quickly. Also, I'm trying to get Tom to tell his team to create TMG Test Lab Guides, because TMG can be pretty complicated, too.

Check the "Content of the Month" section of this newsletter for the link to Test Lab Guides. Also, if you want to learn more about the entire Test Lab Guide concept and how it's going to be used at Microsoft, check out Tom&#146;s &#147;Edge Man&#148; blog post on the subject over here <http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx>.

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "The urge to save humanity is almost always only a false face for the urge to rule it." - H. L. Mencken.
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Microsoft Forefront TMG - Publishing RD Web Access with RD Gateway (Part 1)
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part1.html>

* Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010 Part 2 - Configuring TMG
<http://www.isaserver.org/tutorials/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html>

* Controlling Internet Access: a Short Primer on TMG Access Rules (Part 1)
<http://www.isaserver.org/tutorials/Controlling-Internet-Access-Short-Primer-TMG-Access-Rules-Part1.html>

* Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 - Preparing the Client Access Server (CAS)
<http://www.isaserver.org/tutorials/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html>

* Microsoft Forefront TMG - Logging options in Forefront TMG
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Logging-options-Forefront-TMG.html>

* Overview of the TMG Firewall's Troubleshooting Node
<http://www.isaserver.org/tutorials/Overview-TMG-Firewalls-Troubleshooting-Node.html>

* Kaspersky Anti-Virus Voted ISAserver.org Readers' Choice Award Winner - Anti Virus
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-May10.html>

* What's New in Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
<http://www.isaserver.org/tutorials/Whats-New-Forefront-Threat-Management-Gateway-TMG-2010-Service-Pack1.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Test Lab Guides! As I said in the editorial, you don't really know how to do things until you actually do them. So Test Lab Guides are the way to go. For a list of all the Test Lab Guides, head on over to the Test Lab Guide clearinghouse over here <http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx>.


5. Tip of the Month
--------------------------------------------------------------

There&#146;s no doubt that the TMG firewall provides one of the best VPN servers on the market. It&#146;s just so easy to set up and configure while at the same time, it enables powerful user/group/protocol/sites/source/destination/time-of-day and more access controls. If you've used the TMG firewall (or the ISA firewall in the past), you know that you need to enable the VPN server, configure the protocols you want to allow the VPN clients to use, and define the groups that you want to access the VPN. You get that all set up and click Apply and you think that's it, right? The next thing you know, users are calling you and wanting to know when the VPN server is going to be online. What&#146;s up with that? What's up with that is that you forgot to create access rules that allow the VPN clients access to the internal network. I've made that mistake before, so if you've made it, we're both in good company. Keep this in mind the next time you configure a TMG firewall as a remote access VPN server.


6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------

* TMG Deployment Checklist
<http://technet.microsoft.com/en-us/library/dd440986.aspx>

* Interoperability with BranchCache Solution Guide
<http://technet.microsoft.com/en-us/library/ee658159.aspx>

* Enabling NAP Protection for TMG VPN Clients
<http://technet.microsoft.com/en-us/library/dd440978.aspx>

* What is a Standalone Array?
<http://technet.microsoft.com/en-us/library/dd440981.aspx>

* Toxic Waste Configurations - Unsupported by TMG
<http://technet.microsoft.com/en-us/library/ee796231.aspx>


7. Blog Posts
--------------------------------------------------------------

* TMG Support Secure TLS Renegotiation Extension
<http://blogs.isaserver.org/shinder/2010/08/13/tmg-support-secure-tls-renegotiation-extension/>

* TMG &#150; Unable to Publish Web Sites on Alternate Ports
<http://blogs.isaserver.org/shinder/2010/08/13/tmg-unable-to-publish-web-sites-on-alternate-ports/>

* How to Publish Your Private CRL with UAG
<http://blogs.isaserver.org/shinder/2010/08/07/how-to-publish-your-private-crl-with-uag/>

* L2TP Connections Fail from Behind a NAT Device
<http://blogs.isaserver.org/shinder/2010/08/07/l2tp-connections-fail-from-behind-a-nat-device/>

* TMG Secure - ASA Not So Much
<http://blogs.isaserver.org/shinder/2010/08/07/tmg-secure-asa-not-so-much/>

* Enabling Hyper-V Management Through DirectAccess
<http://blogs.isaserver.org/shinder/2010/07/30/enabling-hyper-v-management-through-directaccess/>

* TMG and v3 Certificates
<http://blogs.isaserver.org/shinder/2010/07/29/tmg-and-v3-certificates/>

* Synchronous and Asynchronous Configuration Changes in ISA and TMG
<http://blogs.isaserver.org/shinder/2010/07/29/synchronous-and-asynchronous-configuration-changes-in-isa-and-tmg/>

* New UAG DirectAccess Lab Content Available
<http://blogs.isaserver.org/shinder/2010/07/29/new-uag-directaccess-lab-content-available/>

* UAG DirectAccess Performance Information
<http://blogs.isaserver.org/shinder/2010/07/22/uag-directaccess-performance-information/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hi Deb,

My name is Manoj. I read your blog that compares Microsoft UAG vs TMG. Thanks for clarifying the scenarios where you would use one versus the other.
If it is not too much of a trouble, could you please help me answer some of my questions on UAG?
I am looking for a reverse proxy solution for our web applications - some of the applications are for public customers (with and without authentication) while some of them are for employees only (with authentication). These applications will be deployed inside our network and the reverse proxy will be in the DMZ.

The questions that I have are:

1. Do you think UAG is a good solution for this or is there a better solution that you would recommend?
2. Based on a quick look at the docs, UAG seems to provide access to the backend app through a portal-type page. Is it possible to set it up so that it acts as a "passthrough" load balancer with caching support? (Basically, I don&#146;t want to route customers first to a UAG page; instead they should be able to go to the back end application in a transparent way)
3. Would you happen to know a ballpark pricing for UAG vs TMG (not looking for an exact number, just wanted to get a feel for the price)
4. From a performance/scalability stand point for the reverse proxy scenario, how does UAG fare against TMG?
5. I was also looking at a couple of non-Microsoft reverse proxy solution. Performance-wise, do you happen to know how UAG compares with Squid?

Thanks a lot in advance. -- Manoj


* ANSWER:

Hi Manoj,

Good questions! Here&#146;s my take on these issues:

1. UAG is a great solution for reverse proxy, especially if you have multiple authentication repositories that you want to use. TMG works fine too, but it doesn't support as many authentication providers as UAG.
2. UAG's focus is mainly on portal access, although you can configure applications to pass through like they do with the TMG firewall&#146;s reverse proxy solution. Both UAG and TMG provide integrated support for NLB, so you have high availability built into the box in both cases.
3. UAG is much more expensive than TMG. TMG is per-processor licensing while UAG is per-user licensing. For details on UAG licensing check out this page <http://www.microsoft.com/forefront/unified-access-gateway/en/us/licensing-faq.aspx>
4. It's difficult to get hard numbers for UAG and TMG performance, but TMG is a more mature product and the web listeners are different. TMG uses the TMG specific web listeners, whereas UAG uses ISATAP filters for IIS. Because TMG is the more mature product, if I had to guess, I would say that for reverse proxy purposes TMG will be more stable and more performant overall.
5. From tests I've seen comparing Squid with ISA, the results were that ISA turned out to be a higher performance solution. The same should hold true for TMG, which is the new ISA. Of course, this depends on the hardware on which you're going to run TMG. If you use NLB, there is a performance cut-off of around 500 Mbps, so if you need more bandwidth, you might want to consider an external load balancer. Reverse proxy on a single TMG firewall should be about 350Mbps.

I hope this helps answer your questions. Let me know what you decide to go with! &#150; Deb.


Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2010. All rights reserved.

No comments: