ISAserver.org Monthly Newsletter of September 2010
Sponsored by: Wavecrest Computing
<http://www.wavecrest.net/searchad/ISA/ioe_isa_general.html?utm_source=isaserver_org&utm_medium=email&utm_campaign=ioe_june10>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org
1. What's New in TMG Service Pack 1
--------------------------------------------------------------
It's service pack time again - and this time it's for the TMG firewall. Service packs are always fun. Even though there have been times when Microsoft has said that they're not going to include any new features or capabilities with service packs, that just never seems to happen. So while there are no more Easter eggs in our software, at least we can look forward to new and fun things that come in with service packs.
TMG SP1 is no exception. There are several new things in the service pack that I think you'll like. Check out this list of new and improved features that you get with TMG SP1:
- A new user activity report that provides information about a particular user's activity. We've been asking for this for years!
- The TMG reports sport a new look and feel. You'll be proud to show your boss these professional looking reports.
- You can configure URL filtering in a way that allows users to choose whether or not they want to violate your access policy. Of course, as the administrator, you'll be notified of this when it happens, and then you can go to the user and find out why they felt the need to violate the access policy. This is also helpful in fine-tuning your URL filtering requirements.
- You can override URL filtering categories on an enterprise level, so that you don't need to configure the same settings over and over on a per-array basis.
- The pages that users see when they're denied access can be customized with your favorite message of love – whatever you want them to see when they decide that they just have to go to those "adult" sites they're so fascinated with.
- There's new support for BranchCache when the TMG firewall is installed on Windows Server 2008 SP1 or above.
- The TMG firewall can now be installed on a Read-only Domain Controller - making the TMG firewall an even more compelling branch office firewall solution.
- The SharePoint wizard has been updated so that it now supports publishing SharePoint 2010.
Overall, I've found the TMG SP1 experience to be a pretty good one. It is a little quirky when it comes to installation as you can't just double click the SP1 file and expect it to work (as with previous TMG service packs). Make sure to read the manual before running the service pack. However, outside of the need to read the instructions before installing SP1, it's a nice upgrade, especially the enhancements to reports.
While not related to TMG SP1, I do want to mention that if you're running the Exchange Edge role on the TMG firewall, you might NOT want to install Exchange Server 2010 SP1 on the TMG firewall. There are apparently some issues with the Exchange 2010 SP1 that can do some pretty unfortunate things to your TMG firewall email hygiene solution. So until you hear otherwise, stay clear of Exchange 2010 SP1 on your TMG firewall. For more information on this problem, check out the TMG firewall Team Blog <http://blogs.technet.com/b/isablog/archive/2010/09/01/problems-when-installing-exchange-2010-service-pack-1-on-a-tmg-configured-for-mail-protection.aspx>.
See you next month! - Deb.
dshinder@isaserver.org
=======================
Quote of the Month - "Most of what we call management consists of making it difficult for people to get their work done". - Peter Drucker
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* Internet Access Monitor for MS ISA Server Voted ISAserver.org Readers’ Choice Award Winner - Reporting
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Reporting-Internet-Access-Monitor-for-MS-ISA-Server-Jul10.html>
* Controlling Internet Access: A Short Primer on TMG Access Rules - Part 3: TMG Firewall Web Publishing Rule Basics <http://www.isaserver.org/tutorials/Controlling-Internet-Access-Short-Primer-TMG-Access-Rules-Part3.html>
* Controlling Internet Access: A Short Primer on TMG Access Rules (Part 2) <http://www.isaserver.org/tutorials/Controlling-Internet-Access-Short-Primer-TMG-Access-Rules-Part2.html>
* Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1) <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part1.html>
* Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010 Part 2 – Configuring TMG <http://www.isaserver.org/tutorials/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html>
* Controlling Internet Access: a Short Primer on TMG Access Rules (Part 1) <http://www.isaserver.org/tutorials/Controlling-Internet-Access-Short-Primer-TMG-Access-Rules-Part1.html>
* Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 – Preparing the Client Access Server (CAS) <http://www.isaserver.org/tutorials/Publishing-Exchange-Outlook-Web-App-OWA-Microsoft-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html>
* Microsoft Forefront TMG – Logging options in Forefront TMG <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Logging-options-Forefront-TMG.html>
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
Did you know that after you install Service Pack 1 on the TMG firewall that you also get some new functionality around BranchCache? That's right! With Service Pack 1, the TMG firewall can be configured as a BranchCache server in the branch office. There's a new wizard included in the TMG firewall console that makes it happen. For more information on TMG firewall BranchCache integration, check out the Interoperability of BranchCache solution guide <http://technet.microsoft.com/en-us/library/ee658159.aspx>.
5. Tip of the Month
--------------------------------------------------------------
Here's my tip of the month: RTFM - Read that fantastic manual! OK, you already knew that, but why I do bring up this issue now? Mostly because of TMG Service Pack 1. I know that over the years, we've taken it for granted that all you have to do is download the service pack, double click on the file, and away you go. Well, those were the good old days - and they're over. With TMG Service Pack 1, there's a lot of stuff you need to do before entering into the service pack game. If you haven't installed TMG Service Pack 1 yet, then don't. At least, don't install it until you've read Installing Forefront TMG SP1 <http://technet.microsoft.com/en-us/library/ff717843.aspx> on the Technet site.
6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------
* What's New in Forefront TMG 2010?
<http://technet.microsoft.com/en-us/library/ff686709.aspx>
* Release Notes for Forefront TMG 2010 SP1
<http://technet.microsoft.com/en-us/library/ff686708.aspx>
* Troubleshooting TMG NLB
<http://technet.microsoft.com/en-us/library/ff849728.aspx>
* Troubleshooting TMG Reporting
<http://technet.microsoft.com/en-us/library/ff849731.aspx>
* Forefront TMG is SIP-aware
<http://technet.microsoft.com/en-us/library/ee690384.aspx>
7. Blog Posts
--------------------------------------------------------------
* New Forefront UAG - TMG - FPE and FPSP Books Coming Soon <http://blogs.isaserver.org/shinder/2010/09/03/new-forefront-uag-tmg-fpe-and-fpsp-books-coming-soon/>
* Microsoft Forefront Unified Access Gateway (UAG) Administrator's Handbook - Pre-Order Now! <http://blogs.isaserver.org/shinder/2010/09/03/microsoft-forefront-unified-access-gateway-uag-administrators-handbook-pre-order-now/>
* Update Center for Microsoft Forefront and Related Technologies <http://blogs.isaserver.org/shinder/2010/09/03/update-center-for-microsoft-forefront-and-related-technologies/>
* Microsoft Operations Framework Reliability Workbook for UAG <http://blogs.isaserver.org/shinder/2010/08/31/microsoft-operations-framework-reliability-workbook-for-uag/>
* When to Put the TMG Firewall on Your Network Edge <http://blogs.isaserver.org/shinder/2010/08/31/microsoft-operations-framework-reliability-workbook-for-uag/>
* UAG DirectAccess Performance Information <http://blogs.isaserver.org/shinder/2010/08/28/uag-directaccess-performance-information-2/>
* Hyper-V Update Might Improve TMG Performance <http://blogs.isaserver.org/shinder/2010/08/27/hyper-v-update-might-improve-tmg-performance/>
* Running Windows Update on a TMG Firewall Fails with Result Code 80072EE2 <http://blogs.isaserver.org/shinder/2010/08/23/running-windows-update-on-a-tmg-firewall-fails-with-result-code-80072ee2/>
* TMG SP1 Reporting Improvements <http://blogs.isaserver.org/shinder/2010/08/23/tmg-sp1-reporting-improvements/>
* Speaking of Interface Binding Order - Performance Issues <http://blogs.isaserver.org/shinder/2010/08/20/speaking-of-interface-binding-order-performance-issues/>
8. Ask Sgt Deb
--------------------------------------------------------------
* QUESTION:
I just read about Direct Access in the monthly mail from ISAserver.org - interesting as always!
One issue that comes to my mind when reading about this new exciting way to connect to the company infrastructure is: split tunneling! Is this an issue that has to be considered?
We have the computer to establish a connection to internal resources but it also has direct access to the internet. If yes, then managing local firewall to enforce company rules and keeping anti-virus up-to-date will be more important than ever as there is no perimeter defense at all.
Or maybe there is a way to ensure all traffic will flow through company firewall?
I guess this could be the next show stopper for a Direct Access implementation, at least in my company. Maybe this is something you could write about as a follow up?
Cory
* ANSWER:
The issue of split tunneling was an important one in the past because of the nature of malware and how malware was constructed. However, now that we're into the second decade of the 21st century, the issues that were important in those discussions around split tunneling are no longer so significant. In fact, most network security analysts don't consider split tunneling to be a security issue any longer. This is especially true for DirectAccess clients. Tom did a nice piece on split tunneling and DirectAccess access in his "Edge Man" blog <http://blogs.technet.com/b/tomshinder/archive/2010/03/02/why-split-tunneling-is-not-a-security-issue-with-directaccess.aspx> which you should check out.
This is why split tunneling is enabled by default for DirectAccess clients. However, all clients, not just DirectAccess clients, need to be fully managed and kept up to date with security fixes, anti-malware signatures, and it should be confirmed that they meet the security configuration requirements for your network. In this respect, DirectAccess clients are no different from any other client machines on your intranet. Just as with your intranet clients, you need to make sure that NAP is enabled, that two-factor authentication is required, and that all machines have BitLocker enabled.
However, if you absolutely can't deploy DirectAccess without disabling split tunneling, you do have the option to enable something that we call "force tunneling". With Force Tunneling, you can force all traffic through the DirectAccess connection and prevent the DirectAccess client from connecting directly to the Internet. However, Force Tunneling does require that you use IP-HTTPS, which is the least performant of all the IPv6 transition technologies that the DirectAccess client on the Internet can use. In addition, if you have an application that won't work over DirectAccess, you won't have a workaround (such as using an Internet application gateway) to enable the use of that application. There are some other requirements, which you can read about here <http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx> .
Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2010. All rights reserved.
No comments:
Post a Comment