Wednesday, October 27, 2010

ISAserver.org - October 2010 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of October 2010
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201010.authlite>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Certificates and UAG DirectAccess
--------------------------------------------------------------

One of the more common questions regarding the UAG DirectAccess server relates to certificate requirements. The reason for this is that PKI is an important component of a DirectAccess solution. There are basically three places where you need to plan for certificate deployment in your UAG DirectAccess solution.

These three general areas include:

* Computer certificates
* Network Location Server certificates
* IP-HTTPS listener certificates

Computer Certificates

Computer certificates are used for client and server authentication on the UAG DirectAccess server and the DirectAccess clients. These certificates are usually generated by your private PKI using your Microsoft Certificate Server and deployed using autoenrollment. The computer certificates allow the clients to prove their identity to the UAG DirectAccess server and allow the UAG DirectAccess server to prove its identity to the DirectAccess clients. The certificates are required for authenticating both the intranet and infrastructure tunnels.

Network Location Server Web Site Certificates

A Network Location Server (NLS) is used by the DirectAccess client to determine whether it is on the intranet. If the DirectAccess client can establish an SSL session with a Network Location Server on the intranet, it knows that it is on the intranet; the DirectAccess client then turns off the Name Resolution Policy Table and uses the DNS server configured on the network interface, which is typically assigned to the client over DHCP. In order for the Network Location Server to accept SSL connections, it needs a web site certificate bound to the web site hosted by the Network Location Server. There are no special requirements for the Network Location Server - it can be any SSL site; no specific or special content is required.

IP-HTTPS Certificates

IP-HTTPS is an IPv6 transition protocol that allows the DirectAccess client to connect to the UAG DirectAccess server over the IPv4 Internet. IP-HTTPS encapsulates the IPv6 messages in an IPv4 header, wraps that in an HTTP header, and then encrypts it with SSL. As you can imagine, there's a lot of overhead in the protocol, but it does allow the DirectAccess client to reach the UAG DirectAccess server even when the client is located behind a port-restricted firewall or behind a web proxy server. In order to create an IP-HTTPS listener on the UAG DirectAccess server, you need to acquire a certificate for the listener. In general, you should use a commercial certificate for this, since the DirectAccess client needs to be able to check the CRL for the IP-HTTPS certificate, and commercial certificate providers have already built out a highly available CRL access infrastructure.

That's about it. The certificate requirements for UAG DirectAccess are not onerous or complex. There are no "special" certificates required, no special SAN entries, and no other "off-label" requirements. Most organizations will generate their own computer certificates and use autoenrollment, and most firms are going to create their own certificates for the Network Location Server. You could even use private certificates for the IP-HTTPS listener if you want, but you would then need to publish your private CRL so that Internet-connected clients can reach it. That's not too difficult, but you can make life easier using a commercial certificate, if for no other reason than that you don't need to create your own high availability solution for the CRL.
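As an added check that is not part of the newsletter and not Microsoft's or UAG's own tooling, the PowerShell script below inspects the three certificate roles just described from the Local Machine store of a domain-joined Windows host: it looks for a computer certificate carrying both the Client Authentication and Server Authentication EKUs, builds the chain of the IP-HTTPS listener certificate with an online revocation check and tests that every HTTP CRL distribution point in it answers, and confirms that an SSL session to the Network Location Server succeeds. It assumes PowerShell 3.0 or later (for Invoke-WebRequest); the IP-HTTPS public name and the NLS URL at the top are placeholders to replace with your own.

```powershell
# Added example, not from the newsletter or from Microsoft: verify the certificates a
# UAG DirectAccess deployment depends on. Run on the UAG server (sections 1 and 2) or
# on a domain-joined DirectAccess client (section 3 is what the client itself does).
$IpHttpsName = 'da.example.com'                 # placeholder: public name on the IP-HTTPS listener cert
$NlsUrl      = 'https://nls.corp.example.com/'  # placeholder: Network Location Server URL

$OidEku        = '2.5.29.37'            # Enhanced Key Usage extension
$OidCrlDistPts = '2.5.29.31'            # CRL Distribution Points extension
$EkuServerAuth = '1.3.6.1.5.5.7.3.1'
$EkuClientAuth = '1.3.6.1.5.5.7.3.2'

function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidEku }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidCrlDistPts }
    if (-not $ext) { return @() }
    # .NET exposes no typed class for this extension; pull the HTTP URLs out of its formatted text.
    return @([regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value })
}

function Test-ChainWithRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # fetch the CRL for real, as the DA client must
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    return [pscustomobject]@{ Valid = $valid; Status = $status }
}

$machineCerts = Get-ChildItem Cert:\LocalMachine\My

# 1. Computer certificate: both tunnels authenticate with it, so it needs Client and Server Authentication.
$computerCert = $machineCerts | Where-Object {
    $eku = Get-EkuOid $_
    ($eku -contains $EkuServerAuth) -and ($eku -contains $EkuClientAuth)
} | Select-Object -First 1
if ($computerCert) {
    "Computer cert: $($computerCert.Subject), expires $($computerCert.NotAfter)"
} else {
    'No computer certificate with both Client Authentication and Server Authentication EKUs found'
}

# 2. IP-HTTPS listener certificate: the client must be able to download its CRL from the Internet.
$ipHttpsCert = $machineCerts | Where-Object { $_.Subject -like "*CN=$IpHttpsName*" } | Select-Object -First 1
if ($ipHttpsCert) {
    $result = Test-ChainWithRevocation $ipHttpsCert
    "IP-HTTPS cert chain valid with online revocation check: $($result.Valid) $($result.Status -join '; ')"
    foreach ($url in Get-CrlUrl $ipHttpsCert) {
        try {
            $null = Invoke-WebRequest -Uri $url -UseBasicParsing -Method Head -TimeoutSec 10
            "CRL reachable: $url"
        } catch {
            "CRL NOT reachable: $url ($($_.Exception.Message))"
        }
    }
} else {
    "No certificate for $IpHttpsName in LocalMachine\My"
}

# 3. Network Location Server: any trusted SSL site will do; what matters is that the handshake succeeds.
try {
    $null = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 10
    "NLS SSL session OK: $NlsUrl"
} catch {
    "NLS SSL session FAILED: $NlsUrl ($($_.Exception.Message))"
}
```

Run the CRL portion from outside the corporate network as well as inside: a CRL URL that only resolves or routes internally is exactly the private-CRL publishing gap the text warns about, and the DirectAccess client on the Internet will fail the IP-HTTPS handshake even though the same check passes on the intranet.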

I hope you found this useful and that you'll find that PKI for UAG DirectAccess is pretty easy. If you have any questions on how to get your UAG DirectAccess PKI up and running, just let me know. Send me a note at dshinder@isaserver.org and I'll see what I can do to help you.

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "Most of what we call management consists of making it difficult for people to get their work done". - Peter Drucker
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Product Review: BNTC Software's Bandwidth Splitter
<http://www.isaserver.org/tutorials/Product-Review-BNTC-Softwares-Bandwidth-Splitter.html>

* More Basics: An Inside Look into TMG Firewall Networks
<http://www.isaserver.org/tutorials/More-Basics-Inside-Look-TMG-Firewall-Networks.html>

* Microsoft Forefront TMG - Using LDAP and RADIUS Authentication
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Using-LDAP-RADIUS-Authentication.html>

* Controlling Internet Access: A short Primer on TMG Access Rules - Part 4: TMG Networks and Network Rules
<http://www.isaserver.org/tutorials/Controlling-Internet-Access-Short-Primer-TMG-Access-Rules-Part4.html>

* Microsoft Forefront TMG - Publishing RD Web Access with RD Gateway (Part 2)
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html>

* Configuring Web Proxy Chaining with Forefront Threat Management Gateway (TMG) 2010 (Part 1)
<http://www.isaserver.org/tutorials/Configuring-Web-Proxy-Chaining-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html>

* Internet Access Monitor for MS ISA Server Voted ISAserver.org Readers' Choice Award Winner - Reporting
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Reporting-Internet-Access-Monitor-for-MS-ISA-Server-Jul10.html>

* Controlling Internet Access: A Short Primer on TMG Access Rules - Part 3: TMG Firewall Web Publishing Rule Basics
<http://www.isaserver.org/tutorials/Controlling-Internet-Access-Short-Primer-TMG-Access-Rules-Part3.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

An interesting collection of Twitter posts on how to configure the TMG firewall in an SBS/EBS environment. While I didn't go through every rule or recommendation to make sure they were valid, it does look like a useful list overall.

Check it out at <http://msmvps.com/blogs/steveb/archive/2009/10/08/mark-s-rules-for-tmg-firewall-client-mrftfc.aspx>


5. Tip of the Month
--------------------------------------------------------------

Performance issues with the ISA firewall are often caused by DNS problems. For a good review of how to troubleshoot and fix DNS resolution issues, see <http://www.windowsnetworking.com/articles_tutorials/10-Ways-Troubleshoot-DNS-Resolution-Issues.html>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Download TMG 2010 120-day trial at <http://technet.microsoft.com/en-us/evalcenter/ee423778.aspx>


7. Blog Posts
--------------------------------------------------------------

* Want to Work for Microsoft as TMG and UAG Support Engineer
<http://blogs.isaserver.org/shinder/2010/10/15/want-to-work-for-microsoft-as-tmg-and-uag-support-engineer/>

* TMG Firewall Malware Inspection - Where Bigger Isn't Better
<http://blogs.isaserver.org/shinder/2010/10/15/tmg-firewall-malware-inspection-where-bigger-isnt-better/>

* Jason Jones Awarded Forefront MVP Again
<http://blogs.isaserver.org/shinder/2010/10/13/jason-jones-awarded-forefront-mvp-again/>

* Publishing OCS 2007 R2 Web Components using Forefront UAG
<http://blogs.isaserver.org/shinder/2010/10/13/publishing-ocs-2007-r2-web-components-using-forefront-uag/>

* Congratulations to Richard Hicks for Second Year as Forefront MVP
<http://blogs.isaserver.org/shinder/2010/10/06/congratulations-to-richard-hicks-for-second-year-as-forefront-mvp/>

* More Free TMG Firewall Training from Richard Hicks
<http://blogs.isaserver.org/shinder/2010/10/06/more-free-tmg-firewall-training-from-richard-hicks/>

* ISAserver.org Top Posters
<http://blogs.isaserver.org/shinder/2010/09/29/isaserverorg-top-posters/>

* More UAG Books For You
<http://blogs.isaserver.org/shinder/2010/09/28/more-uag-books-for-you/>

* New Forefront TMG UAG and Server Protection Books Available Soon
<http://blogs.isaserver.org/shinder/2010/09/27/new-forefront-tmg-uag-and-server-protection-books-available-soon/>

* Cool Task Pane in the TMG Firewall Console System Node
<http://blogs.isaserver.org/shinder/2010/09/27/cool-task-pane-in-the-tmg-firewall-console-system-node/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

I've read that when you install UAG there is also TMG installed on the same computer. Can I use both the UAG and the TMG components? That is to say, can I configure the TMG like I would if the TMG were on a standalone box?

* ANSWER:

While that might sound like a good idea, in general you should stay away from the TMG console. There are a limited number of supported scenarios where you should go into the TMG console. For a list of scenarios where TMG configuration is supported on the UAG server, check out the UAG support boundaries document here <http://technet.microsoft.com/en-us/library/ee522953.aspx>.


Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright (c) ISAserver.org 2010. All rights reserved.
