Wednesday, December 22, 2010

ISAserver.org - December 2010 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of December 2010
Sponsored by: AGAT Software Solutions
<http://www.agatsolutions.com/AgatSite/AG_Security_Suite/AG_ActiveSync_Filter.aspx?site=isaorgnewsletter>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. My Three Wishes for TMG and UAG for 2011
--------------------------------------------------------------

It's the holiday season and many of you are probably taking some kind of vacation now and easing up a bit on the TMG firewalling planning. That's cool, because we're in the same place over here. But one thing we all do during this time of year is to think about wishes for the future. In that context, I'd like to share what my three wishes are for UAG and TMG in the coming year.

Why three? I picked three because if I listed all the things I wanted for TMG and UAG it would number in the hundreds! By picking three, I figure that if I'm nice and not naughty, I might get one of them.

So what are the three things I'd like to see?

*TMG Information Leakage Protection*
Information Leakage Protection (ILP) is a big topic these days. With the increasing popularity of web-based email and social networking, there is a lot of potential for information being released from the secure confines of your network and making it out to YouTube, Facebook, LinkedIn or Hotmail. And that&#146;s not a good thing. What is good is that all of these types of services use HTTP as their transport, and with the TMG firewall functioning as a world class web proxy server, there&#146;s no reason that the TMG firewall can&#146;t be a powerful tool to protect your organization from information leakage. Combine this with the powerful SSL inspection feature already included with the TMG firewall and this should make TMG the de facto choice for all businesses that care about ILP.

*UAG DirectAccess in the Cloud*
While I love my UAG DirectAccess connectivity with my on-premises UAG server, it does take a bit of configuration of the back-end requirements to get the entire solution working. While I was able to get everything up and running and working great in half a day, a big reason for that is that I have a small office and was able to use UAG Test Lab Guides to show me exactly how to get things working (for more information about Test Lab Guides, which can be found at the TechNet wiki <http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx>). But for bigger companies with hundreds or thousands or tens of thousands of employees, it might be better to have a cloud-based solution. There's no reason why Microsoft can't put UAG DirectAccess in the cloud and put together a cool cloud-based admin console that allows you to provision, de-provision, manage and monitor all of your DirectAccess connections. This would provide the best of both worlds - UAG DirectAccess always-on, always-connected and always managed and controlled, and the ubiquity of the cloud.

*TMG Web Protection in the Cloud*
The one hole in the entire UAG DirectAccess story is that hosts that are off the network are able to connect to web resources unfiltered. In contrast, hosts on the intranet that are behind a TMG firewall are always protected by the TMG web protection feature. Of course, hosts on the intranet normally move on and off the intranet and therefore are unprotected for that period of time that they're off, but that's another story. What would close the circle on the UAG DirectAccess security story is that if we had TMG web protection in the cloud and could force users to use the cloud-based TMG firewall for web protection when off the network, the DirectAccess client would indeed be no different than an intranet client in terms of its security posture. Let&#146;s hope that 2011 brings us a TMG cloud firewall option!

How about you? Do you have some TMG or UAG wishes for 2011? If so, let me know! Send me a note at dshinder@isaserver.org and I'll publish your wishes and maybe I can get Tom to tell the TMG and UAG Teams about what you're looking for in these products in 2011.

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "Faster, cheaper and better &#150; pick two". - Anon
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Microsoft Forefront TMG - How to use SQL Server 2008 Express Reporting Services <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-How-to-use-SQL-Server-2008-Express-Reporting-Services.html>

* TMG Back to Basics - Part 1: Server Publishing Rules <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part1.html>

* Microsoft Forefront TMG - Explaining the Forefront TMG SDK <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Explaining-Forefront-TMG-SDK.html>

* UAG Service Pack 1 Release Candidate DirectAccess Overview - Step 1: Clients and GPOs
<http://www.isaserver.org/tutorials/UAG-Service-Pack-1-Release-Candidate-DirectAccess-Overview-Step1.html>

* Forefront Threat Management Gateway (TMG) 2010 Firewall Client Features and Benefits <http://www.isaserver.org/tutorials/Forefront-Threat-Management-Gateway-TMG-2010-Firewall-Client-Features-Benefits.html>

* UAG DirectAccess the Easy Way
<http://www.isaserver.org/tutorials/UAG-DirectAccess-Easy-Way.html>

* GFI WebMonitor Voted ISAserver.org Readers' Choice Award Winner - Monitoring & Administration
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Monitoring-Administration-GFI-WebMonitor-Sep10.html>

* Microsoft Forefront TMG - Using the BranchCache feature in Forefront TMG SP1 <http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Using-BranchCache-feature-Forefront-TMG-SP1.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Everybody loves a contest and it looks as if Tom is running a UAG DirectAccess &#147;pros&#148; contest. There are a total of eight quizzes in two rounds of four quizzes each. If you win, you get a Starbuck's gift card. If you don't win, you still end up learning a whole bunch about UAG DirectAccess. Definitely a win/win situation! Check out the contest on Tom's Edge Man blog over at <http://blogs.technet.com/b/tomshinder/>


5. Tip of the Month
--------------------------------------------------------------

Many of you are using the TMG firewall as an endpoint in a site to site VPN connection. If you haven't done this, or didn&#146;t know that the TMG firewall could do this, a site to site VPN allows you to connect two networks to each other over the Internet. The site to site VPN acts as a VPN router which can take the place of a dedicated WAN link. TMG is a great way to do this, and it&#146;s pretty easy to configure. However, you might have gone through all the steps and found that it didn&#146;t work. Why? Because you need to enable VPN connectivity before the site to site VPN can be established. The Enable VPN Client Access command needs to be enabled, even if you don&#146;t want to allow remote access VPN clients access to the TMG firewall. The figure below shows the setting that you need to click.
<http://www.isaserver.org/img/upl/ISA-MWN-December-10-1.jpg>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

One of the big advantages of using the TMG firewall as your primary network firewall is the Network Inspection System (NIS). The NIS provides protection that no other firewall available on the market today can provide. Microsoft writes signatures for the NIS that allow you to take some time to validate security updates on your intranet before deploying them, which can end up saving you a lot of time and stress. For more information on how the Network Inspection System works and how it provides exceptional protection for your network, check out the NIS in TMG Whitepaper at <http://download.microsoft.com/download/F/4/0/F40887FD-648B-40E1-B79B-AAE43CEDCA4C/NIS%20in%20TMG%20Whitepaper.docx>


7. Blog Posts
--------------------------------------------------------------

TMG Firewall Site to Site VPN Connection Fails with Error 913 <http://blogs.isaserver.org/shinder/2010/12/09/tmg-firewall-site-to-site-vpn-connection-fails-with-error-913/>

Why Do Clients Behind TMG Firewalls Fail Windows Update? <http://blogs.isaserver.org/shinder/2010/12/09/why-do-clients-behind-tmg-firewalls-fail-windows-update/>

Support for NLB on VLAN Tagged or Teamed NICs <http://blogs.isaserver.org/shinder/2010/12/09/support-for-nlb-on-vlan-tagged-or-teamed-nics/>

Why are some NIS Signatures Disabled by Default? <http://blogs.isaserver.org/shinder/2010/12/09/why-are-some-nis-signatures-disabled-by-default/>

The Red Cross of IIS Hosted TMG Reports <http://blogs.isaserver.org/shinder/2010/12/09/the-red-cross-of-iis-hosted-tmg-reports/>

Where are My NICs? <http://blogs.isaserver.org/shinder/2010/12/09/where-are-my-nics/>

Software Update 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 <http://blogs.isaserver.org/shinder/2010/12/02/software-update-2-for-forefront-threat-management-gateway-tmg-2010-service-pack-1/>

Long NetBIOS Names May Interfere with UAG DirectAccess User Interface <http://blogs.isaserver.org/shinder/2010/12/02/long-netbios-names-may-interfere-with-uag-directaccess-user-interface/>

Error C0040431 on TMG Firewall Array Join <http://blogs.isaserver.org/shinder/2010/11/29/error-c0040431-on-tmg-firewall-array-join/>

HTTP Security Filter Settings for RPC/HTTPS and ActiveSync <http://blogs.isaserver.org/shinder/2010/11/24/http-security-filter-settings-for-rpchttps-and-activesync/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

I would like to know how to get Outlook to work with the Forefront Client. Thanks! - Stefan.

* ANSWER:

You bet! This is a common question and you can find the answer at <http://www.isaserver.org/articles/2004olpop3smtp.html>

* QUESTION:

Yo Deb,

I know that this might be heresy, but here's my situation - I'm a SQL DBA but I've been given the job of publishing my Exchange 2010 with the TMG firewall. What my boss wants me to do is use the TMG firewall to allow incoming connections to OWA, RPC/HTTPS and ActiveSync so that we have all of our Exchange remote access bases covered. Sounds like a good idea, right?

So I find a nice whitepaper on how to do this over at <http://www.microsoft.com/downloads/en/details.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022&displaylang=en>. The thing is - I don't want to have to deal with a lot of crazy pre-authentication stuff and different wizards that may or may not work. I was hoping that someone would have published a Test Lab Guide on how to do this, but I don't see any TMG Test Lab Guides at all, which sort of sucks.
Anyhow, after reading the white paper I figured I don&#146;t need to learn all that and all I want is to publish Exchange, not get a rocket to the Moon or Mars! Is there an easy way for me to make all these services available without having to do all this proxy stuff?
Thanks! - Ramon.

* ANSWER

Hi Ramon,

I feel your pain and know what you're talking about. There are a number of authentication issues and while the Exchange Team did a great job with that document, it's a very long read and there's no companion Test Lab Guide - which makes it hard to figure out how all the pieces work, especially for a guy like you who doesn&#146;t have a lot of extra time and TMG isn't your primary job.

What you can do - and it's not something I generally recommend - is to create an SSL (HTTPS) Server Publishing Rule for your Exchange Server. This isn't as secure as what you would get if you "did it right" (using the Exchange Web Publishing Wizards) but it will provide you with a level of security similar to what any other firewall would provide. You can learn about Server Publishing Rules in my recent article TMG Back to Basics - Part 1: Server Publishing Rules <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part1.html>

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2010. All rights reserved.

No comments:

Post a Comment