Wednesday, May 25, 2011

ISAserver.org - May 2011 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of May 2011
Sponsored by: Collective Software <http://www.collectivesoftware.com/isaserver.newsletter.201105.authlite>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. TMG Frequently Forgotten Features
--------------------------------------------------------------

When you're working with the TMG firewall, you'll probably find that you spend most of your time with the URL Filtering and web antimalware features. Oh, and you probably also spend a significant amount of time publishing key services, such as Exchange and SharePoint, because the TMG firewall is probably the most secure way for you to publish these services.

While these high profile services are important and fun to work with, there are some cool nuggets of technology included with the TMG firewall that don't get nearly as much attention, but you might want to check some of them out and see whether they can solve a problem for you and your customers.

This is my short list of TMG features that are frequently forgotten or overlooked, or that you might not have even known about in the first place:

* Support for BranchCache
* Search the firewall rule set
* SSTP VPN Server
* NAP Support for VPN connections

Support for BranchCache

BranchCache allows you to cache CIFS/SMB and HTTPS content on a branch office network. In this scenario, you put the TMG firewall at the branch office and configure the TMG firewall as your site to site VPN server. When clients on the branch office network connect to file shares at the home office, that content will be cached on the TMG firewall so that when someone makes a request for the same content, the content will be returned from the TMG firewall's BranchCache instead of over the relatively slow site to site VPN connection. BranchCache also works for HTTP content, which gives you two choices for caching HTTP content: the TMG firewall's web proxy cache and the BranchCache HTTP content cache.

Search the firewall rule set

Did you know that you can search the firewall policy rule set now? Yes! This is something that we've been wanting for years and years and now we have it! You can go to the Firewall Policy node in the left pane of the console and you'll see, in the middle pane, the option to Search. You can search for a term in the name of the rule, search by protocol, and search by source or destination; in other words, you can search for almost anything. If you haven't tried out the TMG firewall policy search, zip over to the firewall console now and check it out!

SSTP VPN Server

SSTP is a new VPN protocol that allows you to create a VPN connection using an SSL connection. This allows you to VPN out through firewalls and web proxies that otherwise would block your PPTP or L2TP/IPsec connections. SSTP was actually available before TMG was released, but ISA didn't support SSTP. SSTP is very easy to set up with the TMG firewall and it works great! If you haven't tested it yet, give it a try. There are articles on the www.isaserver.org site that can help you get started on your SSTP testing adventure.

NAP Support for VPN connections

Network Access Protection (NAP) is a method you can use to control which machines can connect to your network. NAP can inspect the system state of the computer connecting to the VPN server and if the machine is not secure or does not meet your configuration and updating requirements, then the machine is blocked and won't be able to access resources on the intranet. You also have the option to remediate machines that aren't up to snuff in terms of security configuration and updates. NAP support for the TMG VPN server is nicely integrated and easy to set up. We also have articles on the www.isaserver.org site that can help you get up and running with your NAP deployment.

There you go! Do you have some favorite hidden or oft-overlooked features that you like on the TMG firewall? Let me know! Write to me at dshinder@isaserver.org and I'll share them. Thanks!

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "To be a champion requires more than simply being a strong player; one has to be a strong human being as well." - Anatoly Karpov.
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you, ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* TMG Back to Basics - Part 7: SharePoint Server Publishing <http://www.isaserver.org/tutorials/TMG-Back-Basics-Part7.html>

* Granular Control of HTTP Communication using Forefront Threat Management Gateway
<http://www.isaserver.org/tutorials/Granular-Control-HTTP-Communication-using-Forefront-Threat-Management-Gateway.html>

* GFI WebMonitor for ISA/TMG Voted ISAserver.org Readers' Choice Award Winner - Access Control
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Access-Control-GFI-WebMonitor-ISA-TMG-Mar11.html>

* TMG Web Proxy Client Concepts and Configuration (Part 2) <http://www.isaserver.org/tutorials/TMG-Web-Proxy-Client-Concepts-Configuration-Part2.html>

* ISAserver.org Readers' Choice Awards Yearly Round Up 2010 <http://www.isaserver.org/news/ISA-Readers-Choice-Awards-Yearly-Round-Up-2010.html>

* Configuring Forefront TMG client VPN access with NAP
<http://www.isaserver.org/tutorials/Configuring-Forefront-TMG-client-VPN-access-NAP.html>

* TMG Web Proxy Client Concepts and Configuration (Part 1)
<http://www.isaserver.org/tutorials/TMG-Web-Proxy-Client-Concepts-Configuration-Part1.html>

* Forefront TMG Advanced Web Protection Overview <http://www.isaserver.org/tutorials/Forefront-TMG-Advanced-Web-Protection-Overview.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Bypassing Forefront TMG for firewall client requests

Microsoft Forefront Threat Management Gateway (TMG) is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used (not to be confused with DirectAccess, the enterprise feature in Windows Server 2008 R2/Windows 7 and UAG).

Direct access enables Firewall client computers to do the following:

* Bypass the Microsoft Firewall Client configuration and connect directly to resources.
* Make Web proxy requests that bypass the Web proxy filter.

This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy.

For the details of this configuration, go to:
http://technet.microsoft.com/en-us/library/cc995133.aspx


5. Tip of the Month
--------------------------------------------------------------

Have you been wondering how to migrate from ISA 2006 to the brand new TMG firewall? Then check out this article by Marc Grote for all the details! http://www.isaserver.org/tutorials/How-migrate-Microsoft-ISA-Server-2006-Microsoft-Forefront-TMG.html


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

As anyone who was at this year's TechEd in Atlanta knows, these days it's all about the cloud. But one of the biggest obstacles to adoption of the cloud is the security concern. Another big concern is reliability - your users need continuous, uninterrupted access to their applications and data that are hosted in the cloud. In this article from TechNet Magazine, Yuri Diogenes explains how you can use TMG to provide secure access to cloud services while maintaining business continuity.

<http://technet.microsoft.com/en-us/magazine/gg607680.aspx>


7. Blog Posts
--------------------------------------------------------------

* Protecting your Weakest Point: On-Premise Resources <http://blogs.isaserver.org/shinder/2011/05/10/protecting-your-weakest-point-on-premise-resources/>

* A Solution to the "Forwarding on the 6to4 Interfaces Cannot be Enabled" Error <http://blogs.isaserver.org/shinder/2011/05/10/a-solution-to-the-forwarding-on-the-6to4-interfaces-cannot-be-enabled-error/>

* A New Tech Talk Show-Security Talk with Yuri Diogenes and Tom Shinder <http://blogs.isaserver.org/shinder/2011/05/10/a-new-tech-talk-showsecurity-talk-with-yuri-diogenes-and-tom-shinder/>

* UAG DirectAccess: Useful NETSH Commands <http://blogs.isaserver.org/shinder/2011/05/07/uag-directaccess-useful-netsh-commands/>

* Requiring Strong Authentication Only for Specific Published Paths or Sites <http://blogs.isaserver.org/shinder/2011/05/07/requiring-strong-authentication-only-for-specific-published-paths-or-sites-2/>

* You may receive a 550 Access is denied message to a MLSD command when accessing a FTP server published by Forefront TMG 2010 <http://blogs.isaserver.org/shinder/2011/05/07/you-may-receive-a-550-access-is-denied-message-to-a-mlsd-command-when-accessing-a-ftp-server-published-by-forefront-tmg-2010/>

* Forefront Threat Management Gateway (TMG) 2010 Troubleshooting Survival Guide <http://blogs.isaserver.org/shinder/2011/04/30/forefront-threat-management-gateway-tmg-2010-troubleshooting-survival-guide/>

* Requiring Strong Authentication Only for Specific Published Paths or Sites <http://blogs.isaserver.org/shinder/2011/04/30/requiring-strong-authentication-only-for-specific-published-paths-or-sites/>

* Do You Need TMG and UAG on Your Network? <http://blogs.isaserver.org/shinder/2011/04/29/do-you-need-tmg-and-uag-on-your-network/>

* Certificates and the UAG DirectAccess Server
<http://blogs.isaserver.org/shinder/2011/04/29/certificates-and-the-uag-directaccess-server/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hi Deb!

Quick question - do I need to put a firewall in front of my UAG DirectAccess server?

Thanks!
Damon

ANSWER:

Hey Damon! In general, you don't really need a firewall in front of the UAG DirectAccess server because the TMG firewall is on the same machine and can and does provide as high a level of security as, or a higher level than, a typical hardware firewall.

However, in many cases there are hard coded policies and practices used in an organization that require that you put a "hardware" firewall in front of anything that is software (I know, it sounds silly, but the practice dates back to the 1990s, more than a decade ago). In that case, you need to make sure that you allow the IPv6 transition technology traffic to the external interface of the UAG DirectAccess server. For 6to4 you need to allow IP Protocol 41, for Teredo you need to allow UDP port 3544 and for IP-HTTPS you need to allow TCP port 443.
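Added example, not from the newsletter: a small Python audit that reads constructed iptables-style deny logs from an edge firewall and reports which of the three DirectAccess transports named above (6to4 = IP protocol 41, Teredo = UDP 3544, IP-HTTPS = TCP 443) are being dropped on their way to the UAG external address. The log format, the sample addresses and all function names are assumptions; adapt the regex to your own firewall's log format.

```python
import re

# Transport each DirectAccess transition technology needs at the edge (from the answer above).
REQUIRED = {
    "6to4": {"proto": 41, "port": None},    # IPv6-in-IPv4 encapsulation, no port
    "Teredo": {"proto": 17, "port": 3544},  # UDP 3544
    "IP-HTTPS": {"proto": 6, "port": 443},  # TCP 443
}
PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}

# Assumed iptables-style log format: "DROP ... DST=a.b.c.d PROTO=UDP ... DPT=3544"
LOG_RE = re.compile(
    r"(?P<action>DROP|ACCEPT).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return a dict with action, dst, numeric proto and dst port, or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    proto_num = int(proto) if proto.isdigit() else PROTO_NUM.get(proto)
    port = int(m.group("dpt")) if m.group("dpt") else None
    return {"action": m.group("action"), "dst": m.group("dst"), "proto": proto_num, "port": port}

def technology_for(proto, port):
    """Map (protocol number, destination port) to the DirectAccess transport it carries."""
    for name, need in REQUIRED.items():
        if need["proto"] == proto and (need["port"] is None or need["port"] == port):
            return name
    return None

def blocked_transitions(lines, da_external_ip):
    """Count drops per DirectAccess transport destined for the UAG external address."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["action"] != "DROP" or rec["dst"] != da_external_ip:
            continue  # unrelated traffic, or traffic that was allowed
        tech = technology_for(rec["proto"], rec["port"])
        if tech:
            counts[tech] = counts.get(tech, 0) + 1
    return counts

# Constructed sample log: Teredo and 6to4 dropped, IP-HTTPS allowed, telnet drop and a
# drop to another host are noise that must not be counted.
SAMPLE_LOG = [
    "May 25 10:01:02 edge kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=52111 DPT=3544",
    "May 25 10:01:03 edge kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=41",
    "May 25 10:01:05 edge kernel: ACCEPT IN=eth0 SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443",
    "May 25 10:01:06 edge kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=23",
    "May 25 10:01:07 edge kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.99 PROTO=UDP SPT=40003 DPT=3544",
]
```

Running `blocked_transitions(SAMPLE_LOG, "203.0.113.10")` on the constructed log reports Teredo and 6to4 as blocked, which tells you which of the three allow rules is missing on the edge device.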

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2011. All rights reserved.
