Wednesday, July 27, 2011

ISAserver.org - July 2011 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of July 2011
Sponsored by: Collective Software <http://www.collectivesoftware.com/isaserver.newsletter.201107.lockoutguard>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Should Microsoft bake the TMG Firewall into the OS?
--------------------------------------------------------------

With all the uncertainty surrounding Microsoft's plans and roadmap for TMG, today we're going to take a little journey into the future - or at least a speculative future - to examine the possibilities regarding what might (or might not) happen to TMG on down the line.

Since TMG runs on Windows Server, it makes sense to first think about where that product is headed. The next version of the Windows Server operating system is expected to be released sometime next year. It&#146;s now being referred to by some as Windows 8 Server, but let's say they call it Windows Server 2012 (that's not a far-fetched guess, given the names of the Windows Server operating systems for the last decade). The last major version was Windows Server 2008, and Windows Server 2008 R2 was released about two years after that. If we look at this pattern, it would not be unreasonable to assume that the subsequent version of Windows Server is going to be Windows Server 2016 and maybe there will be a release of Windows Server 2016 R2 in the year 2018.

The Windows Server operating systems traditionally have a 10 year support window, so this means if you buy Windows Server 2016 R2 operating system in 2018, it should be supported until the year 2028. Wow! When I think of these dates, it becomes clear to me that the next version of Windows or the version after that could very well be the last version of the Windows Server operating system.

If you paid attention to that last sentence, you&#146;re probably thinking, "What? Last version of Windows Server? Why?"
No, I'm not predicting that Microsoft is going to go out of business or that enterprises are going to be any less dependent on Microsoft a decade and a half from today than they are now. I'm just looking at the vast changes that are expected to come about in computing over the next couple of decades. If we do see the end of Windows Server as we know it, it will be because of the cloud.

There are a number of estimates regarding the timeframe within which almost all information will be stored in the public cloud. I know it doesn't sound realistic from today's perspective, but most forward thinkers in the industry seem to be confident that the cloud is going to take over just about every on-premises data center in existence today. While there are plenty of arguments from multiple viewpoints, I do agree that a high level of migration to the cloud is inevitable, whether I like it or not.

Sure, there are some organizations that will require their information to remain "in house" - but the nature of "in-house" is likely to change significantly. For example, that information might be hosted in isolated segments in a public cloud infrastructure. But even if companies need to keep information on-premises, it&#146;s unlikely that they will use a general purpose operating system that's available to everyone. Most likely it will be a custom operating system created by Microsoft (or maybe someone else) that will be bundled with private cloud hardware. The current viewpoint is that when the transition comes to fruition, almost no small, midsized and large businesses will host their own data centers. And if that happens, there won't be a viable business reason for Microsoft to make a general purpose Windows Server OS available. In fact, some would say the focus has already shifted to Azure, and that is likely to intensify in the future.

Of course, the situation of the client OS is very different. You will still need a client operating system to reach the public cloud. Sure, you could use a thin client for some purposes, but the more sophisticated that client, the better the cloud application performance is going to be, so there will still be a need for "fat clients." In addition, we know based on today's trends that multiple form factors are going to attach to public cloud resources - smart phones, netbooks, notebooks, desktop PC (yes! They are not ever going to disappear completely), pad PCs, and other form factors that we haven&#146;t even dreamed of yet. So, while Windows Server might go away in the next decade, the Windows client OS should be expected to get better and better and work across multiple device form factors. The Windows 8 client is likely going to be a preview of that future.

Taking all these things into consideration, it's clear that corporate networks will evolve to the point that there will be no reason to maintain a network perimeter. IPv6 should be well on its way to replacing IPv4 by the end of this decade, so point to point communications (which is what the founders of the protocol envisioned) will be a reality and no NAT devices will be used or required. Unfortunately for those who have built their livelihoods on them, it also means that network firewalls is one business you won't want to be in at that point.

So what does that mean for the TMG firewall and others of its ilk? What it doesn't mean is that the concept of the firewall will be obsolete. Because of the IPv6-enabled point to point connectivity over globally unique (public) IP addresses, it'll be more important than ever for each host on the network to have a powerful host-based firewall. The network firewall won't completely disappear; it will just be pushed back to the client and behind a host-based firewall.

This is where the TMG firewall has an advantage over other "hardware" based firewalls. TMG can be pushed back to the client pretty easily. Most client systems are way overprovisioned when it comes to processing and memory, so pushing the TMG "guts" into the clients wouldn't be unrealistic. While it's possible that the "hardware" firewall vendors will come up with their own host-based firewalls (or significantly improve the ones they currently have), what the other vendors don't have is tight integration with Group Policy and the Windows ecosystem management framework. With a host-based TMG firewall, you could quickly and easily attain centralized configuration, management and monitoring, which is less likely to be the case with a third party "hardware" firewall vendor's product. In addition, advances in host-based virtualization could enable you to run the TMG firewall in transparent mode in a virtual environment, completely independent of the client side operating system.

Bottom line: it's not a radical assumption that the TMG firewall could go away sometime this decade just because of the anticipated end of Windows Server. However, the soul of TMG is likely to live forever in the Windows client. What do you think? Is this pure fantasy? A distinct possibility? A sure thing? Totally insane? Let me know! Write to me at dshinder@isaserver.org and I'll share your comments and observations.



See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "If you require absolute security, remove all devices in your computer capable of I/O." - Anon.
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Test Lab Guide (Part 2) - Demonstrate TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server (Cont.)
<http://www.isaserver.org/tutorials/Test-Lab-Guide-Part2.html>

* What's going on during a Forefront TMG Installation?
<http://www.isaserver.org/tutorials/Whats-going-on-during-Forefront-TMG-Installation.html>

* Kaspersky Anti-Virus for Microsoft ISA Server Voted ISAserver.org Readers' Choice Award Winner - Anti Virus
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-for-Microsoft-ISA-Server-May11.html>

* Test Lab Guide (Part 1) - Demonstrate TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server
<http://www.isaserver.org/tutorials/Test-Lab-Guide-Part1.html>

* Content Caching with Forefront Threat Management Gateway (TMG) 2010
<http://www.isaserver.org/tutorials/Content-Caching-Forefront-Threat-Management-Gateway-TMG-2010.html>

* TMG Back to Basics - Part 8: SafeSearch, URL Filtering and Certificate Revocation Options
<http://www.isaserver.org/tutorials/TMG-Back-Basics-Part8.html>

* Tweaking the configuration of Forefront TMG with customized TMG XML configuration files
<http://www.isaserver.org/tutorials/Tweaking-configuration-Forefront-TMG-customized-TMG-XML-configuration-files.html>

* Administration Best Practices for the Forefront Threat Management Gateway (TMG) 2010 Firewall
<http://www.isaserver.org/tutorials/Administration-Best-Practices-Forefront-Threat-Management-Gateway-TMG-2010-Firewall.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

The SuperFlow interactive content model provides a structured and interactive interface for viewing documentation. Each SuperFlow includes comprehensive information about a specific dataflow, workflow, or process. Depending on the focus of the SuperFlow, you will find overview information, steps that include detailed information, procedures, sample log entries, best practices, real-world scenarios, troubleshooting information, security information, animations, or other information. Each SuperFlow also includes links to relevant resources, such as Web sites or local files that are copied to your computer when you install the SuperFlow. There is a SuperFlow available that provides information that helps you to troubleshoot Forefront TMG installation issues.

Download this Superflow over at http://www.microsoft.com/download/en/details.aspx?id=14939


5. Tip of the Month
--------------------------------------------------------------

If you enable web antimalware protection on your TMG firewall, the firewall will hold files for inspection either in memory or on disk to enable the inspection. The problem with this is that there is a pre-defined, limited amount of space allocated for this inspection. If the file size is larger than the amount of space allocated for inspection, then the file will not download. While this typically isn&#146;t a problem, it can be if you want to download very large files, such as application installers. There are two ways you can fix this: first, you can increase the storage limit size, which is done in the Properties dialog box for the Malware Inspection configuration, as seen in the figure below. The other option is to unbind the web proxy filter from the HTTP protocol. In general, it&#146;s better to change the file size limit, as unbinding the web proxy filter from the HTTP protocol could have negative security implications.

<IMAGE: http://www.isaserver.org/img/ISA-MWN-July11-1.jpg>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

*Lync Client Access via TMG Firewall*

Many organizations are deploying Lync for communications in the corporate environment, and now companies that might not be able to afford to set up and maintain their own Lync servers can have all the benefits of Lync via Office 365 &#150; but how do you allow Lync client access through the TMG firewall? You&#146;ll find some guidelines on the Microsoft Office 365 Forums website: http://community.office365.com/en-us/f/148/p/3849/20302.aspx

*Integrating Websense with Forefront TMG 2010*

Good news: beginning with the release of Websense Web Security/Web Filter v7.6, Websense now provides full support for integrating with Forefront TMG 2010 running on the latest Windows Server 2008 R2 operating system. Richard Hicks talks about it over on his site, so if you&#146;re interested in this scenario, be sure to check it out: http://tmgblog.richardhicks.com/2011/07/11/integrating-websense-web-security-and-web-filter-v7-6-with-forefront-tmg-2010/


7. Blog Posts
--------------------------------------------------------------

* Multicast Mode NLB Support in UAG
<http://blogs.isaserver.org/shinder/2011/07/06/multicast-mode-nlb-support-in-uag/>

* SuperFlow for Troubleshooting Forefront TMG Installation
<http://blogs.isaserver.org/shinder/2011/07/06/superflow-for-troubleshooting-forefront-tmg-installation-2/>

* Configuring UAG Behind an External Load Balancer
<http://blogs.isaserver.org/shinder/2011/07/06/configuring-uag-behind-an-external-load-balancer/>

* Security Configuration Wizard for Forefront TMG 2010 and Windows Server 2008 R2 SP1
<http://blogs.isaserver.org/shinder/2011/07/06/security-configuration-wizard-for-forefront-tmg-2010-and-windows-server-2008-r2-sp1/>

* What is the Default IP Address on the External Interface of Your TMG Firewall
<http://blogs.isaserver.org/shinder/2011/07/06/what-is-the-default-ip-address-on-the-external-interface-of-your-tmg-firewall/>

* Virtualize Your TMG Firewalls
<http://blogs.isaserver.org/shinder/2011/07/06/virtualize-your-tmg-firewalls/>

* Identifying Suspicious Activity on your Edge Device &#150; Part 1
<http://blogs.isaserver.org/shinder/2011/07/06/identifying-suspicious-activity-on-your-edge-device-part-1/>

* The TMG Core Test Lab Guide
<http://blogs.isaserver.org/shinder/2011/07/06/the-tmg-core-test-lab-guide/>

* Understanding ISA and TMG Updates
<http://blogs.isaserver.org/shinder/2011/07/06/understanding-isa-and-tmg-updates/>

* UAG as a Network Detective
<http://blogs.isaserver.org/shinder/2011/06/29/uag-as-a-network-detective/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

I have searched the Internet for this answer and nothing pops up. We have an old ISA 2000 firewall that we're migrating to ISA2006 on a new server. Most users access the firewall's web proxy service through applications directly, but there are some apps that don't have native proxy support that have the ISA client installed.

We need to determine which users/machines are using the client software. Are there entries in the firewall or web logs that identify when the ISA client was used vs. a direct connection?

Thanks! - Chris

ANSWER:

Hi Chris,

Great question! Yes, the ISA and TMG firewalls do log information that will help you determine which machines have the Firewall client installed. While both the web proxy and Firewall client configuration enable the users to authenticate to the firewall, only the Firewall client machines will send application information. You can see this in the log file viewer when you enable the Client Agent column, as seen in the figure below.

<IMAGE: http://www.isaserver.org/img/ISA-MWN-July11-2.jpg>

In addition, if you want to see the names of computers that are currently connected using the firewall client, you can go to the Monitoring node in the left pane of the console and then click the Sessions tab. In the Application name column, you&#146;ll see the applications that computers are using, along with the name of the computer and the user name. The figure below shows the Application Name column.

<IMAGE: http://www.isaserver.org/img/ISA-MWN-July11-3.jpg>

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2011. All rights reserved.

1 comment:

  1. Anonymous9:26 AM

    As above give a nice post. Any business can adapt and administer their own servers and hosting companies with GIS, they can all all-embracing maps and added geographic advice arrangement database access.

    mapserver hosting

    ReplyDelete