Wednesday, August 31, 2011

ISAserver.org - August 2011 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of August 2011
Sponsored by: Collective Software <http://www.collectivesoftware.com/isaserver.newsletter.201107.lockoutguard>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. How TMG Completes the Security Story for DirectAccess
--------------------------------------------------------------

As you might have heard my husband say from time to time (and it's something with which I completely agree), the DirectAccess client is like any other client on your intranet and you should take the same security precautions and configuration measures with DirectAccess clients that you would apply to any other client on your intranet. The reason for this is that the threat profile of the DirectAccess clients on the Internet is not very different from the client system on the intranet. They are always connected to the intranet, are always under the command and control of corporate IT, and therefore they don&#146;t fall out of compliance like traditional VPN clients - making them the equivalent of intranet clients when it comes to security.

There's only one problem with this reasoning. Clients on the intranet have their Internet access controlled by an Internet gateway filtering device, such as a TMG firewall. If the intranet client never leaves the intranet (a rare situation now, but common in the 20th century), then Internet access is always filtered and the threat landscape to which that client is exposed will be much smaller. In contrast, the default configuration for DirectAccess clients is to enable split tunneling, which means that while the DirectAccess client connects to intranet resources of the DirectAccess tunnels, it connects directly to the Internet hosts that it needs to connect to, without going through the DirectAccess tunnels.

However, you can close this hole in the DirectAccess client security story by using something called "Force Tunneling". When Force Tunneling is enabled on the DirectAccess client, all traffic will be forced through the DirectAccess tunnel, including traffic that's destined for the Internet. You can then configure the DirectAccess client to always use a web proxy on the intranet to connect to the Internet. And since there is no better web proxy based Internet security gateway than the TMG firewall, you can see how the TMG firewall solves this problem.

My husband Tom Shinder, along with fellow Microsoft employee Yuri Diogenes, did a webcast about this recently and you might want to check it out. This is part of their Security Talk with Tom Shinder and Yuri Diogenes: From Endpoint to Edge and Beyond. Check it out at http://technet.microsoft.com/en-us/edge/from-end-to-edge-and-beyond-episode-5

What do you think? Does the TMG firewall close the security story for DirectAccess clients? Is there anything else that's required to make them as secure as an intranet client? Does an "intranet client" even exist anymore, now that most companies allow their employees to take laptops home and on the road and then bring them back to work - so that all clients share a similar security profile? Let me know your opinions! Send me your feedback and I'll share it next month in the newsletter.

See you next month! - Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "Airplane travel is nature's way of making you look like your passport photo." - Al Gore
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Test Lab Guide (Part 4) - Demonstrate TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server (Cont.)
<http://www.isaserver.org/tutorials/Test-Lab-Guide-Part4.html>

* Overview of the Microsoft Reputation Service (MRS), Microsoft Malware Protection Center (MMPC) and other techniques
<http://www.isaserver.org/tutorials/Overview-Microsoft-Reputation-Service-MRS-Microsoft-Malware-Protection-Center-MMPC-other-techniques.html>

* Test Lab Guide (Part 3) - Demonstrate TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server (Cont.)
<http://www.isaserver.org/tutorials/Test-Lab-Guide-Part3.html>

* Using Connectivity Verifiers in Forefront Threat Management Gateway (TMG) 2010
<http://www.isaserver.org/tutorials/Using-Connectivity-Verifiers-Forefront-Threat-Management-Gateway-TMG-2010.html>

* Test Lab Guide (Part 2) - Demonstrate TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server (Cont.)
<http://www.isaserver.org/tutorials/Test-Lab-Guide-Part2.html>

* What's going on during a Forefront TMG Installation?
<http://www.isaserver.org/tutorials/Whats-going-on-during-Forefront-TMG-Installation.html>

* Kaspersky Anti-Virus for Microsoft ISA Server Voted ISAserver.org Readers&#146; Choice Award Winner - Anti Virus
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-for-Microsoft-ISA-Server-May11.html>

* Test Lab Guide (Part 1) - Demonstrate TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server
<http://www.isaserver.org/tutorials/Test-Lab-Guide-Part1.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

The Forefront TMG BPA (Best Practices Analyzer) is a diagnostic tool that automatically performs specific tests on configuration data collected on the local Forefront TMG computer from the Forefront TMG hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

The Forefront TMG BPA is supplied with two supplemental tools:

* The TMG Data Packager enables you to create a single .cab file containing Forefront TMG diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.

* BPA2Visio generates a Microsoft Office VisioĊ½ diagram of your network topology as seen from a Forefront TMG computer or any Windows computer based on output from Forefront TMG BPA. Note that Microsoft Office Visio 2003, 2007, or 2010 must be installed in order to run BPA2Visio.

Download the TMG Best Practices Analyzer over at http://www.microsoft.com/download/en/details.aspx?id=17730


5. Tip of the Month
--------------------------------------------------------------

Did you know that you can get information about the names of the people connecting through the TMG firewall as well as the names of the computers they are using and the names of the applications they&#146;re using to connect to the Internet through the TMG firewall? You can! All you have to do is install the TMG client (Firewall client) on the client systems and configure the TMG client to connect to the TMG firewall. The figure below shows an example of the information you get in real time in the Sessions tab. The (user and computer) names have been changed to protect the innocent. Of course, this information is also available in the logs, so you can search the log files for this kind of information as well. Or course, you need to make sure the TMG client is installed. Then you&#146;re ready to go!

IMAGE: <http://www.isaserver.org/img/ISA-MWN-August11-1.jpg>


6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------

*Lync Client Access via TMG Firewall*

Many organizations are deploying Lync for communications in the corporate environment, and now companies that might not be able to afford to set up and maintain their own Lync servers can have all the benefits of Lync via Office 365 &#150; but how do you allow Lync client access through the TMG firewall? You&#146;ll find some guidelines on the Microsoft Office 365 Forums website: http://community.office365.com/en-us/f/148/p/3849/20302.aspx

*Integrating Websense with Forefront TMG 2010*

Good news: beginning with the release of Websense Web Security/Web Filter v7.6, Websense now provides full support for integrating with Forefront TMG 2010 running on the latest Windows Server 2008 R2 operating system. Richard Hicks talks about it over on his site, so if you&#146;re interested in this scenario, be sure to check it out: http://tmgblog.richardhicks.com/2011/07/11/integrating-websense-web-security-and-web-filter-v7-6-with-forefront-tmg-2010/


7. Blog Posts
--------------------------------------------------------------

* Experts: Cyber Threats Can Be Defeated With Off-the-Shelf Software
<http://blogs.isaserver.org/shinder/2011/07/31/experts-cyber-threats-can-be-defeated-with-off-the-shelf-software/>

* Configuring Splunk Universal Forwarder on Forefront TMG 2010
<http://blogs.isaserver.org/shinder/2011/07/31/configuring-splunk-universal-forwarder-on-forefront-tmg-2010/>

* UAG IP Address Changes Not Visible in Configuration
<http://blogs.isaserver.org/shinder/2011/07/31/uag-ip-address-changes-not-visible-in-configuration/>

* Manage Internet Bandwidth and Quota by Integrating BSplitter with FF TMG 2010
<http://blogs.isaserver.org/shinder/2011/07/31/manage-internet-bandwidth-and-quota-by-integrating-bsplitter-with-ff-tmg-2010/>

* Forwarding on the 6to4 network interface cannot be enabled
<http://blogs.isaserver.org/shinder/2011/07/28/forwarding-on-the-6to4-network-interface-cannot-be-enabled-2/>

* Certainty with Certificates for UAG and DirectAccess
<http://blogs.isaserver.org/shinder/2011/07/28/certainty-with-certificates-for-uag-and-directaccess/>

* Reinstalling DirectAccess Interfaces
<http://blogs.isaserver.org/shinder/2011/07/28/reinstalling-directaccess-interfaces/>

* Slow POST attacks through Forefront TMG 2010
<http://blogs.isaserver.org/shinder/2011/07/28/slow-post-attacks-through-forefront-tmg-2010/>

* Microsoft NIS and the Misplaced State of the Art
<http://blogs.isaserver.org/shinder/2011/07/28/microsoft-nis-and-the-misplaced-state-of-the-art/>

* Multicast Mode NLB Support in UAG
<http://blogs.isaserver.org/shinder/2011/07/06/multicast-mode-nlb-support-in-uag/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

I&#146;m thinking about bringing in a TMG firewall but I have a question. I remember a few years ago I was looking at the ISA firewalls at the time, and one thing that was a problem for me was that there was no change tracking mechanism. As you know, the ability to audit the firewall for change tracking is important, especially from a troubleshooting perspective. Do you know if the TMG firewall has any improvements in this area?

Thanks! &#150;Edwin.


ANSWER:

Hey Edwin!

I have some good news for you - the TMG firewall does support change tracking. This is a feature that's included out of the box with the TMG firewall, although it was initially introduced with a service pack for ISA Server 2006. Just click the Troubleshooting node in the left pane of the console and then then click the Configure Change Tracking link in the Tasks Tab of the Task Pane. There you can enable or disable change tracking. After you enable it, you'll get detailed information about changes made to the TMG firewall, as seen in the figure below.

IMAGE: <http://www.isaserver.org/img/ISA-MWN-August11-2.jpg>

Finally, when you enable change tracking, you can control how many changes you want to store and whether you want to be prompted to provide a description of the changes you've made.


Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2011. All rights reserved.

No comments:

Post a Comment