ISAserver.org Monthly Newsletter of January 2012
Sponsored by: Fastvue
<http://www.fastvue.co/takethetour>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org
1. My TMG-related New Year's Resolutions
--------------------------------------------------------------
It's that time of year again, when many of us put together a list of things that we want to accomplish in the coming year. I like to make New Year's resolutions, although I don't always accomplish all of them. Still, having them in place – especially if I share them with other people – provides a powerful incentive to get it done. This year, I decided to make a few New Year's resolutions related to the TMG firewall in my home office. Since Tom has gone off to "private practice" up there in the Private Cloud, he doesn't pay nearly as much attention to our firewall as he used to, so the responsibility for the care and feeding of our TMG has fallen into my lap (sort of like the care and feeding of our other pets).
Like most of you, I'm pretty busy with my "real" work (i.e., the kind that pays the bills), so I don't have a lot of time to tweak our own TMG firewall for fun (sort of like the lawyer who has time to write wills for everyone else – for pay – while she and her husband are in danger of dying intestate). But this year is going to be different, at least to some degree. There are three things that I want to do with my network and my TMG firewall in 2012, and so I'm making them part of my "official" New Year's resolutions here and now.
My first resolution is to get ISP redundancy working. Right now we have a single FiOS connection to the Internet. It's been rock solid reliable over the past several years that we've had it (more reliable than the $600/month T-1 line we had previously, in fact), but still … we're putting all our eggs in one basket. Because both my work and Tom's work (as a Microsoft employee who works at home here in Texas and telecommutes to Redmond) depend entirely on having Internet connectivity, it just doesn't make sense to be dependent on a single carrier, no matter how dependable that carrier might be. Therefore, I'm going to make sure we have a better "Plan B."
Currently, our emergency backup solution, if the FiOS connection should go down, would be to fire up the laptop and connect through a mobile hotspot on my cell phone to Verizon's 4G network. That works surprisingly well – for basic Internet connectivity for one or two computers – but that doesn't get all our servers on the Internet, and the cap on mobile hotspot usage is very low with overage charges very high. That's not the solution I would want to be stuck with for more than an hour or two.
Besides that, we're still depending on one company: Verizon. For real redundancy, we need a second connection that goes through a completely different network. So my resolution is to add a cable Internet connection and configure the TMG firewall to do load balancing and failover using the FiOS and cable connections. There was a time when cable Internet service was so slow and had so many outages that I wouldn't have bothered, but our cable provider has improved their network considerably over the past few years. We rarely have service outages with CATV now, and the cable company is even offering speeds up to 15 Mbps – half the FiOS speed, but still a respectable speed for business broadband.
For my second resolution, I'm planning to finally enter the 21st (or arguably, the 20th) century and start using VLANs on our production network. I have been doing physical segmentation of my network over the years, using a "dumb" layer 2 switch. In the spirit of moving forward, I got a new managed layer 2 switch for myself for Christmas, and I'm going to dump all the five and eight port switches that I'm using now for doing physical segmentation and configure my new switch with port-based VLANs so that I can save power and get rid of that tangled mass of switches and cables that are cluttering up my nice, newly organized server room. And since the TMG firewall supports VLAN tagging, I might just move out of the simple port-based VLANs and use 802.1q instead.
Finally, I resolve to move from a simple single TMG firewall configuration to a TMG firewall array so that I will have firewall redundancy. It doesn't make much sense to have redundancy in my Internet connections if I have a single firewall as a point of failure. I've been setting up arrays in test beds and for other companies for all these years. Now it's time we had one for ourselves so that our network (which might be small by enterprise standards, but is expected to serve many of the same functions as a much larger network) can reap the same benefits.
How about you? Do you have any TMG firewall-related resolutions for 2012? If so, I'd love to hear about them! Send me a note at dshinder@isaserver.org and I'll share them with the newsletter readership. Who knows, maybe I'll add one of yours to my list.
See you next month! – Deb.
dshinder@isaserver.org
=======================
Quote of the Month - Shepherd Book used to tell me, "Can't do somethin' smart, do somethin' right." (Jayne, Firefly)
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000s of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
* Advanced Forefront TMG debugging
http://www.isaserver.org/tutorials/Advanced-Forefront-TMG-debugging.html
* GFI WebMonitor for ISA Server Voted ISAserver.org Readers' Choice Award Winner - Content Security
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Content-Security-GFI-WebMonitor-Nov11.html
* TMG Firewall Web Filtering (Part 1)
http://www.isaserver.org/tutorials/TMG-Firewall-Web-Filtering-Part1.html
* Reasons to Upgrade from ISA Server to Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Reasons-Upgrade-ISA-Server-Forefront-Threat-Management-Gateway-TMG-2010.html
* Authenticating Outbound Web Traffic from TMG Firewall Protected Networks
http://www.isaserver.org/tutorials/Authenticating-Outbound-Web-Traffic-TMG-Firewall-Protected-Networks.html
* How to configure Forefront TMG logging into a central Microsoft SQL Server database
http://www.isaserver.org/tutorials/How-configure-Forefront-TMG-logging-into-central-Microsoft-SQL-Server-database.html
* Product Review: Fastvue Dashboard
http://www.isaserver.org/tutorials/Product-Review-Fastvue-Dashboard.html
* Deeper Dive into the TMG Firewall Network Templates
http://www.isaserver.org/tutorials/Deeper-Dive-TMG-Firewall-Network-Templates.html
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
Can the TMG firewall do what you want it to do? Are you trying to make it do something that you haven't seen anyone else do? Are you trying to find information on how to make the TMG do something that you think it should do, but for which you can't seem to find any information? One of the reasons this might happen: you're trying to deploy an unsupported configuration. That doesn't always mean it absolutely can't be done, but it does mean that beating it into submission might not end up being worth the trouble, and more important, it means you won't be able to count on any help from Microsoft if something goes wrong in your unsupported setup. How do you know if your TMG plans are unsupported? You can check out the Unsupported Configurations doc over at http://technet.microsoft.com/en-us/library/ee796231.aspx. If what you want to do is on this list, then you might want to rethink your plans.
5. Tip of the Month
--------------------------------------------------------------
Are you using your TMG firewall to support your SIP VoIP implementation? Are you having problems with the configuration? If so, you'll need some help troubleshooting the setup. Where do you find the help you need? Use the Troubleshooting VoIP guidance over at http://technet.microsoft.com/en-us/library/ff849747.aspx. There's a nice flowchart included in the doc that makes it much easier to figure out what you've done already and what you might need to do to get things working.
6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------
UAG is a great product for DirectAccess and for publishing a tremendous variety of web sites. The rub is that while the wizards included with UAG are great to get you started, they aren't enough when you start getting deeper into configuration. You often need to do a ton of customization to get your portal to work the way you want it to work. And unfortunately, the docs aren't very good about showing you how to do this. So where do you turn? Right now, you hope and pray that you can find a UAG expert who can help you. In the future, you'll be able to get the information you need from a new book by Erez Ben-Ari and Rainier Amara. Jason Jones, esteemed TMG firewall and UAG MVP talks about this in his blog post over at http://blog.msedge.org.uk/2011/12/thinking-of-customising-forefront-uag.html
7. Blog Posts
--------------------------------------------------------------
* Remote Access Fails for L2TP VPN Clients when NLB is Enabled on the TMG Firewall
http://blogs.isaserver.org/shinder/2011/12/31/remote-access-fails-for-l2tp-vpn-clients-when-nlb-is-enabled-on-the-tmg-firewall/
* TMG Goes Into Lockdown Mode After Switching to Text Logging
http://blogs.isaserver.org/shinder/2011/12/31/tmg-goes-into-lockdown-mode-after-switching-to-text-logging/
* The Reasons for the DCA Showing the DA Connection is Broken When It's Actually Working
http://blogs.isaserver.org/shinder/2011/12/31/the-reasons-for-the-dca-showing-the-da-connection-is-broken-what-its-actually-working/
* How to Get SSO to SharePoint through UAG with Two Authentication Schemas
http://blogs.isaserver.org/shinder/2011/12/31/how-to-get-sso-to-sharepoint-through-uag-with-two-authentication-schemas/
* UAG Web Monitor Shows DirectAccess Configuration Not Healthy
http://blogs.isaserver.org/shinder/2011/12/31/uag-web-monitor-shows-directaccess-configuration-note-healthy/
* UAG Well Positioned in Gartner Magic Quadrant for SSL VPNs
http://blogs.isaserver.org/shinder/2011/12/30/uag-well-positioned-in-gartner-magic-quadrant-for-ssl-vpns/
* Richard Hicks Runs Survey on How You Use the Change Description Box
http://blogs.isaserver.org/shinder/2011/12/30/richard-hicks-runs-survey-on-how-you-use-the-change-description-box/
* Great Presentation on IPv6 Security
http://blogs.isaserver.org/shinder/2011/12/30/great-presentation-on-ipv6-security/
* Everything You Ever Wanted to Know about the DirectAccess Connectivity Assistant
http://blogs.isaserver.org/shinder/2011/12/30/everything-you-ever-wanted-to-know-about-the-directaccess-connectivity-assistant/
* Issues with Deploying TMG 2010 Service Packs at the Branch Office
http://blogs.isaserver.org/shinder/2011/12/30/issues-with-deploying-tmg-2010-services-packs-at-the-branch-office/
8. Ask Sgt Deb
--------------------------------------------------------------
QUESTION:
Hi Deb,
Thanks for the great articles on ISAserver.org! I don't know what I would do if there wasn't such a great resource like ISAserver.org. I really like the articles, they have shown me how to do a lot of things I wouldn't have been able to figure out on my own. However, one thing I haven't been able to find on your site is a list of tools and scripts that I could put in my "TMG firewall kit bag". Can you point me to anywhere that lists all the tools and scripts that I would use the most in my TMG firewall practice?
Thanks! –Devon.
ANSWER:
Hi Devon!
Good question. While we all have our own special favorites, it's hard to find a single clearinghouse of this kind of information. The good news is that Jason Jones has put together an excellent collection of tools and scripts, as well as some great recommendations that apply to the TMG firewall and also to UAG. You can find this valuable collection over at http://blog.msedge.org.uk/2011/12/forefront-tmguag-useful-tools-and.html
Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
ISAserver.org is in no way affiliated with Microsoft Corp.
Copyright © ISAserver.org 2012. All rights reserved.