Wednesday, July 25, 2012

ISAserver.org Monthly Newsletter - July 2012

-------------------------------------------------------
ISAserver.org Monthly Newsletter of July 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201208.flexform>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. TMG and Modern SMB 3 Networks
--------------------------------------------------------------

Windows Server 2012 has a ton of new features in it, and one of the most interesting is the SMB 3.0 protocol. I've written about that over on WindowsNetworking.com, but how does it relate to TMG? I can hear you thinking, "SMB? Isn't that the file sharing protocol? Isn't that the protocol that the Blaster worm leveraged to whack a ton of networks back in the early 2000s?" Yes, you're right, that's the same protocol. Well, sort of. It's not exactly the same, because there have been significant changes in SMB over the years, so that it's no longer the jittery protocol you used to have to deal with when your users would lose their file handles for no reason while editing documents over a 10 Mbps network.

That was RPC or SMB back in the 1990s. Fast forward to the second decade of the 21st century. Blaster is a bad memory, and the performance gains have been amazing. At the recent TechEd in Amsterdam, Microsoft and its partner X-IO demonstrated a "cluster in a box" that could push up to 16 GB/s of data over an InfiniBand network. While I won't do all the numbers here, what this means is that in a few days you can send many petabytes of data over the network. That's some impressive stuff.

Okay, but what does this mean for TMG? If you've been following ISA and TMG over the years, we were pretty impressed with our ability to pump almost 2 Gbps through the firewall. This seemed like an enormous number at the time, especially if you are thinking in terms of Internet bandwidth. And even if you used the TMG firewall as an intranet firewall, that 2 Gbps wasn't too shabby.

But now we're talking about file sharing access through the firewall, not in terms of Gbps (gigabits per second), but in terms of GBps (gigaBYTES per second). A gigabyte is equal to 8 gigabits, so 16 GB/s is 128 Gbps. There is no way the TMG firewall is going to be able to stand up to this type of traffic. And even if the TMG firewall will be supported on Windows Server 2012 (which Microsoft hasn't officially addressed one way or the other), it's doubtful that the core firewall engine was designed to support this level of bandwidth. After all, 10 Gbps NICs weren't the norm for servers during the development of the ISA and TMG firewalls.

Unfortunately, I see the bottom line of the evolution of network technologies on the intranet (and probably the Internet as IPv6 begins to take hold) crowding out our beloved TMG firewall as an intranet firewall. For the time being, I think that it is still an exceptional solution for an Internet firewall and web proxy server, but the days when we could use it in our reperimeterization plans are probably coming to an end.

What do you think? Will you be moving your TMG firewalls off the intranet and using them only for Internet access? Do you think the 10Gbps network is something that you won't need to worry about for another few years? Let me know and I'll share your insights with the rest of the TMG firewall community in next month's newsletter.

See you next month! – Deb.

dshinder@isaserver.org

Samsung Galaxy Tab 2 Winner!

TechGenix is delighted to announce that the winner of the Samsung Galaxy Tab 2 is long-time subscriber Konrad Eysink from Dallas, Texas. Congratulations! Read the full announcement here:
http://www.techgenix.com/news/samsung-galaxy-tab-2-winner-announced.htm

=======================
Quote of the Month - All changes, even the most longed for, have their melancholy; for what we leave behind us is a part of ourselves. – Anatole France
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006, and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Microsoft Forefront UAG - Explaining and configuring Forefront UAG endpoint policies
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Explaining-configuring-Forefront-UAG-endpoint-policies.html

* Kaspersky Anti-Virus for Microsoft ISA Server Voted ISAserver.org Readers' Choice Award Winner - Anti Virus
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-for-Microsoft-ISA-Server-May12.html

* Planning for High Availability and Scalability in your TMG Deployment
http://www.isaserver.org/tutorials/Planning-High-Availability-Scalability-TMG-Deployment.html

* Measuring System Performance on a Forefront Threat Management Gateway (TMG) 2010 Firewall (Part 2)
http://www.isaserver.org/tutorials/Measuring-System-Performance-Forefront-Threat-Management-Gateway-TMG-2010-Firewall-Part2.html

* The TMG Firewall's VPN Server and Site to Site VPN Gateway Capabilities (Part 2)
http://www.isaserver.org/tutorials/TMG-Firewalls-VPN-Server-Site-to-Site-VPN-Gateway-Capabilities-Part2.html

* Product Review: AGAT Software Solutions' ActiveSync Shield
http://www.isaserver.org/tutorials/Product-Review-AGAT-Software-Solutions-ActiveSync-Shield.html

* Microsoft Forefront UAG - Creating a portal with Forefront UAG
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Creating-portal-Forefront-UAG.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

We all know how detailed things can get when we're configuring the TMG firewall to do all the things we want it to do. But even after you have the firewall finely tuned and your rules are perfect, the job isn't done yet. Why? Because the TMG firewall is truly a client/server application, and you need to get the clients configured to work with your firewall, too. Whether it's the web proxy client configuration, the SecureNAT configuration or the Firewall client configuration, there's still a lot of configuring to do! Check out this TechNet site for all you need to know about configuring your TMG clients: http://technet.microsoft.com/en-us/library/cc441532


5. Tip of the Month
--------------------------------------------------------------

Have you ever tried to add a new NIC to your ISA or TMG firewall and then not seen that NIC show up in the configuration interface? I have! And it's not very much fun when you have already had the machine down for a while to put the NIC in and have to consider taking it down again to figure out what happened. If you run into this, here's a great tip on how to fix things without having to restart the server: http://blogs.technet.com/b/isablog/archive/2012/06/27/newly-added-network-adapter-not-showing-up-in-rras-with-forefront-tmg.aspx


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

If you want to squeeze every last bit of performance out of your TMG firewall, one of the places you'll want to look is the logging settings. Logging takes a large amount of resources, and if there are things you can get away with not logging, then don't log them! Here is a nice article by Richard Hicks that shows you how to turn off logging for System Policy Rules. Not that I would recommend this in all cases, but if you're interested, try out his method at http://tmgblog.richardhicks.com/


7. Blog Posts
--------------------------------------------------------------

* Using a Remote SQL Server for TMG Firewall Logging
http://blogs.isaserver.org/shinder/2012/07/02/using-a-remote-sql-server-for-tmg-firewall-logging/

* How to Enable Ipad YouTube App Through a TMG Firewall
http://blogs.isaserver.org/shinder/2012/07/02/how-to-enable-ipad-youtube-app-through-a-tmg-firewall/

* Great Tips on Analyzing Network Traffic with Network Monitor
http://blogs.isaserver.org/shinder/2012/07/02/great-tips-on-analyzing-network-traffic-with-network-monitor/

* How To Customize Web Site Categories with the TMG Firewall
http://blogs.isaserver.org/shinder/2012/07/02/how-to-customize-web-site-categories-with-the-tmg-firewall/

* Publishing Lync using UAG
http://blogs.isaserver.org/shinder/2012/07/02/publishing-lync-using-uag/

* Adding a New UAG Array Member Leads to Access Denied Condition
http://blogs.isaserver.org/shinder/2012/07/02/adding-a-new-uag-array-member-leads-to-access-denied-condition/

* New NIC doesn't show up in RRAS with TMG
http://blogs.isaserver.org/shinder/2012/07/01/new-nic-doesnt-show-up-in-rras-with-tmg/

* TMG blocking youtube videos?
http://blogs.isaserver.org/shinder/2012/06/30/tmg-blocking-youtube-videos/

* TMG services stopping unexpectedly: What's up with that?
http://blogs.isaserver.org/shinder/2012/06/29/tmg-services-stopping-unexpectedly-whats-up-with-that/

* Richard Hicks demystifies TMG and UAG
http://blogs.isaserver.org/shinder/2012/06/20/richard-hicks-demystifies-tmg-and-uag/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

I'm interested in publishing ActiveSync on my TMG firewall but I don't see a lot of security configuration options or advantages. Sure, I can pre-authenticate but that seems to be about it in terms of advanced security. Can you recommend any add-ons or other things I can do to enhance the ActiveSync security publishing configuration?

Thanks! –Jolein

ANSWER:

Hi Jolein,

While there are probably a number of things that you can do at the TMG firewall platform level to increase the security of your ActiveSync connection, add-ons can certainly improve on what you can do. However, before installing an add-on, make sure you consider the following:

* Use the Exchange Server publishing rule to publish the ActiveSync site; don't use a Server Publishing Rule to publish the ActiveSync site.
* Use SSL to SSL bridging to make sure your users are secure from end to end.
* Make sure you have a well-managed PKI to support the Web Publishing Rule. You can use either a public certification authority or you can set up your own. Just make sure that both the client and server side certificates are well managed.
* Pre-authenticate users at the TMG firewall. Do not allow anonymous connections access to the ActiveSync publishing rule.

In addition to these basic best practices, you might want to consider an add-on such as AGAT's ActiveSync Shield. You can find out more about this add-on on ISAserver.org at http://www.isaserver.org/tutorials/Product-Review-AGAT-Software-Solutions-ActiveSync-Shield.html

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2012. All rights reserved.
