Wednesday, August 29, 2012

ISAserver.org Monthly Newsletter - August 2012

-------------------------------------------------------
ISAserver.org Monthly Newsletter - August 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201208.ipbinder>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. TMG, UAG, DirectAccess and Windows Server 2012 - What do I do?
--------------------------------------------------------------

For the TMG or UAG admin, things seem to be changing fast right now and we aren't quite sure what additional changes will be coming down the pike. That means planning is more important than ever, but how do you plan when you don't have all the facts? We all love our TMG firewalls and UAG gateways and we hope they'll be with us forever. However, it's hard to say how long "forever" is going to be, given that we still don't have any public information on a TMG firewall roadmap or even a UAG roadmap.

Also, while I haven't had a chance yet to try to install UAG on Windows Server 2012, I tried it with TMG and that didn't work; others have had the same experience. Thus we can't help but wonder whether TMG is going to be supported on Windows Server 2012, or whether this is another sign of things to come.

With that said, many folks won't be upgrading all their machines to Server 2012 immediately. We do know that both TMG and UAG, as well as Server 2008/2008R2, still have long support cycles ahead of them and so we will be able to happily keep our TMG firewalls humming for the next couple of years or so. But during that time, I think I'm going to be looking around for alternatives. Much as I hate to do that (it feels almost like "cheating" after all these years with ISA/TMG), I believe in hoping for the best but preparing for the worst.

If you've been thinking the same thing, you're probably wondering what direction I'm leaning in that respect. Will those alternatives be "hardware" or software firewalls? I know the debates about "hardware" and software firewalls were pretty hot back in the day, but now that virtualization rules the roost, I think that conversation is probably all but done. Once upon a time, we used to argue about performance hits due to virtualization and security issues – but with today's dual socket 16 processor machines that can, if needed, pass many Gbps to and from a virtual machine, I'd say that for all except the most demanding IT shops, the hardware firewall is going to quickly be a thing of the past. So with that in mind, I'll probably be looking for a virtual appliance to take over for my beloved TMG firewalls when the time comes to lay them to rest.

Okay, I know what your next question is going to be: What about UAG? Well, around here we really only use UAG for its DirectAccess functionality – the UAG reverse proxy is a little rough around the edges and, in my opinion, is not quite as good as what the TMG reverse proxy has to offer. Sure, the UAG reverse proxy is more flexible and supports many more authentication methods and repositories, but unless you have a specific niche need for these, the TMG firewall is my web publishing option of choice.

So, if you're like me and you're using the UAG server only for DirectAccess, where's your future? Microsoft has made it clear that they want to make DirectAccess a part of the Windows platform and they've ported all of the DirectAccess enhancements to Server 2012 that you once only got with UAG, along with adding a bunch more. So if you're using UAG for DirectAccess now, you probably ought to take a look at Windows Server 2012 DirectAccess and think about making plans to replace your UAG DirectAccess deployment with a Windows Server 2012 DirectAccess solution at some point. It just makes sense from the standpoint of cost effectiveness.

But enough about our network and what we're doing. What are your plans? Are you going to keep your TMG firewalls running until they pry them out of your cold, dead hands? Are you already making plans for replacing them in the near future or in the next couple of years? If and when that happens, do you prefer a traditional "hardware" firewall or will you implement a virtual appliance? Are you considering upgrading your DirectAccess solution to Windows Server 2012? Let me know!

By Deb Shinder

See you next month! – Deb.

dshinder@isaserver.org


=======================
Quote of the Month - Do you realize if it weren't for Edison we'd be watching TV by candlelight? – Al Boliska
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 3)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part3.html

* Microsoft Forefront UAG - Publishing Microsoft Exchange Server 2010 Outlook Anywhere and Exchange Active Sync
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Publishing-Microsoft-Exchange-Server-2010-Outlook-Anywhere-Exchange-Active-Sync.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 2)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part2.html

* Determining the Effectiveness of Advanced Web Protection in Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Determining-Effectiveness-Advanced-Web-Protection-Forefront-Threat-Management-Gateway-TMG-2010.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 1)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part1.html

* Microsoft Forefront UAG - Explaining and configuring Forefront UAG endpoint policies
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Explaining-configuring-Forefront-UAG-endpoint-policies.html

* Kaspersky Anti-Virus for Microsoft ISA Server Voted ISAserver.org Readers' Choice Award Winner - Anti Virus
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-for-Microsoft-ISA-Server-May12.html

* Planning for High Availability and Scalability in your TMG Deployment
http://www.isaserver.org/tutorials/Planning-High-Availability-Scalability-TMG-Deployment.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

When the Web Proxy Automatic Discovery (WPAD) protocol works, it's great! Users just open their browsers and get onto the Internet through the TMG firewall's web proxy feature. You don't have to configure browser settings in Active Directory and users don't need to configure their browsers to use your proxy. However, when WPAD stops working, life can get complicated fast. Users will be calling you to tell you that "the web site is down" and to make various other complaints. So, even if you haven't had a problem with WPAD failure yet, in the spirit of being prepared, you might want to check out the article "WPAD is working or not" at http://blogs.technet.com/b/sooraj-sec/archive/2011/07/07/wpad-is-working-or-not.aspx so that you'll know where to start if you are unfortunate enough to ever have a WPAD failure.
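As an added example (not from the newsletter or the linked article), the script below walks the DNS branch of WPAD discovery the way an admin would when a "the web site is down" call comes in: it resolves wpad.<domain>, fetches /wpad.dat, confirms the server sent the conventional PAC MIME type, and pulls the proxy host:port out of the PAC's PROXY directives. The domain name, the proxy name tmg.corp.example and the sample PAC are constructed placeholders; a WPAD deployment that uses DHCP option 252 instead of DNS is not covered by the live check, but check_pac can be fed the PAC fetched by any means.

```python
"""WPAD sanity check: resolve the wpad host, fetch wpad.dat, and parse the PAC.

Added example; the names below are placeholders, not a real deployment.
"""
import re
import socket
import sys
import urllib.request

# MIME type Internet Explorer/WinHTTP expect for an auto-config script.
PAC_CONTENT_TYPE = "application/x-ns-proxy-autoconfig"

# Constructed sample PAC of the shape a TMG firewall serves as wpad.dat
# (assumption: corp.example and tmg.corp.example are placeholder names).
SAMPLE_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
        return "DIRECT";
    return "PROXY tmg.corp.example:8080; DIRECT";
}
"""


def parse_pac_proxies(pac_text):
    """Return every host:port named in a PROXY directive of the PAC."""
    proxies = []
    # Return values are string literals; each may hold ';'-separated directives.
    for literal in re.finditer(r'"([^"]*)"', pac_text):
        for directive in literal.group(1).split(";"):
            parts = directive.strip().split()
            if len(parts) == 2 and parts[0].upper() == "PROXY":
                proxies.append(parts[1])
    return proxies


def check_pac(pac_text, content_type):
    """Return a list of findings about the PAC; an empty list means it looks sane."""
    findings = []
    if content_type.split(";")[0].strip().lower() != PAC_CONTENT_TYPE:
        findings.append(f"unexpected Content-Type {content_type!r}, expected {PAC_CONTENT_TYPE}")
    if "FindProxyForURL" not in pac_text:
        findings.append("PAC does not define FindProxyForURL")
    proxies = parse_pac_proxies(pac_text)
    if not proxies:
        findings.append("no PROXY directive found; clients would go DIRECT")
    for hostport in proxies:
        host, _, port = hostport.partition(":")
        if not host or not port.isdigit():
            findings.append(f"proxy entry {hostport!r} is not host:port")
    return findings


def check_wpad(domain):
    """Live check (needs the network): DNS branch of WPAD discovery for one domain."""
    fqdn = f"wpad.{domain}"
    try:
        addr = socket.gethostbyname(fqdn)
    except socket.gaierror as exc:
        return [f"DNS lookup of {fqdn} failed: {exc}"]
    url = f"http://{fqdn}/wpad.dat"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
            ctype = resp.headers.get("Content-Type", "")
    except Exception as exc:  # connection refused, HTTP error, timeout
        return [f"fetch of {url} ({addr}) failed: {exc}"]
    findings = check_pac(body, ctype)
    if findings:
        return findings
    return [f"OK: {url} served from {addr}, proxies {parse_pac_proxies(body)}"]


if __name__ == "__main__":
    # Usage: python wpad_check.py corp.example
    target = sys.argv[1] if len(sys.argv) > 1 else "corp.example"
    print("\n".join(check_wpad(target)))
    print("sample PAC findings:", check_pac(SAMPLE_PAC, PAC_CONTENT_TYPE))
```

Each finding maps to a distinct failure point: a DNS failure means the wpad record is missing from the clients' search suffix, a fetch failure means the firewall's WPAD listener on port 80 is not answering, and a wrong Content-Type or a missing PROXY directive means the script is served but the browser will either ignore it or silently go direct.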


5. Tip of the Month
--------------------------------------------------------------

I've always been a hardware lover and I look forward to the times when I can open the case and put in new cards and generally muck around with the motherboard and internal components of my systems. But then there are times when I just need to get something done in "quick and dirty" fashion and don't want to have to find out how to get everything out of the way just to put in a new PCI card.

In those situations, I pull out my lazy admin guide and figure out how to do things with the least amount of effort. So this month I share with you the "lazy admin's tip for creating TMG firewall DMZ networks" without opening up the server. What's the tip? Use an external USB NIC for your DMZ network. Suppose you need to quickly set up a guest network so that friends or people outside your business can get to the Internet using their laptops, smart phones, tablets, whatever. Just install the USB NIC driver, plug the USB NIC into the USB port, create a TMG firewall network and Network Rule, then create an Access Rule and there you go! Easy.



6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

If you loved UAG DirectAccess but longed for more features, then I've got great news for you – Windows Server 2012 DirectAccess is the answer to all the things you wanted in UAG DirectAccess but didn't get. Many of the UAG DirectAccess features are included in Windows Server 2012 and you get many more "bonus features" too. What is the best way to get the inside information and tips you need to get it working? From the UAG Man himself – Ben Ari. Check out Ben's blog for information on his new book on Windows Server 2012 DirectAccess at http://blogs.technet.com/b/ben/archive/2012/08/01/directaccess-2012-the-book.aspx


7. Blog Posts
--------------------------------------------------------------

* Configure Publishing Rules for Lync via the TMG Firewall
http://blogs.isaserver.org/shinder/2012/07/31/configure-publishing-rules-for-lync-via-the-tmg-firewall/

* Ben Ari Records UAG Video Course
http://blogs.isaserver.org/shinder/2012/07/31/ben-ari-records-uag-video-course/

* Integrating Websense with the TMG Firewall
http://blogs.isaserver.org/shinder/2012/07/31/integrating-websense-with-the-tmg-firewall/

* TMG Control Fails to Start on NLB Array
http://blogs.isaserver.org/shinder/2012/07/31/tmg-control-fails-to-start-on-nlb-array/

* TMG Slow to Boot
http://blogs.isaserver.org/shinder/2012/07/31/tmg-slow-to-boot/

* Scripts You Can Use to Disable Logging for System Policy Rules
http://blogs.isaserver.org/shinder/2012/07/31/scripts-you-can-use-to-disable-logging-for-system-policy-rules/

* Twitter a Phishing Site
http://blogs.isaserver.org/shinder/2012/07/31/twitter-a-phishing-site/

* Make sure to turn off PPTP on your ISA and TMG firewalls
http://blogs.isaserver.org/shinder/2012/07/31/make-sure-to-turn-off-pptp-on-your-isa-and-tmg-firewalls/

* Using a Remote SQL Server for TMG Firewall Logging
http://blogs.isaserver.org/shinder/2012/07/02/using-a-remote-sql-server-for-tmg-firewall-logging/

* How to Enable Ipad YouTube App Through a TMG Firewall
http://blogs.isaserver.org/shinder/2012/07/02/how-to-enable-ipad-youtube-app-through-a-tmg-firewall/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

I was hoping you could help or point me in the right direction. I work for a company that sells application load balancers and I have a customer that is using TMG 2010 for their Internet facing web access. I do not know much about their TMG setup, but they are terminating user SSL access on the TMG with a back-end SSL connection to our load balancer that in turn sends the traffic to a chosen web server. For only mobile users, we are seeing a Web Proxy status code of 0x80090330 on the TMG. It appears to be for the back-end SSL connection between the TMG and the load balancer. Access from PC clients using the typical web browsers works without any issue. I have not been able to find a lot of information on this status code, but I suspect it has to do with the certificate store on the TMG or configuration for the mobile clients. I was hoping you could point me in the right direction to troubleshoot the problem. Any help would be greatly appreciated.

Thanks! Ken.


ANSWER:

Hi Ken,

I have not seen this error specifically with the TMG firewall's web proxy server, but it does indeed appear to be a certificate issue. Do your mobile clients trust the web site certificate that's bound to the TMG firewall's web proxy listener? This is likely if they are using a private certificate PKI and the CA certificates were not installed on the clients. I hope this can point you in the right direction!

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2012. All rights reserved.
