Wednesday, September 26, 2012

ISAserver.org Monthly Newsletter - September 2012

-------------------------------------------------------
ISAserver.org Monthly Newsletter - September 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver-newsletter-201209-lockoutguard>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Eulogy for TMG
--------------------------------------------------------------

This year we celebrated the 15th birthday of Microsoft's proxy/firewall solution that has gone through a couple of name changes to get where it is today. Sadly, on September 12, Microsoft announced that the company is discontinuing TMG, along with FPE, FPSP, FSOCS and TMG Web Protection Services.
http://www.zdnet.com/microsoft-axes-many-of-its-forefront-enterprise-security-products-7000004166/
Microsoft will continue to support the products through 2015, with extended support for TMG through 2020. In the months ahead, we'll be looking at what else is out there and how you can plan for a relatively painless transition when the time comes.

Meanwhile, I thought it would be appropriate to celebrate TMG's life even as we mourn its impending death. And I want to start by taking a look back at the history of the Microsoft firewall. The TMG firewall was born in January 1997 and was christened Microsoft Proxy Server. It wasn't much of a firewall back then, but it was a decent proxy server. It did have some integration problems with NT networks, though, so they updated the Proxy Server to version 2.0 before the end of the year, in December 1997. Both versions 1 and 2 supported forward and reverse proxy, as well as Winsock Proxy.

In March 2001, the Proxy Server product got a major upgrade and a complete facelift, as well as a brand new (and to some, confusing) name. The new version of Proxy Server was renamed Internet Security and Acceleration Server 2000, although it was better known as ISA Server. ISA Server was an extremely popular product and there were tons of ISVs who made plug-ins of all kinds for ISA Server. ISA Server 2000 was also greatly improved over the Proxy Server by the addition of firewall functionality, such as stateful packet inspection. While it was very popular, the ISA 2000 firewall was somewhat difficult to configure and it could be hard to understand which rule was being applied at any point in time.

It took four years before we saw the next version of the ISA firewall, and the name of that was ISA 2004; it was released in September 2004. Again, the firewall got a major facelift and the interface began to take on the look that continues today with the TMG firewall. There were many improvements to stateful packet and application layer inspection and the interface was very easy to use – which meant the firewall was very easy to configure. A number of new wizards were added that made Exchange and other server publishing scenarios much easier to deploy, as well. In addition, an Enterprise Edition was introduced and it supported Network Load Balancing for high availability scenarios. An interesting bit of trivia is that Microsoft had considered naming ISA 2004 "Microsoft Firewall Server" but then decided to stick with the more familiar branding.

It only took two more years before the next version of the ISA firewall was released; this was ISA 2006. There weren't too many changes to the core functionality of the ISA 2006 firewall this time. Most of the improvements were under the hood and were related to advanced authentication capabilities for web publishing scenarios. Most ISA fans thought of the ISA 2006 firewall as pretty much like a Service Pack release or perhaps an R2.

The product got another name change with the next release, which was the Threat Management Gateway 2010. It was released in September of 2009. TMG looked a lot like the previous versions of the ISA firewall, but it had some significant new capabilities, such as outbound SSL inspection, web anti-malware support and URL filtering. These features were previously only available with very expensive firewalls and they made TMG very attractive to cost-conscious organizations. There have been two service packs for the TMG firewall that have continued to add more features.

And that's where we are today. It's been a wild ride and we're going to miss our old friend, but the concept of the network as a "walled garden" with defined edges is changing and as always in IT, we have to adapt to the new paradigm. I know many of you are upset or even angry about this business decision, but let's try to think constructively about where we go from here. Next month we'll start exploring that topic.
See you next month! – Deb.
dshinder@isaserver.org

=======================
Quote of the Month - Unless one says goodbye to what one loves, and unless one travels to completely new territories, one can expect merely a long wearing away of oneself and an eventual extinction. - Jean Dubuffet
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 5)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part5.html

* Considerations for Deploying Forefront Threat Management Gateway (TMG) 2010 on a Virtual Server
http://www.isaserver.org/tutorials/Considerations-Deploying-Forefront-Threat-Management-Gateway-TMG-2010-Virtual-Server.html

* ADVSoft ProxyInspector for ISA Server Voted ISAserver.org Readers' Choice Award Winner - Reporting
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Reporting-ADVSoft-ProxyInspector-for-ISA-Server-Jul12.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 4)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part4.html

* Microsoft Forefront UAG - Publishing Microsoft Exchange Server 2010 Outlook Web App
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Publishing-Microsoft-Exchange-Server-2010-Outlook-Web-App.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 3)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part3.html

* Microsoft Forefront UAG - Publishing Microsoft Exchange Server 2010 Outlook Anywhere and Exchange Active Sync
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Publishing-Microsoft-Exchange-Server-2010-Outlook-Anywhere-Exchange-Active-Sync.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 2)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part2.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

As old and worn out as the FTP protocol is, and as many complaints regarding security and compatibility as you hear from users and admins, it's still alive and kicking after all these years. You might have some FTP servers in your own datacenter. If you do, and you find that you're having problems publishing your internal FTP servers, then you'll want to check out this article on Microsoft TechNet on how to publish FTP servers through the TMG firewall at http://technet.microsoft.com/en-us/library/cc441472


5. Tip of the Month
--------------------------------------------------------------

Thinking of running your TMG firewall on your shiny new Windows Server 2012 Hyper-V server? I am! Soon I'll be upgrading my Windows Server 2008 R2 Hyper-V servers to Windows Server 2012. I'm pretty busy, so I like to keep things as simple as possible, especially when it comes to backup and restore. Sure, I can do full backups of the TMG firewall, and for production use you probably want to continue to do that. But the firewall really doesn't have much state associated with it (especially if you have off-box logging enabled). In that case, maybe full backups aren't always required – especially for testbed environments. What I plan to do to is take advantage of a new Windows Server 2012 feature called Hyper-V Replica. With Hyper-V Replica I can do asynchronous continuous backup of the TMG firewall to another Hyper-V server. If something bad happens to the server on which the TMG firewall is running, I can quickly and easily restart the firewall on the other Hyper-V server. For more information Hyper-V Replica, check out http://technet.microsoft.com/en-us/library/jj134207



6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Richard Hicks has a great article on some new issues with the PPTP VPN protocol. Well, there's nothing actually wrong with the protocol, but there are some new issues regarding the default authentication protocol used by PPTP. For more information, check out Richard's blog at http://tmgblog.richardhicks.com/
For another great article by Richard, check out this piece on how to use the HTTP Security Filter to block IM connections http://www.fastvue.co/blog/block-instant-messaging-traffic-using-forefront-tmg-http-filter


7. Blog Posts
--------------------------------------------------------------

* Fix Windows Live Messenger login issues with TMG
http://blogs.isaserver.org/shinder/2012/08/31/fix-windows-live-messenger-login-issues-with-tmg/

* Enabling Outbound SSL Inspection
http://blogs.isaserver.org/shinder/2012/08/30/enabling-outbound-ssl-inspection/

* TMG at the Network Edge–the Great Debate Continues
http://blogs.isaserver.org/shinder/2012/08/30/tmg-at-the-network-edgethe-great-debate-continues/

* Troubleshooting Mysterious TMG Reporting Issues
http://blogs.isaserver.org/shinder/2012/08/30/troubleshooting-mysterious-tmg-reporting-issues/

* What Protocols Does the TMG Firewall Provide You Out of the Box?
http://blogs.isaserver.org/shinder/2012/08/30/what-protocols-does-the-tmg-firewall-provide-you-out-of-the-box/

* TMG Email Policy using the Wrong Source IP Address
http://blogs.isaserver.org/shinder/2012/08/30/tmg-email-policy-using-the-wrong-source-ip-address/

* TMG Firewall Performance Troubleshooting Cheat sheet
http://blogs.isaserver.org/shinder/2012/08/29/tmg-firewall-performance-troubleshooting-cheat-sheet/

* Publishing Windows Server Update Services with the TMG Firewall
http://blogs.isaserver.org/shinder/2012/08/29/publishing-windows-server-update-services-with-the-tmg-firewall/

* Troubleshooting TMG URL Filtering Problems
http://blogs.isaserver.org/shinder/2012/08/29/troubleshooting-tmg-url-filtering-problems/

* Manage the TMG Firewall from a 32 bit client
http://blogs.isaserver.org/shinder/2012/08/29/manage-the-tmg-firewall-from-a-32-bit-client/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,
Quick question: I'm planning to upgrade my environment to Windows Server 2012 soon and want to know if I can install the TMG firewall on the upgraded servers.
Thanks! –James


ANSWER:

Hi James.

Good question. I've done some research on the TechNet site for TMG requirements and have found that most of the documentation on that site hasn't been touched for over one and one-half years. On the System Requirements for Forefront TMG page at http://technet.microsoft.com/en-us/library/dd896981 there is no mention of Windows Server 2012. We did some testing and found that installation failed on Windows Server 2012 VMs. Other people have had the same experience. Windows Server 2012 hasn't been released yet so things could change – but my guess is that TMG probably won't be supported on Windows Server 2012. However, you always have the option to run the TMG firewall as a VM on a Windows Server 2012 Hyper-V Server, as I discussed above. Happy upgrading!


Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2012. All rights reserved.

No comments:

Post a Comment