Wednesday, October 31, 2012

ISAserver.org Monthly Newsletter - October 2012

-------------------------------------------------------
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver-newsletter-201211-lockoutguard>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org.


1. Entering the Endgame with TMG
--------------------------------------------------------------

Last month we finally got the verdict on the fate of TMG, and now we know what many of us have suspected for a long time: Microsoft is getting out of the firewall/proxy business. (You might remember that I published The Demise of Threat Management Gateway <http://www.techrepublic.com/blog/window-on-windows/the-demise-of-threat-management-gateway-is-microsoft-backing-away-from-the-edge/4387> back in the spring of 2011.) Now it's official: development has been discontinued on TMG – and many other Forefront products – and when support runs out a few years down the road, its fans will need to find an alternative solution.

Organizations that are relying on TMG are in what chess players call the endgame. They know that this late stage of the game requires different strategies than those deployed in the opening or middlegame. The pawns (the little guys) become more important and the king typically becomes more aggressive. Now that the shock of losing our queen (the future of TMG) has subsided a bit, let's look at how you can adapt your IT strategy to take your organization successfully through this endgame and make a smooth transition to a secure network without the TMG firewall/proxy.

One of the most important things a neophyte chess player needs to learn is when an opponent attacks your king, don't panic. That advice is applicable here, too, even though you might be feeling as if your entire security plan is under attack. First, remember that mainstream support will last until April 2015, and extended support runs until 2020. That is a very long time in technology years. There is no need to switch over to a new firewall next week, or even next year. You have time to evaluate your options.

The security landscape has been rapidly changing; indeed the whole face of IT is undergoing a transformation as companies move toward a cloud-based computing model. Security will be more important than ever in this brave new world, but it will be accomplished in a different way. The boundaries between networks are becoming increasingly blurred and some have postulated that firewalls are no longer necessary and don't protect against modern threats. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,0>

Even if your organization has no plans to go "to the cloud" and will maintain a more traditional datacenter, the focus of security is moving away from the edge, and closer to the assets being protected. The old "moat around the castle" method of protecting those assets is becoming outmoded and the perimeters are moving inward, so that the protective resources are being put on the applications and the data, rather than attempting to secure the entire network. This makes the firewall, if not obsolete, less important. After all, it's really the data that's "king" in this game, because that's the digital asset that's most valuable and most difficult (sometimes impossible) to replace.

These are some of the things that come to mind when I'm asked by anxious admins, "What should I be looking at as a replacement for TMG?" It's a question that's almost impossible to answer, because by the time TMG's support runs out, all of the competitors in this particular space may be obsolete. Standalone firewalls may be a dead product category. And if the firewall as a security solution does survive, I suspect it will have evolved into a different role, one that none of today's solutions is fully prepared to fill.

When Microsoft made the decision to morph their proxy server into a full-fledged firewall (ISA Server 2000), it was during a time when the firewall ruled the security world. Today, with that paradigm in flux, it makes business sense for them to drop the product, even if it does come as unpleasant news to those who have adopted it and have come to love its features, some of which aren't really available elsewhere.

However, the fact that TMG as a product is going away doesn't necessarily mean the technology itself is dead. Today security is much more integrated and it's always possible that Microsoft could incorporate some or all of TMG's functionalities into the next version of Windows Server, or license it to a third party that specializes in firewall/security products, while Microsoft concentrates on its long-time core software areas – operating systems and productivity applications – as well as its new "devices and services" focus.

So in my opinion, step 1 of your new game plan should be to take a deep breath, step back and look at the big picture of where your network is headed in the next five years. Don't rush into a decision to invest a lot of money and learning overhead in one of today's competing products. TMG is still here and will serve you well as you develop a well-thought-out transition strategy over the next months or years. Third party developers have not abandoned TMG and are still coming out with add-ons to increase its functionality even if Microsoft isn't.

In future installments of this newsletter, we will look at some more specific transitionary approaches and possible alternative products or services, but it's too early for that now. Let's assess our individual needs and situations first, and go into the endgame from a position of strength and confidence.

See you next month! – Deb.

dshinder@isaserver.org

=======================
Quote of the Month - You have to learn the rules of the game. And then you have to play better than anyone else. – Albert Einstein
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the more than two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Understanding Policy and Configuration Backup and Restore Options in Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Understanding-Policy-Configuration-Backup-Restore-Options-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 7)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part7.html

* Ten Common Mistakes Made by Forefront Threat Management Gateway (TMG) 2010 Administrators
http://www.isaserver.org/tutorials/Ten-Common-Mistakes-Made-Forefront-Threat-Management-Gateway-TMG-2010-Administrators.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 6)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part6.html

* Microsoft Forefront UAG – Publishing Microsoft Sharepoint Server 2010
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Publishing-Microsoft-Sharepoint-Server-2010.html

* Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 5)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part5.html

* Considerations for Deploying Forefront Threat Management Gateway (TMG) 2010 on a Virtual Server
http://www.isaserver.org/tutorials/Considerations-Deploying-Forefront-Threat-Management-Gateway-TMG-2010-Virtual-Server.html

* ADVSoft ProxyInspector for ISA Server Voted ISAserver.org Readers' Choice Award Winner - Reporting
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Reporting-ADVSoft-ProxyInspector-for-ISA-Server-Jul12.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Did you know that the TMG firewall can act as your inbound SMTP relay? That's right! The TMG firewall can be a secure inbound SMTP relay because the Exchange Edge Transport role, and with it Forefront Protection for Exchange, can be installed right on the firewall. However, there are a number of requirements that you need to meet before you do this. For information on the installation requirements for the TMG firewall, check out Installing prerequisites for email protection at http://technet.microsoft.com/en-us/library/ee207141.aspx


5. Tip of the Month
--------------------------------------------------------------

You've read the fantastic manual, you've gone over all the TMG firewall docs and all the articles you can find at www.isaserver.org, and you're pretty sure that you've done everything right. But sometimes you think it would be nice to get a second opinion. Should you hire a TMG firewall consultant? Maybe. But before you do that, you may be able to benefit from the collective knowledge of the experts at Microsoft without shelling out a bunch of money. So how do you do that? You can know everything that Microsoft knows about TMG firewall best practices by installing and running the TMG firewall Best Practice Analyzer. For more information on this great tool, check out Marc Grote's article on the subject at http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Best-Practice-Analyzer.html


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

The great debate! Should you use TMG or UAG for reverse proxy when publishing Exchange? Of course, my preference is for you to use TMG, because TMG is the best! But if you need more details in order to make the best decision for you, then check out Do I use Forefront TMG or Forefront UAG for reverse proxy publishing for Exchange 2010 at http://blogs.technet.com/b/ucedsg/archive/2010/08/16/do-i-use-forefront-tmg-or-forefront-uag-for-reverse-proxy-publishing-for-exchange-2010.aspx


7. Blog Posts
--------------------------------------------------------------

* Mobile friendly authentication forms for TMG
http://blogs.isaserver.org/shinder/2012/10/07/mobile-friendly-authentication-forms-for-tmg/

* Third party companies picking up the slack
http://blogs.isaserver.org/shinder/2012/10/07/third-party-companies-picking-up-the-slack/

* How the discontinuation of TMG affects GFI WebMonitor
http://blogs.isaserver.org/shinder/2012/10/05/how-the-discontinuation-of-tmg-affects-gfi-webmonitor/

* The Firewall Service Crashes After Installing TMG Firewall Service Pack 2
http://blogs.isaserver.org/shinder/2012/10/01/the-firewall-service-crashes-after-installing-tmg-firewall-service-pack-2/

* Comparing DirectAccess Options
http://blogs.isaserver.org/shinder/2012/09/30/comparing-directaccess-options/

* Did you waste your time learning UAG DirectAccess
http://blogs.isaserver.org/shinder/2012/09/30/did-you-waste-your-time-learning-uag-directaccess/

* Initial Considerations for Migrating from Forefront TMG to UAG
http://blogs.isaserver.org/shinder/2012/09/30/initial-considerations-for-migrating-from-forefront-tmg-to-uag/

* TMG and Orphaned Databases
http://blogs.isaserver.org/shinder/2012/09/30/tmg-and-orphaned-databases/

* Sent Items Delayed when Exchange is Published through a TMG Firewall
http://blogs.isaserver.org/shinder/2012/09/29/sent-items-delayed-when-exchange-is-published-through-a-tmg-firewall/

* TMG gets Readers' Choice award
http://blogs.isaserver.org/shinder/2012/09/25/tmg-gets-readers-choice-award-2/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

I'm worried about SSL connections. As you know, users can connect to SSL servers and then the TMG firewall can't see inside the SSL session. In my opinion, that's quite a security hole! Anything that I can do to close that hole?

Thanks! –Will

ANSWER:

Hi Will,
Great question! Yes, it's true that when users connect to SSL sites, most firewalls are unable to assess whether or not there is malware inside the secure session. That's because the firewall isn't able to decrypt the session and see what's going on inside there. This situation is very similar to VPN connections, since the firewall can't decrypt the VPN tunnel. There is a lot of malware and many Trojans that take advantage of this situation to sneak past firewalls.

The good news is that the TMG firewall enables you to crack open that SSL session so that the firewall can inspect it. This is what we call outbound SSL bridging or SSL inspection. You configure the TMG firewall to impersonate the SSL servers and the clients will connect to the firewall. Then the TMG firewall decrypts the connection, inspects it, and then encrypts it again for the journey between itself and the destination SSL server. You can learn more about this feature over at http://technet.microsoft.com/en-us/library/ee658156.aspx
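The trust model behind outbound SSL bridging, as an added example that is not part of the answer above and not TMG's own code: the firewall holds a signing CA that every client behind it must trust, mints a certificate for each destination host on the fly, and a client (or an admin auditing a client) can tell whether its session is being bridged by checking whether the certificate it received chains to that CA rather than to a public root. The names NewInspectionCA, MintLeaf and IsBridged are assumptions for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent/signer (self-signed when signer is nil) and returns
// the parsed certificate and its private key. Constructed for this example.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if signer == nil { // self-signed root: the template is its own parent
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewInspectionCA models the signing CA a bridging firewall is provisioned with.
func NewInspectionCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// MintLeaf models what the bridge does per connection: a certificate for host signed by the inspection CA.
func MintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// IsBridged reports whether the certificate a client received for host chains to the
// inspection CA: true means the firewall is decrypting and inspecting the session.
func IsBridged(leaf, inspectionCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(inspectionCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

A certificate that chains to a public root instead of the inspection CA means the session reached the client unbridged, which is the gap in inspection the question describes.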

Do you have any questions or ideas for content? Email me at dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2012. All rights reserved.

3 comments:

  1. Anonymous, 5:22 PM

    Follow these rules and you will be on the right path.

    Some people however try to skip ahead when using search engine ranking software and use free tools on websites that offer free duplicates to SEO software programs. If you happen to be wondering what are the best ways to make money (www.youtube.com) online, you are probably looking for something that is not only legitimate and will pay you real money, but hopefully will pay a lot of money.

  2. Anonymous, 8:14 PM

    I'm impressed, I have to admit. Seldom do I encounter a blog that's both equally educative and engaging, and without a doubt, you have hit the nail on the head. The issue is an issue that not enough men and women are speaking intelligently about. Now I'm very happy that I came across this during my search for something relating to this.

    Here is my web page; advertisement on facebook

  3. Anonymous, 11:21 AM

    I've learned several just-right things here. Definitely worth bookmarking for revisiting. I wonder how much effort you put into creating such a great informative website.

    my homepage - goji pro