-------------------------------------------------------
ISAserver.org Monthly Newsletter - November 2012
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver-2012-authlite>
-------------------------------------------------------
Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org
1. Heading for the Holidays with TMG Firewalls
--------------------------------------------------------------
It's that time of year again when everyone is getting ready for the holidays. Autumn is one of my favorite times of the year too, with the leaves falling and the weather getting much more comfortable after our long, hot Texas summers. It's also the time of the year when my TMG firewall seems to get its hardest workout. Year after year, attackers like to use the holidays to break into networks, send malware, etc. I guess they have more time since they are off from their full time jobs. And they know that users and network administrators are more likely to be distracted, overworked and/or taking time off, too.
When it comes to work, it made me think about the uptime for my TMG firewalls running on Windows Server 2008 R2. I remember back in the day of ISA Server on Windows 2000, when it seemed as if I had to reboot the server at least twice a month, and that wasn't including reboots for the installation of updates. With TMG, I've found that I almost never have to reboot my firewall. I guess that should come as no surprise, since TMG and Windows Server 2008 R2 are so much more stable.
Of course, thinking about this progression can't help but remind me that when I upgrade my servers to Windows Server 2012, installing TMG on them won't be an option. You can, of course, install it in a VM on WS 2008 R2 running on top of WS 2012, but the lack of support for TMG by WS 2012 just brings home the fact that its days are numbered.
Some folks think security is destined to move to the cloud <http://redmondmag.com/articles/2012/09/17/microsoft-forefront-and-the-cloud.aspx>, and indeed, some believe that within five years on-premise firewalls won't be necessary because there will be no more on-premise servers. I think that might be wishful thinking on the parts of those who have investments in cloud technology. There's still a contingent who will never move some parts of their services to the public cloud <http://itknowledgeexchange.techtarget.com/sql-server/the-world-does-not-revolve-around-cloud-computing-or-coding/>, for security and availability reasons.
I think we're going to have to think about alternatives to TMG whether we want to or not. But what about those of you (and apparently there are quite a few) who have been using both TMG and a "hardware firewall" solution such as Cisco ASA together? I've been hearing from admins who have the ASA installed at the network edge, and use TMG for their VPN access. And in fact, I'm hearing that many TMG implementations are sitting behind other edge firewalls. Some are using TMG for its web filtering capabilities behind another firewall.
The migration path for those folks will be a little different than for those who have been relying on TMG to "do it all." They're going to be looking at questions such as whether they can use the Windows Server VPN server alone for VPN access (behind the existing firewall), and whether to replace the TMG web proxy with Websense), Blue Coat, Zscaler or one of the other solutions seen as leaders in the Secure Web Gateway space (a good starting point would be Gartner's Magic Quadrant for Secure Web Gateways <http://kensek.blogspot.com/2012/05/gartner-magic-quadrant-for-secure-web.html> published last spring).
For those who are looking for a new firewall solution, there are plenty of options to choose from – maybe too many. So-called Next-Generation Firewalls (NGF) from companies such as Barracuda, Palo Alto Networks, WatchGuard, Sonic Wall and others are ready to step in and take over TMG's firewall duties, but deciding which one is best for your network could be a daunting task.
I'm going to miss my TMG when it comes time to retire it. I still don't know what my next firewall and/or web filtering solution will be, but I've received a few suggestions from you folks out there in TMG land. In a future newsletter, I'll consolidate and organize all the suggestions you've sent to me and let you know what TMG firewall admins are doing and planning for the non-future of the TMG firewall.
So, let me know which firewall you are planning to transition to. And, just for the fun of it, also write and tell me your TMG firewall uptime stories. What is the longest period of time you have been able to go without rebooting your TMG server? I'll share your stories in an upcoming newsletter.
See you next month! – Deb.
dshinder@isaserver.org
=======================
Quote of the Month - You have to learn the rules of the game. And then you have to play better than anyone else. – Albert Einstein
=======================
2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------
Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.
Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.
3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------
- Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 2)
http://www.isaserver.org/tutorials/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
- Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 9)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part9.html
- Implementing Secure Remote Access with PPTP and Forefront Threat Management Gateway (TMG) 2010 (Part 1)
http://www.isaserver.org/tutorials/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html
- GFI WebMonitor for ISA/TMG Voted ISAserver.org Readers' Choice Award Winner - Monitoring & Administration
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Monitoring-Administration-GFI-WebMonitor-for-ISA-TMG-Sep12.html
- Microsoft Forefront UAG - Configuring Forefront UAG as a DirectAccess Server (Part 1)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Configuring-Forefront-UAG-DirectAccess-Server-Part1.html
- Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 8)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part8.html
- Understanding Policy and Configuration Backup and Restore Options in Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Understanding-Policy-Configuration-Backup-Restore-Options-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html
- Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 7)
http://www.isaserver.org/tutorials/Comprehensive-Overview-Web-Server-Publishing-Rules-TMG-2010-Part7.html
4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------
Did you know that you can install TMG in unattended server setup mode (also known as "silent install")? You sure can! You have the choice of installing TMG in either interactive or unattended mode. If you're installing just one TMG server, interactive mode is recommended, where you monitor the installation process and enter the required information when you're prompted to do so. But if you're installing multiple TMG servers, unattended mode will make your life a lot easier. Check out Installing Forefront TMG services in unattended mode at http://technet.microsoft.com/en-us/library/ee781946.aspx for details.
5. Tip of the Month
--------------------------------------------------------------
You probably know that System Policy is evaluated before the other rules in the firewall policy. For that reason, you should always configure System Policy before you get into configuring the firewall rules. But once you do that, you might be wondering: how do you back up the configuration? You don't have to wonder anymore. In this article, Richard Hicks shows you how to do exactly that. Check it out at http://www.isaserver.org/tutorials/Understanding-Policy-Configuration-Backup-Restore-Options-Forefront-Threat-Management-Gateway-TMG-2010-Part1.html
6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------
There's a lot of great stuff on the TechNet wiki. And even better, you can write your own stuff and editing the existing articles – so that you can make them even better. Microsoft needs you! But if you aren't in a sharing mood (or just don't have anything to say right now), that's okay - there is already a ton of great information on TMG in the TechNet wiki. Check it out over at http://social.technet.microsoft.com/Search/en-US?query=TMG&refinement=90&beta=0&ac=8
7. Blog Posts
--------------------------------------------------------------
- ISAserver.org Newsletter Archive
http://blogs.isaserver.org/shinder/2012/10/31/isaserverorg-newsletter-archive/
- DirectAccess and High Availability
http://blogs.isaserver.org/shinder/2012/10/31/directaccess-and-high-availability/
- Ten Common Mistakes Made by TMG Firewall Admins
http://blogs.isaserver.org/shinder/2012/10/31/ten-common-mistakes-made-by-tmg-firewall-admins/
- Understanding Policy and Configuration Backup and Restore Options in TMG Firewalls
http://blogs.isaserver.org/shinder/2012/10/31/understanding-policy-and-configuration-backup-and-restore-options-in-tmg-firewalls/
- GFI WebMonitor for ISA and TMG Voted ISAserver.org Readers Choice
http://blogs.isaserver.org/shinder/2012/10/31/gfi-webmonitor-for-isa-and-tmg-voted-isaserverorg-readers-choice/
- Making PPTP Secure with the TMG Firewall
http://blogs.isaserver.org/shinder/2012/10/31/making-pptp-secure-with-the-tmg-firewall/
- Critical Update for TMG Reporter
http://blogs.isaserver.org/shinder/2012/10/31/critical-update-for-tmg-reporter/
- Using the Account Lockout Feature in TMG 2010
http://blogs.isaserver.org/shinder/2012/10/31/using-the-account-lockout-feature-in-tmg-2010/
- Step by Step Guide for Windows Server 2012 Essentials
http://blogs.isaserver.org/shinder/2012/10/31/step-by-step-guide-for-windows-server-2012-essentials/
- Integrate Your TMG Firewall into Wireless Networks
http://blogs.isaserver.org/shinder/2012/10/31/integrate-your-tmg-firewall-into-wireless-networks/
8. Ask Sgt Deb
--------------------------------------------------------------
QUESTION:
Hi Deb,
I was wondering how I can make TMG highly available. Do you have any ideas for me?
Thanks! –Bob.
ANSWER:
Hi Bob,
That's a great question. Most people will think, off the tops of their heads, that maybe they could use failover clustering for high availability for the TMG firewall. However, unfortunately TMG does not support failover clustering. But don't despair. What you can do is create arrays and then you can use Network Load Balancing (NLB). The array will share a single configuration and NLB will allow you to assign the same IP addresses to the interfaces of the array members so that if one of the machines becomes unavailable, other machines can take over from it. Find out more about this solution at http://technet.microsoft.com/en-us/library/dd440989.aspx
Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
TechGenix Sites
--------------------------------------------------------------
MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>
--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2012. All rights reserved.
No comments:
Post a Comment