Wednesday, February 27, 2013

ISAserver.org Monthly Newsletter - February 2013

-------------------------------------------------------
ISAserver.org Monthly Newsletter - February 2013
Sponsored by: Fastvue
<http://www.fastvue.co/TMGReporter21>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. BYOD, the Cloud and TMG Firewalls
-----------------------------------------------------------

There are a many current and emerging trends that are going to have a profound influence over how we manage our networks, now and in the future. The Cloud is one of those and we've talked about cloud computing to a greater or lesser extent for the last couple of years in this newsletter. Another big trend that is separate, but loosely related to cloud computing, is the Bring Your Own Device (BYOD) wave. BYOD is all about users choosing the computing devices they want to use for work, in many cases buying those devices themselves, and then connecting those devices to the corporate network.

In the past, corporate IT usually had the responsibility for deciding which devices were approved to connect to corporate network resources. If the device wasn't under the complete command and control of the IT department, then that device not only wouldn't be allowed to access resources that resided on the corporate network, it wouldn't even be allowed to connect to the corporate network and use its Internet connection. This authoritarian approach worked well (at least for IT) for decades and most corporate security infrastructures were built on the assumption that only IT managed devices would be allowed to connect to the network.

Fast forward to today. Users have their own smart phones, Pad PCs, slates, and other devices that they want to connect to the corporate network. Some of these devices might be under your control, some of the devices might be under your partial control, and probably most of these devices are not under your control at all.

You might be wondering how you should deal with this and how can the TMG firewall help. One of the issues that you'll probably encounter is the issue of corpnet connectivity. For those devices that are not under your control at all, you should seriously consider setting up a separate DMZ wireless network and allowing them to get Internet access through that network. In fact, these devices should connect to any corporate resources that you allow through this network too.

One thing you don't want them to do is connect to corporate resources from within the corporate network itself. The reason for this is that you just don't know the security status of these devices – they have been out and about, and could have previously connected to all manner of wi-fi networks, some of which may have been completely insecure. There's no reason for you to expose your network to these devices and malware they may have picked up in their travels. In order to provide access for users to get work done with them, you can publish selected resources through the TMG firewall so that these devices can connect to those corporate resources, and nothing else.

There's also the issue of device trust. Even if you prevent these devices from connecting directly to the corporate network and allow application access through publishing, you still will want to consider what level of access users should have to the applications, based on the device that the user is using. The bad news is that the TMG firewall isn't a very good policeman here –it doesn't have the level of granular, application-based access control that would be required to control the application experience based on the connecting device.

The good news is that the Unified Access Gateway 2010 can do this. In fact, we thought that feature was one of the greatest selling points of UAG when it was being actively developed by Microsoft. Although the future of UAG is unclear right now, it's still on the list of products that you can buy from Microsoft. And especially if you already have a UAG deployment, you might want to consider using UAG to provide that level of granular access control to applications that you publish for users who are using unmanaged devices.

Of course, the best of all possible worlds would be to be able to manage all of these devices. If you could manage the security state of all of these devices as you can with Windows clients through Group Policy and other methods, then you could allow these devices to connect to the corporate network directly and then enforce granular access controls at the application itself, which is likely easier to implement than having a gateway device take care of that.

That's a big advantage of the new Windows 8 based tablets. As for other platforms, we're not really there yet, but from some of the things I've read and heard, it sounds as if Microsoft is going to be working on new technology that will allow you to manage iOS and Android devices, too. If and when that happens, you might consider changing how you partition your network for the new form factor devices.

See you next month! – Deb.

dshinder@isaserver.org

=======================
Quote of the Month - Going to work for a large company is like getting on a train. Are you going sixty miles an hour or is the train going sixty miles an hour and you're just sitting still? – J. Paul Getty
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

- Microsoft Forefront UAG – How to configure arrays in Forefront UAG (Part 1)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-How-configure-arrays-Forefront-UAG-Part1.html

- Considerations for Replacing your TMG Firewall (Part 4)
http://www.isaserver.org/tutorials/Considerations-Replacing-TMG-Firewall-Part4.html

- Configuring Forefront Threat Management Gateway (TMG) 2010 Enterprise in Workgroup Mode
http://www.isaserver.org/tutorials/Configuring-Forefront-Threat-Management-Gateway-TMG-2010-Enterprise-Workgroup-Mode.html

Considerations for Replacing your TMG Firewall (Part 3)
http://www.isaserver.org/tutorials/Considerations-Replacing-TMG-Firewall-Part3.html

- Microsoft Forefront UAG - Configuring Forefront UAG as a DirectAccess Server (Part 3)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Configuring-Forefront-UAG-DirectAccess-Server-Part3.html

- Chaperon for ISA 2004/06 Voted ISAserver.org Readers' Choice Award Winner - Content Security
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Content-Security-Chaperon-for-ISA-200406-Nov12.html

- Considerations for Replacing your TMG Firewall (Part 2)
http://www.isaserver.org/tutorials/Considerations-Replacing-TMG-Firewall-Part2.html

- Troubleshooting Reporting Issues with Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Troubleshooting-Reporting-Issues-Forefront-Threat-Management-Gateway-TMG-2010.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

The TMG firewall is probably best known for its web antimalware features, and it should be, as this is one of the features that most people find to be among the firewall's best. But the TMG firewall, like the ISA firewall before it, is a true Swiss Army Knife of firewalls and it can do a lot of different things. One of those things is to act as a site to site VPN gateway. While it's not hard to set it up, there are some things that you need to be aware of before you configure the firewall for a site to site VPN. Check out Configuring site-to-site VPN <http://technet.microsoft.com/en-us/library/bb838949.aspx> access for more information.


5. Tip of the Month
--------------------------------------------------------------

Did you know that you can configure the TMG firewall to be a DirectAccess server? If not, then you're in for a treat! If you're running TMG on Windows Server 2008 R2, then you can configure the firewall to be a DirectAccess server using the Windows version of DirectAccess. For information on how to do this, check out Forefront TMG and Windows 7 DirectAccess <http://blogs.technet.com/b/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx>.


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Recently there was a vulnerability discovered in the DirectAccess IP-HTTPS protocol that could lead to a possible compromise. While the vulnerability will not enable the attacker to get full access to the network, it's something that you should be aware of and you need to know what you can do to mitigate the threat. Check out the details at http://blogs.technet.com/b/srd/archive/2012/12/11/ms12-083-addressing-a-missing-certificate-revocation-check-in-ip-https.aspx.


7. Blog Posts
--------------------------------------------------------------

- Configuring the TMG Firewall in Workgroup Mode
http://blogs.isaserver.org/shinder/2013/02/01/configuring-the-tmg-firewall-in-workgroup-mode/

- CRL Checks for IP-HTTPS
http://blogs.isaserver.org/shinder/2013/02/01/crl-checks-for-ip-https/

- Operations Manager Management Pack for Windows Server 2012 DirectAccess
http://blogs.isaserver.org/shinder/2013/02/01/operations-manager-management-pack-for-windows-server-2012-directaccess/

- Free utility for W3C log files
http://blogs.isaserver.org/shinder/2013/01/30/free-utility-for-w3c-log-files/

- FastVue: Reporting on Hostnames with SecureNAT clients
http://blogs.isaserver.org/shinder/2013/01/30/fastvue-reporting-on-hostnames-with-securenat-clients/

- Ben Ari's Book on Windows Server 2012 Unified Remote Access Now Available
http://blogs.isaserver.org/shinder/2013/01/30/ben-aris-book-on-windows-server-2012-unified-remote-access-now-available/

- Extending TMG's ISP redundancy features
http://blogs.isaserver.org/shinder/2013/01/29/extending-tmgs-isp-redundancy-features/

- UAG DirectAccess management "Apply Policy" fails after PowerShell update
http://blogs.isaserver.org/shinder/2013/01/25/uag-directaccess-management-apply-policy-fails-after-powershell-update/

- TMG SP2 Rollup 3 is available
http://blogs.isaserver.org/shinder/2013/01/25/tmg-sp2-rollup-3-is-available/

- Unified Threat Management Appliances to Watch
http://blogs.isaserver.org/shinder/2013/01/25/unified-threat-management-appliances-to-watch/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hello Deb,

I've been reading a lot about Windows Server 2012 and we want to upgrade our computers to Windows Server 2012 as soon as possible. What I'm wondering is if I can upgrade my TMG firewall to Windows Server 2012. It's running great now on Windows Server 2008 R2 and I figure it should run even better on Windows Server 2012. I tried to find information on this but wasn't able to get an answer. Can you help?

Thanks! –Carl.


ANSWER:

Hi Carl,

Windows Server 2012 is a great operating system and has a ton of new features from which your network is likely to benefit. However, I have some bad news for you: you can't install the TMG firewall software on Windows Server 2012. I guess Microsoft figured that it wasn't worth the time and trouble to test TMG on Windows Server 2012 since they knew that TMG was going to be approaching its end of life. I suppose the good news is that Windows Server 2008 R2 is a rock solid operating system, so you should be able to keep your TMG firewalls humming on it for many years to come.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright ISAserver.org 2013. All rights reserved.

No comments:

Post a Comment