Wednesday, March 27, 2013

ISAserver.org Monthly Newsletter - March 2013

-------------------------------------------------------
Sponsored by: ADVSoft
<http://www.advsoft.info/download/?r1=isaserver_org&r2=newsletter2>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Windows Azure Infrastructure as a Service and TMG Firewalls
-----------------------------------------------------------

As I'm sure you've heard, Microsoft is "all in" when it comes to the cloud. This means a lot of things, but what I take out of this is that Microsoft is going to put most of its efforts into its cloud-based offerings and put less effort into developing on-premises solutions. I'm not sure if this is going to be as successful as Microsoft thinks it will be, but regardless of what I think, if you want to stay relevant in the Microsoft world, you're going to have to take their cloud computing offerings seriously.

I've played with Office 365 and found it very cool in some ways and a bit frustrating in others. You might say that the customer wasn't entirely "delighted". It might be that I didn't set things up correctly, but there just seemed to be too many limitations and complications, compared to using our on-premises Exchange Server. I'm sure Office 365 will serve the needs of some people, who are less tech-oriented and not such control freaks as I am. And I'm also sure this cloud offering will continue to improve and maybe someday I will even move over to it. But there is still some work to be done, as far as I'm concerned. At least I can say that I like the Office 365 solution more than Google Docs, but then I digress.

Azure is a big deal at Microsoft. You can tell that this is true because they've put their best brains, such as Mark Russinovich, on top of the Azure efforts. The problem for me with Azure, at least in the past, has been that it was primarily a Platform as a Service (PaaS) offering. Since I'm not a developer, PaaS doesn't hold much interest for me. I read about the Azure VM role and thought that might be interesting to an IT Pro like me, but when I found out that the machine state wasn't preserved between boots, I realized that it would only be useful for hosting stateless applications – and that isn't the type of applications most of us run today.

Then I discovered Azure Virtual Machines. This, unlike the VM role previously available in Azure, is a real Infrastructure as a Service (IaaS) offering. That means we can put any workload that runs in the on-premises data center into the Azure IaaS cloud. Microsoft says that this can end up being more available and more cost effective than maintaining applications in your traditional data center. While I think the jury is still out on that claim, it's an interesting proposition with some significant implications.

So, that brings us to the topic of this discussion: how could we use Azure Virtual Machines with the TMG firewall? One idea is to use it to segment your virtual network in the Azure cloud. Unfortunately, Azure doesn't surface the full virtual switch to you, so you can't create the same type of "physical" segmentation that you can with an on-premises Hyper-V server. This essentially means that you cannot host a multi-homed TMG firewall in the Azure cloud. Indeed, if you check the documentation for Azure Virtual Machines, you'll find that multi-homed machines are not supported.

OK, no problem. How about a hork mode TMG firewall? For those of you who don't know the history of "hork mode", this is the term that Tom gave to TMG firewalls (and ISA firewalls) that only had a single NIC. The single NIC configuration takes away a lot of functionality, so Tom considered the firewall "horked" in this configuration.

In spite of possible "horkness", this could be a good configuration for the TMG firewall in the Azure cloud. Your external users could use this TMG firewall as a forward proxy server. But what about authentication? The good news here is that Azure Virtual Machines can be placed on Azure Virtual Networks, and you can connect those Virtual Networks to your on-premises network using an IKEv1 site-to-site VPN tunnel.

There are other deployment scenarios too, but I'll save those for another time. What deployment scenarios can you imagine for the TMG firewall or the UAG server in the Azure cloud? Let me know!

See you next month! – Deb.

dshinder@isaserver.org

=======================
Quote of the Month - "These kids [of the current generation] have no fear of technology … sort of like I have no fear of a refrigerator." – Don Tapscott
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

- Microsoft Forefront UAG – How to configure arrays in Forefront UAG (Part 2)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-How-configure-arrays-Forefront-UAG-Part2.html

- Avantis ContentCache Voted ISAserver.org Readers' Choice Award Winner - Hardware Appliances
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Hardware-Appliances-Avantis-ContentCache-Jan13.html

- Firewalls in the Cloud (Part 1)
http://www.isaserver.org/tutorials/Firewalls-Cloud-Part1.html

- Enable Cross-Premises Connectivity to Windows Azure with Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/tutorials/Enable-Cross-Premises-Connectivity-Windows-Azure-Forefront-Threat-Management-Gateway-TMG-2010.html

- Considerations for Replacing your TMG Firewall (Part 5)
http://www.isaserver.org/tutorials/Considerations-Replacing-TMG-Firewall-Part5.html

- Microsoft Forefront UAG – How to configure arrays in Forefront UAG (Part 1)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-How-configure-arrays-Forefront-UAG-Part1.html

- Considerations for Replacing your TMG Firewall (Part 4)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-How-configure-arrays-Forefront-UAG-Part1.html

- Configuring Forefront Threat Management Gateway (TMG) 2010 Enterprise in Workgroup Mode
http://www.isaserver.org/tutorials/Configuring-Forefront-Threat-Management-Gateway-TMG-2010-Enterprise-Workgroup-Mode.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

TMG 2010 can be used as a basic proxy for AD FS 2.0. Requests made to AD FS 2.0 are sent to your internal AD FS server and the responses are sent back to the client. The AD FS 2.0 proxy offers certain benefits over TMG. If you are looking to add Office 365 in the future, the AD FS 2.0 proxy offers additional flexibility with endpoints and you can set up a Client Access Policy.

If you already have TMG set up as your edge firewall, you can have TMG point to your AD FS 2.0 proxy to get this functionality. For details on how to configure the TMG firewall as an AD FS proxy, check out the TechNet Wiki. <http://social.technet.microsoft.com/wiki/contents/articles/7877.configuring-tmg-as-an-ad-fs-2-0-proxy.aspx>

5. Tip of the Month
--------------------------------------------------------------

Have you ever tried to determine which version of the TMG firewall you're running? If so, you realize that it's not as easy to figure out as one might think. Sure, you can click Help and then click About and get a number, but what does that number mean? If you don't know, then check this TechNet Wiki article on how to figure out which version of TMG you're running. <http://social.technet.microsoft.com/wiki/contents/articles/1550.how-to-determine-which-version-of-tmg-server-2010-is-installed.aspx>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

We know that TMG is no longer available for purchase, but there is some hope that there might be a future for UAG. After all, there have been service packs released over the last three years and there was one released just a month ago. However, if you check on what Sander de Wit says at http://www.forefrontblog.nl/category/forefront-uag/ the future doesn't look so bright for UAG. What is really interesting is what he has to say about IIS 8.0 capabilities and how they map to UAG features. What do you think?


7. Blog Posts
--------------------------------------------------------------

- Is the end in sight for Forefront UAG, too?
http://blogs.isaserver.org/shinder/2013/02/28/is-the-end-in-sight-for-forefront-uag-too/

- Securing the Edge in a Post-TMG World
http://blogs.isaserver.org/shinder/2013/02/28/securing-the-edge-in-a-post-tmg-world/

- Enable authentication for SafeSearch enforcement rule
http://blogs.isaserver.org/shinder/2013/02/28/enable-authentication-for-safesearch-enforcement-rule/

- TMG 2012 Interactive Diagnostic
http://blogs.isaserver.org/shinder/2013/02/28/tmg-2012-interactive-diagnostic/

- Snapp 360 makes migration easier
http://blogs.isaserver.org/shinder/2013/02/28/snapp-360-makes-migration-easier/

- What's new in FIM 2010 R2 SP1?
http://blogs.isaserver.org/shinder/2013/02/21/whats-new-in-fim-2010-r2-sp1/

- Forefront UAG SP3 download available
http://blogs.isaserver.org/shinder/2013/02/19/forefront-uag-sp3-download-available/

- Deprecated features in UAG SP3
http://blogs.isaserver.org/shinder/2013/02/18/deprecated-features-in-uag-sp3/

- Windows 8 Modern UI apps and TMG 2010
http://blogs.isaserver.org/shinder/2013/02/15/windows-8-modern-ui-apps-and-tmg-2010/

- Are you able to remotely manage the Enterprise Policy, but not the Array Policy?
http://blogs.isaserver.org/shinder/2013/02/11/are-you-able-to-remotely-manage-the-enterprise-policy-but-not-the-array-policy/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hello Deb,

I have a TMG firewall running as a virtual machine on a Windows Server 2012 Hyper-V server. It's working well and I'm happy with performance and security. However, I was wondering if there was a way that I could improve the boot time. It takes about 15 minutes for the TMG firewall to reboot. I know it's been like this with previous versions of Hyper-V, so I know that nothing has changed in this respect for Windows Server 2012. Do you have any suggestions on how I can speed up boot performance? –Lynn.

ANSWER:

Hi Lynn,

Yes, boot-up times of 15 minutes are not unusual for the TMG firewall running on Hyper-V. One of the reasons why this might be the case is that you left the startup RAM for the virtual machine set at a low value, such as 512 MB. While taking advantage of dynamic memory is a great way to get the most out of your hardware investment for Hyper-V host servers, it can be a problem when it comes to boot times. Look at your TMG firewall's memory utilization over time. Do you find that it typically works its way up to 6 GB? If so, then try increasing the amount of RAM you dedicate to startup, to something like 2 GB. That way the services will load faster and you should see a significant improvement in boot time.
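One way to check the startup RAM setting Deb describes and raise it on the Hyper-V host, as an added example that is not from the newsletter. It uses the Hyper-V PowerShell module that ships with Windows Server 2012; the VM name 'TMG01' is an assumption.

```powershell
# Added example (not from the newsletter): inspect a TMG VM's Hyper-V memory
# settings and raise the startup allocation when dynamic memory is enabled.
# The VM name is an assumption; adjust it to your environment.
$vmName = 'TMG01'      # hypothetical VM name
$targetStartup = 2GB   # the startup RAM suggested in the answer above

$mem = Get-VMMemory -VMName $vmName

"VM: {0}  Dynamic: {1}  Startup: {2:N0} MB  Min: {3:N0} MB  Max: {4:N0} MB" -f `
    $vmName, $mem.DynamicMemoryEnabled,
    ($mem.Startup / 1MB), ($mem.Minimum / 1MB), ($mem.Maximum / 1MB)

if ($mem.DynamicMemoryEnabled -and $mem.Startup -lt $targetStartup) {
    # Startup RAM must lie between Minimum and Maximum, so keep them consistent.
    $min = [Math]::Min($mem.Minimum, $targetStartup)
    $max = [Math]::Max($mem.Maximum, $targetStartup)
    # Startup RAM can only be changed while the VM is off (Stop-VM first if needed).
    Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true `
        -StartupBytes $targetStartup -MinimumBytes $min -MaximumBytes $max
    "Startup RAM raised to {0:N0} MB" -f ($targetStartup / 1MB)
} else {
    "No change needed: startup RAM is already at or above the target, or dynamic memory is off."
}
```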

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright ISAserver.org 2013. All rights reserved.
