Wednesday, May 29, 2013

ISAserver.org - Monthly Newsletter - May 2013

ISAserver.org - Monthly Newsletter - May 2013

Hi Security World,

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

---------------------------------------------------------
Is Forefront TMG really working the way you think?

Everyone using Fastvue TMG Reporter has discovered concerning network activity that they were unaware of. High volumes of traffic to sites they believed were blocked, URL Filtering not being enabled anymore, large amounts of unauthenticated traffic, or certain people using the web inappropriately at work. TMG Reporter opens your eyes to what is happening on your network and is an essential tool for any Forefront TMG Administrator.

Try it free today. You’ll be up and running in minutes. http://fastvue.co/
---------------------------------------------------------


1. The TMG Firewall on the TechNet Wiki
-----------------------------------------------------------

How do you find configuration, operation and troubleshooting instructions for TMG? There are a plethora of places where you can go to find useful information about the TMG firewall. Of course, we hope that the first place you come to will be www.isaserver.org. For over a decade, the authors and editors at ISAserver.org have been working hard to provide you with the information you need to plan, design, implement and operate your TMG firewalls as well as the best troubleshooting information and detailed configuration information for the most popular and most difficult scenarios. It's been great fun and we hope you've enjoyed the ride with us.

But there may be times when we don't have what you need. Where else can you go, then, to get useful information on the TMG firewall? Most folks will probably first try the TechNet library, where the core documentation for the TMG firewall can be found. Those documents are critical, because they provide detailed information on how the core features of the TMG firewall work. However, they often just tell you how things work and don't do a great job at helping you make things work the way you want them to. In addition, the troubleshooting information on the site isn't always the best because at the time that documentation is written, the product usually hasn't been used much "in the wild." That means that the variety of troubleshooting issues that are seen after deployment in the varied network environments that had never been envisioned just aren't available to the writers at the time the content is published.

Blogs can be another great resource for finding good information on the TMG firewall, but all blogs are not created equal. For the most authoritative info, there is the TMG firewall team blog, which provides excellent information on updates to the firewall and insights from the TMG firewall product team and also from Microsoft Customer Support Services. However, those blogs tend to walk the "party line." If you need information on unsupported scenarios, you might not find it there.

There are also a number of independent blogs that are run by long-time TMG firewall MVPs out there, such as Richard Hicks' blog, Jason Jones' blog and others. These blogs cover real world scenarios that these TMG experts have encountered and they share what they've learned in the field in their blogs. Sadly, though, with the impending demise of TMG, many of these guys have moved on to other endeavors or at least aren't putting as much time into their TMG blogs as they once did.

A relatively new option for getting useful information on the TMG firewall is the TechNet wiki. It's been around for a while but many people still aren't familiar with it. If you check it out, though, you'll find that it's a virtual treasure trove of useful information on the TMG firewall. Like any other wiki, it is based a collaborative writing experience, so that readers can post articles and work with others in developing the wiki article. And when you're finished with it, other people can come in and update it if more information on the subject comes in, which means that the content has the potential of always being fresh and accurate, no matter how long the article stays online. You can find the TechNet wiki at http://social.technet.microsoft.com/wiki/

Getting started with the TechNet wiki is easy! The first thing you need to do is to get a Microsoft account. What's a Microsoft account? If you've made the transition to Windows 8, you probably already know the answer to that. It's the same thing as what used to be called a "Windows Live ID." Most people already have a Microsoft account, but if you've never had a Hotmail account (which is now called an Outlook.com account) then you might not have one. If not, it's easy (and free) to get one. <http://windows.microsoft.com/en-us/windows-live/sign-up-create-account-how>

After you sign up for the Microsoft account, the next step is to go to the TechNet wiki front page and click the Post an article link in the upper right hand of the page. This will open the TechNet wiki editor, which is basically a web form that allows you to enter your content into the page. You can use the editor to type your article directly in on the web page, but I suggest you don't do that because if the browser crashes (and who among us has never seen that dread "Internet Explorer has stopped working" message?), you'll lose your work. That can be awfully frustrating if you've spent an hour creating something wonderful, only to have it disappear into the bitbucket of the universe.

Instead, use a basic text editor, a word processing program or a blogging tool such as Windows Live Writer. Compose your article, saving it often or relying on the application's autosave functionality. After you've finished with the article, just copy the content from the application's page and paste it into the TechNet wiki editor. Most of the time, that works pretty well. When you've finished copying and pasting, just click save and there you go; your page will be published in the TechNet wiki.

If you want to make changes to the page later, all you have to do is go to the page you created and click the Edit tab. If you don't see that tab, the reason is mostly likely that you're not logged in. Log in and then you'll see the tab. When you click it, the article will open in the editor and you can make changes. There is also a History tab. You can use this tab to find out about any changes that other people have made to your article. If you don't like a change that was made, you can reverse the changes and revert back to the version of the article you prefer.

Give the TechNet wiki a try! You might find that you really like it and become a TechNet wiki ninja!

See you next month! â€" Deb.

dshinder@isaserver.org


=======================
Quote of the Month - Don't judge each day by the harvest you reap but by the seeds that you plant. â€" Robert Louis Stevenson
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

Microsoft Forefront UAG - Forefront UAG monitoring and debugging (Part 2)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Forefront-UAG-monitoring-debugging-Part2.html

TMG Firewall Name Resolution (Part 3)
http://www.isaserver.org/tutorials/TMG-Firewall-Name-Resolution-Part3.html

Forefront TMG 2010 Policy and Configuration Management Tips and Tricks
http://www.isaserver.org/tutorials/Forefront-TMG-2010-Policy-Configuration-Management-Tips-Tricks.html

ISAserver.org Readers' Choice Awards Yearly Round Up 2012
http://www.isaserver.org/news/ISA-Readers-Choice-Awards-Yearly-Round-Up-2012.html

TMG Firewall Name Resolution (Part 2)
http://www.isaserver.org/tutorials/TMG-Firewall-Name-Resolution-Part2.html

Microsoft Forefront UAG - Forefront UAG monitoring and debugging (Part 1)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Forefront-UAG-monitoring-debugging-Part1.html

TMG Firewall Name Resolution (Part 1)
http://www.isaserver.org/tutorials/TMG-Firewall-Name-Resolution-Part1.html

Configuring SafeSearch Enforcement in Forefront Threat Management Gateway (TMG)
http://www.isaserver.org/tutorials/Configuring-SafeSearch-Enforcement-Forefront-Threat-Management-Gateway-TMG.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

SafeSearch is an enhancement to the URL filtering capabilities in the TMG firewall. This feature was introduced in Update 1 for the TMG firewall. SafeSearch allows TMG firewall administrators to enforce blocking of adult text, images, and videos from search results returned by popular search engines. Although enabling SafeSearch can provide an additional layer of protection for your internal clients, the feature does have some limitations and shortcomings that should be taken into consideration prior to enabling it. Learn about SafeSearch from Richard Hicks. <http://www.isaserver.org/tutorials/Configuring-SafeSearch-Enforcement-Forefront-Threat-Management-Gateway-TMG.html>


5. Tip of the Month
--------------------------------------------------------------

The TMG firewall is an ideal candidate for virtualization. We've virtualized many TMG firewalls in our practice and I'm sure you have, too. One of the things that I like about virtualizing the TMG firewall is that it's so easy to snapshot the firewall so that you can go back to a working configuration in the event that an update goes wrong or something else bad happens to it. But what happens if you virtualize the TMG firewall and put it on the ESX platform and then you want to create an IPsec site to site VPN to a Cisco device? You'd think "no problem" because you've gotten it to work when the TMG firewall was installed on a physical server. It should just work when it's on ESX too, right. Well, it's not that easy. Check out this article in the TechNet wiki to find out why. <http://social.technet.microsoft.com/wiki/contents/articles/3928.site-to-site-ipsec-tunnel-between-tmg-2010-on-vmware-and-cisco.aspx>

---------------------------------------------------------
Is Forefront TMG really working the way you think?

Everyone using Fastvue TMG Reporter has discovered concerning network activity that they were unaware of. High volumes of traffic to sites they believed were blocked, URL Filtering not being enabled anymore, large amounts of unauthenticated traffic, or certain people using the web inappropriately at work. TMG Reporter opens your eyes to what is happening on your network and is an essential tool for any Forefront TMG Administrator.

Try it free today. You’ll be up and running in minutes. http://fastvue.co/
---------------------------------------------------------


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

The reporting enhancements in TMG SP1 were a big improvement over the reports we got just out of the box prior to SP1. However, there can be some problems with them, such as when reporting just stops. Ouch! How can you fix this? Here's a great article on the TechNet wiki that provides you with some great troubleshooting tips and tricks to help you get your reporting working again. Check it out. <http://social.technet.microsoft.com/wiki/contents/articles/3946.troubleshooting-tmg-sp1-reporting.aspx>

7. Blog Posts
--------------------------------------------------------------

TMG Firewall Policy Tips and Tricks
http://blogs.isaserver.org/shinder/2013/04/30/tmg-firewall-policy-tips-and-tricks/

DirectAccess and NAT
http://blogs.isaserver.org/shinder/2013/04/29/directaccess-and-nat/

Known Issuesâ€"ESET Gateway Security for TMG
http://blogs.isaserver.org/shinder/2013/04/29/known-issueseset-gateway-security-for-tmg/

ISA/TMG admins looking for new IT certs?
http://blogs.isaserver.org/shinder/2013/04/29/isatmg-admins-looking-for-new-it-certs/

UAG DirectAccess DirectAccess Clients and Repeated OTP prompts
http://blogs.isaserver.org/shinder/2013/04/22/uag-directaccess-directaccess-clients-and-repeated-otp-prompts/

Fastvue TMG Reporter 2.1 now available
http://blogs.isaserver.org/shinder/2013/04/18/fastvue-tmg-reporter-21-now-available/

How to configure an authoritative time server in Windows Server
http://blogs.isaserver.org/shinder/2013/04/17/how-to-configure-an-authoritative-time-server-in-windows-server/

Site-to-Azure VPN using Windows Server 2012 RRAS
http://blogs.isaserver.org/shinder/2013/04/15/site-to-azure-vpn-using-windows-server-2012-rras/

Firewall Exceptions to allow SCCM Remote Control for DirectAccess clients
http://blogs.isaserver.org/shinder/2013/04/12/firewall-exceptions-to-allow-sccm-remote-control-for-directaccess-clients/

How to configure the TMG Service Account to avoid problem with logging on SQL Server
http://blogs.isaserver.org/shinder/2013/04/10/how-to-configure-the-tmg-service-account-to-avoid-problem-with-logging-on-sql-server/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

I've been having some performance issues with my TMG firewall that are hard to figure out and I was wondering where I might start. Do you have any suggestions? I figure if I start with the most common reasons I might be able to figure out faster. Thanks! â€"Zevon.

ANSWER:

Hi Zevon,

There are a number of reasons why the TMG firewall might be exhibiting difficult-to-troubleshoot performance issues. But, as you said, if you start with the most common reasons, you'll probably find a solution faster. When you hear hoofbeats, think horses â€" not zebras! One of the most common reasons for TMG performance issues is the NIC configuration on the firewall. This could be a default gateway issue, a DNS issue, or a routing issue. You have to make sure that the internal, external and DMZ interfaces are all configured correctly; otherwise strange performance issues can creep in. Check out this article on the TechNet wiki for a good explanation of correct TMG firewall NIC configurations. <http://social.technet.microsoft.com/wiki/contents/articles/recommended-network-adapter-configuration-for-forefront-tmg-standard-edition-servers.aspx>

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


---------------------------------------------------------
Is Forefront TMG really working the way you think?

Everyone using Fastvue TMG Reporter has discovered concerning network activity that they were unaware of. High volumes of traffic to sites they believed were blocked, URL Filtering not being enabled anymore, large amounts of unauthenticated traffic, or certain people using the web inappropriately at work. TMG Reporter opens your eyes to what is happening on your network and is an essential tool for any Forefront TMG Administrator.

Try it free today. You’ll be up and running in minutes. http://fastvue.co/
---------------------------------------------------------


ISAserver.org Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.isaserver.org/articles-tutorials/)
- Products (http://www.isaserver.org/software/)
- Reviews (http://www.isaserver.org/articles-tutorials/product-reviews/)
- Free Tools (http://www.isaserver.org/software/Free-Tools/)
- Blogs (http://www.isaserver.org/blogs/)
- Forums (http://forums.isaserver.org/)
- Contact Us (http://www.isaserver.org/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- WindowSecurity.com (http://www.windowsecurity.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- MSPanswers.com (http://www.mspanswers.com/)
- WServerNews.com (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@ISAserver.org
Copyright ISAserver.org 2013. All rights reserved.

No comments:

Post a Comment