Wednesday, June 26, 2013

ISAserver.org - Monthly Newsletter - June 2013

Hi Security World,

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. TechEd 2013 in a post-TMG Firewall Age
-----------------------------------------------------------

This year TechEd was held in New Orleans again. I have a soft spot in my heart for New Orleans because I've had some memorable experiences there, including the first trip that Tom and I ever took together. The last time I was there was for TechEd a few years ago. This year, I had to stay home due to a number of work and personal responsibilities here, but Tom - as a Program Manager for the Architecture track - was on the scene. He came home pretty happy with the success of the architecture track, and he also shared with me some of his experiences there and what attendees had to say to him while he was there.

One of the most fun things about going to TechEd and similar events is seeing all the old techie friends that we've made over the years, as well as meeting new folks who know us from our books and articles and our work here on ISAServer.org. Tom told me that he saw plenty of both at this year's TechEd and, even though he has been working in the private cloud space for quite some time now, he was a little surprised to find that almost all the questions people asked him were about the TMG firewall.

A number of them asked him what he thought the future of the TMG firewall might be, and whether there might be any chance that Microsoft might bring it back to life someday. Of course, he had to say that he didn't know, and that anything is possible, but that he feels - as do I - that it is unlikely, because that's just not the direction in which Microsoft is moving these days. Whether we like it or not, the future of the company seems to be in the cloud, whether that means private cloud, public cloud or hybrid cloud. Sad to say, any investments in a network firewall don't really fit into those cloud aspirations.

I find it interesting that, after all this time, so many customers are still so interested and invested in the TMG firewall. I guess it shouldn't really come as a surprise, though; it's definitely the case that the TMG customers and MVPs were some of the most viciously loyal and outspoken Microsoft supporters of all the communities within Microsoft. These people were very sad and very disappointed (and yes, some of them were very angry) when it was announced that the TMG firewall would no longer be in development. It's no wonder that Tom (and I) still get questions about the potential future of the TMG firewall. I guess this proves that hope springs eternal among the fans of what we still consider to be the best firewall in the world.

Some folks seem to have worked through the stages of grief and arrived at the acceptance stage. Those were the ones who wanted to know whether there is anything in the future of Windows Server that might provide at least some of the functionality of the TMG firewall. Well, to my knowledge, I can't say that the future of Windows provides anything near the power and functionality of the TMG firewall or even UAG, but there was a new feature announced at TechEd in New Orleans this year called the Web Application Proxy. There was a presentation by Jairo Cadena that discussed this new Web Application Proxy. <http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013?sort=sequential&direction=desc&term=Web+Application+Proxy#fbid=7GWv7bdWOnG>

Here's the description of the session:

"Enabling employees to work from anywhere necessitates on-premises corporate IT resources to be made available over the Internet. Companies are willing to enable this provided they can implement a risk management strategy that allows them to comply with their corporate IT governance. This session showcases how you can enable this remote access to make your users productive while being effective in managing risk. The Web Application Proxy in conjunction with Active Directory Federation Services (ADFS) allows IT admins to publish selected on-premises web applications to the internet, and only allow access when specific criteria such as multi-factor authentication are satisfied. You can leverage a variety of VPN solutions, from Microsoft as well as popular VPN vendors, in order to meet all of your needs for enabling remote access. Hear about third-party plugin support for VPNs in Windows and how we deliver a streamlined user experience, even as we simplify the provisioning and allow for implementation of your risk management strategies."

It sounds as if this new feature in Windows Server 2012 R2 is going to be some type of reverse proxy service that allows you to enforce multi-factor authentication and leverage ADFS for authentication and authorization decisions. While that sounds interesting, I realize that the entire solution sounds a little "lightweight" for those of us who are used to the robust forward and reverse proxy capabilities in the TMG firewall and the extremely flexible and powerful security and publishing capabilities we had with UAG.

I suppose one interpretation of this offering is that Microsoft has given up on remote access to web applications, and expects you to put everything in the Azure PaaS and IaaS services. But even if you put your web applications in the IaaS service, aren't you going to need the same strong inbound access controls over incoming communications? Aren't you going to need more than simple port ACLs to control inbound access to web services coming into the Azure Infrastructure Services located virtual machines?

Like most new offerings from Microsoft, I suspect that the Web Application Proxy in Windows Server 2012 R2 is only the beginning. If they find that customers are interested in it, and if those customers ask for more features, they might very well rev it next year with more features and more capabilities. And given that Microsoft has decided to implement a yearly cadence for providing new versions of the server operating system, it won't be too long until we find out. I suppose if no one shows much interest in the new feature, they'll let it go the way of NAP and similar technologies - technologies that had great promise for changing the way we do things, but were left to hang because of shortcomings in the product offering or issues with complexity. We'll see.

Either way, it was good to hear that TMG firewall fans are still out there and that they still keep a candle burning for it. Tom said that these people still think about the old ISA and TMG firewalls fondly, and that they would pick it up again at a moment's notice if Microsoft ever decided to bring it back. Who knows - maybe the Web Application Proxy will be enabled for forward and reverse proxy in the future, maybe they'll enable it with stateful packet and application layer inspection in the future, maybe they will add advanced IDS/IPS to the Web Application Proxy in the future - maybe … Hmmm. That's sounding like the resurrection of an old friend, isn't it?

dshinder@isaserver.org

=======================
Quote of the Month - Anybody who has been seriously engaged in scientific work of any kind realizes that over the entrance to the gates of the temple of science are written the words, "Ye must have faith." - Max Planck
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000s of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 1)
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html

GFI WebMonitor for ISA/TMG Voted ISAserver.org Readers' Choice Award Winner - Access Control
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Access-Control-GFI-WebMonitor-Mar13.html

Understanding TMG Logging (Part 1)
http://www.isaserver.org/articles-tutorials/general/Understanding-TMG-Logging-Part1.html

Enable Cross-Premises Connectivity to Amazon EC2 with Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/articles-tutorials/configuration-general/Enable-Cross-Premises-Connectivity-Amazon-EC2-Forefront-Threat-Management-Gateway-TMG-2010.html



4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Did you know that the TMG firewall has its own traffic simulator that you can use to simulate a variety of traffic conditions at the TMG firewall? The traffic simulator simulates network traffic based on request parameters that you set in the interface and gives you information about the firewall policy rules that are evaluated for the traffic that you choose to simulate. You can use this feature to troubleshoot communication issues to and through the TMG firewall. The TMG firewall's traffic simulator checks the published rules that match the scenario you describe, and you can inspect the results to determine how to fix whatever problems there might be with the firewall policy. To find out more about the TMG firewall's traffic simulator, check out Simulating network traffic. <http://technet.microsoft.com/en-us/library/dd897030.aspx>



5. Tip of the Month
--------------------------------------------------------------

Do you want to back up your UAG gateway using Microsoft Data Protection Manager? If you've tried to do this, you probably found that it didn't work. What's up with that? Well, what's up with that is that the TMG firewall that sits under the UAG components is blocking the backup from working. In order to fix this, you need to configure the underlying TMG firewall to allow the required protocols inbound and outbound. The article Modifying TMG settings to allow UAG backup using DPM 2012 shows you how. <http://social.technet.microsoft.com/wiki/contents/articles/16616.modifying-tmg-setting-to-allow-uag-backup-using-dpm-2012.aspx>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

There have been a large number of improvements in DirectAccess in Windows Server 2012. However, many of these improvements are based on having Windows 8 or above as the DirectAccess client. What happens when you want to use Windows 7 DirectAccess clients with a Windows Server 2012 DirectAccess server? To find out, check out Richard Hicks' article, The Drawbacks of Supporting Windows 7 Clients with Windows Server 2012 DirectAccess. <http://directaccess.richardhicks.com/2013/06/06/the-drawbacks-of-supporting-windows-7-clients-with-windows-server-2012-directaccess/>


7. Blog Posts
--------------------------------------------------------------

The Future Is Now! Next Generation Remote Access Today with Windows Server 2012 DirectAccess
http://www.isaserver.org/blogs/shinder/future-now-next-generation-remote-access-today-windows-server-2012-directaccess.html

How to Report on YouTube Activity with Fastvue TMG Reporter
http://www.isaserver.org/blogs/shinder/how-report-youtube-activity-fastvue-tmg-reporter.html

Win a Copy of Windows Server 2012 Security from End to Edge and Beyond
http://www.isaserver.org/blogs/shinder/win-copy-windows-server-2012-security-end-edge-and-beyond.html

Secure your devices with 3 quick Microsoft Forefront UAG tips
http://www.isaserver.org/blogs/shinder/secure-your-devices-3-quick-microsoft-forefront-uag-tips.html

Exploring TMG replacement possibilities, Part 2
http://www.isaserver.org/blogs/shinder/exploring-tmg-replacement-possibilities-part-2.html

Exploring TMG replacement possibilities
http://www.isaserver.org/blogs/shinder/exploring-tmg-replacement-possibilities.html

The Human Side of the Firewall
http://www.isaserver.org/blogs/shinder/human-side-firewall.html

The Amazing Hyper-V Network Virtualization in Windows Server 2012
http://www.isaserver.org/blogs/shinder/amazing-hyper-v-network-virtualization-windows-server-2012.html

Lync Security Solution Enhanced - Enterprise Edition of Security Web Filter Announced
http://www.isaserver.org/blogs/shinder/lync-security-solution-enhanced-enterprise-edition-security-web-filter-announced.html

Updated Forefront UAG SP3 tracing is now available
http://www.isaserver.org/blogs/shinder/updated-forefront-uag-sp3-tracing-now-available.html


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

I plan to keep the TMG firewall running as long as I can, but I'd like to get your opinion on what I should consider for my TMG firewall replacement. You have any clues you can throw my way as I evaluate my options? Thanks! - Xavier.

ANSWER:

Hi Xavier,

There are a lot of options out there for sure, as we've discussed before in the newsletter and articles on ISAServer.org. The unified threat management gateways you have to choose from are legion, and new products are always hitting the market - to make your decision even more confusing. One option that we've been looking at is the new Dell SonicWALL Network Security Appliance (NSA). The new SonicWALL NSA device performs stateful inspection as well as application layer inspection. It is also very fast, with SKUs ranging from 6 to 24 cores and 10 GB interfaces so that you can use it as an internal or network segmentation firewall too, just like when you used the TMG firewall for network reperimeterization projects. The SonicWALL NSA can also be managed through a centralized management console, so that if you have these devices distributed throughout a global enterprise, you'll be able to manage them all from a single console, called the SonicWALL Global Management System (GMS). For more information, check out this page. <http://www.telecomtiger.com/fullstory.aspx?storyid=17573&flag=1&passfrom=topstory&section=S106>

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


ISAserver.org Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.isaserver.org/articles-tutorials/)
- Products (http://www.isaserver.org/software/)
- Reviews (http://www.isaserver.org/articles-tutorials/product-reviews/)
- Free Tools (http://www.isaserver.org/software/Free-Tools/)
- Blogs (http://www.isaserver.org/blogs/)
- Forums (http://forums.isaserver.org/)
- Contact Us (http://www.isaserver.org/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- WindowSecurity.com (http://www.windowsecurity.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- MSPanswers.com (http://www.mspanswers.com/)
- WServerNews.com (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@ISAserver.org
Copyright ISAserver.org 2013. All rights reserved.