Wednesday, October 30, 2013

ISAserver.org - Monthly Newsletter - October 2013

ISAserver.org - Monthly Newsletter - October 2013

Hi Security World,


Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. TMG's Role in Security in the Azure Infrastructure Services Cloud
-----------------------------------------------------------

When I read some of the commentary out there about the cloud, the subject of security always seems to be a "twitchy one." On one hand, you have the people who think that cloud breaks down the traditional security barriers and that you don't need firewalls or network based security because you're supposed to move all of your security back into the applications and data. And on the other hand, you have the people who think that cloud increases the attack surface significantly and so you need to double down on security at all levels. It's an interesting discussion and I think I fall somewhere between the two camps. Cloud or not, the fact that you need defense in depth hasn't changed, even though the location of the data and services has changed.

So, speaking of the cloud (and it seems like there's a lot of speaking about cloud these days), where does the TMG firewall fit in? A couple of months ago, we talked here about the role of firewalls in general in a hybrid IT environment. But specifically, how does the TMG firewall fit in with the new Microsoft Azure Infrastructure Services â€" a new cloud service provided by Microsoft that allows you to put your virtual machines into their public cloud network?

If you've been following my articles here on ISAServer.org, you might know that I've been doing a multi-part series that addresses the "how to" using TMG in Azure Infrastructure Services. But if you're not at the point of doing that yet, you might not want to plow through those 8000+ words. So for those who are only thinking about it at this point, let's talk about the reasons for doing it in the first place.

Essentially, Azure Infrastructure Services is like AWS EC2 â€" a public cloud IaaS offering. You know that we can put the TMG firewall on a virtual machine. There's a good chance that you have already put it on a virtual machine in your traditional datacenter or private cloud. But what about putting it in Azure Infrastructure Services? Are there scenarios where you might want to do that?

There are, indeed. But all the scenarios get hung up on a single but significant limitation imposed by Azure Infrastructure Services: virtual machines that are placed on a Azure Virtual Network can have only a single network interface. What that means is that if you want to put a TMG firewall in an Azure Virtual Network, its functionality will be limited to what the TMG firewall can provide in a single NIC configuration.

What are those scenarios? They include:

Forward proxy
Reverse proxy or web publishing
Exchange server publishing (a form of web publishing)
Remote access VPN server

While these four scenarios represent a fraction of the functionality provided by the TMG firewall, nevertheless there are a number of deployment options available to you within those limitations. And when you consider the potential advantages of putting the TMG firewall in a virtual machine on an Azure Virtual Network, the scenarios become even more interesting!

If you would like to learn more about why you would put a TMG firewall on an Azure Virtual Network and get detailed information on how to do it, check out my article series on Using the TMG Firewall in Azure Infrastructure Services <http://www.isaserver.org/articles-tutorials/configuration-general/using-tmg-firewall-azure-infrastructure-services-part1.html>.

Thanks! â€"Deb.

dshinder@isaserver.org

=======================
Quote of the Month - All things are difficult before they are easy. â€" Thomas Fuller
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

Improving SSL Security for Forefront Threat Management Gateway (TMG) 2010 Published Web Sites
http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html

Using the TMG Firewall in Azure Infrastructure Services (Part 3)
http://www.isaserver.org/articles-tutorials/configuration-general/using-tmg-firewall-azure-infrastructure-services-part3.html

Integrated Network Load Balancing (NLB) and Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/articles-tutorials/configuration-general/integrated-network-load-balancing-nlb-forefront-threat-management-gateway-tmg-2010.html

Using the TMG Firewall in Azure Infrastructure Services (Part 2)
http://www.isaserver.org/articles-tutorials/configuration-general/using-tmg-firewall-azure-infrastructure-services-part2.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

One of the nice things about the TMG firewall is that it allows you to authenticate and authorize users for both inbound and outbound access. For outbound access, you can use either the web proxy or firewall client configuration to transparently authenticate users who connect to resources through the TMG firewall. For inbound access, there isn't a transparent authentication process, but users can still be authenticated, albeit only for inbound connections through the web proxy service. You also can use several mechanisms to authenticate the users. With the TMG firewall, you can use LDAP or Active Directory to authenticate, you can use RADIUS or you can use the RSA Authentication Manager. For details on when and how to use each of these authentication mechanisms, please see Configuring Client Authentication Servers. <http://technet.microsoft.com/en-us/library/cc441510.aspx>


5. Tip of the Month
--------------------------------------------------------------

When planning for web caching, there are several things you should take into consideration, especially for forward caching scenarios:

- More is better â€" at least when it comes to RAM. With the 64bit architecture on which the TMG firewall is built, you can easily put in 16GB, 32GB, 64GB, 128GB, 256GB or more of memory if you like. RAM cache is going to be much faster than on-disk cache, so if your traffic profile is such that web caching is a key to your end-user happiness, then load up your server with as much RAM as it will support and you can afford. Also, in buying new servers, consider getting a motherboard that supports more memory than you can afford now so that you can upgrade your memory when you get the extra budget dollars (or when the price of high capacity sticks comes down).
- It should go without saying that the on-disk cache must be on an NTFS drive and it has to be a local drive (Direct Attached Storage). The file name will be dir1.cdat and that file will be stored in the drive:\urlcache folder. One cache file per volume is supported.
- Maximum cache file size is 64GB, but for performance reasons you might want to keep the size at 40GB or less.
- Files that are larger than 512MB will not stay in cache after reboot.
- You should put the cache files on volumes other than the boot volume, so that the cache file initialization isn't contending with the OS files trying to start.

The best thing you can do regarding caching is to find out what your baseline is. After that, you can tweak your settings and maybe get more benefit from the caching configuration. A good place to start is to create a PerfMon console and watch the cache performance counters and record some historical information for a week or two. Check out the cache performance counters here. <http://technet.microsoft.com/en-us/library/cc441748.aspx>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

SSL renegotiation has been in the news lately and many readers have had questions about the TMG firewall in regard to this issue. It's important to consider this problem since the TMG firewall can be configured to provide reverse proxy for SSL connections. This problem is related to the fact that the client can ask to renegotiate the SSL session parameters and during that process, a man in the middle attack could use the renegotiation to send the server malicious information. Clearly, this is not a good thing. Unfortunately, the TMG firewall is vulnerable to this problem and you'll need to install a hotfix to correct the situation. More information on this subject and a link to download the hotfix can be found on the TMG firewall team blog at http://blogs.technet.com/b/isablog/archive/2013/09/18/isa-2006-tmg-2010-disable-client-initiated-ssl-renegotiation-protecting-against-dos-attacks-and-malicious-data-injection.aspx

7. Blog Posts
--------------------------------------------------------------

Hyper-V Network Virtualization in Windows Server 2012
http://www.isaserver.org/blogs/shinder/hyper-v-network-virtualization-windows-server-2012.html

Africa also urged to Mind the TMG gap
http://www.isaserver.org/blogs/shinder/africa-also-urged-mind-tmg-gap.html

Using the TMG firewall on an Azure Virtual Network
http://www.isaserver.org/blogs/shinder/using-tmg-firewall-azure-virtual-network.html

ActiveSync on some Smartphones(in this scenario Iphones) with client certificate authentication does not work,
ActiveSync here is published through TMG
http://www.isaserver.org/blogs/shinder/activesync-some-smartphones-scenario-iphones-client-certificate-authentication-does-not-work-activesync-here-published-through-tmg.html

Testing and Monitoring Forefront TMG Malware Inspection and Intrusion Prevention (NIS) Systems
http://www.isaserver.org/blogs/shinder/testing-and-monitoring-forefront-tmg-malware-inspection-and-intrusion-prevention-nis-systems.html

Integrated Network Load Balancing (NLB) and Forefront Threat Management Gateway (TMG) 2010
http://www.isaserver.org/blogs/shinder/integrated-network-load-balancing-nlb-and-forefront-threat-management-gateway-tmg-2010.html

Windows Server 2012 DirectAccess Network Location Server Not Working Properly
http://www.isaserver.org/blogs/shinder/windows-server-2012-directaccess-network-location-server-not-working-properly.html

How To Recover Forefront TMG From a Corrupt Configuration Database
http://www.isaserver.org/blogs/shinder/how-recover-forefront-tmg-corrupt-configuration-database.html

Forefront TMG Configuration Backup Scripts For Standalone and Enterprise Arrays
http://www.isaserver.org/blogs/shinder/forefront-tmg-configuration-backup-scripts-standalone-and-enterprise-arrays.html

Processing domain name sets and URL sets
http://www.isaserver.org/blogs/shinder/processing-domain-name-sets-and-url-sets.html


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

Can you tell me what kind of high availability options I have for the TMG firewall? I've been using single ISA and TMG firewalls for years, but figured that it might be a good idea to have some redundancy, giving that most of our applications are in the cloud these days.

Thanks! â€"Mandy.

ANSWER:

Hi Mandy,

The TMG firewall provides you with high availability on two levels; the first is at the ISP level and the second one is at the network level. The TMG firewall supports ISP redundancy so that you can use two ISPs at the same time. When you configure ISP redundancy, you can set it up to support a failover configuration, where the second ISP is used when the primary ISP is unavailable, or you can set it up for load balancing, where connections are load balanced between the ISP connections. You can even configure this feature to always use a specific ISP for particular protocols or sites.

The second level of redundancy can be achieved at the network level through the use of the Windows Server Network Load Balancing feature (NLB). NLB will automatically direct traffic in a random fashion between members of a load balanced array. If one of the TMG firewalls in the load balanced array should become unavailable, connections will be automatically forwarded to a server that is available. When the unavailable server comes back on line, connections will then be forwarded to the array member again.
Richard Hicks wrote a nice article here on ISAserver.org about how this all works, check it out at http://www.isaserver.org/articles-tutorials/configuration-general/integrated-network-load-balancing-nlb-forefront-threat-management-gateway-tmg-2010.html

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.



ISAserver.org Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.isaserver.org/articles-tutorials/)
- Products (http://www.isaserver.org/software/)
- Reviews (http://www.isaserver.org/articles-tutorials/product-reviews/)
- Free Tools (http://www.isaserver.org/software/Free-Tools/)
- Blogs (http://www.isaserver.org/blogs/)
- Forums (http://forums.isaserver.org/)
- Contact Us (http://www.isaserver.org/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- WindowSecurity.com (http://www.windowsecurity.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- MSPanswers.com (http://www.mspanswers.com/)
- WServerNews.com (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@ISAserver.org
Copyright ISAserver.org 2013. All rights reserved.

No comments:

Post a Comment