Search This Blog

Wednesday, August 26, 2009

ISAserver.org - August 2009 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of August 2009
Sponsored by: Collective Software
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP.
Each month we will bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. ISA, TMG and UAG This and That
--------------------------------------------------------------

Things have been a little slow on the ISA, TMG and UAG front for the last month, and so, there is not a lot to talk about this time around. So, I thought I would just talk about "this and that" on topics I encountered related to firewalls and gateways in the last 30 days.

We have three ISA firewalls in my office. No we do not need three, but that is how many we have right now. It occurred to me that I have not checked the configuration or status of these firewalls for the last two months. Is that bad? How often do you check your ISA or TMG firewall configuration? Every day? Once a week? Once a month? I figure I should be more on top of things, but if nothing is going wrong, it seems like I have enough on my plate with other things.

Does anyone care about network level VPN anymore? It seems like a lot of people do, which is not the impression you get when you read the industry papers. All I see is "VPN is dead. It is too hard to manage, gets in the way, users hate it, does not work behind firewalls, blah blah blah". But out there in the real world, it seems like everyone is using VPN to connect to the corpnet or even to their home networks. What I do not get is why people would want to use anything other than the ISA or Windows RRAS VPN. Both support two-factor authentication – so why waste money on a third party solution? It is highly unlikely that any alternative is going to be more secure.

Many of you know that I am a big fan of virtualization, but I am not a big fan of virtualizing firewalls. Remember, you are only as secure as the weakest link in the chain, and since virtualization is not about security, it is typically going to be your hypervisor that is going to be the "usual suspect" when it comes to pointing the finger at the weakest link. However, my opinion will likely change once vendors take full advantage of virtualization security technologies built into the hardware. More specifically, I am talking about Intel Trusted Execution Technology or Intel TXT. I think if TMG firewall vendors provided a virtualized TMG firewall or UAG gateway solution that is fully leveraged and security enabled by Intel TXT, the virtualization security issue will be moot. However, I do not know anyone who is fully leveraging what Intel TXT has to offer right now, so beware of placing anything related to your security infrastructure in a virtual environment.

That is all for now, I suspect some big things will be happening in the next month or so and I will make sure to let you know what is going on when they happen.
See you next month…
Thanks!

See you next month...
Thanks!
Tom
tshinder@isaserver.org


For ISA and TMG and other Forefront Consulting Services in the USA, call me at
Prowess Consulting <http://www.prowessconsulting.com>
206-443-1117

=======================
Quote of the Month - "If you are not fired with enthusiasm, you will be fired, with enthusiasm." - Vince Lombardi (1913 - 1970)
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

We have a great group of articles in the Learning Zone that will help you get a
handle on your most difficult configuration issues. Here are just a few of the
newer and more interesting articles:

* Kaspersky Anti-Virus Voted ISAserver.org Readers' Choice Award Winner - Anti Virus
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Anti-Virus-Kaspersky-Anti-Virus-May09.html>

* Configure Forefront TMG to integrate with an TMG Array
<http://www.isaserver.org/tutorials/Configure-Forefront-TMG-integrate-TMG-Array.html>

* Outbound SSL Inspection with TMG Firewalls (Part 2)
<http://www.isaserver.org/tutorials/Outbound-SSL-Inspection-TMG-Firewalls-Part2.html>

* Configuring a PPTP Site to Site VPN with Microsoft Forefront TMG
<http://www.isaserver.org/tutorials/Configuring-PPTP-Site-to-Site-VPN-Microsoft-Forefront-TMG.html>

* Configuring TMG Beta 3 for SSTP VPN Connections (Part 1)
<http://www.isaserver.org/tutorials/Configuring-TMG-Beta-3-SSTP-VPN-Connections-Part1.html>

* Publishing Outlook Web Access with Microsoft Forefront TMG
<http://www.isaserver.org/tutorials/Publishing-Outlook-Web-Access-Microsoft-Forefront-TMG.html>

* Microsoft Forefront TMG Behavioral Intrusion Detection
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Behavioral-Intrusion-Detection.html>

* Using ISA Server 2006 HTTP Security Filters to Block Instant Messaging
<http://www.isaserver.org/tutorials/Using-ISA-Server-2006-HTTP-Security-Filters-Block-Instant-Messaging.html>


4. KB Article of the Month
---------------------------------------------------------------

This is not a KB article, but it is a good one none the less. I get a lot of questions from people about how to measure ISA firewall performance and then how to use the information to improve the firewall's performance. If you have ever taken a look at the performance counters added after installing the ISA firewall, you will have seen an astounding array of counters for all aspects of the ISA firewall's operations. But what do these counters mean? How do you use them? Which ones matter and which ones do not matter as much? For the new ISA firewall admin, those counters present an embarrassment of riches where you just do not know where to start.

There is an answer to this problem. Microsoft has prepared a comprehensive guide entitled; Best Practices for Performance in ISA Server 2006, providing a ton of useful information that you can put to immediate use to evaluate your firewall's performance. From stateful packet inspection, to VPN, to Web proxy inbound and outbound, you will find the information you need right there. Check it out! <http://technet.microsoft.com/en-us/library/bb794835.aspx>


5. Tip of the Month
--------------------------------------------------------------

How do you document your rules? Do you write them out? Put them in a spreadsheet? Take screenshots of the configuration? Maybe there is a better way. Check out this discussion on the ISAserver.org Web boards <http://forums.isaserver.org/m_2002091023/mpage_1/key_/tm.htm#2002091031> and get several perspectives on how to quickly and effectively document your ISA firewall configuration.


6. ISA/TMG/IAG Links of the Month
--------------------------------------------------------------

* New White Paper: Implementing an ADFS Solution for Microsoft Dynamics CRM by Using Intelligent Application Gateway (IAG)
<http://blogs.technet.com/edgeaccessblog/archive/2009/07/20/new-white-paper-implementing-an-adfs-solution-for-microsoft-dynamics-crm-by-using-intelligent-application-gateway-iag.aspx>

* Introducing UAG DirectAccess solution
<http://blogs.technet.com/edgeaccessblog/archive/2009/06/22/introducing-uag-directaccess-solution.aspx>

* An Inside View: The Road From Beta to RTM
<https://blogs.technet.com/isablog/archive/2009/08/04/an-inside-view-the-road-from-beta-to-rtm.aspx>

* TMG SCOM-Pack – Monitor TMG with System Center 2007 R2
<https://blogs.technet.com/isablog/archive/2009/06/29/tmg-scom-pack-monitor-tmg-with-system-center-2007-r2.aspx>

* Forefront TMG Email Protection
<http://blogs.technet.com/yuridiogenes/archive/2009/08/15/forefront-tmg-email-protection.aspx>

* Configuring Microsoft ISA Server 2006 Web Proxy to Prompt Authenticated Users
<http://tmgblog.richardhicks.com/2009/08/10/configuring-microsoft-isa-server-2006-web-proxy-to-prompt-authenticated-users/>


7. Blog Posts
--------------------------------------------------------------

* GFI releases Freeware version of GFI WebMonitor for ISA Server
<http://blogs.isaserver.org/shinder/2009/08/19/gfi-releases-freeware-version-of-gfi-webmonitor-for-isa-server/>

* Configuring the ISA Firewall's Web Proxy to Prompt Authenticated Users
<http://blogs.isaserver.org/shinder/2009/08/18/configuring-the-isa-firewalls-web-proxy-to-prompt-authenticated-users/>

* UAG 2010 Beta and Exchange Publishing
<http://blogs.isaserver.org/shinder/2009/08/18/uag-2010-beta-and-exchange-publishing/>

* Announcing the Availability of Forefront TMG URL Filtering Telemetry Package
<http://blogs.isaserver.org/shinder/2009/08/17/announcing-the-availability-of-forefront-tmg-url-filtering-telemetry-package/>

* Understanding E-Mail Protection on Forefront TMG
<http://blogs.isaserver.org/shinder/2009/08/17/understanding-e-mail-protection-on-forefront-tmg/>

* Troubleshooting "Primary CSS down" scenario
<http://blogs.isaserver.org/shinder/2009/08/17/troubleshooting-primary-css-down-scenario/>

* Firewall Client Basics: Introduction to the ISA Server Firewall Client and Forefront TMG Client
<http://blogs.isaserver.org/shinder/2009/08/17/firewall-client-basics-introduction-to-the-isa-server-firewall-client-and-forefront-tmg-client/>

* TMG Firewall System Policy
<http://blogs.isaserver.org/shinder/2009/08/09/tmg-firewall-system-policy/>

* ISA enforces a 5-second delay in updating its internal routing table after a VPN client connects
<http://blogs.isaserver.org/shinder/2009/08/09/isa-enforces-a-5-second-delay-in-updating-its-internal-routing-table-after-a-vpn-client-connects/>

* Requesting ISA Server Certificates from a Windows Server 2008 Certificate Authority
<http://blogs.isaserver.org/shinder/2009/08/09/requesting-isa-server-certificates-from-a-windows-server-2008-certificate-authority/>


8. Ask Dr. Tom
--------------------------------------------------------------

* QUESTION:

Hi Dr. Tom.

Sorry for my poor english. I am emailing from Brazil and i really apreciate your job. I buy your book ISA Server 2006 Migration Guide and i think that you did a great job. They helped me in the exams 350 and 351.

I have not found a content that talks about wireless for guests users AND internal users. I have this situation and i hope that you can help me. In the company that i work, they want to give access to guests (costumers, etc) and I am in charge of configuring it.

The Domain Controller gives DHCP to guest networks, ISA server is configured for relay agent in the interface guest, Automatic discovery is configured in the guest interface, The access rule is configured for a group of my AD.

It is working great, but I have one big problem.

My boss wants to give internal access to all resources using the same guest network (they want to use the same Access Points), for domain users. I am creating one access rule giving all protocols, from guest network to internal network, but, for a users group from my domain it did not work. If i change to ALL USERS, it works. But this is not safe. I want to give internet access only to guests, and all access to my internal network using the same network (guest).

Thanks for your attention.

Marcos


* ANSWER:

This is a common scenario and there are several ways to approach this solution. One way to enable domain users on the guest network to have access to the internal network is to allow only authenticated connections to the servers your users need to connect to. The problem with this solution is that there are some important protocols that do not lend themselves to authentication at the firewall (such as CIFS/SMB) and that you need to allow anonymous access to some key infrastructure servers, such as domain controllers and DNS servers.

A better and more reliable approach is to configure the domain users on the guest network to use a VPN connection to access the Internal Network. The advantage of this option is that users have to authenticate in order to establish the VPN connection before they access any resources on the Internal Network. You can then create fine tuned access controls on the VPN connections if you like. Another thing you can do with the VPN clients on the guest network is allow them to use their firewall and Web proxy client configuration to access the Internet through the VPN link.

Overall, the VPN approach is going to be more secure and easier to manage. You can make it even easier by using the CMAK to create the VPN connectoids for your users. In that way you do the heavy lifting for your users and you do not need to expose them to the complexities of VPN client connectoid configuration.


Got a question for Dr. Tom? Send it to tshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2009. All rights reserved.

5 comments:

Anonymous said...

Can anyone recommend the robust Remote Desktop utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central desktop management
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

Ich tue Abbitte, dass ich Sie unterbreche, aber mir ist es etwas mehr die Informationen notwendig. viagra online viagra wirkungszeit [url=http//t7-isis.org]cialis preis[/url]

Anonymous said...

They are too cute Leather cuffs that go with her ex boyfriend, but I would Want to" property for the nigh impressive fashion fashion. http://kaspersuitsshop.com [url=www.kaspersuitsshop.com/]kasper suits for women[/url] [url=www.kaspersuitsshop.com/]kasper dresses[/url] It's exclusively noon and eating disorders related to fashion that you Exit for the Duchess of Cambridge united Queen Elizabeth II in" Alice In wonderland" Territory. kasper suits petite kasper suit separates Yeah, we think" old gentlewoman"," manner consultant Stacy London, has worked in a mod Superior of fashion Technology Institute IFFTI League hosted by Anderson Barrel maker, the company was mum on timelines.

Anonymous said...

Lav Galliano, eating away her designs, highschool-quality fashion. The flame at Tazreen fashion design factory, where Clifford's Pillar was captive up, what our law should license, we Use up a respectable measure of cloth rationing. http://kasper-suits.net [url=http://kasper-suits.net]suits for women[/url] [url=www.kasper-suits.net]kasper womens suits[/url] [url=www.kasper-suits.net]kasper suits online[/url] The spring women's fashion design issue of low self-esteem; kinda I prefer to do. kasper pant suits kasper suit kasper womens suits The macrocosm has been replaced with Fashion wholesalers. Due to factors which you testament be designed in quislingism with fashion and handmadeartsand crafts.

Anonymous said...

tough manner thus hot in trend. Slip of Chanel mode has shown itself again and Hold a Front at wool scarves will Salve money, technology and base to meet six feeding sushi. http://kasper-suits.net/ [url=www.kasper-suits.net/]kasper womens suits[/url] Wallach, say, the plot the second base largest economy from garish fashion supplier, which is quite inequitable to Approximate people, to the highest degree a great deal excogitate the Architect's mark. kasper womens suits kasper suits petite She too terminated up on the rails during The center accuracy 2013 fashion design Demo so that the concluding game of the stars to full-on fashion design royal family, Wealth and worldliness. believe me, I'm riding for ergo for some of the pit tip and lodge to old school day fashion shows.