
Wednesday, February 24, 2010

ISAserver.org - February 2010 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of February 2010
Sponsored by: Collective Software
<http://www.collectivesoftware.com/isaserver.newsletter.201002.authlite>

-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. UAG or TMG: Administrators Are Still Confused
--------------------------------------------------------------

The annual MVP Summit took place in Redmond/Bellevue last week (Feb. 15-19) and this is the first time in the six years that I have been an MVP that I did not get to go. There were just too many other obligations and too much I had to take care of here at home. But there is a big advantage to having a husband who's also an MVP; Tom came home yesterday and had a ton of stuff to tell me about what happened. He told me that one of the biggest surprises he experienced when meeting up with the Forefront MVPs was that some of them were still confused about when to use the TMG firewall and when to use the UAG remote access gateway solution.

When you think about it, it is not really that surprising. They are both gateways and they are both designed to give you control over the traffic on your network. The key difference is direction: UAG controls inbound (remote) access only, while TMG can control both inbound and outbound access. Even knowing that, you still might have a few doubts over when and where to use each one.

To help you with that, let us look at some key scenarios where you should always use TMG or always use UAG:

* You would always use UAG for any serious DirectAccess deployment. The native Windows DirectAccess solution is a nice foundation for a small business or a technology enthusiast, but it is really not meant to be an enterprise solution.
* You would always use TMG for outbound access. That is because UAG is a remote access solution only. For outbound access control and network firewalling, you must use TMG.
* If you want a combined inbound and outbound access solution and require that inbound and outbound access be consolidated on the same machine, then you must use TMG, since UAG does not do outbound access.

OK, that's about it for the very clear cut scenarios. What about the other scenarios that are not so clear cut?

* Remote Desktop Gateway publishing - UAG has many integrated components that make RDG publishing much easier and more reliable; however, you can do this with TMG too, with a bit more effort.
* Exchange Publishing - UAG has improved wizards and this makes it easier to publish all Exchange services, even the hard to publish services such as the Exchange Autodiscover service. Again, it can be done with TMG, but you will have to work harder to do it.
* SharePoint Publishing - UAG and TMG provide about the same level of support as far as I can tell. I do not see any important security or ease of use differences between UAG and TMG when it comes to publishing SharePoint.
* Other Web site publishing - Again, UAG and TMG seem about the same, but if you ask me, it is much easier to publish web sites using TMG than UAG. However, if you are an application, authentication and RegEx guru, then UAG is the more secure solution.
* Network level VPN - UAG supports the Network Connector and SSTP for network level VPN. The Network Connector is mostly useful for non-Microsoft operating systems, or for computers running Windows XP or earlier. SSTP is a fantastic (and free - you do not pay extra) network level SSL VPN solution, but it requires Vista or Windows 7 clients. For network level VPN, TMG appears to be the superior solution, since it supports PPTP, L2TP/IPsec and SSTP, plus you can apply strong firewall policy to the VPN client connections - something that does not appear to be exposed in UAG (there is also an issue related to split tunneling control).

Overall, UAG can be considered to be the more secure web publishing solution because of its support for an ever increasing number of authentication methods. In addition, there are built in application optimizers that provide application layer inspection for a number of web applications, although there is a noticeable decrease in the number of non-Microsoft applications that UAG supports, compared to IAG.

Like Tom, I am a big fan of the ISA and now the TMG firewall. If the TMG firewall can do what I want it to do, or what my customer wants it to do, then I am going to press forward with a TMG solution if there is a reasonable choice between UAG and TMG. It also does not hurt that TMG is much less expensive.

However, there seems to be another issue. I do not know if you have noticed, but nothing is really new in terms of inbound access scenarios for TMG. Even ISA 2006 included few tweaks compared to ISA 2004. There have not been any ground breaking or game changing improvements in the ISA firewall either since the upgrade from ISA 2000 to ISA 2004. What is also significant is that with TMG, all the investment has been in the outbound access scenario.

This is consistent with what I have seen from the Microsoft marketing efforts for both the TMG firewall and UAG - TMG is for secure outbound web access, and UAG is for secure inbound access. Period.

But this is how I would put it:

* If you need comprehensive outbound access control, then the TMG firewall is your solution of choice.
* If you need comprehensive inbound access control, and you have the budget to support it, then UAG is the solution of choice.
* If you need both inbound and outbound access control, then you need TMG and UAG, if your budget supports it.
* If you need inbound access control and your budget cannot stretch to UAG, then you can use TMG, realizing that you are getting a second-best solution.

I hope this put an end to the confusion. You, your clients and customers should never be confused again about TMG and UAG positioning. It is simple, clear-cut, and easy to understand. However, if you have more questions about this, please let me know! Write to me at dshinder@isaserver.org and I will do what I can to help.

Until next month - Deb
dshinder@isaserver.org

=======================
Quote of the Month - "The Internet interprets censorship as damage and routes around it." - John Gilmore
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide <http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Microsoft Forefront TMG - Best Practice Analyzer
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Best-Practice-Analyzer.html>

* Installing and Configuring the E-mail Hygiene Solution on the TMG 2010 Firewall - Part 2: E-Mail Policy
<http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part2.html>

* Using the Security Configuration Wizard with Microsoft Forefront Threat Management Gateway 2010
<http://www.isaserver.org/tutorials/Using-Security-Configuration-Wizard-Microsoft-Forefront-Threat-Management-Gateway-2010.html>

* Microsoft Forefront TMG - Backup and Restore Capabilities
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Backup-Restore-Capabilities.html>

* Installing Threat Management Gateway 2010 RTM Enterprise Edition (Part 2)
<http://www.isaserver.org/tutorials/Installing-Threat-Management-Gateway-2010-RTM-Enterprise-Edition-Part2.html>

* Overview of the Forefront Threat Management Gateway 2010 Management Console
<http://www.isaserver.org/tutorials/Overview-Forefront-Threat-Management-Gateway-2010-Management-Console.html>

* Installing and Configuring the Email Hygiene Solution on the TMG 2010 Firewall - Part 1: Installation
<http://www.isaserver.org/tutorials/Installing-Configuring-Email-Hygiene-Solution-TMG-2010-Firewall-Part1.html>


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

This month's winner for "content of the month" for ISA/TMG/UAG is the Forefront TMG Planning and Design Guide. This guide will help you plan and design an end to end TMG firewall deployment. Using this guide, you will get valuable guidance, as well as tips and tricks to address the following:

* Designing HA and scalability for TMG firewalls and arrays
* Installing TMG firewalls and arrays
* Inbound and outbound access designs for TMG firewalls and arrays
* Designing optimal configurations for web anti-malware, email protection and Network Inspection System
* Key monitoring, logging, backup and restore planning

Check out the Forefront TMG Firewall Planning and Design Guide here: <http://technet.microsoft.com/en-us/library/cc441674.aspx>.


5. Tip of the Month
--------------------------------------------------------------

When planning for web caching, there are several things you should take into consideration, especially for forward caching scenarios:

* More RAM is "more better". With the 64bit architecture on which the TMG firewall is built, you can easily put in 16GB, 32GB, 64GB, 128GB, 256GB or more memory if you like. RAM cache is going to be much faster than on-disk cache, so if your traffic profile is such that web caching is a key to your end-user happiness, then load up your server with as much RAM as you can afford. Also, consider getting a motherboard that supports more memory than you can afford now so that you can upgrade your memory when you get the extra budget dollars (or when the price of high capacity sticks comes down).
* It should go without saying that the on-disk cache must be on an NTFS volume and it has to be a local drive (Direct Attached Storage). The file name will be dir1.cdat and that file will be stored in the drive:\urlcache folder. One cache file per volume is supported.
* Maximum cache file size is 64GB, but for performance reasons you might want to keep the size at 40GB or less.
* Files larger than 512MB will not stay in cache after reboot.
* Put the cache files on volumes other than the boot volume, so that the cache file initialization isn't contending with the OS files trying to start.

The best thing you can do regarding caching is to find out what your baseline is. After that you can tweak your settings and maybe get more benefit from the caching configuration. A good place to start is to create a PerfMon console, watch the cache performance counters and record some historical information for a week or two. Check out the cache performance counters here: <http://technet.microsoft.com/en-us/library/cc441748.aspx>.
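As an added example (mine, not part of the newsletter and not Microsoft's tooling), the PowerShell script below runs the volume and RAM checks from the list above and then starts the two-week counter baseline as a data collector set, with a function to summarize the result afterwards. It assumes PowerShell 2.0 on a Windows Server 2008 R2 TMG server, that the cache file lives on D: (the drive letter is an assumption), and that the TMG counter objects are named "Forefront TMG Cache" and "Forefront TMG Web Proxy" (my recollection of the TMG counter names, so confirm them with Get-Counter -ListSet 'Forefront TMG*' before relying on the paths).

```powershell
# Added example for the cache-planning tips above; not from the newsletter or from Microsoft.
# Assumes PowerShell 2.0 on Windows Server 2008 R2 (Import-Counter needs 2008 R2 / Win7),
# run elevated on the TMG server. Drive letter and counter object names are assumptions.

$CacheDrive   = 'D:'              # assumption: volume holding drive:\urlcache\dir1.cdat
$BaselineDays = 14                # "a week or two" of history
$LogDir       = 'C:\PerfLogs'
$SetName      = 'TMGCacheBaseline'

# --- 1. Volume checks: local disk (DAS), NTFS, and not the boot volume --------------
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$CacheDrive'"
if (-not $vol) {
    Write-Warning "$CacheDrive not found"
} elseif ($vol.DriveType -ne 3) {                      # 3 = local fixed disk
    Write-Warning "$CacheDrive is not a local fixed disk (DriveType=$($vol.DriveType))"
} elseif ($vol.FileSystem -ne 'NTFS') {
    Write-Warning "$CacheDrive is $($vol.FileSystem); the cache file must be on NTFS"
} elseif ($CacheDrive -eq $env:SystemDrive) {
    Write-Warning "$CacheDrive is the boot volume; put the cache file on another volume"
} else {
    $freeGB = [math]::Round($vol.FreeSpace / 1GB, 1)
    Write-Output "$CacheDrive OK: local NTFS, not the boot volume, $freeGB GB free (64 GB max per cache file, ~40 GB recommended)"
}

# --- 2. RAM: report what is installed; the memory cache is the fast part -------------
$ramGB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
Write-Output "Installed RAM: $ramGB GB"

# --- 3. Data collector set sampling the cache counters once a minute -----------------
# logman runs the collection as a system data collector, so it keeps going after logoff.
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$counters = @(
    '\Forefront TMG Cache\*',                            # assumption: TMG counter object name
    '\Forefront TMG Web Proxy\Cache Hit Ratio (%)',      # assumption: as above
    '\Forefront TMG Web Proxy\Requests/sec',
    '\Memory\Available MBytes',
    "\LogicalDisk($CacheDrive)\Avg. Disk Queue Length"   # disk pressure on the cache volume
)
# One binary log per day, 500 MB cap per file, versioned file names.
logman create counter $SetName -c $counters -si 00:01:00 -o "$LogDir\$SetName" -f bin -v mmddhhmm -max 500 -cnf 24:00:00
logman start $SetName
Write-Output "Collecting for $BaselineDays days; stop with: logman stop $SetName"

# --- 4. After the baseline period: min/avg/max per counter ---------------------------
function Get-CacheBaselineSummary {
    param([string]$Pattern = "$LogDir\$SetName*.blg")
    $files   = Get-ChildItem $Pattern | Select-Object -ExpandProperty FullName
    $samples = Import-Counter -Path $files
    $samples | ForEach-Object { $_.CounterSamples } |
        Group-Object Path |
        ForEach-Object {
            $m = $_.Group | Measure-Object CookedValue -Average -Minimum -Maximum
            New-Object PSObject -Property @{
                Counter = $_.Name
                Min     = $m.Minimum
                Avg     = [math]::Round($m.Average, 2)
                Max     = $m.Maximum
            }
        } | Sort-Object Counter
}
# Get-CacheBaselineSummary | Format-Table -AutoSize
```

Run Get-CacheBaselineSummary once the set has collected for the week or two Deb suggests. Read the hit ratio together with Available MBytes and the cache volume's queue length: a low hit ratio while RAM is still plentiful points at the cache configuration rather than the hardware, whereas a climbing disk queue length on the cache volume is the sign that the on-disk cache, not memory, is where the tuning effort should go.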


6. ISA/TMG/IAG/UAG Links of the Month
--------------------------------------------------------------

* RunAs Radio Interview - Episode #147
<http://tmgblog.richardhicks.com/2010/02/09/runas-radio-interview-episode-147/>

* NMap 5.21 Released
<http://tmgblog.richardhicks.com/2010/01/28/nmap-5-21-released/>

* Microsoft Forefront Threat Management Gateway Best Practices Analyzer Tool
<http://www.microsoft.com/downloads/details.aspx?FamilyID=8aa01cb0-da96-46d9-a50a-b245e47e6b8b&displaylang=en>

* Enabling RSA SecurID Authentication in Forefront UAG
<http://blog.msedge.org.uk/2010/01/enabling-rsa-securid-authentication-in.html>

* ISA 2006 Firewall as a VPN Remote Access Server - A Few Tricks
<http://www.carbonwind.net/ISA/VPNTricks/vpntricks.htm>


7. Blog Posts
--------------------------------------------------------------

* Configuring Routing Table Entries in the TMG Firewall <http://blogs.isaserver.org/shinder/2010/02/13/configuring-routing-table-entries-in-the-tmg-firewall/>

* Preview the TMG Administrators Companion Before You Buy <http://blogs.isaserver.org/shinder/2010/02/13/preview-the-tmg-administrators-companion-before-you-buy/>

* Forefront TMG Administrators Companion - Available Now <http://blogs.isaserver.org/shinder/2010/02/13/forefront-tmg-administrators-companion-available-now/>

* Forefront Threat Management Gateway 2010 Capacity Planning Tool <http://blogs.isaserver.org/shinder/2010/02/13/forefront-threat-management-gateway-2010-capacity-planning-tool/>

* Richard Hicks MVP from Celestix Rocks RunAs Radio with TMG <http://blogs.isaserver.org/shinder/2010/02/13/richard-hicks-mvp-from-celestix-rocks-runas-radio-with-tmg/>

* Using An Existing PKI for TMG Firewall Outbound SSL Inspection <http://blogs.isaserver.org/shinder/2010/02/10/using-an-existing-pki-for-tmg-firewall-outbound-ssl-inspection/>

* Choosing the Best DirectAccess Solution <http://blogs.isaserver.org/shinder/2010/02/10/choosing-the-best-directaccess-solution/>

* Getting RSA SecurID to Work with UAG <http://blogs.isaserver.org/shinder/2010/02/10/getting-rsa-securid-to-work-with-uag/>

* Forefront UAG Now in Common Criteria Evaluation <http://blogs.isaserver.org/shinder/2010/02/05/forefront-uag-now-in-common-criteria-evaluation/>

* Forefront UAG Content Bonanza <http://blogs.isaserver.org/shinder/2010/02/05/forefront-uag-content-bonanza/>


8. Ask Sgt Deb
--------------------------------------------------------------

* QUESTION:

Hey Deb,

I have searched the internet for two weeks and cannot find a solution to suit my needs. Maybe you can help. I want to set up a Forefront TMG active\passive cluster (not an NLB cluster, for port flooding issues). However, I can't seem to get past the RPC/DCOM rules. I have disabled system rule 2 and removed the strict settings from rule 22. I also made a rule to open up all outgoing from cluster node to node and then cleared the box for RPC enforcement. No luck. I think I need a couple of incoming rules set but can't figure it out. Any suggestions?

Thanks, Rich Adams

* ANSWER:

Hi Rich,

Not sure what you are trying to accomplish here. There are methods to get around the port flooding issue, such as dedicating switches to the array or configuring IGMP to limit flooding to the NLB enabled ports only, thus enabling you to get around the need for dedicated switches. Here's some helpful information that should get you going on getting the full support for NLB that you're looking for:
ISA Integrated NLB - Multicast with IGMP... ISA "blocks" IGMP packets <http://blogs.technet.com/isablog/archive/2009/06/22/isa-integrated-nlb-multicast-with-igmp-isa-blocks-igmp-packets.aspx>
Enabling NLB with Multicast IGMP <http://blogs.isaserver.org/shinder/2009/07/05/enabling-nlb-with-multicast-igmp/>


* QUESTION:

I have studied your tutorial over at www.isaserver.org <http://www.isaserver.org> and I have followed the step by step guide to install the TMG. After installation, it seems that all the clients cannot access the Internet. I think the problem is the DNS server:

L-DC01 = Domain Controller
L-SEC01 = TMG
L-C01 = Client 1
L-C02 = Client 2

Before installing TMG, all the clients pass through L-DC01 to access internet...

1. Can you advise how to configure the DNS server?
2. Where do I install the DNS? L-DC01? L-SEC01?

Thanks & regards - Leong Sun Wei

* ANSWER:

I think the problem here is that before you installed the TMG firewall, the clients were going through the domain controller to connect to the Internet. This indicates to me that you are using a multi-homed domain controller, which can introduce a number of issues. Check out:

Active Directory communication fails on multihomed domain controllers <http://support.microsoft.com/kb/272294>
Symptoms of multihomed browsers <http://support.microsoft.com/kb/191611>
Clients cannot log on to domain controllers that are Windows Server 2003-based DNS servers, and network interfaces that are not registered in DNS can still perform dynamic updates <http://support.microsoft.com/kb/832478>

So, if that's the case, you need to make sure that your DC is single homed, and that its IP address is on the corpnet only. Also, you need to check your DNS server configuration to make sure that the correct entries are in there, and that you don't have any public IP addresses registered there. In addition, confirm that your DNS server is configured to resolve Internet host names, either through recursion or by using a forwarder.

Regarding the location of the DNS server, the natural place is on the domain controller, since it must host DNS for your internal domain. There are other options, but this is the best place for you to start while you're learning about the TMG firewall.
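As an added example (mine, not part of the newsletter and not Microsoft's guidance), this PowerShell script checks the three things in the answer above directly on the domain controller: whether it is multi-homed, whether any public addresses are registered in the domain zone, and whether the DNS server can resolve Internet names by forwarder or recursion. It assumes Windows Server 2003/2008 DNS with the root\MicrosoftDNS WMI provider, PowerShell 2.0, and that the DC's own resolver points at itself (so the final lookup exercises the DC's DNS service).

```powershell
# Added example for the DNS / multi-homed DC answer above; not from the newsletter.
# Run elevated on the domain controller (L-DC01 in the question). Assumes Windows
# Server 2003/2008 DNS (root\MicrosoftDNS WMI provider) and PowerShell 2.0.

$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# --- 1. Single-homed? Count IP-enabled adapters that actually hold an address -------
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
          Where-Object { $_.IPEnabled -and $_.IPAddress })
if ($nics.Count -gt 1) {
    Write-Warning "DC is multi-homed ($($nics.Count) addressed adapters); see KB 272294, 191611, 832478"
    $nics | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Description, ($_.IPAddress -join ', ')) }
} else {
    Write-Output "Single-homed: $($nics[0].IPAddress -join ', ')"
}

# --- 2. Public addresses registered in the domain's forward lookup zone -------------
function Test-PrivateIPv4 {
    # RFC 1918 ranges only; anything else (including IPv6) is reported as "not private"
    param([string]$Ip)
    $parts = $Ip.Split('.')
    if ($parts.Count -ne 4) { return $false }
    $o = $parts | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}
$aRecords = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_AType -Filter "ContainerName='$domain'"
$public   = @($aRecords | Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })
if ($public.Count -gt 0) {
    $public | ForEach-Object { Write-Warning "Public IP in zone ${domain}: $($_.OwnerName) -> $($_.IPAddress)" }
} else {
    Write-Output "No public A records in $domain"
}

# --- 3. Can this DNS server resolve Internet names (forwarder or recursion)? -------
$srv = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server
Write-Output ("Forwarders: [{0}]  NoRecursion: {1}" -f (($srv.Forwarders -join ', '), $srv.NoRecursion))
if ($srv.NoRecursion -and -not $srv.Forwarders) {
    Write-Warning "Recursion is disabled and no forwarders are set: clients cannot resolve Internet names through this server"
}
try {
    # Assumes the DC's resolver points at itself, so this goes through the DC's DNS service.
    $addr = [System.Net.Dns]::GetHostAddresses('www.microsoft.com') | Select-Object -First 1
    Write-Output "Internet resolution OK: www.microsoft.com -> $addr"
} catch {
    Write-Warning "Internet name resolution failed: $($_.Exception.Message)"
}
```

If step 1 reports more than one addressed adapter, fix that first; the DNS findings in steps 2 and 3 are usually symptoms of the same multi-homed setup, and stale public records in the zone tend to reappear through dynamic registration until the extra interface is gone.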


Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.

Till next month!


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2010. All rights reserved.
