Search This Blog

Wednesday, May 30, 2012

ISAserver.org Monthly Newsletter of May 2012

-------------------------------------------------------
ISAserver.org Monthly Newsletter of May 2012
Sponsored by: Fastvue
<http://fastvue.co/>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. What's New in the Windows Firewall for Windows Server 2012?
--------------------------------------------------------------

With the future of the TMG firewall somewhat still in doubt, I thought it might be interesting to take a look at a firewall that definitely seems to have a future – the Windows Firewall with Advanced Security. The Windows Firewall will be included in both the Windows 8 Client and the Windows Server 2012 server versions of Microsoft's next operating system. I've worked with the Windows Firewall for a number of years, and I've already been partial to it as a great free host-based security tool. It does a great job and I've been looking forward to some of the new things we might see in the Windows Firewall with the future versions of the Windows operating system.

Well, now we know. Here are some of the new things you can expect to see in the Windows Firewall with Advanced Security in Windows 8/Server 2012:

* IKEv2 for IPsec Transport Mode. This feature will enable you to create remote access VPN client/server connections using the IKEv2 protocol. This is a great security solution and it adds another nice feature which will enable the VPN connection to automatically reconnect in the event that the connection is lost at any time.

* Metro Style App Network Isolation. This feature will allow you to enforce network boundaries so that any apps that are compromised will only be able to access networks to which you have explicitly given them access. For example, if an app is only allowed to connect to the Internet, and then it gets compromised, it won't be able to impact anything on your production network.

* Windows PowerShell Cmdlets for Windows Firewall. You know that in the past, you could use the netsh command line utility to manage the Windows Firewall. Well, now you can use PowerShell, and take advantage of PowerShell's sophisticated scripting capabilities, as well.

Hmmm. Those are some good new features, but I was hoping for a little bit more in this area, weren't you? It seems as though the Windows Firewall with Advanced Security hasn't been updated very much. That goes along with the modern philosophy that firewalls don't hold quite the high spot in a security plan that they once did.

That does bring up the question about exactly where Microsoft is now focusing their efforts when it comes to security. I've done a little digging and I think I've found at least one answer to that. They're putting a ton of work into the Windows Server 2012 Hyper-V switch and in the SMB 3 protocol. In future newsletters, we'll talk a bit about these and we'll discuss whether these new features will be able to fill the hole that would be left by the possible absence of TMG in the future.

See you next month! – Deb.
dshinder@isaserver.org

=======================
Quote of the Month - "DOS is ugly and interferes with users' experience." Bill Gates
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

* Understanding TMG Web Caching Concepts and Architectures
http://www.isaserver.org/tutorials/Understanding-TMG-Web-Caching-Concepts-Architectures.html

* Microsoft Forefront TMG - Remote Administration concepts
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Remote-Administration-concepts.html

* GFI WebMonitor for ISA/TMG Voted ISAserver.org Readers' Choice Award Winner - Access Control
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Access-Control-GFI-WebMonitor-for-ISA-TMG-Mar12.html

* Configuring SCCM with UAG DirectAccess (Part 2)
http://www.isaserver.org/tutorials/Configuring-SCCM-UAG-DirectAccess-Part2.html

* ISAserver.org Readers' Choice Awards Yearly Round Up 2011
http://www.isaserver.org/news/ISA-Readers-Choice-Awards-Yearly-Round-Up-2011.html

* Forefront Threat Management Gateway (TMG) 2010 Web Proxy Client Redundancy Deep Dive (Part 3) - Enable Kerberos Authentication in Load Balanced Scenarios
http://www.isaserver.org/tutorials/Forefront-Threat-Management-Gateway-TMG-2010-Web-Proxy-Client-Redundancy-Deep-Dive-Part3.html

* Configuring SCCM with UAG DirectAccess (Part 1)
http://www.isaserver.org/tutorials/Configuring-SCCM-UAG-DirectAccess-Part1.html

* Microsoft Forefront TMG - Best Practices Firewall policy rules
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Best-Practices-Firewall-policy-rules.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

Windows Server 2012 makes it clear that the future of server management in the Microsoft world is going to be all about remote management. While most of us are already managing our servers across the network from a workstation, some admins are still engaging in local management of servers. If that's you, take a second look at your options. There are a lot of advantages to remote management and very few disadvantages, so why not learn more about remote management of TMG firewalls? You can get started with this great article by Marc Grote Microsoft Forefront TMG – Remote Administration Concepts.
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Remote-Administration-concepts.html


5. Tip of the Month
--------------------------------------------------------------

The TMG firewall comes with a host of great built-in reports that can give you an exceptional level of insight into what's happening on your network. With SP2 for the TMG firewall, you can even get user level reports so that you can figure out what specific users have been doing over your Internet connection. But did you know that you can take the reporting feature to the next level and get even more insight into your users and network traffic profiles? You bet! There's a new product called Fastvue that gives you unparalled information and amazing reports that you can quickly configure and print out that will satisfy even the most picky bosses. Check out the review our own Richard Hicks has done on Fastvue in his article Product Review: Fastvue Dashboard.
http://www.isaserver.org/tutorials/Product-Review-Fastvue-Dashboard.html


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

As those of you who read my blog already know, this month we are being treated to a new Hotfix Rollup for the TMG firewall. The name of this software is Hotfix Rollup 2 for TMG 2010 SP2. Here are some of the things you get when you install it:

KB2701952 – "Access is denied" status error when you use a delegated user account to try to monitor services in Forefront TMG 2010.
http://support.microsoft.com/kb/2701952

KB2700248 – A server that is running Forefront TMG 2010 may randomly stop processing incoming traffic.
http://support.microsoft.com/kb/2700248

KB2700806 – Connectivity verifier that uses the "HTTP request" connection method may not detect when a web server comes back online in Forefront TMG 2010.
http://support.microsoft.com/kb/2700806

KB2705787 – The Firewall service may intermittently crash when it processes client web proxy requests in a Forefront TMG 2010 environment.
http://support.microsoft.com/kb/2705787

KB2701943 – Error message when you try to join a Forefront 2010 server to an array: "The Operation Failed. Error code – 0×80070002 – the system cannot find the file specified".
http://support.microsoft.com/kb/2701943

KB2705829 – The Firewall service may stop responding to all traffic on a server that is running Forefront TMG 2010.
http://support.microsoft.com/kb/2705829

KB2694478 – Dynamic Caching may incorrectly delete recently cached objects from a caching server that is running Forefront TMG 2010 or ISA Server 2006.
http://support.microsoft.com/kb/2694478

You can download the new hotfix rollup pack HERE.
http://support.microsoft.com/kb/2689195

7. Blog Posts
--------------------------------------------------------------

* New Antimalware Engine for Forefront
http://blogs.isaserver.org/shinder/2012/05/11/new-antimalware-engine-for-forefront/

* TMG Reporter v2.0 released
http://blogs.isaserver.org/shinder/2012/05/11/tmg-reporter-v20-released/

* Cross site single sign-on not working between two UAG servers
http://blogs.isaserver.org/shinder/2012/05/08/cross-site-single-sign-on-not-working-between-two-uag-servers/

* UAG Host Address Translation Explained
http://blogs.isaserver.org/shinder/2012/04/30/uag-host-address-translation-explained/

* Multi-Site DirectAccess Configuration in Windows Server 2012
http://blogs.isaserver.org/shinder/2012/04/30/multi-site-directaccess-configuration-in-windows-server-2012/

* Configuring SCCM with UAG DirectAccess
http://blogs.isaserver.org/shinder/2012/04/30/configuring-sccm-with-uag-directaccess/

* OWA Session Timeouts Fail When Published Through UAG
http://blogs.isaserver.org/shinder/2012/04/30/owa-session-timeouts-fail-when-published-through-uag/

* Upgrading UAG 2010 to Service Pack 1 Fails
http://blogs.isaserver.org/shinder/2012/04/30/upgrading-uag-2010-to-service-pack-1-fails/

* Vulnerabilities in Forefront Unified Access Gateway Could Lead to Information Disclosure
http://blogs.isaserver.org/shinder/2012/04/30/vulnerabilities-in-forefront-unified-access-gateway-could-lead-to-information-disclosure/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hi Deb,

I've just installed a new TMG firewall and I'm in the process of learning how it works. One of the things I'm wondering about is if there are any rules that I should create right after installing the firewall. I know that no traffic to or through the firewall is allowed by default, but what should I be looking at in terms of firewall rules right after installation?

Thanks! – Neal


ANSWER:

Hi, Neal.

Great question! While there are a number of options in this area, the best place for you to start is by taking a look at your system policy rules. Whereas the default system policy rules make a good "best guess", I recommend that you take a close look at these after you complete your installation to make sure that they aren't too liberal. There are many situations where you would want to lock down some of the system policy rules. Another thing you should think about when creating firewall policy is the order in which you should put your firewall rules. Remember that the TMG firewall evaluates each connection to or through the firewall by applying the rules list from the top down – so the order in which your rules are listed is important. For more information on firewall rule best practices, check out Marc Grote's article Microsoft Forefront TMG – Best Practices Firewall Policy Rules.
http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Best-Practices-Firewall-policy-rules.html

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2012. All rights reserved.

No comments: