ISAserver.org Monthly Newsletter - April 2013

-------------------------------------------------------
ISAserver.org Monthly Newsletter - April 2013
Sponsored by: ADVSoft
<http://www.advsoft.info/download/?r1=isaserver_org&r2=newsletter2>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. Did the Cloud Kill the TMG Firewall?
-----------------------------------------------------------

"Video killed the radio star"
http://www.bing.com/videos/search?q=tv+killed+the+radio+star&mid=10B5570B0EF22B1A311510B5570B0EF22B1A3115&view=detail&FORM=VIRE3

Someone recently mentioned to me that the title of that tune runs through his head sometimes when he thinks about the demise of the TMG firewall. While we'll probably never know the reason(s) for Microsoft's decision to kill off what many of us regarded as their premiere security product, we all have some guesses.

My guess is that one of the big reasons for the decision was due to the company's new focus on cloud computing. When Microsoft made the commitment to go "all in" with the cloud, TMG was doomed – and that's why I was pessimistic about TMG's future prospects long before its demise was ever officially announced. You might recall that almost two years ago, I questioned whether Microsoft was backing away from the edge in an article over on TechRepublic that created quite an uproar. <http://www.techrepublic.com/blog/window-on-windows/the-demise-of-threat-management-gateway-is-microsoft-backing-away-from-the-edge/4387>

Many folks called me crazy (or at least wrong) back then, and I was afraid a few of them wanted to shoot the messenger. But looking at it in hindsight, it seems pretty inevitable. With cloud computing, the vision is that everything is going to be hosted in the cloud. That information might be delivered to the business through software as a service, platform as a service or infrastructure as a service. Regardless, in all of these models, components of your datacenter are moved off premises and into the cloud. When fully realized, only the proprietary information for that organization will be on premises. Microsoft's vision seems to be that eventually almost all of the logic and processing will be done on a public cloud infrastructure.

Now, I said that is the ultimate vision when it's completed. Will we ever really get that far? I don't know. The analysts tell us that is the future and that we need to prepare for it. But I'm going to be a contrarian once again. I'm not sure the on-premises datacenter will ever go away completely, at least in my lifetime.

You could say there were those who doubted the PC Revolution would result in mainframes going away (for the most part), too. I think what's different about the cloud revolution is that it's not being driven by a grass roots campaign of technologists. Instead, the cloud is being forced on us by business initiatives. The bean counters have bought into the promise that the cloud will save them a ton of cash. Whether that plays out in real life is another story, but the fact is that many organizations are already moving some or all of their computing infrastructure to the cloud.

Where does that leave a gateway device like TMG, then? In such a world, I suppose the only value it might provide is to function as a site to site VPN gateway between your on premises network and the cloud. What about protecting the clients? Cloud dictates that cloud resources should be available from any device and any location (with the appropriate access controls, of course). That means that your networks might as well be an open network, with each client having full access to the Internet. Problems with malware that might be downloaded from the Internet are, under this utopian vision, minimal, since operating systems are becoming increasingly secure. And if an operating system does get compromised, it'll be a no brainer to restore it to a previous pristine state because user state virtualization will enable a "push button" restore, again, due to that state being stored in the cloud.

One might argue that this is all wishful thinking and that you still need edge security in order to prevent malware and Trojans from compromising your network. But if your network has nothing but clients on it (with perhaps the exception of the back-end databases that are on completely separate networks and not directly accessible to any client system on your network), you begin to see that security is something that will need to be handled mostly in the cloud. And while there will be some holdouts, Microsoft would probably say that investments in on premises security will continue to diminish as cloud adoption accelerates. And maybe they're right.

What do you think? Do you think that the cloud will end up taking over the datacenter world? Do you think the need for edge security is going to be increasingly marginalized because of advancements in operating system security and restoration? Let me know! Send a note to dshinder@isaserver.org and I'll share your observations.

See you next month! – Deb.

dshinder@isaserver.org

=======================
Quote of the Month - We cannot solve our problems with the same thinking we used when we created them. – Albert Einstein
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

- TMG Firewall Name Resolution (Part 2)
http://www.isaserver.org/tutorials/TMG-Firewall-Name-Resolution-Part2.html

- Microsoft Forefront UAG - Forefront UAG monitoring and debugging (Part 1)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-Forefront-UAG-monitoring-debugging-Part1.html

- TMG Firewall Name Resolution (Part 1)
http://www.isaserver.org/tutorials/TMG-Firewall-Name-Resolution-Part1.html

- Configuring SafeSearch Enforcement in Forefront Threat Management Gateway (TMG)
http://www.isaserver.org/tutorials/Configuring-SafeSearch-Enforcement-Forefront-Threat-Management-Gateway-TMG.html

- Should you replace your TMG firewalls with UAG
http://www.isaserver.org/tutorials/Should-replace-TMG-firewalls-with-UAG.html

- Microsoft Forefront UAG – How to configure arrays in Forefront UAG (Part 2)
http://www.isaserver.org/tutorials/Microsoft-Forefront-UAG-How-configure-arrays-Forefront-UAG-Part2.html

- Avantis ContentCache Voted ISAserver.org Readers' Choice Award Winner - Hardware Appliances
http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Hardware-Appliances-Avantis-ContentCache-Jan13.html

- Firewalls in the Cloud (Part 1)
http://www.isaserver.org/tutorials/Firewalls-Cloud-Part1.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

IT Pros have been waiting a long time for a real Infrastructure as a Service (IaaS) solution from Microsoft. If you're one of them, it's time for you to check out Azure Virtual Machines and Virtual Networks. This offering will allow you to stand up virtual machines in Azure on which you can run any workload, just as you do in your own datacenter. This will allow you to realize the benefits of hybrid IT – the best of both the on-premises and cloud worlds. You connect your network to the Azure Virtual Network that your virtual machines live on by creating a site to site VPN.

What's the catch? There's always a catch. The problem here is that Azure Virtual Networks supports only a handful of VPN gateway devices. What if you just want to test basic functionality and you don't have one of those approved gateways? Richard Hicks saves the day with his article on how to connect TMG firewalls to the Azure Virtual Networks. Check out Richard's article here:
http://www.isaserver.org/tutorials/Enable-Cross-Premises-Connectivity-Windows-Azure-Forefront-Threat-Management-Gateway-TMG-2010.html


5. Tip of the Month
--------------------------------------------------------------

High availability for your TMG firewall is job one. If your firewall is down, then your users are going to be out of commission until you get things fixed. We know that you can ensure HA by using NLB and putting together a network load balanced array of TMG firewalls. But did you know that you can also have high availability for your Internet connectivity too? You bet! The TMG firewall supports multiple ISP connections for your TMG firewall, so that if one of the connections goes down, you're still up and running. Check out the article Keeping High Availability with Forefront TMG's ISP Redundancy Feature for the details:
http://blogs.technet.com/b/isablog/archive/2009/02/16/keeping-high-availability-with-forefront-tmg-s-isp-redundancy-feature.aspx


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Have you recently been having problems with your TMG firewall stopping its servicing of web proxy requests? I hate when that happens. This is often a difficult problem to troubleshoot, and troubleshooting gets even more problematic when you have NLB enabled. In this blog post, the TMG firewall team discusses a case where the web proxy stopped servicing requests in a situation where NLB was enabled on the firewall array. Check out the problem and the solution here:
http://blogs.technet.com/b/isablog/archive/2013/04/09/tmg-stopped-processing-web-proxy-requests.aspx


7. Blog Posts
--------------------------------------------------------------

- New Cloud and Datacenter Solution Hub
http://blogs.isaserver.org/shinder/2013/03/31/new-cloud-and-datacenter-solution-hub/

- Azure Site to Site VPNs with TMG Firewalls
http://blogs.isaserver.org/shinder/2013/03/29/azure-site-to-site-vpns-with-tmg-firewalls/

- Configuring DirectAccess in Windows Server 2012 Video
http://blogs.isaserver.org/shinder/2013/03/28/configuring-directaccess-in-windows-server-2012-video/

- How to purchase Forefront TMG now
http://blogs.isaserver.org/shinder/2013/03/21/how-to-purchase-forefront-tmg-now/

- DirectAccess Manage Out using Native IPv6 with WS 2012
http://blogs.isaserver.org/shinder/2013/03/21/directaccess-manage-out-using-native-ipv6-with-ws-2012/

- DirectAccess Comparison Table
http://blogs.isaserver.org/shinder/2013/03/21/directaccess-comparison-table/

- Jason Jones joins Microsoft Consulting
http://blogs.isaserver.org/shinder/2013/03/21/jason-jones-joins-microsoft-consulting/

- Blocking Anonymous Unauthenticated Traffic
http://blogs.isaserver.org/shinder/2013/03/20/blocking-anonymous-unauthenticated-traffic/

- DirectAccess Hotfix Summary
http://blogs.isaserver.org/shinder/2013/03/12/directaccess-hotfix-summary/

- Cloud Infrastructure Solution for Enterprise IT
http://blogs.isaserver.org/shinder/2013/03/11/cloud-infrastructure-solution-for-enterprise-it/


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hello Deb,

I heard that a new rollup fix pack was made available for the TMG firewall a couple of months ago. Do you have any information on what I get with it and do I need to install it? Thanks! –Jack.

ANSWER:

Hi Jack,

Indeed, a new rollup pack, called Rollup 3 for Forefront Threat Management Gateway 2010 Service Pack 2 <http://support.microsoft.com/kb/2735208> was released back in January. A number of fixes were included in that rollup fix pack. Some of them include:

* 2700248 (http://support.microsoft.com/kb/2700248/)

FIX: A server that is running Forefront Threat Management Gateway 2010 may stop accepting all new connections and may become unresponsive

* 2761736 (http://support.microsoft.com/kb/2761736/)

FIX: All servers in a load-balanced web farm may become unavailable in Forefront Threat Management Gateway 2010

* 2761895 (http://support.microsoft.com/kb/2761895/)

FIX: The Firewall service (WSPSRV.EXE) may crash when the firewall policy rules are reevaluated in Forefront Threat Management Gateway 2010

* 2780562 (http://support.microsoft.com/kb/2780562/)

FIX: PPTP connections through Forefront Threat Management Gateway (TMG) 2010 may be unsuccessful when internal clients try to access a VPN server on the external network

* 2780594 (http://support.microsoft.com/kb/2780594/)

FIX: A non-web-proxy client in a Forefront Threat Management Gateway (TMG) 2010 environment cannot open certain load-balanced websites when TMG HTTPS inspection is enabled

* 2783332 (http://support.microsoft.com/kb/2783332/)

FIX: You cannot log on when FQDN is used and Authentication delegation is set to "Kerberos constrained delegation" in a Forefront Threat Management Gateway 2010 environment

* 2783339 (http://support.microsoft.com/kb/2783339/)

FIX: A closed connection to a domain controller is never reestablished when Authentication delegation is set to "Kerberos constrained delegation" in a Forefront Threat Management Gateway 2010 environment

* 2783345 (http://support.microsoft.com/kb/2783345/)

FIX: Unexpected authentication prompts while you use an OWA website that is published by using Forefront Threat Management Gateway (TMG) 2010 when RSA authentication and FBA are used

* 2785800 (http://support.microsoft.com/kb/2785800/)

FIX: A "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)" Stop Error may occur on a server that is running Forefront Threat Management Gateway (TMG) 2010

* 2790765 (http://support.microsoft.com/kb/2790765/)

FIX: A "Host Not Found (11001)" error message occurs when an SSL site is accessed by using a downstream Forefront Threat Management Gateway 2010 server that has HTTPS Inspection enabled

Regarding whether or not you should install the rollup, I would say that if you're running into one of these problems, then you definitely should install it. Even if you are not having any of these problems, I would still install it because you might encounter them in the future if you enable scenarios where these issues will be surfaced. Better safe than sorry!

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WServerNews.com <http://www.wservernews.com/>

--

Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright ISAserver.org 2013. All rights reserved.