Wednesday, August 28, 2013

ISAserver.org - Monthly Newsletter - August 2013

Hi Security World,

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org


1. What Got You Here Won't Get You There
-----------------------------------------------------------

Hey everyone! It's been a long time since I had the chance to write to you. Debi is taking a cruise with her cousin this week so I'm taking over for Deb this week and doing the editorial for the ISAserver.org newsletter. I have to admit, it's been a long time since I've touched a TMG firewall other than the one that I run in my home, so I thought I'd tell you what I've been up to the last three and a half years.

You might remember that I joined Microsoft in December of 2009. That was an exciting and somewhat nervous time for me, since I'd never worked for a big company. I started on the UAG DirectAccess team, which was pretty challenging since I didn't know anything about DirectAccess at the time. But within six months I pretty much became the "DirectAccess guy" and delivered four talks on DirectAccess at TechEd in 2010. That job lasted about 9 months.

I then moved to what we call the "Solutions" team, where my job was to come up with solutions for private cloud. Wow! Talk about going from the frying pan and into the fire. The team is very architecture oriented and I had never spent much time on IT architecture in the past. But I started to get the hang of it and now I can almost call myself an enterprise architect. The initial focus was on private cloud and we put up a lot of material related to private cloud architecture. I even got to present on private cloud security architecture in Moscow!

The focus was pretty much private cloud until the beginning of this year, when we decided to move our focus to hybrid IT. Hybrid IT is about hosting enterprise resources both on-premises and in a public cloud infrastructure service provider's network. We're about to publish our work on hybrid IT as part of an article set named "Hybrid IT Solution for Enterprise IT". The first article in the set is now online, Hybrid IT Infrastructure Design Considerations. <http://social.technet.microsoft.com/wiki/contents/articles/18120.hybrid-it-infrastructure-design-considerations-for-enterprise-it.aspx>

In the next year we'll be working on a revision of our Cloud Infrastructure Solution for Enterprise IT <http://www.microsoft.com/en-us/download/details.aspx?id=36795>, which is all about putting together a cloud infrastructure. The revision will include the full infrastructure and fabric management components required to create a cloud solution that can host SaaS, PaaS or IaaS service models. We'll also be revising the hybrid IT solution later this year. Those are going to be fun projects and they really point to the future of enterprise computing. I hope that you will be able to take a look at Azure Infrastructure Services because it's really cool! I don't have to set up labs on my own machines anymore, because I can do the same thing on Azure in a fraction of the time.

So that's what I've been up to. I miss the days of ISA and TMG and ISAserver.org, those were great times and I really enjoyed working with all of you. I hope that you'll find a great replacement for TMG someday. I'll be running mine until it runs out of support in 2020. But you'll probably want to plan ahead and check into some alternatives for TMG before that. Keep an eye out on ISAserver.org for articles and advertisements for TMG alternatives.

It's been a wild ride and one thing I realized is that what got me here won't get me there. My ISA/TMG skills didn't really translate into private or public cloud skills, so I had to reinvent myself. It's likely that many of you will need to do the same in the future. My advice to you is to look at this as an opportunity to learn something new. We went into this business because we liked challenges and there are plenty of them coming in the future. So go for it!

Good luck and embrace the future! - Tom.

*MS Exchange CON 2013 Virtual Conference*

Just wanted to let you all know that our sister site MSExchange.org is hosting a Virtual Conference on September 12 where you can get your top MS Exchange questions answered.

Register here:
https://qlm.infusionsoft.com/app/page/exchangecon2013registration

- Hear from a top analyst from Osterman Research with the latest survey research on MS Exchange top trends and challenges
- Watch how vendors are solving some of the biggest Exchange Management problems
- Get answers to your top MS Exchange and MS Exchange 2013 questions with an Exchange MVP

All from the convenience of your office.

Discover answers to questions like:

- What are the key features of MS Exchange 2013?
- How can we secure and better control our MS Exchange environment?
- What are 5 strategies to better manage MS Exchange for 2013 and beyond?

This unique, online conference is limited to 1,000 participants, so register now if you have not already done so!
<https://qlm.infusionsoft.com/app/page/exchangecon2013registration>

dshinder@isaserver.org

=======================
Quote of the Month - "Success is a lousy teacher. It seduces smart people into thinking they can't lose." Bill Gates
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you the ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

Troubleshooting the TMG Firewall with Network Monitor (Part 2)
http://www.isaserver.org/articles-tutorials/general/troubleshooting-tmg-firewall-network-monitor-part2.html

Preparing Forefront Threat Management Gateway (TMG) 2010 for Automated Deployment
http://www.isaserver.org/articles-tutorials/installation-planning/preparing-forefront-threat-management-gateway-tmg-2010-automated-deployment.html

Troubleshooting the TMG Firewall with Network Monitor (Part 1)
http://www.isaserver.org/articles-tutorials/general/troubleshooting-tmg-firewall-network-monitor-part1.html

Product Review - Portsys Unified Access Gateway
http://www.isaserver.org/articles-tutorials/product-reviews/product-review-portsys-unified-access-gateway.html


4. ISA/TMG/UAG Content of the Month
---------------------------------------------------------------

One of the core attributes of cloud computing is automation. While automation isn't an essential characteristic of cloud computing, it feeds into the "minimize human involvement" essential characteristic. As I wrote about last month, you can use the TMG firewall in a cloud environment in a number of ways. Wouldn't it be nice if you could automate a TMG firewall deployment? And if you use Windows Azure as your public cloud infrastructure provider, you could automate the deployment of the TMG firewall and pair that up with auto-scaling <http://blogs.msdn.com/b/agile/archive/2013/07/02/windows-azure-autoscaling-now-built-in.aspx>. But how do you automate a TMG firewall deployment? Richard Hicks knows how and he shows you how to do it at http://www.isaserver.org/articles-tutorials/installation-planning/preparing-forefront-threat-management-gateway-tmg-2010-automated-deployment.html


5. Tip of the Month
--------------------------------------------------------------

Tick, tick, tick. The clock is ticking on the TMG firewall. While we have a few years before the clock stops on our beloved firewall, we need to think about replacing it. It's hard to find a firewall that has all the features and security of the TMG firewall, so it might be that you end up needing to deploy multiple solutions. One of those solutions might be from Citrix. Netscaler is a Citrix product and they have even put out a white paper on the subject. Check out Netscaler: A comprehensive replacement for Microsoft Forefront Threat Management Gateway. <http://www.citrix.com/content/dam/citrix/en_us/documents/products/netscaler-comprehensive-replacement-for-microsoft-forefront-threat-management-gateway.pdf>


6. ISA/TMG/IAG/UAG Link of the Month
--------------------------------------------------------------

Perhaps the most dangerous type of traffic that the TMG firewall has to deal with is unauthenticated traffic. Who is that anonymous user? What is that anonymous user trying to do? It's difficult to figure out if the anonymous user is benign or one that has evil intentions. Because the anonymous user is so dangerous, you want the TMG firewall to block as many anonymous connections as possible. How do you do that? Well, there are a lot of things you can do. Check out Reducing Anonymous (Unauthenticated) Traffic in Forefront TMG <http://www.fastvue.co/blog/reducing-unauthenticated-traffic-in-forefront-tmg>, written by Scott Glew from our friends at Fastvue.

7. Blog Posts
--------------------------------------------------------------

How many firewalls does your private cloud need?
http://www.isaserver.org/blogs/shinder/how-many-firewalls-does-your-private-cloud-need.html

Avoiding Complexity Risks with Next-Gen Firewalls
http://www.isaserver.org/blogs/shinder/avoiding-complexity-risks-next-gen-firewalls.html

Deploying Winfrasoft Forefront TMG Virtual Appliances
http://www.isaserver.org/blogs/shinder/deploying-winfrasoft-forefront-tmg-virtual-appliances.html

TMG Replacement: And the winner is ...
http://www.isaserver.org/blogs/shinder/tmg-replacement-and-winner.html

Publishing SharePoint in Forefront UAG
http://www.isaserver.org/blogs/shinder/publishing-sharepoint-forefront-uag.html

Client certificate authentication on UAG 2010 Portal
http://www.isaserver.org/blogs/shinder/client-certificate-authentication-uag-2010-portal.html

Celestix announces global availability of DirectAccess appliance
http://www.isaserver.org/blogs/shinder/celestix-announces-global-availability-directaccess-appliance.html

Life in a Post TMG world
http://www.isaserver.org/blogs/shinder/life-post-tmg-world.html

TMG "no longer needed" to secure newer versions of Exchange?
http://www.isaserver.org/blogs/shinder/tmg-no-longer-needed-secure-newer-versions-exchange.html

Enable Hybrid Cloud with Forefront TMG and Windows Azure
http://www.isaserver.org/blogs/shinder/enable-hybrid-cloud-forefront-tmg-and-windows-azure.html


8. Ask Sgt Deb
--------------------------------------------------------------

QUESTION:

Hello Deb,

I read some of your articles on isaserver.org, and I would like to ask you a question.

For a deployment of an array with 22 TMG firewalls, is it better to choose a standalone array or an EMS array? Each TMG is going to have different setup and each TMG will have a single network adapter configuration. Yes, "hork mode"

Best regards -Stephane.


ANSWER:

Hi Stephane,

Well, I'm sorry to hear that you're using hork mode, but that happens sometimes :). First, you need to understand the differences between a standalone and an enterprise array:

- Standalone array: In a standalone array, the configuration settings are stored in a configuration store on the array manager server. This storage method, which is also used to store settings on a standalone Forefront TMG server, is similar to the Configuration Storage Server (CSS), which was used to store configuration settings and enterprise policies in ISA Server 2006 Enterprise Edition.
- Array managed by Enterprise Management Server (EMS): In an array that is managed by an EMS, the configuration settings are stored on the EMS.

The primary differences are that in a standalone array, firewall policy is stored on the array manager, which is one of the members of the array versus the enterprise array, where the storage of firewall policy is on the enterprise management server (EMS). In addition, when you deploy an EMS, you can manage different arrays, not a single array like with the standalone server. Remember, an array is a collection of TMG firewalls that share the same configuration. If you want each TMG firewall to have a different configuration, then you'll need to create a different array for each configuration. Given the number of arrays you plan to deploy, centralized management using an EMS seems like the best option to me.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.



ISAserver.org is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@ISAserver.org
Copyright ISAserver.org 2013. All rights reserved.