ISAserver.org - June 2009 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of June 2009
Sponsored by: Wavecrest Computing
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP.
Each month we will bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. What's New in TMG Beta 3
--------------------------------------------------------------

Have you been enjoying your TMG Beta 2 testing? I know I have! But what could be more fun than testing TMG Beta 2? How about TMG Beta 3! That's right, if you have not heard already, TMG Beta 3 has been released and can be downloaded from the Microsoft site <http://www.microsoft.com/downloads/details.aspx?FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd&displaylang=en>.

I have been running TMG Beta 3 for a couple of weeks now and I can tell you that it is a tremendous improvement over the previous Beta versions. Not only has performance been significantly improved, but with Beta 3 we see the return of the URL filtering feature. URL filtering was available in earlier Beta versions of the TMG firewall, but was removed for technical and business reasons from Beta 2. With Beta 3, you have a fully functioning URL filtering mechanism built right into the firewall.

While the return of URL filtering was the thing I was looking most forward to, there are a number of new and enhanced features and capabilities included in beta 3 that make it worth your while to download and start testing. Some of these include:

* Setup Preparation Tool. With Beta 3, you will find that the installation experience has changed. Instead of trying to figure out if you have the correct prerequisite software installed, the TMG beta 3 installer will check for you. If you are missing any software, it will automatically download and install it for you. You will probably have to restart the computer before continuing with the installation, but the installer will let you know.

* VPN server SSTP support. BAM! This is one my of my favorite new features. SSTP allows you to create a network level SSL VPN connection that can pass through just about any firewall or Web proxy. No more users calling you from the Sahara Las Vegas complaining that they ca not get a VPN connection to the corpnet. SSTP support is baked into the TMG firewall and is very easy to set up. The only thing missing from Beta 3 is a wizard that creates a Web Publishing Rule that publishes your CRL, since if you use private certificates for your VPN (and why would you use public certificates for a private service?), you will need to make your CRL available to SSTP users.

* DirectAccess support? I put a question mark here because I do not know if a DirectAccess server is actually supported on the TMG firewall itself. I know that there are System Policy Rules designed to allow DirectAccess communications to the firewall. There are also some IPv6 configuration options available suggesting that this is possible. However, I have not tested this and there is no documentation that leads me in one direction or the other. However, I can tell you that the upcoming UAG (the next version of IAG 2007) will support the DirectAccess server on the UAG device. I will write about this in detail in next month's newsletter.

* Standard and Enterprise Editions. We thought we were going to get out from under the Standard Edition versus Enterprise edition rock earlier in the TMG development process, but it looks like that is not going to happen this time around. I have not seen the details on what the differences are between Standard Edition and Enterprise edition, as they were not on the public site, the connect site, the release notes or the deployment guide. I suspect the Enterprise edition will allow you to manage multiple Enterprise arrays and create Enterprise firewall policies and network elements, and will support NLB and CARP. However, it is possible that the Standard Edition will support NLB and CARP in what are known as "standalone arrays". I will keep you posted on my blog when I figure this out.

* Workgroup support. Previous Beta versions did not support workgroup installations of TMG. Beta 3 does support workgroup installations. Not that I ever recommend workgroup installation, but it's nice to know that if you're forced to install in a workgroup, at least now you have a chance to begin your testing.

* Windows Server 2008 and Windows Server 2008 R2 support. You can install TMG Beta 3 on either Windows Server 2008 or Windows Server 2008 R2. The documentation mentions that RTM will have "full support" for R2, but it does not mention if there are any current limitations. I suppose this is due to the fact that R2 is still in public beta testing, and it is hard to make any hard and fast assumptions about TMG beta functionality on a beta operating system. However, R2 support is significant, since it opens up the possibility not only for DirectAccess, but maybe also IKEv2. IKEv2 is a new VPN protocol included with Windows 7 that allows you to move around and have the machine automatically reconnect to the VPN in the background, similar to what you see with DirectAccess. In general, DirectAccess is the best solution, but if you do not have the IPv6 infrastructure to support DirectAccess, or you do not have a NAT-PT device to support connections to your non-IPv6 capable servers, then IKEv2 is a sweet second best. However, I do not want to go on too much about IKEv2 (sometimes known as "VPN Reconnect") until I figure out if it works with the TMG firewall. I can tell you that it is not integrated in the TMG management console, so, whether it works or not is going to be a coin flip scenario for me at this time.

* Performance enhancements. The installation process for TMG Beta 3 is a long and drawn out affair. Not that you have to spend a lot of time doing the configuration steps; those go really fast and very easy given the improved installation wizard. The wait comes from the installation itself. Prepare for it to take 15-30 minutes even on a very fast, Nehalem-based Intel processor on a machine with 8+ GBs of RAM. However, after installation is complete, you will find the console extremely snappy and responsive. Network performance also seems significantly improved, although I haven't performed any formal testing yet; stay tuned for that.

* Rule Set Grouping. Here is something that you have been asking for ever since ISA 2004 hit the market: Rule Set Grouping. With Rule Set Grouping you can get a handle on your large and unwieldy rule sets and put rules into groups that are meaningful to you. Grouping would not change the rule order and rules will continue to be evaluated from the top down. But now, you can group your rules so that you have a much better visual cue as to what the firewall policy is doing. Three cheers for the development team for making this a reality!

* Rule Set Search. Search is another feature you have been wanting for years. Now you have it! Search for protocols, sources, destinations, users, just about anything you want. You do not have to manually sift through all your entries to find the information you are looking for. Nice!

These are just some of the more obvious additions and improvements you will find in Beta 3. Another thing that you will immediately notice is that the icons and other elements of the console have been updated and enhanced. This makes working with the TMG console a real joy. The combination of form and functionality put the TMG Beta 3 at the head of its class in the Unified Threat Management device category.

Download Beta 3, test it on either Windows Server 2008 or Windows Server 2008 R2, and then let me know what you think about it. You can write to me at tshinder@isaserver.org, or if you are having problems or want community help and advice, head on over to the ISAserver.org message boards. We have a number of TMG Microsoft MVPs and industry experts who help out on those boards are ready, willing and able to give you the help you need to make your testing a success!

See you next month...
Thanks!
Tom
tshinder@isaserver.org

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt <http://www.blackhat.com/html/bh-usa-09/train-bh-usa-09-tm-ms-bbe.html> Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you into the secret tweaks that we use to get an edge over the bad guys.

For ISA and TMG and other Forefront Consulting Services in the USA, call me at
Prowess Consulting <http://www.prowessconsulting.com>
206-443-1117

=======================
Quote of the Month - "Tact is the knack of making a point without making an enemy." - Sir Isaac Newton
=======================

2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you , ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally 1000's of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.

3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

We have a great group of articles in the Learning Zone that will help you get a
handle on your most difficult configuration issues. Here are just a few of the
newer and more interesting articles:

* Overview of New Features in TMG Beta 2 (Part 3)
<http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part3.html>

* Websense Enterprise Voted ISAserver.org Readers&#146; Choice Award Winner - Access Control
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Access-Control-Websense-Enterprise-Mar09.html>

* Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 2)
<http://www.isaserver.org/tutorials/Configuring-using-E-Mail-protection-feature-Microsoft-Forefront-Threat-Management-Gateway-Beta-2-Part2.html>

* ISAserver.org Readers' Choice Awards Yearly Round Up 2008
<http://www.isaserver.org/news/ISA-Readers-Choice-Awards-Yearly-Round-Up-2008.html>

* Overview of New Features in TMG Beta 2 (Part 4)
<http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part4.html>

* Configuring the AntiMalware functionality in Microsoft Forefront TMG
<http://www.isaserver.org/tutorials/Configuring-AntiMalware-functionality-Microsoft-Forefront-TMG.html>

* Overview of New Features in TMG Beta 2 (Part 5)
<http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part5.html>

* Explaining and configuring NIS (Network Inspection Service)
<http://www.isaserver.org/tutorials/Explaining-configuring-NIS-Network-Inspection-Service.html>

4. KB Article of the Month
---------------------------------------------------------------

Before sharing the KB article of the month, I want to let you know that I am still trying to figure out how to get a list of KB articles released in the last 30 days. If you have not read this newsletter in the past, I used to provide a list of KB articles that had been released since the previous newsletter. This was a nice feature, since if you stayed on top of this list, you had a pretty good idea about the flow of KB releases. The date search feature was removed from the general Microsoft Help and Support site, but for a few months I was able to do this search using the MCP private search site. However, they removed that site from the Web a few months ago and now we have no mechanism for performing this kind of date based search. I was hoping the introduction of BING would help with this, but still a no go.

*Link translation causes an endless loop when you use Web servers that redirect HTTP requests as HTTPS requests in ISA Server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008.*

Consider the following scenario:

* You have a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 in a split DNS infrastructure.
* You have a Web server that automatically redirects HTTP requests to Secure Socket Layer (SSL) requests.
- You create a Web publishing rule for the Web server that redirects HTTP requests to HTTPS.
- You use one of the following configurations:
- You configure the Web listener to listen for HTTP requests and also to use bridging.
- You configure the Web listener and the bridging for both HTTP and for SSL requests (HTTPS).

In this scenario, when the Web server receives an HTTP request, it redirects the request to the ISA server as an SSL request (HTTPS). For example, http://www.contoso.com is redirected to https://www.contoso.com.

Then, the ISA server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 translates SSL requests to HTTP requests and redirects it to the Web server. This causes an endless loop.

For a solution to this problem, check out the following KB article <http://support.microsoft.com/kb/924373>.

5. Tip of the Month
--------------------------------------------------------------

Over the years, I have received quite a few requests on how to get Visual Studio to work through an ISA firewall. Not being a programmer myself, and not knowing how to even get started with solving any Visual Studio problem, I have had to depend on others to help solve this problem. If you are using Visual Studio and you are having a problem getting to work through an ISA firewall, then check out this thread on the ISAserver.org Web boards <http://forums.isaserver.org/m_2002087347/mpage_1/key_/tm.htm#2002087743>.

Along those lines, this KB article <http://support.microsoft.com/kb/910804> might be helpful too.

Now check out this problem:

&#147;In ISA Server 2000, if a non domain PC tried to access Internet via WebProxy then the user would be prompted for username and password on the domain.

I cannot get the same behavior to work in ISA 2006. I have Internal Web Proxy enabled for Integrated and Basic Authentication. I do not have the require users to authenticate as would have been the case in ISA 2000 - I believe this is no longer required.

From a non domain client (e.g. contractor) with Internet Explorer set to connect via proxy server the user just does not get Internet access (ISA 502 error code - page cannot be displayed - unreachable address)

I have firewall policy to allow access to Internet for members of the Domain created Internet Users Group&#148;

How to solve this problem? Check out this thread on the ISAserver.org Web boards <http://forums.isaserver.org/m_2002070560/mpage_1/key_/tm.htm#2002070780>.

6. ISA/TMG/IAG Links of the Month
--------------------------------------------------------------

* Enhanced TS Gateway Security with ISA 2006 and RSA Security
<http://www.scribd.com/doc/15682090/TS-Gateway-2008-RSA>

* Split Streaming ISA Server 2006 with Service Pack 1
<http://www.elmajdal.net/ISAServer/Split_Streaming_ISA_Server_2006_with_SP1.aspx>

* ISA Firewall Quick Tip : How To Allow Cisco VPN Client To Connect Through ISA Server
<http://www.elmajdal.net/ISAServer/How_To_Allow_Cisco_VPN_Client_To_Connect_Through_ISA_Server.aspx>

* Using the ADAM Sites Tool with ISA Server 2006 Enterprise Edition
<http://blog.msfirewall.org.uk/2009/05/using-adam-sites-tool-with-isa-server.html>

* Fun with Bing behind Forefront TMG Beta 3 or it&#146;s just me?
<http://www.carbonwind.net/blog/post/2009/06/12/Fun-with-Bing-behind-Forefront-TMG-Beta-3-or-ite28099s-just-me-.aspx>

* Microsoft ISA Server 2006 Role Based Administration
<http://tmgblog.richardhicks.com/2009/06/11/microsoft-isa-server-2006-role-based-administration/>

7. Blog Posts
--------------------------------------------------------------

* The DirectAccess Challenge - NAT Traversal
<http://blogs.isaserver.org/shinder/2009/06/14/the-directaccess-challenge-nat-traversal/>

* Direct Access Versus DirectAccess - Know the Difference
<http://blogs.isaserver.org/shinder/2009/06/14/direct-access-versus-directaccess-know-the-difference/>

* Enterprise Management for ISA and TMG Firewall Arrays
<http://blogs.isaserver.org/shinder/2009/06/14/enterprise-management-for-isa-and-tmg-firewall-arrays/>

* Troubleshooting Authentication Issues in ISA Server Using Net Logon Logging
<http://blogs.isaserver.org/shinder/2009/06/14/troubleshooting-authentication-issues-in-isa-server-using-net-logon-logging/>

* Microsoft ISA Server 2006 Role Based Administration
<http://blogs.isaserver.org/shinder/2009/06/14/microsoft-isa-server-2006-role-based-administration/>

* TMG Beta 3 Reintroduces URL Filtering
<http://blogs.isaserver.org/shinder/2009/06/11/tmg-beta-3-reintroduces-url-filtering/>

8. Ask Dr. Tom
--------------------------------------------------------------

* QUESTION:

Good day,

I am new to the ISA server environment and I plan to install ISA server for our company. We are currently using a MS Proxy Server version 2. I plan to replace this Proxy server with the ISA server.

We have an Active Directory environment for more or less 150 users.

I need to know if the ISA 2006 standard version will be able to use the Active directory or do I need to buy the Enterprise edition.

I do not need redundancy or central management.

Thanks! - Robbie.

* ANSWER:

Hi Robbie! Welcome to the 21st century :)

There have been a lot of changes to the product since Proxy 2.0. As you know, Proxy 2.0 was designed primarily as a Web proxy server that also had the ability to remote Winsock calls and act as a Winsock Proxy server when the Winsock Proxy client was installed on the Proxy 2.0 box. Proxy 2.0 was also built on top of IIS, which introduced a number of security issues. With Proxy 2.0 you had to make sure you had firewalls in front of and behind the Proxy server, since the machine wasn&#146;t a firewall.

Fast forward to ISA 2006 SP1... ISA 2006 is a full featured network firewall that does not require any other firewalls in front of it or behind it (although you are certainly welcome to install more ISA firewalls for a back to back configuration if you like). Not only is the ISA 2006 firewall a firewall, it is also a Web proxy device, a Winsock proxy device, a remote access VPN client server and a site to site VPN server. No networks are trusted, and all connections to and through the ISA firewall are subject to both stateful packet and application layer inspection.

Replacing Proxy 2.0 will take a bit of rearchitecting of your environment, since the ISA firewall is a firewall, and not a proxy server (although it has Web and Winsock proxy components built on top of the core firewall engine). You will need to consider putting the ISA firewall at the edge of the network. If you already have a firewall solution, you can consider putting the ISA firewall in parallel with the current firewall, or put it behind the current firewall in a back to back configuration. The key consideration here is that you do not need to "rip and replace" your current firewall solution - you already paid for it, you might as well use it.

The ISA firewall is able to leverage Active Directory so that you can create fine-tuned Access Rules that control outbound access, or if you want to publish resources, the ISA firewall can use the Active Directory to control inbound access based on Active Directory user or group accounts. If you were paying attention during the ISA 2000 days, you might have read that the Enterprise version of the ISA 2000 firewall required that you store configuration settings in the Active Directory. That is no longer the case, as the Enterprise version of the ISA 2006 firewall stores configuration in a special instance of Active Directory Application Mode

So, to answer your question, you will not need to buy the Enterprise edition. However, if you think you might be interested in redundancy via NLB, or have centralized management of arrays, then you might want to consider Enterprise edition. Good luck on your introduction to ISA firewall and remember to come early and often to the Web boards <http://forums.isaserver.org/> at ISAserver.org if you ever have any questions on how to get the more out of your ISA firewall purchase!

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.

TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright c ISAserver.org 2009. All rights reserved.