If you haven’t been to the Microsoft ISA/TMG home page for a while, you might want to take a minute to check out its new look. The page has been updated so that it has the same look and feel as other Microsoft product pages. There’s no new content, but it has a slick look and it’s easier to find the information you need.
Check it out at:
http://www.microsoft.com/forefront/edgesecurity/is...t.aspx
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)
Check this out. A financial magazine mentions ISAserver.org. Nice!
http://www.tradingmarkets.com/.site/news/Stock%20N...23845/
Thanks!
Tom
A couple of days ago I mentioned some confusion over the TMG versions available to the public. This stemmed from what I thought was an interesting gaffe made by the PSS team, who revised an ISA KB article regarding Hork Mode deployments so that it would apply to the TMG. I thought it was a gaffe because the EBS installer doesn’t allow you to install the TMG in Hork Mode (single NIC deployment). As it turned out, it wasn’t a gaffe!
Yuri Diogenes put up a blog post today regarding this issue and shows that there are differences in the delivery of the TMG MBE and the TMG EBS. Note the differences are in the delivery or licensing — it’s the same product in both cases.
Check out Yuri’s post on this issue at:
http://blogs.technet.com/yuridiogenes/archive/2008...s.aspx
HTH,
Tom
Doron Juster discusses an interesting issue regarding authentication settings on Web Proxy listeners and how they affect Web applications (such as a Web browser) running on the firewall. This article provides more evidence that enabling the Require all users to authenticate option on an ISA Firewall Network’s Web Proxy listener is a very bad thing.
Check out Doron’s article at:
https://blogs.technet.com/isablog/archive/2008/11/...s.aspx
HTH,
Tom
I ran into one of these just the other day. The problem is with the Web server that you’re connecting to, not the ISA firewall. However, in order for you to connect to these sites, you’ll need to do a little “breaking” of the ISA firewall (just like how some orthopedists need to break some bones in order to get them to work better).
To fix this 502 Proxy error through the ISA firewall (and the TMG firewall as well), check out:
http://support.microsoft.com/kb/935882/
BUT — you’re not done yet. After installing the hotfix, you need to create a Registry entry. You’ll find that information here:
http://support.microsoft.com/default.aspx?scid=kb;...935693
HTH,
Tom
A few days ago I wrote about the recent announcement of the IAG 2007 SP2 offering. As a reminder, IAG 2007 introduces a number of feature improvements that are going to make existing ISA 2007 customers very happy. But the most significant aspect of the IAG 2007 SP2 release is that there will be a downloadable evaluation version that you can install and configure in your lab. This is going to allow thousands, even tens of thousands of Microsoft network admins the opportunity to test this fantastic software on their own terms (outside of the “clean room” environment of virtual labs where you don’t really know how it would act if you got to set it up from scratch).
When I wrote the blog post I didn’t know where you would find it when it becomes available. Since then I found out that you’ll be able to find it at the TechNet evaluation center at http://technet.microsoft.com/en-us/evalcenter/defa...t.aspx
The IAG 2007 SP2 bits aren’t up there yet, but I’ll let you know when they are. Once you have a chance to download these bits, make sure you return to the ISAserver.org Web site to see the step by step articles we’re famous for to help you get up and running on your IAG 2007 SP2 deployment.
HTH,
Tom
On this blog yesterday I had a little fun with the ISA/TMG support team about a KB article on the limitations of the TMG MBE in hork mode (single NIC). I commented that this wasn’t an option for the TMG MBE, since the EBS installer doesn’t give you the hork mode option. Since then, I found out that it was probably me who got “slap happy”.
Why? Because I was equating TMG MBE with TMG EBS. I thought they were the same. Well, they are the same, sort of. The TMG MBE is the standalone version of the product, while the TMG EBS is the TMG MBE that’s included with the EBS product suite. So while the TMG MBE is the same regardless of whether or not it’s part of the EBS product suite, the deployment of the firewall is different.
Or is it? It’s true that the TMG EBS installer doesn’t give you the option to install it in hork mode, but it’s also true that you can break your EBS network security posture by reconfiguring it to a hork mode network configuration. I’m not sure if such a reconfiguration would break anything in terms of monitoring the EBS configuration, but the setup is entirely possible.
Thus, it looks like it was “my bad” on yesterday’s post.
HTH,
Tom
As I pointed out in an earlier blog post today, the ISA/TMG support team have been busy reviewing and updating ISA firewall KB articles so that they can apply to the Forefront TMG firewall. It took a lot of work on their part to make this happen, so we have only the highest admiration and respect for their efforts.
However, sometimes the best of us get a little “slap happy” when we’re faced with large volumes of work and tight deadlines. I think this was the case when the ISA/TMG support team updated this article:
The features and limitations of a single-homed ISA Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer
http://support.microsoft.com/kb/838364/en-us
The article definitely applies to ISA 2004 and ISA 2006 firewalls, but Forefront TMG MBE? I don’t think TMG MBE is supposed to work in hork mode at all (Hork mode is a single NIC ISA firewall that has had its security feature set stripped down due to the single NIC deployment). I might be wrong, but it’s my implicit understanding that the Forefront TMG MBE firewall is only supported in the configuration created by the EBS installer. If you do things to marginalize the EBS and TMG’s security posture, then you’re likely going outside of a supported configuration.
======================================================
Just a reminder — friends don’t let friends deploy ISA or TMG firewalls in hork mode
Think of your ISA or TMG firewall as a Polar Bear who wants to protect you
HTH,
Tom
One of the greatest mysteries facing mankind in the 21st century is ISA firewall policy storage.
Yes, we knew Standard Edition policy was stored only in the local Registry and Enterprise Edition stored policy in the CSS and copied it to the local Registry — but that was about all we knew. Sure, we could play around with some scripts and “make things happen”, but did we really know what was going on “under the hood”? No.
Jim Harrison has come out with an article on some of the basics of ISA firewall policy storage. Jim and the team come up with some interesting and useful conclusions:
- ISA Standard Edition has only one policy storage, so if policy storage updates or initial load fails, it cannot function.
- ISA Enterprise Edition can still perform as a firewall/proxy using the last known good policy in the registry even if CSS is not available. Only if this system-local copy fails to initialize properly will the firewall service enter lockdown for policy load failure.
- You cannot reverse-engineer the registry-based Enterprise Edition policies to CSS-format storage.
- In a disaster recovery situation, you cannot export the registry keys and import in a new system as an attempt to recreate the firewall policies.
- If you deploy a single CSS for your Enterprise firewall solution, you’re risking a complete Enterprise rebuild when (not if) that CSS fails. (bold highlight mine)
- If you use any method besides ISA Export / Import for disaster recovery, you risk losing data.
For the details, check out:
https://blogs.technet.com/isablog/archive/2008/10/...mments
HTH,
Tom
- Date - November 10th, 2008
- Category - News
Nice article by Chris Blankenship on how duplicate addresses on the network horked his hork mode firewall. Hey Chris! Great job in finding out the solution to the problem, but you need to get that ISA firewall fixed and bag the hork mode. The firewall is more secure than any other firewall on the market today, so why caponize it by deploying in hork mode?
Check out Chris’ article at:
http://www.dscoduc.com/post/2008/10/20/ISA-NLB-Tro...e.aspx
HTH,
Tom