Thomas Shinder Blog RSS


Duplicate Authentication Requests when Connecting to Published SharePoint Sites

A common problem with publishing SharePoint sites is the constant authentication prompts you get when working with SharePoint information and Office applications. I think just about every ISA firewall admin who’s published a SharePoint site has run into this problem.

The problem is related to cookie handling. The key is to change the form settings to use persistent cookies. The problem is that there are security implications to this decision.

Check out Philipp Sand’s article on this subject, where he explains the issues and the implications of your possible decisions, at:

https://blogs.technet.com/isablog/archive/2009/06/...a.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

TMG Network Inspection System

Previous versions of the ISA firewall had a rudimentary intrusion detection and prevention system, mostly based on network layer attacks that were popular in the 1990s. For industrial strength IDS/IPS, you had to look somewhere else.

With the introduction of the TMG firewall, a new and vastly improved IDS/IPS is included. This is known as the Network Inspection System (NIS). The NIS is based on the Generic Application Protocol Analyzer (GAPA), which is able to intercept packets in the datastream and evaluate whether they contain potential threats. NIS is a signature based product and is focused primarily on preventing known exploits in Microsoft products.

NIS right now can inspect a number of application layer protocols, such as SMTP, IMAP, POP3, and RPC. The current focus and goal of NIS is to buy the network admin time for updating. Often security and other updates can’t be applied until testing takes place, so there’s a lag between the time a vulnerability becomes known and the time an update is released, and then there’s time between when the update is released and when it’s applied.

In order to reduce your exposure during these two windows of vulnerability, you can take advantage of the TMG NIS. Since Microsoft has intimate knowledge regarding security issues with their products, they’ll be able to send out updates to the NIS before a fix is released, or after a fix is released but before you have time to roll it out.

Attackers won’t be able to reverse engineer the information in the signatures in an attempt to create an exploit, since the signatures are encrypted. At this time you can’t create your own signatures, but this is something that might be possible in the future.

There’s not much to configuring the TMG NIS. You either enable the system or you don’t, and then you configure what actions you want TMG to take when NIS detects a problem. Or, most likely, you’ll do what I do and just go with the Microsoft default settings for each signature, with some of them set to detect and report mode and some of them configured to block the dangerous communications.

If you want more information about NIS and how to configure it, check out this blog post by Moshe Golan on the TMG Firewall Team blog site over at https://blogs.technet.com/isablog/archive/2009/06/...s.aspx

HTH,

Tom


TMG SCOM-Pack – Monitor TMG with System Center 2007 R2

One of the reasons to consider a TMG firewall is the ability to integrate the firewall with the rest of your management infrastructure. The concept of managing security under a “single pane of glass” has caught on, as the industry is recognizing that using multiple consoles from multiple vendors with different interface models introduces high overhead in terms of IT training and maintenance.

Think about it – why should your firewall, your SSL VPN gateway, your enterprise anti-malware, your email anti-malware, and your collaboration anti-malware all use different types of console and use different methods for displaying information and alerts? It never made sense to me, but then it was our only option.

System Center Operations Manager has the ability to provide you that single pane of glass that gives you insight into what’s happening throughout your physical, virtual, security, email, and collaboration infrastructure. In addition, if you have an Intel vPro enabled client deployment, you have advanced control over client power states and the ability to perform remote management using an out of band connection, so that even if client systems can’t boot into the operating system or have failed hard disks, you can still get to those machines. In addition, key auditing information is stored on a chip on the motherboard, so you don’t have to depend on the OS for critical accounting of your hardware.

If you’re not into System Center Operations Manager, it’s worth a look. The setup and configuration isn’t too complex, and the insight you’ll gain into your environment will amaze you. And now with the recent release of a SCOM pack for TMG, you’ll be able to tightly weave your edge security deployment into your well managed infrastructure.

For more information about the SCOM pack for TMG, check out a great article by Gabriel Koren over at the TMG firewall team blog at:

https://blogs.technet.com/isablog/archive/2009/06/...2.aspx

HTH,

Tom


Bing Safe Search, ISA Server and Forefront TMG

If you haven’t had a chance to test out Microsoft’s new search engine – Bing – then today’s a good day to start. I never thought I’d use anything but Google for Internet search, but since Microsoft released Bing a couple of weeks ago, I’ve been using Bing as my first search engine and then falling back on Google if I don’t find what I need.

It’s pretty nice and you should give it a try and see how it works for you.

One issue that put Bing on the map is the preview feature for videos. It was reported (and confirmed by me) that if you search for “certain” terms, you can put together a nice library of 30 second salacious videos. Not exactly something you want available to your firm’s employees :)

Is there a way you can leverage your ISA or TMG firewall investment to control user access to this Bing “feature”? You bet!

Check out this article by Jim Harrison, who provides all the step-by-steps to get the job done:

https://blogs.technet.com/isablog/archive/2009/06/...g.aspx

HTH,

Tom


Unified Access Gateway (UAG) Means DirectAccess

If you haven’t heard of DirectAccess, then now is a great time to start to get to know it. DirectAccess is a new remote access technology (some might even consider it a VPN technology, but that depends on your definition of virtual private networking) that is available when you pair Windows 7 clients with Windows Server 2008 R2.

DirectAccess allows your Windows 7 clients to connect to the corporate network when the machine starts up. Users do not need to log onto the machine – the VPN connection is established automatically on machine startup. Once the machine connects to the DirectAccess server, the machine can be accessed by your network management infrastructure. This allows you to have external devices managed to the extent that your internal machines are managed. And when the user logs on, that user will be exposed to your NAP infrastructure, so that these machines have their health status checked in the same way as your corpnet clients.

DirectAccess allows you to extend your domain to clients located anywhere in the world. However, DirectAccess is highly dependent on IPv6. The problem is that it’s pretty unlikely for the foreseeable future that your clients are going to be connected to an IPv6 Internet. To solve this problem, Windows 7 can use a number of IPv6 transition technologies to connect to the DirectAccess server. In most cases the transport is going to be over an HTTPS connection, where the IPsec and IPv6 communications are tunneled over HTTPS.

But there’s a problem. Actually, there are a lot of problems. DirectAccess introduces a number of challenges that many network admins might not be able to meet at this time:

  • The DirectAccess server needs to have a public address, which means putting it at the edge of your network in most cases
  • DirectAccess requires that your servers and services on the corporate network support IPv6 – this is unlikely to be the case for the majority of networks in service today
  • DirectAccess depends on complex Group Policy and Windows Firewall configuration settings, which are typically deployed via Group Policy
  • High availability is problematic, with current HA solutions for DirectAccess being less than optimal

So does that mean that DirectAccess is going to die on the vine due to high complexity and hard to meet requirements?

Not necessarily. The value provided by DirectAccess is very high, and therefore some organizations will be willing to eat the costs of ramping up their IT staff with the knowledge they need to understand the solution, understand the underlying IPv6 technologies and understand what it takes to integrate a native IPv6 solution with today’s predominantly IPv4 intranets. It will take a lot of corporate resources and IT investments in time and money to get it working.

What about the rest of us? Time is money, and time spent trying to get up to speed on DirectAccess is time lost on other pressing projects that are currently making the company money, or at least keeping the company above water during these tough economic times. Is there a complete DirectAccess solution that provides everything we need, right out of the box, so that we can cut down on expensive hours of training and trial and error?

I think there is. In a recent blog post on the UAG Team Blog, Nitzan Daube revealed that Microsoft intends to make the upcoming UAG a complete DirectAccess solution that combines many enabling technologies required to get DirectAccess to work on the edge of your network.

Consider these facts about the UAG:

  • Since UAG runs on top of the TMG firewall, you can safely put it at the edge of your network, so you don’t have to worry about putting another firewall in front of the UAG
  • UAG includes on the box support for NAT64 (NAT 6 to 4 or NAT-PT) and DNS64 (DNS 6 to 4 or DNS-ALG) to simplify access to IPv4 servers on the corporate network
  • UAG includes enhancements to the Windows NLB network load balancing protocol to provide high availability for your DirectAccess servers (which are located on box with the UAG) in a way you can’t do without the UAG
  • Built-in wizards that set up, configure and activate your DirectAccess solution so that you don’t have to wade through reams of Windows Server 2008 R2 and Windows 7 documentation just to get started
  • Automatic configuration of Group Policy settings so that you don’t have to go through the complex process of configuring these yourself in the Group Policy Management console

There are other advantages to using the UAG as your DirectAccess server solution, but we’ll save those for when the UAG beta is released to the public in the near future. Until then, if you’re considering a DirectAccess deployment, you should consider UAG your first priority in planning your future DirectAccess scheme.

HTH,

Tom


The End of PPTP and L2TP IPsec VPN Networking in Windows

“This is the end
Beautiful friend
This is the end
My only friend, the end
Of our elaborate plans, the end
Of everything that stands, the end
No safety or surprise, the end
I’ll never look into your eyes…again…”

http://blogs.technet.com/rrasblog/archive/2009/02/...7.aspx

OK, maybe a little melodramatic, but this blog post really seemed to come out of left field. Actually, it’s not as bad as you might think it is. The RRAS team just wants to know what the community thinks of removing PPTP and L2TP/IPsec support for operating systems after Windows 7 and Windows Server 2008 R2.

Microsoft clients starting with Windows Vista SP1 support the SSTP VPN protocol, which is superior to PPTP and L2TP/IPsec in terms of usability. Users can be located anywhere, behind NAT and Web proxies, and still connect – not something you see with PPTP and L2TP/IPsec all the time. In addition, beginning with Windows 7, you’ll have access to VPN Reconnect, which is a new VPN protocol that uses IKEv2.

There are some problems with dropping support for these legacy VPN protocols that will need to be solved or addressed:

  • What about non-Windows clients? Will Microsoft create VPN clients that will support SSTP and IKEv2 VPN Reconnect?
  • What about site to site VPNs? Neither IKEv2 (as far as I know) nor SSTP are enabled for site to site VPN configuration or support
  • What about site to site VPN connections to Windows Server 2008 R2 and earlier? I expect to see these VPN gateways still being in place for at least the next 5-8 years. If future versions of RRAS remove support for PPTP or L2TP/IPsec, there will need to be some sort of back port of the new site to site VPN protocols at least for Windows Server 2008
  • Since ISA and TMG leverage RRAS for VPN connections, updates to at least TMG will need to be made to support the new site to site VPN protocols

None of these issues are insurmountable. However, it might be better to wait a little longer before retiring these protocols, and let the community know long in advance that this is going to happen, so plans can be made.

HTH,

Tom


The Changing of the Guard for Microsoft Remote Access - UAG

Meir Mendelovich, a Senior Program Manager in the Microsoft UAG product group, posted an important blog post last week regarding the future of Microsoft remote access. You can check out Meir’s blog post over at:

http://blogs.technet.com/edgeaccessblog/archive/20...e.aspx

From that post, it’s become clear to me that Microsoft intends the next version of IAG to be the one-stop shop for all remote access to network resources, especially remote access to Microsoft networks. The next version of IAG isn’t coincidentally named “Unified Access Gateway” – it was named that because of its intended purpose: to provide a single remote access gateway that consolidates almost all of Microsoft’s remote access technologies.

This creates an interesting conundrum for the current ISA or TMG firewall administrator. For the last decade, we considered the best way to enable remote access to internal resources to be through Web Publishing, Server Publishing or network level VPN using PPTP, L2TP/IPsec or SSTP (SSTP if you’re using a TMG firewall). All of these methods enabled both stateful packet and application layer inspection, with Web Publishing and VPN access allowing you to enforce strong user/group granular access controls.

WHAT HAPPENED TO IAG?

Of course, IAG has been out there for the last couple of years. The problem IAG had was that while it should have been a major player in the Microsoft remote access community and supplanted the ISA or TMG firewall’s remote access schemes, it failed to meet its potential, at least among the ISA or TMG firewall crowd, because there was no software-only version available.

Sure, there was a trial .vhd you could download and test, but the only way you could purchase IAG, at least until SP2, was to buy a hardware appliance. While this approach works very well for other vendors, Microsoft admins like to install things themselves, kick the tires, customize the configuration and give things a good strong workout before committing themselves to a new technology purchase. Microsoft admins aren’t so trusting of the “black box” approach used by hardware appliance vendors. Unfortunately for IAG, the .vhd trial download and purchase option came too late.

In contrast, UAG will soon be available for beta testing in a number of formats, including software installation, trial .vhd and hardware appliance. This gives UAG a significant advantage over IAG right from the start. In addition, UAG will have profound usability improvements that address some of the more problematic issues exposed during an IAG deployment.

CHANGING OF THE GUARD FOR MICROSOFT REMOTE ACCESS

But the key issue here for ISA and TMG firewall administrators is the entire issue of remote access. With the introduction of UAG as a unified remote access gateway that consolidates almost all of Microsoft remote access technologies, the playing field will change.

For remote access scenarios, the decision making process regarding what to use for inbound access will change and shift toward a UAG solution. Some of the reasons for this include:

  • UAG will be a more secure reverse proxy solution than TMG
  • UAG will make configuring secure remote access to both Microsoft and non-Microsoft resources easier than TMG, and provide a much larger collection of authentication options
  • UAG will be a complete DirectAccess solution. TMG might be able to support DirectAccess to a certain extent, but it will be far from a complete solution. If you haven’t seen the infinite number of moving parts in a DirectAccess infrastructure, you might not appreciate this yet. If you have, then you already know. The fact is that UAG will enable you to get DirectAccess working in a fraction of the time it would take to get a fully working solution without it.
  • UAG will enable high availability scenarios for DirectAccess that aren’t really possible without it. I can’t share with you the details of how this is implemented at this time, but when you find out, you’ll realize that DirectAccess without UAG is like peanut butter without chocolate.
  • UAG will provide network layer SSL VPN connectivity to all Windows clients – not just Vista SP1 and above (which are the only ones that support SSTP)
  • UAG provides sophisticated endpoint detection right out of the box for all SSL VPN reverse proxy scenarios. TMG does not do this for reverse proxy. UAG can use either its built-in endpoint detection or leverage an existing NAP infrastructure. In contrast, TMG supports NAP or remote access VPN quarantine only for network level VPN connections over PPTP, L2TP/IPsec or SSTP.

TMG INVESTMENTS ARE IN THE UTM SPACE

If you look closely at TMG beta 3, you’ll notice that no major investments were made in the reverse Web proxy component, and the only two major investments in inbound access (and ones we highly appreciate!) are SSTP support in TMG VPN networking and enhanced NAT to support SMTP server publishing.

Why? Most likely the reason for this is that UAG is the target of Microsoft efforts at providing fast, stable, secure and reliable anytime, anywhere access to Web resources over the Internet.

None of this is meant to denigrate TMG. In fact, I think the TMG firewall is one of the most impressive efforts I’ve ever seen come out of Microsoft. The issue here is remote access. TMG has made major investments in IPS/IDS, outbound SSL inspection, Web protection with integrated anti-malware, advancements in ease of setup and maintenance, improved troubleshooting tools, new reports, and enhancements to the firewall engine and services that comprise the firewall core to improve performance and security. What’s clear is that TMG is moving forward as a Unified Threat Management (UTM) solution whose purpose is to secure your network in outbound access scenarios.

For inbound access, you need to start looking at the UAG.

That’s not to say that you can’t use Web Publishing, Server Publishing and network layer VPNs with TMG. However, TMG is not going to be the best option – it won’t be the easiest to use solution for remote access scenarios, it won’t be the most secure solution for remote access scenarios, and it won’t provide the single point of visibility and control for all of your remote access connections, which, going forward, include DirectAccess.

UAG AND TMG AT ISASERVER.ORG

That’s why you’ll see some changes at ISAserver.org in the coming months. We’ll be doing a good number of articles on UAG, starting soon after UAG’s beta release. When the focus is on remote access, we’ll focus the content on UAG. When the focus is on outbound access, we’ll focus on the TMG. Our goal, as always, is to promote security best practices and this UAG/TMG division of labor helps us continue in that direction.

So, look forward to lots of new material this year in both the UAG and TMG spaces. One thing’s for certain, things are getting better and better for the Microsoft edge network admin!

HTH,

Tom


Excluding Users from URL Filtering in TMG Beta 3

There are a lot of new goodies included in the Beta 3 version of the upcoming TMG firewall and we’ll cover them in detail here at ISAserver.org in the coming months. However, if you want a quick look at what we think are the best and the brightest new features and capabilities included in the beta 3, then make sure you subscribe to our newsletter. I’ll cover these in the next edition which should be released sometime next week.

You can sign up for the newsletter at:

http://isaserver.org/pages/newsletter.asp

One of the most important new features is the reintroduction of Web Filtering, a feature that was included in previous betas but removed during beta 2, which scared a lot of TMG firewall fans into thinking that maybe this feature wouldn’t return.

No worries! URL filtering is back and it’s great. We’ll talk more about this feature in the future, but if you’re already playing with this feature, you might want to know how to “opt out” users from this feature. After all, as the TMG firewall admin, you certainly don’t want to be limited by URL filtering :)

Check out this article by Gershon Levitz to see how you can exclude users from URL filtering.

https://blogs.technet.com/isablog/archive/2009/06/17/how-to-exclude-specific-computers-from-url-filtering.aspx

HTH,

Tom


TMG Beta 3 Introduces SSTP Remote Access VPN

Yuri Diogenes reminds us that SSTP is now available with the Beta 3 version of the TMG firewall in his blog post over at http://blogs.technet.com/yuridiogenes/archive/2009...y.aspx

SSTP (Secure Socket Tunneling Protocol) is a great addition to the TMG firewall’s suite of VPN protocols. The TMG firewall now supports three VPN protocols for remote access client VPN connections. These are:

  • PPTP (Point to Point Tunneling Protocol)
  • L2TP/IPsec (Layer 2 Tunneling Protocol over IPsec)
  • SSTP (Secure Socket Tunneling Protocol)

PPTP and L2TP/IPsec can be used for both remote access client VPN and site to site VPN connections. In contrast, SSTP can only be used for remote access VPN client connections.

SSTP is essentially PPP over an SSL encrypted HTTP connection. This allows your users to be behind virtually any firewall or Web proxy and connect to your TMG firewall’s remote access client VPN server. This is going to significantly reduce the number of help desk calls from your users.

Even more importantly, you can graciously dump your very expensive Cisco, Check Point or Juniper SSL VPN solution and take advantage of the security and reliability of SSTP while paying commodity prices. You won’t have to take out a second mortgage to pay Cisco, and the money you save might be the money needed to keep your job in these tough economic times.

SSTP is flexible, reliable and cost-effective, but it’s also a tricky little guy. You need to be on your toes when planning and configuring SSTP. Here are some things you need to keep in mind when configuring your TMG firewall to support SSTP:

  • You need to publish your CRL if you’re going to use a private CA to generate your machine certificates. SSTP requires that you create a Web Listener and bind a Web site certificate to the Listener. If you used an internal CA, you need to make sure that the client can reach that CA or the URL included in the AIA on the certificate
  • If you use a commercial certificate (not likely in most cases, since your VPN is a private connection, not something that should be accessible from the general public), then you don’t need to publish your CRL, as it will be available on the Internet
  • SSTP uses a Web Listener to accept the incoming SSL connections. This Web Listener must not pre-authenticate and cannot use a form. While the SSTP server is only listening for a single path when using this listener, the configuration of the Listener virtually guarantees that you won’t be using it for any Web Publishing Rule. The end result is that you’ll need to dedicate an IP address for your SSTP connection.

TMG has done a lot to make SSTP easier to configure, but it would have been a lot better if they would have integrated a CRL publishing wizard. Maybe in the next version of TMG?
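Since the first two points above come down to whether the SSTP client can reach the revocation URLs embedded in the Web Listener certificate, here is an added example (my own, not code from the post or from the TMG product) that inventories the CRL distribution point and AIA URLs of a certificate and flags the ones an Internet-based client has no way of reaching: LDAP distribution points, single-label intranet hostnames, and hostnames under private DNS suffixes. The certificate dicts are constructed samples with hypothetical hostnames (ca01, crl.example.com); the `fetch_peer_cert` helper pulls the live certificate from a listener with Python’s `ssl` module, whose `getpeercert()` dict uses the same `crlDistributionPoints`, `caIssuers` and `OCSP` keys. The list of private suffixes is an assumption you should extend for your own environment.

```python
# Added example (not from the post): inventory the CRL / AIA URLs on a Web
# Listener certificate and flag the ones an Internet-based SSTP client cannot reach.
import socket
import ssl
from urllib.parse import urlsplit

# DNS suffixes that only resolve on an intranet (assumption: extend for your environment)
PRIVATE_SUFFIXES = (".local", ".internal", ".lan", ".corp")


def revocation_urls(cert):
    """Collect CDP and AIA URLs from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return {"crl": list(cert.get("crlDistributionPoints", ())),
            "ca_issuers": list(cert.get("caIssuers", ())),
            "ocsp": list(cert.get("OCSP", ()))}


def classify_url(url):
    """Judge whether a client outside the corporate network can fetch this URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "ldap":
        return "ldap"           # LDAP CDPs need domain connectivity; useless on the Internet
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    if "." not in host:
        return "single-label"   # e.g. http://ca01/... relies on the intranet DNS suffix
    if host.endswith(PRIVATE_SUFFIXES):
        return "private-suffix"
    return "public"


def audit(cert):
    """Return a list of findings; an empty list means every URL looks reachable."""
    urls = revocation_urls(cert)
    findings = []
    if not urls["crl"] and not urls["ocsp"]:
        findings.append("no CRL distribution point or OCSP URL on the certificate")
    for kind, lst in urls.items():
        for url in lst:
            verdict = classify_url(url)
            if verdict != "public":
                findings.append(f"{kind}: {url} is {verdict}, unreachable from the Internet")
    return findings


def fetch_peer_cert(host, port=443):
    """Retrieve the live certificate from a listener (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical hostnames, not real issuers).
INTERNAL_CA_CERT = {
    "subject": ((("commonName", "sstp.example.com"),),),
    "crlDistributionPoints": (
        "ldap:///CN=Corp-CA,CN=ca01,CN=CDP,CN=Public Key Services,CN=Services,"
        "DC=corp,DC=local?certificateRevocationList",
        "http://ca01/CertEnroll/Corp-CA.crl",
    ),
    "caIssuers": ("http://ca01/CertEnroll/ca01_Corp-CA.crt",),
}
PUBLISHED_CERT = {
    "subject": ((("commonName", "sstp.example.com"),),),
    "crlDistributionPoints": ("http://crl.example.com/Corp-CA.crl",),
    "caIssuers": ("http://crl.example.com/Corp-CA.crt",),
}

if __name__ == "__main__":
    for name, cert in (("internal", INTERNAL_CA_CERT), ("published", PUBLISHED_CERT)):
        print(name, audit(cert) or ["no findings"])
```

Running it against the constructed samples reports three findings for the internal-CA certificate (the LDAP distribution point and the two single-label URLs) and none for the published one; against a live listener you would call `audit(fetch_peer_cert("your-sstp-host"))` and fix the certificate template or publish the CRL until the list comes back empty.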

For more information on SSTP troubleshooting, check out:

http://support.microsoft.com/kb/947031

HTH,

Tom


DNS Security Enhancements and Web Proxy Auto Discovery

I’ve talked about changes in how DNS works with updates to Windows Server 2003 and Windows Server 2008 as they relate to WPAD. The main reason I’ve brought this topic up in the past is that I got burned with strange WPAD failures.

Even when I had configured a WPAD Host (A) record on the Windows Server 2008 DNS server and configured the ISA firewall to publish autodiscovery information, the autodiscovery process failed. When troubleshooting the problem with NetMon 3.x, I found that the DNS server was responding with “server failure” messages, in spite of the fact that there was a WPAD entry in the domain.

Richard Hicks puts his own spin on this issue on his blog at http://tmgblog.richardhicks.com/2009/06/16/dns-sec...overy/

Take a read of Richard’s article and keep this issue in mind the next time your autodiscovery process fails. It just might be a DNS issue.
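To check for this without firing up NetMon, here is an added example (mine, not from the post or from Richard’s article) that builds a DNS A query for the WPAD host name, parses the reply and maps the RCODE to the case that matters: a SERVFAIL like the one described above, an NXDOMAIN, or a clean answer. The two response messages are constructed samples for `wpad.example.com`, not captured traffic; `query_wpad` sends the same query to a real server over UDP and is the function you would point at your own DNS server and domain.

```python
# Added example (not from the post): query a DNS server for the WPAD host name
# and report the response code, so a failing autodiscovery can be traced to DNS.
import random
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234):
    """Build a single-question DNS query (QCLASS IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_name(data, offset):
    """Read a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data):
    """Return the transaction id, RCODE and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                      # skip the echoed question section
        _, offset = parse_name(data, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = parse_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": addresses}


def diagnose(response):
    """Map a parsed response onto the cases that matter for autodiscovery."""
    if response["rcode"] == 0:
        return "ok" if response["answers"] else "no-a-record"
    return response["rcode_name"].lower()     # e.g. "servfail", "nxdomain"


def query_wpad(domain, server, timeout=3.0):
    """Send the query over UDP to a real DNS server (not used by the offline demo)."""
    q = build_query("wpad." + domain, txid=random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


def _constructed_response(flags, answers):
    """Build a response for wpad.example.com (constructed sample, not captured)."""
    question = build_query("wpad.example.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in answers)
    return header + question + rrs


# Constructed samples: the "server failure" the post describes, and a healthy answer.
SERVFAIL_RESPONSE = _constructed_response(0x8182, [])
GOOD_RESPONSE = _constructed_response(0x8180, ["10.0.0.5"])

if __name__ == "__main__":
    for label, data in (("servfail", SERVFAIL_RESPONSE), ("good", GOOD_RESPONSE)):
        r = parse_response(data)
        print(label, r["rcode_name"], r["answers"], "->", diagnose(r))
```

A `servfail` result with a WPAD record sitting right there in the zone is the symptom described above, and the place to look next is the DNS server rather than the firewall’s autodiscovery publishing; `no-a-record` or `nxdomain` points at the zone data instead.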

HTH,

Tom

