Here’s a great article by Richard Hicks on TMG firewall policy tips and tricks!
Definitely worth a read!
http://www.isaserver.org/tutorials/Forefront-TMG-2...s.html
HTH,
Deb
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)
“MS SECURITY”
dshinder@isaserver.org
Have you ever wanted to deploy DirectAccess behind a NAT? If you did, and you tried to use UAG, you were in for a big disappointment, because that scenario just wasn’t supported. So while you would have loved to have DirectAccess, there was no way you could meet the public IP address requirement.
The good news is that with Windows Server 2012 you can!
Check out this article by Richard Hicks, who gives you the details:
http://directaccess.richardhicks.com/2013/03/19/di...d-nat/
- Date - April 29th, 2013
- Category - News
The Release Candidate of ESET Gateway Security for Microsoft Forefront Threat Management Gateway has some known issues, which are documented on the ESET web site. If you’re running (or considering running) the RC beta, you’ll want to check these out so you’ll know what to expect:
http://kb.eset.com/esetkb/index?page=content&i...=en_US
- Date - April 29th, 2013
- Category - News
You’ve had time to work through the stages of grief: You can no longer deny that Microsoft really is discontinuing TMG. You’ve come to realize that being angry at the company for a business decision really doesn’t accomplish anything. You know there’s no use in trying to bargain with them to change their minds. You’ve gotten past the depressed feeling that you might never find another job after devoting a big chunk of your career to learning ISA/TMG.
Now comes the final step: acceptance of the inevitable. Part of acceptance is moving on with your life. In doing that, you might be looking at developing new skills to propel you into the next phase. And you might be considering getting new IT certifications toward that end.
Before you spend a lot of money on certification prep materials, be sure to check out this article by Ed Tittel, the king of IT Certs:
http://www.trainsignal.com/blog/it-certification-e...-scams
OTP support for DirectAccess is a nice feature included in the SP2 release of the UAG DirectAccess Server. However, in certain scenarios, the OTP process can go haywire and stop working and cause multiple OTP prompts. Not good!
Richard Hicks explains why this happens in his blog post at:
http://directaccess.richardhicks.com/2013/03/26/fo...ompts/
Fastvue TMG Reporter is a great reporting add-on for the TMG firewall. While the default logging and reporting tools are pretty nice, Fastvue gives you a complete solution that includes reports on just about anything you want to know, as long as that information is included in the TMG firewall’s log files.
If you want to know more about what’s new, check out Richard Hicks’ blog at:
http://tmgblog.richardhicks.com/
What’s time got to do with TMG firewalls? Well, think log files. If you don’t have accurate time on your TMG firewalls, the log files are not going to be accurate, and when you need to do forensics and correlate TMG log files with other log files on your network, you’re going to be in a world of hurt!
Configuring the time server is a bit of a pain, given that you need to go into the registry and set a bunch of keys.
The good news is that there is a “FixIt” for this!
Check it out at:
http://support.microsoft.com/kb/816042
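Whether you set the keys by hand or with the FixIt, you will want to verify the result. This is an added example, not part of the original post or KB 816042: it reads the W32Time registry keys the KB has you configure, checks that the NtpClient provider is on, and then asks w32tm for the live source and the measured offset against your reference server. The server name is a placeholder you replace with your own.

```powershell
# Added example (not from the original post or KB 816042): audit the W32Time
# settings that KB 816042 has you set in the registry, then measure clock offset.
# Assumptions: run on the TMG firewall with local admin rights; the expected
# NTP source below is a placeholder for your own internal or stratum-1 server.
$ExpectedNtpServer = 'time.example.internal'   # placeholder, replace with yours

$w32    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty -Path "$w32\Parameters"
$client = Get-ItemProperty -Path "$w32\TimeProviders\NtpClient"

$findings = @()

# Type: 'NTP' = manual peer list, 'NT5DS' = domain hierarchy, 'NoSync' = never corrected.
if ($params.Type -eq 'NoSync') {
    $findings += 'Type is NoSync: the clock is never corrected, so log timestamps will drift.'
}

# NtpServer: an entry such as "host,0x9" means client mode (0x8) plus SpecialPollInterval (0x1).
if ($params.Type -eq 'NTP' -and $params.NtpServer -notlike "$ExpectedNtpServer*") {
    $findings += "NtpServer is '$($params.NtpServer)', expected '$ExpectedNtpServer'."
}

# The NtpClient provider must be enabled or the peer list is ignored.
if ($client.Enabled -ne 1) {
    $findings += 'NtpClient provider is disabled.'
}

# Live picture from the service: which source is actually in use right now.
$status = w32tm /query /status 2>&1
$source = ($status | Select-String '^Source:').Line
$findings += "Live status: $source"

# stripchart measures the offset against the reference over a few samples;
# anything beyond a second or two makes cross-device log correlation unreliable.
$chart = w32tm /stripchart /computer:$ExpectedNtpServer /samples:3 /dataonly 2>&1
$chart | Select-Object -Last 3 | ForEach-Object { $findings += "Offset sample: $_" }

$findings
```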
Did you know that you can use RRAS in Windows Server 2012 to connect to Azure Virtual Networks?
Yes you can!
With the recent GA release of Windows Azure Infrastructure Services, you can use RRAS to connect your on-premises network to the Azure Virtual Network. They even provide you a script that will enable you to use PowerShell to configure the RRAS server.
However, if you’re nervous about using scripts for this function, you can use this great article by Shannon Fritz on how to connect your Windows Server 2012 RRAS server to the Azure Virtual Network.
Check it out on the Concurrency blog at:
http://blog.concurrency.com/featured-post/site-to-...-rras/
Here’s a great article by Microsoft MVP Shannon Fritz on what firewall exemptions you need to make to support SCCM remote control of DirectAccess clients.
Check it out on the Concurrency blog at:
http://blog.concurrency.com/featured-post/firewall...ients/
With TMG Firewall’s Service Pack 2 you could start using Kerberos authentication when using NLB. This wasn’t something you could do before. Part of the trick to making this work was to enable the TMG firewall service to run under a domain account.
However, you always need to consider unintended consequences. One unintended consequence of running the firewall service under a domain account relates to the account names that are used for SQL Server logging with the TMG firewall.
For more information on this issue and how to avoid problems, check out the TMG Team blog over at:
http://blogs.technet.com/b/isablog/archive/2013/04...r.aspx