Deb Shinder Blog RSS


ISA Central: Top Source on ISA Server Universal Threat Management Firewall

The ISA Central category is where administrators can get inside information about ISA Server Universal Threat Management firewalls.

Topics include how to manage, deploy, and troubleshoot ISA Server as a network firewall, Web proxy/Web cache, remote access VPN server and VPN gateway to provide a high level of network security for all corporate computers. We regularly discuss issues in using ISA firewalls to protect Microsoft Exchange Server and SharePoint Portal Server.

UAG DirectAccess Dispels Common Networking Phobias

Before I took over this blog, Tom used to talk about DirectAccess a bit. If you go back into the archives on the blog site, you’ll see that Tom really liked the idea of DirectAccess, but was pretty concerned about the complexity. I can tell you that when the subject came up during dinner, he often said “I hope MS didn’t come up with a way to ruin another great idea”.

Of course, that was before he joined Microsoft and started working with the UAG DirectAccess Anywhere Access Team. Turns out Tom was doing and saying stuff that happens all too often in this business: he read a little bit about the tech, decided it was too hard, and then essentially gave up on it and moved on. I guess that makes sense, since everyone is so very busy these days.

One thing that I have learned is that DirectAccess can actually be very simple to set up. After asking Tom for a little direction in terms of configuration guidance, I got it up and running pretty quickly, and nothing was that difficult or complicated. Now I can’t live without my DirectAccess connection to my office!

I think one of the things that makes people shy away from DirectAccess is the IPv6 component. They think they need to learn IPv6, and there is just too much work that needs to be done before going back to school to learn IPv6. In this regard I have some good news for all of you! You do not need to know a thing about IPv6 to get IPv6 going and working. How do I know that? Because I don’t know anything about IPv6 and I have a great DirectAccess deployment in my office.

For more information on how UAG DirectAccess can dispel IPv6-phobia, check out Tom’s article on his Edge Man blog at:

http://blogs.technet.com/tomshinder/archive/2010/0...6.aspx

HTH,

Deb

DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)
“MS SECURITY”
dshinder@isaserver.org

What Happened to FWENGMON

What happened to FWENGMON? You know, the tool we used to see what was going on with the ISA Firewall Engine.

It’s gone. Well, it’s still in ISA, but you won’t find it in your TMG firewall anywhere.

Where’d it go? It’s now part of the netsh command set!

What commands are available with the netsh version of FWENGMON?

Check it out:

  • netsh show all
  • netsh show allowedrange
  • netsh show connections
  • netsh show global
  • netsh show holdpackets
  • netsh show nlbhookrules
  • netsh show usermodepackets

For more information, check out Yuri Diogenes’s post over at:

http://blogs.technet.com/yuridiogenes/archive/2010...0.aspx

HTH,

Deb


UAG DirectAccess Forum Now Online

If you haven’t visited our online forums you’ve been missing out. We have over 52,000 registered users and over 280,000 posts on the forums page! Check out the forums at http://forums.isaserver.org

Tom asked me if I could get a new forum up on the site – this forum is dedicated to the UAG DirectAccess feature. I thought that was a great idea, since DirectAccess is the future of corporate remote access computing and we at ISAserver.org don’t want to get behind the curve on the DirectAccess train.

While DA that comes with Windows is pretty good, the UAG DA is fantastic! If you are seriously thinking about deploying DA, you’re going to want to do it with UAG.

You can find the new UAG DirectAccess forum over at:

http://forums.isaserver.org/DirectAccess/forumid_8...tt.htm

Tom said he’s going to post UAG tips and tricks a few times a week on that forum. So, even if you don’t have any questions or problems with UAG DA, you can visit the forum to see what Tom’s “tip of the day” has to say.

HTH,

Deb


Tweaking DirectAccess Group Policy Objects

A lot of the magic that goes into making DirectAccess with UAG (and even with Windows) work is the dozens of settings that are enabled through Group Policy Object settings. Group Policy is responsible for configuring the UAG DA server, the DA clients, and the servers in the group that is enabled for end-to-end security.

Ben Bernstein wrote a recent blog post that describes how you can customize the Group Policy deployment scripts that are created by the UAG DA wizard. These customizations will allow you to do two things that you can’t do in the wizard right now.

These are:

  • Configure GPO settings in a GPO you’ve already created, instead of one created by the DA Wizard. You can then link this GPO to an OU of your choice, instead of having the GPO linked to the root of the domain and relying on security filtering.
  • Enable a “manage out” scenario only. “Manage out” is a term the UAG team uses to describe remote management only for DA clients. It allows IT to manage the DA clients using their existing network management and control tools, but does not allow DA clients to connect to the network over the intranet tunnel.

To make these changes, you’ll need to run the UAG DA wizard and then save the PowerShell script. Then you’ll need to make some edits to the script.

Check out the details on the UAG Team blog over at:

http://blogs.technet.com/edgeaccessblog/archive/20...s.aspx

HTH,

Deb


TMG in Common Criteria Evaluation

Like its predecessors, the TMG firewall is now in Common Criteria evaluation.

You can check out the details over at:

http://blogs.technet.com/isablog/archive/2010/02/2...n.aspx

HTH,

Deb


Ten Things You Need to Know About DirectAccess

As you can imagine, the tech talk in our home gets pretty interesting at times. For years the talk centered around ISA and then TMG firewalls. Of course we still love our ISA and TMG firewalls, but from listening to Tom talk, it sounds like the Forefront Unified Access Gateway has a bright future. Since I like bright and shiny things as much as the next gal, I figured I should get up to speed on UAG.

While I don’t consider myself a UAG expert (yet), I can say that it’s clear from what I’ve studied and from what Tom says that DirectAccess is the UAG deployment scenario that will make the most difference in any organization. DirectAccess (DA) is something that can revolutionize the way your company does remote access computing – and make your employees more productive, from anywhere.

How do I know? First, I see Tom using it every day when he remains connected to the Microsoft corporate network all day using DirectAccess – then I listened to him rave about DirectAccess during his recent trip to the MVP conference. He said DA connected him to the MS corpnet when he was at DFW, then when he was at SEA, and then when he was at the hotel. When he got on the MS campus, he connected to the MS wireless network and DA turned itself off. What did he have to do to make this happen?

NOTHING. It just worked.

But that’s Tom and Microsoft. I only believe things that I can make work. So I took the information from the UAG DA Deployment Guide and, with a little advice from Tom, set up DA on my own office network. It works! Now when I leave to go to a meeting, attend a conference, or travel out of town to see relatives and friends, I’m always connected to my office – with access to the terabytes of personal and professional information I’ve gathered over the last twenty years at my fingertips, without having to do anything other than turn on the computer and log on.

This got me to thinking about writing an article about DirectAccess for TechRepublic. The article is titled 10 Things You Should Know About DirectAccess. That article covers DA in general. I also did another one called 10 things you should know about UAG and DA, which should be published in a week or two. I figured I should share some interesting things you should know about DA in general before telling you about the wonderful things that UAG DA does (I deployed UAG DA in my office).

Check out the article at:

http://downloads.techrepublic.com.com/abstract.asp...582705

HTH,

Deb


Tom Shinder Posts on DirectAccess on New TechNet Blog

Hey! I just wanted to let you know Tom has started a new blog on the Microsoft TechNet blogger site.

Check out his first article:

Why Microsoft DirectAccess Represents a Real Paradigm Shift

at:

http://blogs.technet.com/tomshinder/archive/2010/0...t.aspx

HTH,

Deb


Microsoft DirectAccess Connectivity Assistant

The Microsoft DirectAccess Connectivity Assistant (DCA) helps organizations reduce the cost of supporting DirectAccess users and significantly improve their connectivity experience. This Solution Accelerator is part of the Windows® Optimized Desktop Toolkit 2010 (WODT 2010).

DCA informs mobile users of their connectivity status at all times; provides tools to help them reconnect on their own if problems arise; and creates diagnostics to help mobile users provide IT staff with key information if necessary—all to help customers operate with more efficiency, and at a lower cost.

DCA is the newest addition to the Windows® Optimized Desktop Toolkit 2010, which is designed to help IT pros plan, deliver, and operate the right desktop technologies for users across their organization.

The download includes the following components:

  • Microsoft_DirectAccess_Connectivity_Assistant.zip
  • Microsoft_DirectAccess_Connectivity_Assistant_x32.msi
  • Microsoft_DirectAccess_Connectivity_Assistant_x64.msi
  • Microsoft_DirectAccess_Connectivity_Assistant_DeploymentGuide.docx
  • Microsoft_DirectAccess_Connectivity_Assistant_Release_Notes.en.htm
  • DirectAccess Connectivity Assistant GP.admx
  • DirectAccess Connectivity Assistant GP.adml

HTH,

Deb


Configuring Routing Table Entries in the TMG Firewall

With the ISA firewall, you could add and remove routing table entries using the Route Add and Route Delete commands. We’ve been doing it that way for years and years – it’s tried and true, we know how it works, and it always (almost) does what it’s supposed to do.

So what’s up with the TMG firewall? Have you found that you added a routing table entry during setup, and then wanted to remove that route? Did you notice that when you used Route Delete, the route still showed up in the routing table?

Whoa.

What’s up with that is that on TMG you need to use the TMG firewall console (both MBE and 2010) to make routing changes.

Check out the Forefront TMG firewall team blog for details over at:

https://blogs.technet.com/isablog/archive/2010/02/...g.aspx

HTH,

Deb
