Deb Shinder Blog: Archive by category 'News'

[STICKY] ISA Server News: ISA Server 2006 / 2004 / 2000 News and Updates

Check the News category to get the latest news and reports about ISA Server Universal Threat Management Firewalls.

Find out when patches, scripts, free tools and new versions are due for release. Stay informed about upcoming webcasts and seminars, and find links to reports on new security threats and malware and on how to configure ISA Server to protect and secure the corporate network.

Using Microsoft Forefront TMG 2010 as a Secure Web Gateway

Check out this great article on using TMG as a secure outbound Web proxy over at TechNet magazine:

http://technet.microsoft.com/en-us/magazine/ff4724...2.aspx

HTH,

Deb

DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)
“MS SECURITY”
dshinder@isaserver.org

UAG DirectAccess Dispels Common Networking Phobias

Before I took over this blog, Tom used to talk about DirectAccess a bit. If you go back into the archives on the blog site, you’ll see that Tom really liked the idea of DirectAccess, but was pretty concerned about the complexity. I can tell you that when the subject came up during dinner he often said “I hope MS didn’t come up with a way to ruin another great idea”.

Of course, that was before he joined Microsoft and started working with the UAG DirectAccess Anywhere Access Team. Turns out Tom was doing what happens all too often in this business: he read a little bit about the tech, decided it was too hard, and then essentially gave up on it and moved on. I guess that makes sense, since everyone is so very busy these days.

One thing that I have learned is that DirectAccess can actually be very simple to set up. After asking Tom for a little direction in terms of configuration guidance, I got it up and running pretty quickly, and nothing was that difficult or complicated. Now I can’t live without my DirectAccess connection to my office!

I think one of the things that makes people shy away from DirectAccess is the IPv6 component. They think they need to learn IPv6, and there is just too much work that needs to be done before going back to school to learn IPv6. In this regard I have some good news for all of you! You do not need to know a thing about IPv6 to get IPv6 going and working. How do I know that? Because I don’t know anything about IPv6 and I have a great DirectAccess deployment in my office.

For more information on how UAG DirectAccess can dispel IPv6-phobia, check out Tom’s article on his Edge Man blog at:

http://blogs.technet.com/tomshinder/archive/2010/0...6.aspx

HTH,

Deb


What Happened to FWENGMON

What happened to FWENGMON? You know, the tool we used to see what was going on with the ISA Firewall Engine.

It’s gone. Well, it’s still in ISA, but you won’t find it in your TMG firewall anywhere.

Where’d it go? It’s now part of the netsh command set!

What commands are available with the netsh version of FWENGMON?

Check it out:

netsh show all

netsh show allowedrange

netsh show connections

netsh show global

netsh show holdpackets

netsh show nlbhookrules

netsh show usermodepackets

For more information, check out Yuri Diogenes’s post over at:

http://blogs.technet.com/yuridiogenes/archive/2010...0.aspx

HTH,

Deb


UAG DirectAccess Forum Now Online

If you haven’t visited our online forums you’ve been missing out. We have over 52,000 registered users and over 280,000 posts on the forums page! Check out the forums at http://forums.isaserver.org

Tom asked me if I could get a new forum up on the site – this forum is dedicated to the UAG DirectAccess feature. I thought that was a great idea, since DirectAccess is the future of corporate remote access computing and we at ISAserver.org don’t want to get behind the curve on the DirectAccess train.

While the DA that comes with Windows is pretty good, the UAG DA is fantastic! If you are seriously thinking about deploying DA, you’re going to want to do it with UAG.

You can find the new UAG DirectAccess forum over at:

http://forums.isaserver.org/DirectAccess/forumid_8...tt.htm

Tom said he’s going to post UAG tips and tricks a few times a week on that forum. So, even if you don’t have any questions or problems with UAG DA, you can visit the forum to see what Tom’s “tip of the day” has to say.

HTH,

Deb


Understanding the Re-Injection Mechanism Improvement on Forefront TMG

“The firewall engine (fweng.sys) and firewall service (wspsrv.exe) share an implementation of the rules engine (the component that decides if the current policy allows the traffic or not). When matching traffic to policy rules, some aspects cannot be matched by the firewall engine because performing blocking operations is not allowed in the kernel-mode context of the firewall engine. Specifically, matching user identity (authentication) and performing reverse name lookups (name resolution) are both blocking operations (APIs which involve I/O) and therefore can’t be done by the firewall engine.

The operating system network stack does not allow the driver to “delay” a packet at this stage (kernel). What the driver actually does is copy the packet to its own memory, tell the OS network stack to drop the packet, and then ask the firewall service to determine what to do next with the packet. If the firewall service decides to let this traffic through, it creates all of the necessary objects, and then tells the firewall engine to inject this packet into the OS network stack (at the firewall hook), as if it has just arrived from the lower network layers. This mechanism is called the re-inject mechanism and here are some core definitions about this mechanism:

  • Re-injection is done only once for a session, when getting the TCP SYN, or first UDP (or ICMP) packet in a given session. For UDP and ICMP, a session means one minute of activity after the first packet.
  • Re-injection is also done if the protocol has an application filter, regardless of whether name resolution or authentications are needed.

As can be seen from this description, connection elements are created because there is an allowing policy rule (checked by either the driver or the service), or when there is a creation element. The former represents static rules configured by the administrator. The latter is a dynamic mechanism through which firewall service components can allow traffic that they anticipate. For example, the firewall service instructs the driver to create one creation element per published server. When a client attempts to connect to the published server, the creation element allows the creation of a new connection element for this connection…”
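To make the quoted description concrete, here is a small Python model of the decision path it describes: packets the kernel engine can judge on its own are allowed or dropped in place; packets whose rule needs user identity, a reverse name lookup, or an application filter are handed to the service and re-injected, and that happens only once per session (the TCP SYN, or the first UDP/ICMP packet, with UDP/ICMP sessions expiring after a minute of idle time). This is an added illustration written for this page, not Forefront TMG code; the rule fields, flow tuples, addresses and timestamps are constructed assumptions.

```python
"""Toy model of the TMG re-injection decision quoted above.

Constructed illustration, not Forefront TMG code: rule fields, flow
tuples, addresses and timing values are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UDP_ICMP_SESSION_SECONDS = 60.0  # "one minute of activity after the first packet"


@dataclass
class Rule:
    """Assumed rule shape for this model; TMG's real policy objects differ."""
    name: str
    protocol: str                        # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None       # None matches any port (ICMP has none)
    needs_user_identity: bool = False    # authentication: blocking, user mode only
    needs_reverse_lookup: bool = False   # reverse DNS: blocking, user mode only
    app_filter: Optional[str] = None     # protocol carries an application filter

    def needs_service(self) -> bool:
        # Any of these forces the driver to hand the packet to wspsrv.exe.
        return (self.needs_user_identity or self.needs_reverse_lookup
                or self.app_filter is not None)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int]
    time: float            # seconds; constructed timestamps
    tcp_syn: bool = False


@dataclass
class Engine:
    rules: List[Rule]
    sessions: Dict[Tuple, float] = field(default_factory=dict)  # key -> last activity
    reinjected: int = 0

    def _key(self, p: Packet) -> Tuple:
        return (p.src, p.dst, p.protocol, p.dst_port)

    def _match(self, p: Packet) -> Optional[Rule]:
        for r in self.rules:
            if r.protocol == p.protocol and r.dst_port in (None, p.dst_port):
                return r
        return None  # no allowing rule: this model treats that as deny

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        last = self.sessions.get(key)
        if p.protocol == "tcp":
            first = p.tcp_syn
        else:
            first = last is None or p.time - last > UDP_ICMP_SESSION_SECONDS
        if not first:
            if last is None:
                return "dropped-kernel"   # mid-stream packet with no connection element
            self.sessions[key] = p.time
            return "kernel-fastpath"      # existing connection element, no policy work
        rule = self._match(p)
        if rule is None:
            return "dropped-kernel"
        self.sessions[key] = p.time
        if rule.needs_service():
            # Driver copies the packet, the OS stack drops it, the service decides,
            # then the driver re-injects it at the firewall hook. Once per session.
            self.reinjected += 1
            return "reinjected"
        return "allowed-kernel"


def run_demo() -> Tuple[List[str], int]:
    """Constructed traffic against constructed rules; returns verdicts and re-inject count."""
    eng = Engine(rules=[
        Rule("web-authenticated", "tcp", 80, needs_user_identity=True),
        Rule("dns-anonymous", "udp", 53),
        Rule("ntp-by-name", "udp", 123, needs_reverse_lookup=True),
        Rule("ftp", "tcp", 21, app_filter="FTP"),
    ])
    flow = [
        Packet("10.0.0.5", "10.0.0.1", "tcp", 80, 0.0, tcp_syn=True),  # SYN, auth rule
        Packet("10.0.0.5", "10.0.0.1", "tcp", 80, 0.5),                # same session
        Packet("10.0.0.6", "10.0.0.1", "tcp", 80, 1.0),                # no SYN, no session
        Packet("10.0.0.5", "10.0.0.2", "udp", 53, 2.0),                # kernel can decide
        Packet("10.0.0.5", "10.0.0.2", "udp", 53, 30.0),               # within the minute
        Packet("10.0.0.5", "10.0.0.4", "udp", 123, 0.0),               # reverse lookup needed
        Packet("10.0.0.5", "10.0.0.4", "udp", 123, 50.0),              # still the same session
        Packet("10.0.0.5", "10.0.0.4", "udp", 123, 130.0),             # >60 s idle: new session
        Packet("10.0.0.5", "10.0.0.3", "tcp", 21, 3.0, tcp_syn=True),  # app filter forces it
    ]
    verdicts = [eng.handle(p) for p in flow]
    return verdicts, eng.reinjected


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

The practical point for an administrator is visible in the model: every rule that needs authentication, a reverse lookup, or an application filter costs a user-mode round trip at the start of each session, so anonymous rules keyed on addresses and ports stay entirely in the kernel, while the same traffic under an authenticated rule goes through the service once per session and then rides the connection element.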

Head on over to http://technet.microsoft.com/en-us/library/ff432667.aspx for the rest of the story!

HTH,

Deb


Forefront Edge Content Newsletter March 2010

Cool! The Forefront Edge Team has put together a nice newsletter on what’s going on with Forefront Edge products, technologies and documentation. There is even some coverage of the recent Forefront MVP get together during the World Wide MVP Summit.

Check it out at:

http://blogs.technet.com/edgeaccessblog/archive/20...r.aspx

HTH,

Deb


Why Split Tunneling Isn’t an Issue in DirectAccess

I remember way back when I was working with Windows 95 clients and playing with the VPN capabilities included with that system. I don’t remember if VPN came with Windows 95 at RTM – I think that was a feature added well after the RTM release. I would play with connecting it to Windows NT, and it worked great. Even connected it to the Internet. That’s when I learned about split tunneling.

Back in Windows 95 days, split tunnel was an issue that you had to be aware of for your VPN clients, since it included the possibility of routing between networks. However, that hasn’t been an issue for quite a while for Windows client operating systems.

However, in terms of DirectAccess, it’s even less of an issue. One thing that people need to keep in mind is that DirectAccess is not a VPN solution, and doesn’t work like a VPN. I know that Tom had written some articles about how DA was MS’s new VPN solution, but I don’t think he fully understood the underpinnings of DA and how DA works. I’m confident now that he doesn’t believe that DA is a VPN solution :)

In fact, Tom has done a nice piece regarding DA split tunneling and how it’s not a security issue on his “Edge Man” blog site. I’m not sure I like that name, but he likes it, so he can keep it for now ;)

Check out Tom’s article over at:

http://blogs.technet.com/tomshinder/archive/2010/0...s.aspx

HTH,

Deb


Tweaking DirectAccess Group Policy Objects

A lot of the magic that goes into making DirectAccess with UAG (and even with Windows) work comes from the dozens of settings that are enabled through Group Policy Object settings. Group Policy is responsible for configuring the UAG DA server, the DA clients and the servers that are in the group enabled for end-to-end security.

Ben Bernstein wrote a recent blog post that describes how you can customize the Group Policy deployment scripts that are created by the UAG DA wizard. These customizations will allow you to do two things that you can’t do in the wizard right now.

These are:

  • Configuring GPO settings in a GPO you’ve already created, instead of one created by the DA Wizard – you can then link this GPO to an OU of your choice, instead of having the GPO linked to the root of the domain and using security filtering
  • Enabling a “manage out” scenario only. “Manage out” is a term that the UAG team uses to describe remote management only for DA clients. That allows IT to manage the DA clients using their existing network management and control tools, but doesn’t allow DA clients to connect to the network over the intranet tunnel

To make these changes, you’ll need to run the UAG DA wizard and then save the PowerShell script. Then you’ll need to make some edits to the script.

Check out the details on the UAG Team blog over at:

http://blogs.technet.com/edgeaccessblog/archive/20...s.aspx

HTH,

Deb


TMG in Common Criteria Evaluation

Like its predecessors, the TMG firewall is now in Common Criteria evaluation.

You can check out the details over at:

http://blogs.technet.com/isablog/archive/2010/02/2...n.aspx

HTH,

Deb
