Thomas Shinder Blog: Archive by category 'News'

Announcing: Forefront Threat Management Gateway, Medium Business Edition

The next version of the ISA firewall has been officially released! That’s right. The King is Dead, Long Live the King! There will be no more ISA firewalls in your future, but don’t fear. A new and more powerful ally will come to your side to protect your networks better than ever before. That new firewall is the Forefront Threat Management Gateway (Forefront TMG).

The first version of the Forefront TMG to hit the streets is in fact not a standalone product, but a key component of the integrated Essential Business Server suite of products. This version of the Forefront TMG firewall is called Forefront Threat Management Gateway, Medium Business Edition (Forefront TMG MBE). The Medium Business Edition of the Forefront TMG firewall is configured for you by the sophisticated installation wizard included with EBS. When installation is complete, the Forefront TMG firewall has all the Publishing and Access Rules in place to secure your EBS network right out of the box.

Forefront TMG, Medium Business Edition adds to the security provided by the old ISA firewall by adding UTM capabilities. There is now an integrated Web anti-malware scanner, so that you no longer need a third-party product to block malware. There are a couple of other new features that you’ll be interested in, and I’ll cover those in future articles on the Forefront TMG MBE here on ISAserver.org.

Let’s welcome the release of the new Forefront TMG! For more information check out David Cross’s announcement at https://blogs.technet.com/isablog/archive/2008/09/...n.aspx

Check out a useful demo of the new EBS product suite at http://www.microsoft.com/ebs/en/us/demos.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Test VPN-Q 2008 Beta 1 Now

Beta 1

Following the success of VPN-Q 2006, Winfrasoft are working on the next version of VPN-Q! VPN-Q 2008 will maintain the same key benefits of the previous version and introduce new functionality and features that our customers have been asking for.

VPN-Q 2008 helps secure your VPN connections by checking the health state of remote endpoint machines while they are isolated in a VPN quarantine network. Threats from viruses, worms, hackers and malicious users are everywhere! By ensuring that remote PCs connecting to your network have up-to-date antivirus software, a personal firewall enabled and patches installed, to name a few features, these threats can be significantly reduced.

VPN-Q 2008 introduces a new member to the lineup - the Express Edition! Unlike VPN-Q 2006, there will no longer be a Free or Standard Edition. Customer feedback told us that the Standard Edition feature set did not suit requirements well enough and a mix of the Free Edition and Standard Edition would be ideal - hence Express Edition. VPN-Q 2008 is expected to release Q3 2008.

Read more and download the Beta 1 version of VPN-Q 2008, the BEST solution for ISA Firewalls and VPN Quarantine, at:

http://www.winfrasoft.com/vpnq2008beta.htm

HTH,

Tom

Announcing XFF - X-Forwarded-For IIS

Are you looking to add X-Forwarded-For functionality to your IIS Web Server or ISA Server proxy infrastructure like you can with Squid, Apache, F5 Big-IP, Blue Coat, Cisco Cache Engine, Netcache etc? Now you can! Winfrasoft X-Forwarded-For for ISA Server and IIS adds the ability to track and log the source IP address of a client PC through a proxy server chain to the web server.

This is very useful for log analysis when branch offices connect to the Internet via a head office proxy server, and when the real client IP address is required on a web server for accurate reporting and analysis.

Version 2.0 of X-Forwarded-For for IIS introduces some key new features asked for by our customers; these include:

  • Added support for Proxy Trust List
  • Supports logging of both X-Forwarded-For data and layer 4 source IP information
  • Runs on Windows Server 2008 with IIS 7.0

Version 2.0 of X-Forwarded-For for ISA Server introduces some key new features asked for by our customers; these include:

  • Added support for reverse proxy scenarios
  • Works with both HTTP and SSL connections for Web Publishing
  • Supports proxy chains longer than two servers in both directions
  • Integrates with other 3rd party products that support the X-Forwarded-For de facto standard
  • Runs on ISA Server 2004
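The two features that matter most for security in the lists above are the Proxy Trust List and the logging of both the X-Forwarded-For value and the layer 4 source address. The header is supplied by whoever connects to you, so a web server that believes it blindly lets any client claim any source address; only hops that are known proxies should be allowed to vouch for the address to their left. The following is an added example (not Winfrasoft's code, and not how their filter is implemented internally) showing how a web server or reverse proxy can evaluate a multi-hop chain against a trust list and write a log line that keeps both values. The trusted networks and the addresses in the tests are constructed, and the walk-from-the-right rule is an assumption about how a trust list should be applied:

```python
import ipaddress

# Constructed trust list: the head-office proxy network and one named reverse proxy.
# Anything outside these ranges is treated as an untrusted peer.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to a network on the proxy trust list."""
    return any(addr in net for net in trusted)


def client_ip_from_xff(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return (client_ip, chain) for one request.

    chain is every hop in the order the request travelled, ending with the
    layer 4 peer (remote_addr). The header is walked from the right, i.e. from
    the hop nearest us: each trusted proxy is skipped, and the first address
    that is NOT on the trust list is the client. Anything to the left of an
    untrusted hop was written by a machine we do not trust and is ignored.
    client_ip is None when a hop is not a valid IP address.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None, chain  # malformed entry: do not trust anything beyond it
        if not is_trusted(addr, trusted):
            return str(addr), chain
    # Every hop was a trusted proxy, so the leftmost one originated the request.
    return chain[0], chain


def access_log_line(remote_addr, xff_header, request_line):
    """Log both the layer 4 source and the derived client address, plus the raw
    header, so a later analysis can re-check the derivation if the trust list changes."""
    client, _chain = client_ip_from_xff(remote_addr, xff_header)
    return '{} {} "{}" "{}"'.format(remote_addr, client or "-", xff_header or "-", request_line)


if __name__ == "__main__":
    # Branch office client -> branch proxy (10.1.1.1) -> head office proxy (10.0.0.5) -> us
    print(access_log_line("10.0.0.5", "203.0.113.7, 10.1.1.1", "GET /report HTTP/1.1"))
    # Direct connection from the Internet carrying a forged header
    print(access_log_line("203.0.113.7", "198.51.100.9", "GET /report HTTP/1.1"))
```

The second call in the usage block is the case the trust list exists for: the peer is not a trusted proxy, so the address it asserted in the header is logged but never used as the client address.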

For more information, check out:

http://www.winfrasoft.com/X-Forwarded-For.htm

HTH,

Tom

Security Considerations with Forefront Edge Virtual Deployments

“Virtualization of server workloads has become an increasingly popular method for making more efficient use of computer hardware and the supporting infrastructure. Virtualization provides many advantages to the data center administrator, while necessarily changing the way they create and manage their deployments. Server application virtualization is a more difficult undertaking due to the complexity of properly allocating the hardware across multiple server workloads. Combining applications which cannot coexist on a single machine across multiple Child partitions within the same host presents unique sizing and security challenges as well. Likewise, resulting network virtualization and the potential for multiple simultaneous server failures when the Parent partition fails presents unique security and availability problems.”

Check out the rest of this fantastic article at http://technet.microsoft.com/en-us/library/cc891502.aspx

This is one of the best articles I’ve ever read on the Microsoft.com Web site. Unlike many other articles that rehash stuff we already know, don’t care about, or contain useless information to bolster word counts, this article is chock full with stuff you don’t already know, and contains dozens of tips and tricks and implementation recommendations that you can put to use right away. I give this effort two phat THUMBS UP!

HTH,

Tom

Collective Software Solves the Static NAT Problem for ISA Firewalls

For how many years have we been waiting for some kind of static NAT feature for our ISA firewalls? You know the scenario, we have multiple SMTP servers and multiple IP addresses bound to the external interface of the ISA firewall. We need to make sure that mail for the domains that we host shows the source IP address associated with the MX record for that domain, or at least represent a single rDNS record for that IP address.

Or, maybe you’re connecting to an external host that authenticates based on source IP address. The problem is, as you know, we couldn’t do any of these things with the ISA firewall because all outbound connections were sourced from the primary IP address on the external interface of the firewall.

NO LONGER! Collective Software has developed a new tool, called IPBinder. Here’s what IPBinder can do for you:

  • Configure Access Rules to specify what IP address should be used as the local source address for outbound connections
  • Works with outbound HTTP Web Proxy traffic
  • Bind to any TCP protocol — such as outbound SMTP
  • Compatible with arrays where each server has different external IP addresses
  • Default behavior of Access Rules is preserved automatically unless you change them

For more information and to participate in the beta, check out the IPBinder page on the Collective Software Web site at:

http://www.collectivesoftware.com/Products/IPbinder

HTH,

Tom

Why the Forefront TMG is a Cornerstone of Essential Business Server (EBS) Network Security

If you have not had a chance to check out the Microsoft Essential Business Server (EBS) product, you should carve out some time from your busy schedule to take a look at it. Take a look at the public preview software for EBS.

EBS is a three server solution designed for small or mid-sized businesses with up to 300 PCs. The EBS solution includes three servers, which can be run as physical or virtual machines. There is the Management Server, which is a domain controller and file server that also runs System Center Essentials. There is the Messaging Server, which is also a domain controller, and runs Exchange 2007. And finally there is the Security Server, which runs the Threat Management Gateway (TMG) Medium Business Edition. TMG is the next version of the ISA firewall. In addition to running TMG, the Security Server also runs Exchange Edge Server for anti-spam protection.

From what I have heard, there are a number of people who want the EBS solution, but would like to deploy it without the Security Server. The reason most of these people give for not wanting the Security Server is that they already have a “firewall” and therefore do not think they need the TMG component, or that the TMG firewall adds too much complexity to what is considered an otherwise “simple” network security configuration.

At first blush you might think “sure, that is a valid request. If the customer already has a firewall, why introduce a second firewall into the mix?” The problem with this thinking is that the EBS team put a great deal of work into thinking about the EBS threat models and how to make sure that all components of the solution have adequate defenses against the enumerated threats.

The TMG in the EBS solution allows remote access to a number of services on the EBS network. Some examples of the services to which users can gain remote access include OWA, RPC/HTTP, Exchange ActiveSync, Terminal Services and Terminal Services Gateway, and SMTP. And these are the default settings. In a production network, you’ll likely see the TMG allow inbound access to POP3S, IMAP4S, DNS and other protocols.

Given all the remote access traffic that the EBS solution supports, you need to be assured that the connections from the external clients can be trusted. The problem the EBS team has, and that you have as a potential EBS customer, is this: how can you define the threat model, and the response to that threat model, if you can’t control the nature of the defenses against those threats?

The type of “firewall” that small and midsized businesses might already have in place can vary widely. In most cases, the “firewall” they are currently using is little more than a NAT device that also provides some NAT editors and the ability to perform reverse NAT or “port forwarding” for UDP and TCP ports. Some of them might even include a rudimentary remote access VPN server or even support site to site VPN connections. Other “firewalls” the customer might have in place might include some degree of content filtering or even anti-malware capabilities.

The thing is, the EBS team does not know what kind of “firewall” you already have in place. But they do know what security features and capabilities the TMG has. The TMG provides an exceptionally high level of security for remote access connections by providing pre-authentication for inbound connections to Web servers, a firewall-generated logon page, protections against anonymous attacks, an HTTP Security Filter to ensure HTTP protocol stream compliance and security, an SMTP filter to block SMTP exploits, an Exchange Edge Server to prevent spam and its attendant malware and phishing attacks from entering the network over the SMTP protocol channel, strong outbound access control on a per-user, per-group, per-protocol, per-site basis, network flood protection, stateful packet and application layer inspection for all communications through and to the TMG firewall (including remote access VPN connections), and many more security capabilities.

Thus, the threat and response model for the EBS solution is based on a relatively sophisticated set of network security tools that are available with the TMG. Yes, it is possible that a small or midsized business has paid thousands of dollars for another firewall solution that can provide some of the features included in the TMG feature set, but it is unlikely that a non-TMG firewall could provide all the features that are used to provide the strong inbound and outbound access controls and connection scrubbing that the TMG firewall can provide.

So, rather than thinking of the TMG as a potential burden to your network, think of it as a unique opportunity to increase your network’s security posture to a level that your network has not seen before. This is not to say that you need to get rid of your current network firewall. Two heads are better than one, and two firewalls are better than one. The EBS team has done a great job at making it easy to drop in the TMG firewall behind your existing firewall. After the TMG firewall is installed, all you need to do on your existing firewall is configure some port forwarding rules for HTTP, HTTPS, SMTP, RDP and other protocols, so that they are redirected to the external IP address on the TMG firewall.

While at first glance it might seem that the TMG adds needless complexity to the EBS network configuration, the fact is that the EBS installer does most of the heavy lifting for you, so you do not really need to understand the internals of the TMG installation and configuration during the initial setup. The only thing you need to do is configure the old firewall with port forwarding rules. You do not even need to renumber your network or change the default gateway settings on the machines on your network.

The bottom line is that the TMG firewall allows you to roll out a secure EBS networking solution using a known, standard security model that is common to all EBS network scenarios. Sure, you can go in and break the EBS TMG security model by creating insecure rules, but out of the box, the settings ensure a well-defined baseline for network security, something you can’t say if you stayed with the old “firewall” or NAT device and had not introduced the TMG firewall into the design.

I would like to hear what you think about the TMG as part of the EBS solution. Send me a note at tshinder@isaserver.org and I’ll discuss your opinions in the next newsletter.

Tom

ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller

Cats sleeping with dogs? Fish riding bicycles? Cows with wings? ISA firewall on a DC? Tell me it’s not true! For years we’ve been waving the flag that the ISA firewall should never, ever, never ever, never ever never never ever be installed on a domain controller. This is a key tenet of why the SBS 2003 platform could never be considered secure, since the DC was an Internet-facing device and had a horked ISA firewall configuration required to support domain traffic to the firewall.

So, what’s up with this new article on the ISA firewall community site? What article? ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller at http://technet.microsoft.com/en-us/library/cc891503.aspx

Why would Microsoft write such an article? Because the fact is that people have been installing the ISA firewall on branch office domain controllers. While Microsoft can’t come out and say “hey, this is a great idea” any more than parents and teachers can say to kids “hey kids, it’s a great thing that you run with scissors in your hands”, the fact is that kids will run with scissors in their hands, and admins will install the ISA firewall on a branch office domain controller. So, as responsible adults, we need to round the ends of the kids’ scissors and “round the edges” of the firewall policies on the branch office domain controller that also hosts an ISA firewall.

Let me know what you think of this development. Do you think this guidance gives hapless admins the imprimatur to install ISA firewalls on DCs? Will this hurt the overall reputation of the ISA firewall as an enterprise-grade network firewall? Or does it not matter, since the ISA brand is soon to go on life support as the TMG firewall bellies up to the bar to take the torch from the ISA firewall?

Thanks!

Tom

Anti-Virus/Anti-Malware Software Rendered Useless without Outbound SSL Inspection

An ISAserver.org member wrote to me about a problem last week after I posted an announcement about a new Celestix offering that includes Kaspersky AV and anti-malware on the box. The advantage of putting Kaspersky on the Celestix ISA firewall is that the Celestix ISA firewall can inspect the contents of the session between your internal clients and external servers and block malware before it has a chance to enter and infect your network.

Inline anti-malware is a great thing. Why? Because you can’t always depend on endpoint security. Users might disable their AV and anti-malware software, the AV or anti-malware software might not be updated, or the AV or anti-malware software on the clients might have been corrupted by other malware or by the user’s attempts to get around it.

In contrast, the ISA firewall administrator is responsible for maintaining the ISA firewall and the AV and anti-malware solution and can assure that the software is updated, current and uncorrupted. Most of us can agree that there is no replacement for in-line network AV and anti-malware devices when it comes to a comprehensive defense in depth plan.

The problem with this scenario, as mentioned by our good ISAserver.org member, is that when there is an SSL connection between the internal client and the external server, the AV and anti-malware software is totally helpless at providing protection. The reason for this is that the ISA firewall, out of the box, does not perform outbound SSL inspection. Once the SSL connection is established between the client and the external server, the contents of the communication are hidden within an SSL tunnel, similar to what you see when an internal user establishes a VPN connection to a remote network.

There’s a reason why we don’t allow outbound VPN connections to a remote network. You have no idea how secure the remote network is, and you have no idea what security controls they’ve placed on that remote network. If you can’t trust that network, you can’t trust that a direct tunnel to that network isn’t going to suck down all sorts of viruses and malware into your network, completely hidden from the AV and anti-malware protections that you’ve implemented at the firewall.

So, if you don’t allow VPN connections for valid security reasons, why would you allow SSL connections? Did you know that much of today’s malware takes advantage of SSL connections to hide from your firewall controls, so that it can download more malware from attackers’ Web servers? How are you going to protect your network from this gaping SSL security hole?

If you’re using an ISA firewall the solution is easy. While we don’t have outbound SSL inspection available out of the box, you can get the ClearTunnel add-on to provide this vitally important security. ClearTunnel breaks open the outbound SSL tunnel so that your ISA firewall can inspect the session and clean out the malware before it makes it to your client computers and spreads to other clients and servers on your network.

To learn more about ClearTunnel, check out my article at http://www.isaserver.org/tutorials/Product-Review-...l.html

To get more information about ClearTunnel from Collective Software, check out http://www.collectivesoftware.com/Products/ClearTunnel

HTH,

Tom

Announcement: Two AES Ciphersuites (128/256 bits) are now supported

Windows Server 2008 and Windows Vista were both released with support for SSL/TLS ciphersuites that use AES symmetric encryption. Windows Server 2003 was released without these ciphersuites, and so IAG 2007 did not support them either. Recently Microsoft has released a hotfix for Windows Server 2003 which adds two TLS AES ciphersuites, one for 128-bit encryption and one for 256-bit encryption. Installing this hotfix on an IAG 2007 appliance will add support for the TLS AES ciphersuites. More information about the hotfix is available at http://support.microsoft.com/kb/948963/en-us

From the IAG Team blog at:

http://blogs.technet.com/edgeaccessblog/archive/20...d.aspx

HTH,

Tom

ISA Server 2004 blocks requests that include the Accept-Encoding HTTP header when a forward proxy is used

Dan Ball, on the ISAserver.org mailing list, shared an interesting problem. He noted that after installing ISA 2006 SP1, his users were starting to see errors that they hadn’t seen before. The error returned to the users’ browsers was:

  • Error Code: 502 Proxy Error. The request is not supported. (50)

It seemed like a pretty mysterious problem to me, even after checking a few lines of log file information provided by Dan. But then Dan did a packet trace on the connection and sent it to Jim Harrison. Jim read the capture and said:

Do you have compression disabled?

If so, have a peek at the script in http://support.microsoft.com/?id=927263.

This script is supported for ISA 2006 after SP1.

This is a problem I wasn’t aware of! You might have the same problem as Dan if the following is true:

On a server that is running Microsoft Internet Security and Acceleration (ISA) Server 2004 with Service Pack 2, you disable the following two Web filters:

  • Compression Filter
  • Caching Compressed Content Filter

After you do this, ISA Server 2004 blocks requests that include the Accept-Encoding HTTP header when a forward proxy is used.

These Web filters were introduced in ISA Server 2004 Service Pack 2. You might disable these Web filters because of program compatibility problems that involve some Web servers.

So, if you’re seeing random 502 proxy errors with the request not being supported (50), then you should run the script found at http://support.microsoft.com/kb/927263

UPDATE:

More information on this issue from Jim Harrison:

“When compression is disabled, ISA will strip off the “Accept-encoding” header that the client sends.

This is done to prevent the web site sending compressed responses because ISA can’t apply HTTP body inspection to it.

In this case (and several others, it seems), the web site sends compressed content anyway (it’s a Sun server; waddayexpect?).

Since ISA knows it can’t process compressed HTTP bodies, it rejects it.

Adding this value causes ISA to forward the “Accept-encoding” header and when the content is delivered compressed, ISA simply sends it back to the client as-is without inspecting it.”
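Jim's explanation describes two proxy behaviours for the same request: by default the Accept-Encoding header is stripped so a well-behaved server answers in plaintext that the HTTP body filter can inspect, and a server that compresses anyway gets its response rejected with the 502 (50) error; with the KB 927263 value set, the header is forwarded and any compressed response is handed to the client uninspected. The following is an added example (my own code, not ISA's implementation) that models both behaviours against a compliant server and a misbehaving one, so you can see exactly which path produces the error and what is given up by switching it off. The block signature, the toy body inspection and both server stand-ins are constructed for the example:

```python
import gzip

# Constructed toy signature standing in for a real HTTP body-inspection rule.
BLOCK_SIGNATURE = b"BLOCKED-SAMPLE"
PROXY_ERROR_502 = b"Proxy Error. The request is not supported. (50)"


def upstream_request_headers(client_headers, forward_accept_encoding=False):
    """Headers the proxy sends on to the web server.

    With the compression filters disabled and the KB value NOT set, the proxy
    removes Accept-Encoding so a compliant server replies in plaintext. With the
    value set, the header is forwarded unchanged.
    """
    headers = dict(client_headers)
    if not forward_accept_encoding:
        headers.pop("Accept-Encoding", None)
    return headers


def inspect_body(body):
    """Toy body inspection: the body passes unless it carries the signature.
    Note that it only works on an uncompressed body."""
    return BLOCK_SIGNATURE not in body


def proxy_response(resp_headers, body, forward_accept_encoding=False):
    """Decide what the client receives, as (status, body)."""
    encoding = resp_headers.get("Content-Encoding", "identity").lower()
    if encoding != "identity":
        if not forward_accept_encoding:
            # Proxy cannot inspect a compressed body and refuses to pass it.
            return 502, PROXY_ERROR_502
        # KB value set: compressed content goes back to the client as-is, uninspected.
        return 200, body
    if not inspect_body(body):
        return 403, b"blocked by HTTP body inspection"
    return 200, body


def compliant_server(request_headers, plaintext):
    """Constructed server that compresses only when the client asked for it."""
    if "gzip" in request_headers.get("Accept-Encoding", "").lower():
        return {"Content-Encoding": "gzip"}, gzip.compress(plaintext)
    return {}, plaintext


def misbehaving_server(request_headers, plaintext):
    """Constructed server that gzips regardless of Accept-Encoding (the case in the post)."""
    return {"Content-Encoding": "gzip"}, gzip.compress(plaintext)


def proxy_exchange(client_headers, server, plaintext, forward_accept_encoding=False):
    """Run one client -> proxy -> server -> proxy -> client round trip."""
    upstream = upstream_request_headers(client_headers, forward_accept_encoding)
    resp_headers, body = server(upstream, plaintext)
    return proxy_response(resp_headers, body, forward_accept_encoding)


CLIENT_HEADERS = {"Host": "www.example.test", "Accept-Encoding": "gzip, deflate"}

if __name__ == "__main__":
    for name, server in (("compliant", compliant_server), ("misbehaving", misbehaving_server)):
        for flag in (False, True):
            status, _ = proxy_exchange(CLIENT_HEADERS, server, b"hello", flag)
            print("{:11s} server, forward Accept-Encoding={}: HTTP {}".format(name, flag, status))
```

The trade-off is visible in the last case: with the value set, a page that contains the signature still reaches the client because it arrives gzip-compressed and the inspection step never sees the plaintext, which is the same reason the default behaviour rejects it.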


HTH,

Tom
