ISAserver.org Newsletter of April 2008

ISAserver.org Monthly Newsletter of April 2008 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Easy Automatic Log-in for your Form-based Web Applications

Question: I need to pre-authenticate Extranet users at ISA for security reasons, but my back-end app uses a web form to log in. I don't want users to have to log in twice! Is there a solution?

Answer: FlexForm from Collective Software augments the capabilities of ISA 2006, allowing it to interact with your internal back-end web login forms and seamlessly sign in users. Now you can authenticate at ISA, adding Extranet security without any hassle.

Get a free evaluation of FlexForm from Collective Software now.

1. First, Quick Look at the Forefront Threat Management Gateway (TMG)

If you missed out in my previous newsletter or blog posts, you might not know that ISA Server, as a product name, is going away. However, that does not mean that the actual product that we have come to love is going away. Nope, the ISA Firewall still lives, but it is being reincarnated with a new name. That name is the Forefront Threat Management Gateway or Forefront TMG or TMG.

The Beta1 version of the TMG was made available to the public last week. If you did not notice this, it might be because it is part of the "Stirling" download, which includes not only the Stirling security management software, but also Forefront Security for Exchange and Forefront Security for SharePoint. If you have not found that download link yet, you can get the TMG Beta1 software and the other Forefront software at Evaluate Microsoft Forefront codename "Stirling" Beta today.

Yesterday I finally had the chance to install the new TMG software. The TMG runs only on Windows Server 2008 and is, and will only be, available in a 64-bit edition. There is likely going to be a 32-bit evaluation version available after the TMG goes RTM sometime next year, but there will not be any 32-bit version available for beta testing. So, if you do not have a 64-bit capable machine, it is time to get one. The hardware requirements are nominal, and any 64-bit capable machine will easily meet them (1 GB RAM, 150 MB disk).

The TMG will run on Windows Server 2008 Hypervisor or VMware Server. I chose to install it on VMware Server. Also, for this beta version, the TMG must be a domain member. This will change when the software is officially released.

The installation process is essentially the same. You tell the installer what your default Internal Network should be and the installation completes. I noticed during installation that no questions were asked regarding whether or not I wanted to support unencrypted Firewall client connections. I do not know if they plan to drop support for unencrypted connections, or if there is something that will be included in a future beta of the TMG or just something that they did not consider important enough to ask about during the installation process.

Something new is a collection of configuration wizards that come up after installation completes. One of the wizards asks about the IP address configuration on each of the TMG's NICs. You also choose what network template you want to use at this point. The purpose of the second wizard is less clear. It is called the System Configuration Wizard and the only things it asks for are the host name of the machine, whether or not it is a domain member, and the primary DNS suffix of the machine. I think this information is used for the Firewall Client configuration, as I found that a single label name is used in the Firewall client configuration when it completes. Of course, this was the default setting in the past.

The third wizard is the Deployment Wizard. This one asks you if you want to use Microsoft Update to check for updates and how you want the updates to be handled. It also asks if you want to participate in the Customer Feedback Program and if you want to participate in the Microsoft Telemetry Service (used to report malware back to Microsoft).

At this point you can complete your configuration or continue with an optional fourth wizard. This wizard is the Web Access Policy Wizard. This is where the TMG significantly differs from the ISA Firewall. You can use the Wizard to create policies controlling the types of Web sites users are allowed to access, the malware inspection settings, and the Web cache settings. I am not sure what the value of this wizard is, as it seems to make the process of configuring Access Rules much more complicated than they need to be. The Firewall policy also segregates "Web Policies" from other policies that do not apply to HTTP, or more accurately, those that are not created using the wizard.

However, with more experience with the product, I may come to understand and appreciate why they decided to segregate the HTTP/HTTPS access policies from the others in the firewall policy rule set.

The malware inspection feature is new with the TMG. The antimalware definitions are automatically downloaded and installed (if you choose that option). You also have the option to configure a User Notification message to let users know what happened when the connection is blocked by the TMG.

The TMG will not include multiple editions. Gone are the standard and enterprise editions. However, the TMG is based on ADAM (like the Enterprise edition of the ISA Firewall), so you have the choice of creating what we used to think of as enterprise arrays. I do not know yet if we are still going to call them enterprise arrays, but it is clear that support for CARP and integrated NLB will continue.

There are a number of cosmetic changes. The nodes in the left pane have been reduced. That means you are going to have to hunt around a little bit to find the configuration interfaces that you used with the ISA Firewall. However, if you keep a close eye on the Tasks tab on the Task Pane, you should be able to find just about everything you need.

I have not tested any publishing rules yet, so I cannot tell you about that. A quick look at the VPN configuration shows that there have not been any changes there either. I found a folder on the hard disk that had files indicating that they could be used to enable and disable IPv6; however, looking at the user interface, it is clear that none of the dialog boxes have been updated to support IPv6 addresses. I did notice an option to disable IPv6 entries in the log viewer.

On the brighter side, I found a new Application Filter (more application filters are better, given that the TMG is supposed to be both a stateful packet and application layer inspection firewall). The new application filter adds support for TFTP.

The dashboard has been updated. It now includes an Update Services section to let you know the status of the anti-malware updates. The System Performance section at the bottom of the console has also changed - the non-functional allowed and dropped packets per second sections are gone. Now you see information about CPU Usage and Available Memory, which is actually very important performance information when quickly assessing the TMG firewall's state.

I noticed that there is a new report - the Malware Inspection Content report. I did not notice too many changes to the options in the other reports. This is a bit disappointing as one of the most frequent requests for improving ISA reports is to enable the firewall administrator to get a custom report on a per user basis. Maybe this will be included in a future beta of the TMG. I did notice that the default time for creating Log Summaries is 12:30:36AM. In ISA 2006, this value was 12:30AM :-). I did notice that the option for configuring report storage was missing.

That is about it. Remember, this was a very quick look at the current Beta1 version of the TMG. If you notice that the features you have been asking for over the last eight years are not included with the TMG, do not get disappointed! This is a very early beta version of the product and it is far from being feature complete. Take some time to play with the Beta1, get to know where all your configuration options have been moved to, and test the anti-malware feature in your test lab. In future betas, it is likely that there will be many improvements and features that will make you very happy. So while first impressions are lasting ones, I want you to forget your first impression of the TMG and think of it as a young child who is going to grow into the firewall that you always wanted the ISA Firewall to be!

I will be posting a more comprehensive quick look review on the ISAserver.org version soon. In fact, it might be posted before you receive this newsletter. The article will include screenshots of the setup experience, including the three setup wizards I discussed earlier. Then I will do another article on the new interface, so that you will not have to hunt around too long for the things you are used to working with. Then I will do some articles on the Exchange and SharePoint publishing features, and go into a bit more depth on the Web Access Policy component of the Firewall policy. And of course, there will be a lot more, because that's what we do here at ISAserver.org.

If you get a chance to test the TMG Beta1, let me know. I would like to know what you think of it and will be happy to share your opinions with Microsoft. It is early enough to get things added and fixed, so this is the time to let them know. Write to me at tshinder@isaserver.org with your opinions, observations and suggestions.

Thanks!

Tom

=======================

Quote of the Month - "The More Things Change, the More They Stay the Same"
-- Anonymous

=======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.


3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

4. KB Articles of the Month

5. Tips of the Month

NLB always includes some complexities that you do not see when NLB is not deployed. In this thread on ISAserver.org, Oliver figures out how to get DHCP relay to work with an ISA Firewall Array that has NLB enabled. Check out the thread at DHCP Relay Agent on NLB-Cluster

6. ISA Firewall Links of the Month

7. Blog Posts

8. Ask Dr. Tom

QUESTION: Hello Mr. Shinder,

I am sorry to drag you into this. But I have tried to solve this problem for months now, and despite being in touch with a lot of people, I have been unable to find anyone who can get this to work, or offer any kind of explanation why this cannot be made to work.

I am all out of ideas, and it seems to me that ISA2004 must have a bug or some other defect that prevents this from working as expected, but I cannot be sure; but I feel enough people have looked at it, and we all agree that the configuration is as it should be, but to no avail, because it is still not working.

I hope that you can find time at some point to read the article and suggest some error in my approach that will turn out to be the solution, if anyone can solve this, I suspect it would be you :o)

Publishing RDP on a side network - 1.Apr.2008 6:22:34 AM

Regards, Michael Brandi Andersen

ANSWER: Hi Michael,

I took a look at your post, and I have to admit, there are far too many extraneous details included that make it hard for me to make an assessment. However, I can tell you that if your scenario is that you have multiple internal ISA Firewall Networks, then you can easily allow RDP access between these networks.

In most cases, the multiple internal ISA Firewall networks are going to have a Route relationship with one another and not a NAT relationship. The only time when I would recommend that you have a NAT relationship with a custom ISA Firewall Network is when the networks are of significantly different trust levels, such as an anonymous access DMZ network. In your case, from what I can tell, you created a second network of similar trust.

In this case, all you need to do is create an access rule that allows the source ISA Firewall Network clients to the destination RDP server. Remember that the clients need to be SecureNET clients or Firewall clients of the ISA Firewall so that the ISA Firewall receives the requests. If the connections are not being routed correctly through the ISA Firewall, check the ISA Firewall's Firewall service log and see what rule may have denied the connection. If you only see that the default rule denied the connection, check that you correctly configured your Access Rule. If the Access Rule turns out to be OK, then check that you have correctly configured your Network Rules. Failure to correctly configure the Network Rules is the most common reason for connections between different ISA Firewall Networks to fail.

QUESTION: Hi Dr Tom,

One of the biggest problems I have with ISA and ISA documentation is that it speaks little about the effect that 'enabling authentication' has on certain websites such as audio streaming/VoIP from WebEx. I have a number of other apps that only seem to work through ISA server when authentication is disabled.

Does your book cover this topic?

Regards, Jose Moreno

ANSWER: Hi Jose,

The problem with these applications or sites is that they do not work correctly when there is an authenticating Web proxy in the path. Of course, you do not want to get rid of authentication, since that is why you are using the ISA Firewall: to make sure that only authenticated users connect to Internet resources that you've given them permission to access.

What you need to do is configure those sites for Direct Access, and I do discuss Direct Access in my books. However, the problem with Direct Access configuration is that when the client makes the request for the destination site, it will bypass the Web Proxy client configuration and use another client configuration to reach the site. If the machine is also configured as a SecureNET client, then the Web Proxy client configuration will be bypassed for access to the problematic sites, but you will not be able to authenticate, since authentication of any type, to any firewall (not just the ISA Firewall), requires a client side configuration, and the basic TCP/IP stack doesn't include a mechanism for this.

The answer is to apply ISA Firewall best practices, which means installing the Firewall client. I've written a number of articles on ISA Firewall best practices, and installation of the Firewall client on client systems is always one of the top five best practices when using the ISA Firewall. When the Firewall client is installed, the client machine will bypass its Web Proxy client configuration when attempting to access a Direct Access site, and then fall back on its Firewall client configuration. This both fixes the authentication problem for accessing these problematic sites and also allows users to continue to authenticate to the ISA Firewall.

Finally, remember to force authentication on the Access Rule. Never use the option on the Web Proxy Listener that asks if you want to force all users to authenticate. Enabling that option will give you another problem that you don't want to have to troubleshoot.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.
