ISAserver.org Monthly Newsletter of August 2009
Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. ISA, TMG and UAG This and That

Things have been a little slow on the ISA, TMG and UAG front for the last month, and so there is not a lot to talk about this time around. So, I thought I would just talk about "this and that" on topics I encountered related to firewalls and gateways in the last 30 days.

We have three ISA firewalls in my office. No, we do not need three, but that is how many we have right now. It occurred to me that I have not checked the configuration or status of these firewalls for the last two months. Is that bad? How often do you check your ISA or TMG firewall configuration? Every day? Once a week? Once a month? I figure I should be more on top of things, but if nothing is going wrong, it seems like I have enough on my plate with other things.

Does anyone care about network level VPN anymore? It seems like a lot of people do, which is not the impression you get when you read the industry papers. All I see is "VPN is dead. It is too hard to manage, gets in the way, users hate it, does not work behind firewalls, blah blah blah." But out there in the real world, it seems like everyone is using VPN to connect to the corpnet or even to their home networks. What I do not get is why people would want to use anything other than the ISA or Windows RRAS VPN. Both support two-factor authentication, so why waste money on a third party solution? It is highly unlikely that any alternative is going to be more secure.

Many of you know that I am a big fan of virtualization, but I am not a big fan of virtualizing firewalls. Remember, you are only as secure as the weakest link in the chain, and since virtualization is not about security, it is typically going to be your hypervisor that is going to be the "usual suspect" when it comes to pointing the finger at the weakest link. However, my opinion will likely change once vendors take full advantage of virtualization security technologies built into the hardware. More specifically, I am talking about Intel Trusted Execution Technology, or Intel TXT. I think if TMG firewall vendors provided a virtualized TMG firewall or UAG gateway solution that fully leverages, and is security enabled by, Intel TXT, the virtualization security issue will be moot. However, I do not know anyone who is fully leveraging what Intel TXT has to offer right now, so beware of placing anything related to your security infrastructure in a virtual environment.

That is all for now. I suspect some big things will be happening in the next month or so, and I will make sure to let you know what is going on when they happen. See you next month... Thanks!

For ISA and TMG and other Forefront Consulting Services in the USA, call me at Prowess Consulting on 206-443-1117.

=====================

2. ISA Server 2006 Migration Guide - Order Today!
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Article of the Month

This is not a KB article, but it is a good one nonetheless. I get a lot of questions from people about how to measure ISA firewall performance and then how to use the information to improve the firewall's performance. If you have ever taken a look at the performance counters added after installing the ISA firewall, you will have seen an astounding array of counters for all aspects of the ISA firewall's operations. But what do these counters mean? How do you use them? Which ones matter and which ones do not matter as much? For the new ISA firewall admin, those counters present an embarrassment of riches where you just do not know where to start.

There is an answer to this problem. Microsoft has prepared a comprehensive guide entitled "Best Practices for Performance in ISA Server 2006", which provides a ton of useful information that you can put to immediate use to evaluate your firewall's performance. From stateful packet inspection, to VPN, to Web proxy inbound and outbound, you will find the information you need right there. Check it out!

5. Tip of the Month

How do you document your rules? Do you write them out? Put them in a spreadsheet? Take screenshots of the configuration? Maybe there is a better way. Check out this discussion on the ISAserver.org Web boards and get several perspectives on how to quickly and effectively document your ISA firewall configuration.

6. ISA/TMG/IAG Links of the Month
ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org
7. Blog Posts
8. Ask Dr. Tom

QUESTION: Hi Dr. Tom. Sorry for my poor English. I am emailing from Brazil and I really appreciate your job. I bought your book ISA Server 2006 Migration Guide and I think that you did a great job. It helped me in the exams 350 and 351. The domain controller provides DHCP to the guest network, the ISA server is configured as a relay agent on the guest interface, automatic discovery is configured on the guest interface, and the access rule is configured for a group in my AD. My boss wants to give internal access to all resources using the same guest network (they want to use the same access points) for domain users. I am creating one access rule allowing all protocols from the guest network to the internal network, but for a user group from my domain it does not work. If I change it to All Users, it works. But this is not safe. I want to give Internet access only to guests, and full access to my internal network using the same network (guest). Thanks for your attention.

ANSWER: This is a common scenario and there are several ways to approach it. One way to enable domain users on the guest network to have access to the Internal Network is to allow only authenticated connections to the servers your users need to connect to. The problem with this solution is that some important protocols do not lend themselves to authentication at the firewall (such as CIFS/SMB), and that you need to allow anonymous access to some key infrastructure servers, such as domain controllers and DNS servers. A better and more reliable approach is to configure the domain users on the guest network to use a VPN connection to access the Internal Network. The advantage of this option is that users have to authenticate in order to establish the VPN connection before they access any resources on the Internal Network. You can then create fine-tuned access controls on the VPN connections if you like.
Another thing you can do with the VPN clients on the guest network is allow them to use their Firewall and Web proxy client configuration to access the Internet through the VPN link. Overall, the VPN approach is going to be more secure and easier to manage. You can make it even easier by using the CMAK to create the VPN connectoids for your users. In that way you do the heavy lifting for your users and you do not need to expose them to the complexities of VPN client connectoid configuration.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.