ISAserver.org Newsletter of July 2009

ISAserver.org Monthly Newsletter of August 2011 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

Prevent Lockout Attacks

Question: Active Directory lockout protects against password guessing, but then any attacker with a web browser can cause a denial of service by locking out accounts on purpose! Can ISA prevent this kind of attack?
Answer: With the LockoutGuard filter, your ISA/TMG server can block repeated authentication attempts locally, below the Active Directory lockout threshold. You keep all the benefits of lockout protection, and keep your user accounts safe from malicious lockout attacks.

You can download LockoutGuard from Collective Software.
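A gateway-side "soft lockout" of the kind the sponsor's note describes, written here as an added illustration (it is not Collective Software's LockoutGuard code): the gateway counts failed logons per account and refuses further attempts locally at a threshold that sits below the directory's lockout threshold, so the directory's own bad-password counter never reaches the value that locks the account, and users inside the network keep logging on normally. The `Directory` class, the thresholds and the timings are assumptions chosen for the illustration.

```python
"""Gateway-side 'soft lockout' in front of a directory with a hard lockout policy.

Added example (not Collective Software's LockoutGuard code).  The gateway counts
failed logons per account and refuses further attempts locally once they reach a
threshold that sits below the directory's lockout threshold, so the directory's
own bad-password counter can never reach the value that locks the account.
Every name, threshold and timing below is an assumption chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Toy stand-in for an Active Directory account lockout policy."""
    passwords: dict
    lockout_threshold: int = 5      # assumed 'Account lockout threshold'
    reset_after: int = 600          # assumed 'Reset account lockout counter after' (s)
    bad_counts: dict = field(default_factory=dict)   # user -> (count, last_failure)
    locked: set = field(default_factory=set)

    def authenticate(self, user, password, now):
        if user in self.locked:
            return "locked"
        count, last = self.bad_counts.get(user, (0, now))
        if now - last > self.reset_after:
            count = 0
        if self.passwords.get(user) == password:
            self.bad_counts[user] = (0, now)
            return "ok"
        count += 1
        self.bad_counts[user] = (count, now)
        if count >= self.lockout_threshold:
            self.locked.add(user)
            return "locked"
        return "bad_password"


class LockoutGuard:
    """Per-account failure counter at the gateway that blocks before the directory would."""

    def __init__(self, directory, soft_threshold=3, window_seconds=900):
        # Two invariants make this sound: block strictly earlier than the directory,
        # and forget failures no sooner than the directory does.  Together they keep
        # the gateway's count >= the directory's count for every attempt passed on.
        assert soft_threshold < directory.lockout_threshold
        assert window_seconds >= directory.reset_after
        self.directory = directory
        self.soft_threshold = soft_threshold
        self.window = window_seconds
        self.state = {}        # user -> (failure_count, last_failure_time)
        self.events = []       # lines a defender would forward to logging/alerting

    def login(self, user, password, now, client_ip):
        count, last = self.state.get(user, (0, now))
        if now - last > self.window:
            count = 0
        if count >= self.soft_threshold:
            # Refused locally: the directory never sees this attempt, so a remote
            # guesser cannot drive the real account lockout.
            self.events.append(f"t={now} soft-block user={user} from={client_ip}")
            return "soft_blocked"
        result = self.directory.authenticate(user, password, now)
        if result == "ok":
            self.state.pop(user, None)
        else:
            self.state[user] = (count + 1, now)
            self.events.append(f"t={now} failed-logon user={user} from={client_ip}")
        return result


def with_guard():
    """Ten wrong passwords through the gateway; the account must still work internally."""
    directory = Directory(passwords={"alice": "correct horse"})
    guard = LockoutGuard(directory)
    remote = [guard.login("alice", f"guess{i}", now=i, client_ip="198.51.100.7")
              for i in range(10)]
    # alice, on the intranet, authenticates against the directory directly.
    internal = directory.authenticate("alice", "correct horse", now=11)
    return remote, internal, "alice" in directory.locked


def without_guard():
    """Same ten attempts sent straight to the directory: hard lockout after five."""
    directory = Directory(passwords={"alice": "correct horse"})
    remote = [directory.authenticate("alice", f"guess{i}", now=i) for i in range(10)]
    internal = directory.authenticate("alice", "correct horse", now=11)
    return remote, internal, "alice" in directory.locked


if __name__ == "__main__":
    print("with guard   :", with_guard())
    print("without guard:", without_guard())
```

The two assertions in the constructor are the whole argument: because the gateway blocks at a lower count and forgets failures no sooner than the directory does, every attempt it forwards arrives while the directory's counter is still below its threshold. Running the block shows the difference: with the guard, the third failure is the last one the directory ever sees and the user can still log on from inside; without it, the fifth attempt locks the account for everyone.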

1. How TMG Completes the Security Story for DirectAccess

As you might have heard my husband say from time to time (and it's something with which I completely agree), the DirectAccess client is like any other client on your intranet and you should take the same security precautions and configuration measures with DirectAccess clients that you would apply to any other client on your intranet. The reason for this is that the threat profile of the DirectAccess clients on the Internet is not very different from the client system on the intranet. They are always connected to the intranet, are always under the command and control of corporate IT, and therefore they don't fall out of compliance like traditional VPN clients - making them the equivalent of intranet clients when it comes to security.

There's only one problem with this reasoning. Clients on the intranet have their Internet access controlled by an Internet gateway filtering device, such as a TMG firewall. If the intranet client never leaves the intranet (a rare situation now, but common in the 20th century), then Internet access is always filtered and the threat landscape to which that client is exposed will be much smaller. In contrast, the default configuration for DirectAccess clients is to enable split tunneling, which means that while the DirectAccess client reaches intranet resources over the DirectAccess tunnels, it connects directly to the Internet hosts it needs, without going through the DirectAccess tunnels.

However, you can close this hole in the DirectAccess client security story by using something called "Force Tunneling". When Force Tunneling is enabled on the DirectAccess client, all traffic will be forced through the DirectAccess tunnel, including traffic that's destined for the Internet. You can then configure the DirectAccess client to always use a web proxy on the intranet to connect to the Internet. And since there is no better web-proxy-based Internet security gateway than the TMG firewall, you can see how the TMG firewall solves this problem.

My husband Tom Shinder, along with fellow Microsoft employee Yuri Diogenes, did a webcast about this recently, and you might want to check it out. It is part of their series Security Talk with Tom Shinder and Yuri Diogenes: From Endpoint to Edge and Beyond. Check it out here.

What do you think? Does the TMG firewall close the security story for DirectAccess clients? Is there anything else that's required to make them as secure as an intranet client? Does an "intranet client" even exist anymore, now that most companies allow their employees to take laptops home and on the road and then bring them back to work - so that all clients share a similar security profile? Let me know your opinions! Send me your feedback and I'll share it next month in the newsletter.

See you next month! - Deb.
dshinder@isaserver.org

======================
Quote of the Month - "Airplane travel is nature's way of making you look like your passport photo." - Al Gore
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006, and they share the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. ISAserver.org Learning Zone Articles of Interest

4. ISA/TMG/UAG Content of the Month

The Forefront TMG BPA (Best Practices Analyzer) is a diagnostic tool that automatically performs specific tests on configuration data collected on the local Forefront TMG computer from the Forefront TMG hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

The resulting report details critical configuration issues, potential problems, and information about the local computer. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

The Forefront TMG BPA is supplied with two supplemental tools:

  • The TMG Data Packager enables you to create a single .cab file containing Forefront TMG diagnostic information that can be easily sent to Microsoft Product Support Services for analysis.
  • BPA2Visio generates a Microsoft Office Visio diagram of your network topology as seen from a Forefront TMG computer or any Windows computer based on output from Forefront TMG BPA. Note that Microsoft Office Visio 2003, 2007, or 2010 must be installed in order to run BPA2Visio.

Download the TMG Best Practices Analyzer here.

5. Tip of the Month

Did you know that you can get information about the names of the people connecting through the TMG firewall, as well as the names of the computers they are using and the names of the applications they're using to connect to the Internet through the TMG firewall? You can! All you have to do is install the TMG client (Firewall client) on the client systems and configure the TMG client to connect to the TMG firewall. The figure below shows an example of the information you get in real time in the Sessions tab. The (user and computer) names have been changed to protect the innocent. Of course, this information is also available in the logs, so you can search the log files for this kind of information as well. And of course, you need to make sure the TMG client is installed first. Then you're ready to go!
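Searching the log files for the same user, computer and application information, as an added example written for this tip (it is not Microsoft's or ISAserver.org's code): the parser reads a W3C extended log, whose `#Fields:` header names every column, and groups records by user. The sample log is constructed, and its column names (`c-ip`, `cs-username`, `c-hostname`, `c-agent`, `action`) are assumptions standing in for whatever the gateway's own log schema calls these values.

```python
"""Who is connecting through the gateway, from which computer, with which application.

Added example, not Microsoft's or ISAserver.org's code.  It reads a W3C extended
log, whose '#Fields:' header names every column, so nothing below hard-codes a
column position.  The sample log is constructed, and its column names (c-ip,
cs-username, c-hostname, c-agent, action) are assumptions standing in for
whatever the gateway's own log schema calls these values.
"""
from collections import defaultdict

# Constructed sample in W3C extended log format; not real gateway output.
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip cs-username c-hostname c-agent cs-protocol action
2011-08-02 09:14:05 10.0.0.21 CORP\\jdoe WS-JDOE outlook.exe http Allowed
2011-08-02 09:14:07 10.0.0.21 CORP\\jdoe WS-JDOE iexplore.exe http Allowed
2011-08-02 09:15:40 10.0.0.42 CORP\\asmith WS-ASMITH firefox.exe https Allowed
2011-08-02 09:16:02 10.0.0.42 CORP\\asmith WS-ASMITH putty.exe ssh Denied
2011-08-02 09:17:11 10.0.0.77 anonymous - - http Denied
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # header may repeat mid-file
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def sessions_by_user(records):
    """Group records into user -> hosts seen, applications seen, denied-connection count.

    '-' is the W3C placeholder for an empty value, so it is not recorded as a name.
    """
    summary = defaultdict(lambda: {"hosts": set(), "agents": set(), "denied": 0})
    for rec in records:
        entry = summary[rec["cs-username"]]
        if rec["c-hostname"] != "-":
            entry["hosts"].add(rec["c-hostname"])
        if rec["c-agent"] != "-":
            entry["agents"].add(rec["c-agent"])
        if rec["action"] == "Denied":
            entry["denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    for user, info in sorted(sessions_by_user(parse_w3c(SAMPLE_LOG)).items()):
        print(f"{user:14} hosts={sorted(info['hosts'])} "
              f"apps={sorted(info['agents'])} denied={info['denied']}")
```

Reading the column names from the header rather than hard-coding positions is what keeps the script working when the log format is changed in the firewall's logging configuration; the unauthenticated `anonymous` record shows why the `-` placeholder has to be skipped rather than counted as a host name.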


6. ISA/TMG/IAG/UAG Links of the Month

Forefront TMG 2010 Network Inspection System and Custom Protocols

An intrusion detection and prevention system (IDS/IPS) is an essential component of a modern secure web gateway. The Network Inspection System (NIS) in Forefront Threat Management Gateway (TMG) 2010 is a unique implementation of IDS/IPS. If you want to learn more about how NIS works, and especially the secrets of applying NIS inspection to custom protocols, run on over to Richard Hicks' blog post on the subject.

List of Build Numbers for TMG

You've probably seen the build number on your TMG installation, something in the format 7.0.XXXX.XXX. But what does that mean? If you want to find out which service packs, rollups and updates correspond to the different build numbers, that information is available over on the TechNet Wiki here.

7. Blog Posts 

8. Ask Sgt Deb

QUESTION:

Hey Deb,

I'm thinking about bringing in a TMG firewall but I have a question. I remember a few years ago I was looking at the ISA firewalls at the time, and one thing that was a problem for me was that there was no change tracking mechanism. As you know, the ability to audit the firewall for change tracking is important, especially from a troubleshooting perspective. Do you know if the TMG firewall has any improvements in this area?

Thanks! -Edwin.

ANSWER:

Hey Edwin!

I have some good news for you - the TMG firewall does support change tracking. This is a feature that's included out of the box with the TMG firewall, although it was initially introduced with a service pack for ISA Server 2006. Just click the Troubleshooting node in the left pane of the console and then click the Configure Change Tracking link in the Tasks tab of the Task Pane. There you can enable or disable change tracking. After you enable it, you'll get detailed information about changes made to the TMG firewall, as seen in the figure below.

Finally, when you enable change tracking, you can control how many changes you want to store and whether you want to be prompted to provide a description of the changes you've made.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.
