ISAserver.org Monthly Newsletter of December 2009
Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

1. Introducing ISAserver.org's Deb Shinder

As most of you already know from last month's newsletter, Tom has taken a full-time position with the TMG team at Microsoft. Consequently, I will be taking over most of his former duties here on ISAserver.org. It makes sense, as I co-authored the ISA Server books with him and have served as his sounding board and sometimes proofreader for all these years. And hey, the network infrastructure is already in place. In addition to the ISA books, I have authored two books of my own, co-authored a few with other people, and contributed to more than twenty in all, on a wide range of networking and security topics. I write for Windowsecurity.com and TechRepublic/CNET, and blog about Windows 7 for Amazon and about tech gadgets and consumer technology on Windows Live. I edit a couple of weekly Windows newsletters and do contract work (white papers, product documentation, courseware) for Microsoft, Hewlett-Packard, Sony, and other software and hardware companies. For the past five years, I have been a Microsoft MVP in the field of Enterprise Security. If you want to know more about me, check out my personal web site at www.debshinder.com

Tom is a hard act to follow, but my pledge to you is to follow the precedents he has set and to continue to provide the same high-quality content in this newsletter and in the articles and blog posts on this site. The good news is that I have my own in-house TMG expert to turn to with the tough questions - although of course he may not always be able to answer all of them because of NDA.
For those of you who are worried about missing Tom's unique personality, do not worry! Even though he cannot work for TechGenix anymore, he will still be involved in the discussion boards along with other Microsoft employees, so his voice will not disappear from the site. Meanwhile, I want to let you know about a project that he has been involved in: the new TMG book that he, Jim Harrison, Yuri Diogenes, and Mohit Saxena have been working on. Actually, Jim, Yuri and Mohit did the writing, and Tom did the technical edit of the book. This book, The TM Administrator's Guide, was quite the labor of love; for the last year I have watched Tom working 12-14 hours a day on his regular job, and then after that, spending a couple of hours most nights reviewing the chapters of the TMG book. From what Tom tells me, this book is going to set a new standard for ISA/TMG books. Some of the reasons this book will be unique:
Now, after all these months, the writing is all done and we are looking forward to its release in February. If you want to learn more about TMG, from the most authoritative sources, plan on checking it out. For more information about the book, have a look here. With Tom's new job, I expect that he will be writing much more about TMG and UAG - and you will reap the benefits of his efforts in various "locations" - such as at Microsoft.com and presenting at a variety of tech conferences. Although he enjoys all aspects of IT work, Tom has always been happiest when he was working full time on ISA Server, and it is great that he has the opportunity to do that again. I am looking forward to seeing my husband looking forward to each day and working with the technology that really gets his mind going in high gear - TMG and UAG! I am looking forward to working more with these technologies myself, and doing all I can to help those of you who use them.

Deb Shinder

======================

2. ISA Server 2006 Migration Guide - Order Today!
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. ISA/TMG Article of the Month

One thing that the old ISA firewall did not have much to brag about was its IDS/IPS capabilities. Sure, it had a decade-old system that could be used to look at a handful of network-level attacks, but somehow that feature was much more interesting in 1999 than in 2009. TMG changes the game quite a bit with the introduction of the Network Inspection System (NIS). With NIS, you get a real, industrial-strength IDS/IPS that protects your networks (especially your Microsoft networks) better than just about anything on the market today - and that's saying quite a bit, because there are a lot of good IDS/IPS products out there right now. Don't believe me? Then check out the new Guide to Configuring, Monitoring, and Troubleshooting the Network Inspection System (NIS) in Forefront Threat Management Gateway (TMG) 2010.

5. Tip of the Month

Arrays. We encounter quite a variety of arrays when thinking about ISA or TMG firewalls. CARP arrays, NLB arrays, firewall arrays, web proxy arrays - it's a dizzying array of arrays! TMG adds to the plethora of arrays with two new definitions of array: "standalone array" and "array managed by Enterprise Management Server (EMS)" (and here you might have thought that EMS was "Emergency Medical Services"). What's the difference between the two? In a standalone array, the configuration settings are stored on one of the members of the firewall array, which is called the "array manager server". The array manager server is the equivalent of the dedicated CSS, but it runs on one of the array members. Not the most secure option in the world, but not the least either. The EMS-managed array is an array managed by an Enterprise Management Server (I guess we would not be using the term CSS anymore). Note that in both the standalone and EMS-managed arrays, the configuration is stored in Active Directory LDS - which is the same way it was stored for the Enterprise Edition of the ISA firewall.
Some interesting facts about arrays of TMG firewalls:
Wow! That's a LOT of TMG firewalls! For more information about TMG firewall arrays, go here.

6. ISA/TMG/IAG/UAG Links of the Month
7. Blog Posts
8. Ask Deb Shinder

QUESTION: Hi Deb, Welcome to ISAserver.org! I have read the books you did with Tom and I am happy to see you here answering questions and doing the newsletter. OK, since this is your first newsletter, I will ask you an easy question. I have an ISA firewall, and as you know it creates problems with rDNS, since my MX record is pointing to an IP address which is not the default IP address on the external interface of my firewall. Well, I should say I "had" that problem since I had to fix it once I figured out what was going on. Can you tell me if the TMG firewall fixes this problem? Thanks! - Leon.

ANSWER: Thanks for the easy question! Yes, I have some good news for you: the TMG firewall has a new feature called "Enhanced NAT" or ENAT. With ENAT, you can bind a specific IP address on the external interface of the firewall to the outbound connections of a particular internal host - for example, an SMTP server on your internal network. So if you have .1, .2, and .3 on the external interface, and the default IP address is .1, you can have outbound mail from your mail server go out showing a source IP address of .2 or .3. You can use this for other protocols as well. Note that this only works when the primary connection is outbound. Responses to inbound requests will not use the ENAT address; they will come back on the IP address on which the request was made. This can get tricky for some protocols, such as FTP. PASV mode FTP is not a problem because all connections are initiated by the FTP client, so they always go through the same IP address on the external interface of the TMG firewall: when the inbound request is to .2, responses come back on .2. However, with PORT mode FTP, the initial inbound request is made to .2 by the external client, but the data connection is then opened by the FTP server. If that server is configured with an ENAT mapping to .3, the data connection will fail because the client was expecting it to come from .2.
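To make the source-address rule concrete, here is a small added model (my own illustration, not TMG code or anything from the newsletter) of how a firewall applying ENAT picks the external address for a flow, and why a PORT-mode FTP data connection breaks when the server has an ENAT mapping. All addresses are constructed: 203.0.113.1/.2/.3 stand in for the .1/.2/.3 external addresses above, and 10.0.0.x for internal hosts.

```python
# Added example (not from the newsletter): models ENAT source-address selection.
# Constructed addresses only; no real firewall API is used.

DEFAULT_EXTERNAL_IP = "203.0.113.1"           # the ".1" default external address
ENAT_MAP = {"10.0.0.25": "203.0.113.3"}       # internal mail/FTP server -> ".3"


class TmgNat:
    """Source-address selection for outbound and reply traffic under ENAT."""

    def __init__(self, default_ip, enat_map):
        self.default_ip = default_ip
        self.enat_map = enat_map
        # (internal host, external client) -> external IP the client connected to
        self.inbound = {}

    def inbound_request(self, client_ip, external_ip, internal_host):
        """Record a published-server request so its replies reuse that address."""
        self.inbound[(internal_host, client_ip)] = external_ip

    def reply_source(self, internal_host, client_ip):
        """Replies to inbound requests ignore ENAT: same address the request hit."""
        return self.inbound[(internal_host, client_ip)]

    def outbound_source(self, internal_host):
        """New outbound (primary) connection: ENAT address if mapped, else default."""
        return self.enat_map.get(internal_host, self.default_ip)


def port_mode_ftp_data_ok(nat, client_ip, control_external_ip, ftp_server):
    """Return (accepted, data_src) for a PORT-mode data connection.

    The client opened the control connection to control_external_ip. In PORT
    mode the server opens the data connection, so it is an outbound primary
    connection and ENAT applies; the client expects it to come from the same
    address it used for the control connection.
    """
    nat.inbound_request(client_ip, control_external_ip, ftp_server)
    data_src = nat.outbound_source(ftp_server)
    return data_src == control_external_ip, data_src


if __name__ == "__main__":
    nat = TmgNat(DEFAULT_EXTERNAL_IP, ENAT_MAP)
    print("outbound SMTP from 10.0.0.25 leaves as", nat.outbound_source("10.0.0.25"))
    ok, src = port_mode_ftp_data_ok(nat, "198.51.100.7", "203.0.113.2", "10.0.0.25")
    print("PORT-mode data connection from", src, "accepted by client:", ok)
```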
Ouch! So be careful with your ENAT mappings or you might get an unwanted surprise.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org. Till next month!