ISAserver.org Monthly Newsletter of February 2011 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

1. Does Remote Access Matter Anymore?

Cloud, cloud, cloud! Seems like all you hear about these days is cloud! OK, you also hear about smart phones and "pads" - but where do those devices go to get their never-ending stream of apps and store much of their data? That's right: "To the cloud." Today's IT world seems to be all about data in the cloud, services in the cloud, and connecting to data and services in the cloud using a smart phone or a tablet. If we're to believe the tech press, desktops are dead, laptops are on a respirator, and the PC revolution is about to have its history written off as the "golden age of computing," something we can tell our grandchildren about as we reminisce about how fun computing was when it was new and free.

But maybe things aren't really quite that gloomy. In fact, I think you hear so much about cloud, smart phones and pad PCs because they're considered the new, hot items and more importantly, because they are high margin devices in a market that has lots of room for growth. The desktop and laptop PC markets are pretty saturated, at least in the U.S. and other so-called first-world countries - so there's not a lot of room for growth. Both of those markets have reached a point of commoditization, so the margins are thin and there's little room to innovate in those spaces. But the fact is, if you want to get work done - and I mean real, creative, profit-making work - you're probably going to need a desktop or laptop PC.

In addition, you're going to need access to the information that's stored on your intranet. In spite of all the "cloud speak," the truth is that organizations will not put all, or even most of the information that you need to get high-impact, profit making work done in the cloud. The company might not trust the cloud, might not believe that the cloud is secure, or there might be regulations that prevent the company from putting key information in the cloud. Estimates at this time vary, but most of the larger IT departments in the world estimate that at most, they expect to put between 40-60% of their data and services into the cloud. Information and services that are most critical, most sensitive, most private, and most demanding of the command and control of the firm that owns that data and services, will stay on premises.

Given that it's likely that more than half of the data and services that your firm needs to drive its success will remain on internal servers, it seems that remote access is still an important and critical issue. In fact, remote access is more important than ever - not in spite of the cloud, but in part because of it. Employees will expect anytime, anywhere from any device access to intranet resources because they will have become accustomed to the universal access enabled by the cloud-sourced data and services. This means that the services and data hosted on the intranet will need to be similarly available.

The cloud is "always on". Your users don't need to connect to a VPN in order to connect to a cloud resource. Your users don't need to connect to a corporate SSL portal to connect to a cloud resource. They don't have to think about connectivity at all. Sure, they might use different applications to connect to different cloud resources, but they don't have to think about the issue of connectivity itself. They open a browser or some line of business application and they get what they need. No muss, no fuss.

We need to provide the same connectivity for intranet resources. If we don't, users will shy away from information and services hosted on the intranet, with the end result being that the company will be at a competitive disadvantage. This means that you are going to have to provide the same "always-on" connectivity for your intranet resources.

How do you do that? Well, you've probably heard of DirectAccess. DirectAccess is all about allowing the same transparency to intranet access that your users have to the Internet cloud based services. When you enable DirectAccess for your users, all the user had to do is turn on the computer and it connects to the intranet. In fact, the user doesn't even have to log on. And if the computer is running, corporate IT can connect to the DirectAccess client and manage it. After the user logs on, the user has access to the intranet in the same way he would if he were connected directly to the corporate LAN. And as with connectivity to the cloud, the user didn't have to do anything to connect to the intranet data and services - they just work "automagically."

What's the catch? Such a critical service must be highly available. That's where UAG DirectAccess comes in. While there is DirectAccess built into the Windows Server 2008 R2 operating system, it doesn't provide high availability. Remember, you want the same "dial tone" access that cloud services provide, so you need HA with DirectAccess. UAG DirectAccess gives you that.

In a cloudy future, DirectAccess is the best possible remote access solution. High overhead, clunky, and inconsistent access experiences provided by VPNs and SSL VPN gateways are old school; if you want your organization to compete and win, you need the always on connectivity provided with DirectAccess.

Of course, there are some security issues (there are ALWAYS security issues). Next month, we'll talk about some of those security issues and what you can do to solve them in an always connected, always on, and always working world on cloud and on-premises solutions.

See you next month! - Deb.
dshinder@isaserver.org

======================
Quote of the Month - "Computers are like Old Testament gods; lots of rules and no mercy". - Joseph Campbell
======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

• Forefront TMG - Scripting with VBScript and Powershell
• TMG Back to Basics - Part 4: Network Objects
• Configuring One-to-One NAT with TMG 2010
• Five Dumb Things Admins Do with a TMG Firewall
• Microsoft Forefront TMG - How to configure Forefront TMG as a DirectAccess Server
• TMG back to Basics - Part 3: Protocol Definitions
• GFI WebMonitor Voted ISAserver.org Readers? Choice Award Winner - Content Security
• DNS Configuration Review for Microsoft Forefront Threat Management Gateway (TMG) 2010
  

4. ISA/TMG/UAG Content of the Month

Are you new to the TMG firewall? Need to know what your deployment options are? Then check out this webcast. TechNet Webcast: Forefront Threat management Gateway: Deployment, Migration, and Licensing (Level 300).

Many of you are interested in the new web protection and IDS capabilities in the TMG firewall - none of which were available in the previous version, the ISA firewall. In this webcast, TechNet Webcast: Forefront Threat Management Gateway 2010: Protection Features and Underlying Technologies (Level 300), you can learn about these new advanced security features included with the TMG firewall.

5. Tip of the Month

Are you an ISA firewall admin who's wondering whether it will be worth upgrading to the TMG firewall? You're happy with your ISA firewall, so why upgrade to TMG? There are a number of good reasons, not the least of which is the new Troubleshooting node in the TMG firewall console. In the Troubleshooting node of the TMG console, you'll see some significant improvements over what you had with ISA firewall Service Pack 2. There are four tabs in the new Troubleshooting node: Troubleshooting, Change Tracking, Traffic Simulator, Diagnostic Logging and Connectivity Test. You can use these new tools to solve many of your TMG firewall problems. For more information on TMG firewall troubleshooting and how to use these tools, check out Forefront TMG Troubleshooting.

6. ISA/TMG/IAG/UAG Link of the Month

I've run into a number of ISA firewall admins in the last couple of months who are very interested in upgrading to the TMG firewall. Like all of us, they would like to get the latest and greatest, but we have to be careful with our time. How easy is it to upgrade from the ISA firewall to the TMG firewall? Easier than you think! For the details of how easy it is, check out the topic Migrating and upgrading to Forefront TMG.

7. Blog Posts 

• Why You Need an External ISATAP Router to Support Multi-Site UAG Deployments
• Forwarding on the 6to4 network interface cannot be enabled
• Inbound TLS SMTP Traffic gets TCP Reset when published through TMG 2010
• New IPv6 Test Lab Guide Available
• Configure a Site to Site VPN Between PIX and TMG Firewalls
• Looks Like the TMG Firewall Team Likes My Back to Basics Series
• Solving the Mystery of Firewall Service High CPU Utilization
• HTTP to HTTPS Redirection Options in Forefront TMG and UAG
• Using Exchange Client Access Server (CAS) Forms Based Authentication (FBA) with Forefront UAG is Not Supported (Now Enforced in SP1)
• Why Does UAG DirectAccess Require Two Public IP Addresses?
  

8. Ask Sgt Deb

QUESTION:

Hi Deb!

I need assistance to configure my 2 ISA firewalls in such a way that if my one ISA firewall goes down, the request is routed to the other firewall (basically a failover).

Here are the current setups for my ISA firewalls:

1. Both  ISA firewalls are Enterprise Edition 2006
2. They are at different locations(different subnets altogether)
3. Right now  the firewalls  are deployed as only forward web proxy firewalls
4. On my client computers,the IE settings are Use proxy server and from group policy we have added the proxy address according to the location
5. Also they have their own CSS.
6. One more important thing, there is only 1 array and it has one server under it on both the ISA consoles.

As I was not the one who initially set up this, I do not want to change any current setting without any knowledge on this.

I have read a few articles which only talk about the failover for intra-array server, and that too by DHCP or DNS which either uses automatically client setting or the configuration script. Not the ones which use the following proxy server.

Please help me with this as I am really required to implement this. Regards - Deeptha

ANSWER:

Hi Deeptha,

There are a number of things included in your scenario that actually make it easier to do what you want to do. Most importantly, you are using your TMG firewalls as forward web proxies only. This allows you to configure the autoconfiguration settings on each of the TMG firewalls to forward requests to another web proxy in the event that the web proxy isn't available. You will need to configure the web proxy clients to use the autoconfiguration script so that they will receive the settings and will know what web proxy address to send the request to if the web proxy that they're configured to use becomes unavailable.

Here's what you need to do: Click on the Networking node in the left pane of the TMG firewall console and then click the Networks tab. Right click the Internal Network and click Properties and then click Web Browser.

On the Web Browser tab, you'll see something similar to what appears in the figure below. Put a checkmark in the checkbox that says If Forefront TMG is unavailable, use this backup route to connect to the Internet. Then select the Alternative Forefront TMG option and put in the FQDN of the other ISA firewall. Do the same on the other ISA firewall, but enter the name of the first ISA firewall. After the web proxy clients get the autoconfiguration script, they will try to access the Internet through the alternative ISA firewall if their primary ISA firewall becomes unavailable.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.