ISAserver.org Monthly Newsletter of July 2009 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Unified Access Gateway Beta 2 Ready to Roll

We have talked about IAG 2007 from time to time in this space over the last year or so. Things got a bit more interesting last year when IAG 2007 SP2 was released because it was the first time you could actually get some real hands on experience with the product, using a virtual environment. Before then, the only way you could work with the IAG 2007 SSL VPN gateway was to get a loaner from a hardware IAG 2007 provider, or play around with it in a virtual lab.

While SP2 did open up the opportunity to check on what IAG 2007 had to offer, it really did not ramp up interest the way I thought it would. I think the primary issue was that the .vhd download did not really give people the experience they were expecting, and there were some limitations to its use. Nonetheless, there were a number of people who did get their appetites whetted by the IAG 2007 SP2 .vhd. Overall, we can consider this a good thing.

I liked IAG 2007, but I have to say that it is not the easiest product in the world to work with. There are a lot of moving parts, and a lot of those moving parts are hidden behind other parts or are buried under several layers of complexity that can force you to pull your hair out. Indeed, if you wanted to get the most out of your IAG 2007 deployment, you really needed to hire an experienced consultant to give you anything other than a generic out of box experience.

With this as background, you will understand why I am so excited by the recent release of the beta 2 version of the Microsoft Unified Access Gateway or UAG. UAG beta 2 is a public beta, which means you can download and install it and really kick the tires on this release. UAG is a major update when compared to the IAG 2007 product, and works much more like a native Microsoft application. You can install it like any other Microsoft product, and integrate it into your environment in a similar way to what you are used to with ISA and TMG firewall installations.

What is so hot about UAG?

Lots! UAG represents a major shift in Microsoft's approach to remote access. The idea here is that what you really need is a central point of control and management for inbound connections to your network. This is more important than ever, since an increasing number of people are working from home, from hotels, from conference centers, from customer's offices, and many other places that are not at the parent office. You need a way to make connectivity transparent to all your users, so they can get the information they need regardless of their location or even the device they are using. That is the core of the UAG remote access philosophy.

While UAG stands for "Unified Access Gateway", I would like to think of it as the "Universal" Access Gateway, since it enables so many remote access scenarios into a single deployment, configuration and management solution. Why should you have to mess with multiple devices to support access for you users anytime/anywhere? You do not need several different boxes or solutions with UAG. It is your one-stop shop.

UAG is your remote access solution for the following scenarios:

• Terminal Services Gateway and Terminal Services RemoteApp. No need to deploy a second server or array for TSG and TS RemoteApp - use UAG's easy to use wizard to get your TS deployment working in record time.
• Reverse Web Proxy (Web SSL VPN) with exceptional application layer inspection through UAG's advanced positive and negative logic filtering schemes. Built in application optimizers get you up and running with secure access to SharePoint, Exchange, Microsoft CRM, and non-Microsoft Web applications in no time.
• Endpoint detection, either through NAP or UAG's integrated endpoint detection facilities. Session cleanup policies can be based on the results of endpoint detection so that session cleanup and level of access, even on a per-application basis, is possible when connecting through the UAG Web portal.
• Secure Web Portal access, supporting a wide array of authentication protocols for secure two-factor authentication prior to application access. Support for advanced authentication methods such as Kerberos Constrained Delegation is available right out of the box, and it does not require a "rocket science" degree to get it working, which some might have considered the case with IAG 2007.
• Network level VPN support, so that users can access the network over PPTP, L2TP/IPsec and SSTP. SSTP is a great solution for Vista SP1 (and above) clients since it is a true SSL VPN, providing PPP based connectivity over an SSL link
• Continued support for the Network Connector, which is another true SSL VPN, providing network level access for downlevel clients over an SSL connection. This is helpful if you have clients who need network level access, but they do not support SSTP or DirectAccess
• Integrated support for Windows 7/Windows Server 2008 R2 DirectAccess. If you do not know about DirectAccess, now is the time to start, as it provides transparent VPN-like connectivity without requiring user intervention to establish the connection. The problem is that DirectAccess is extraordinarily difficult to get setup and configured and has major dependencies on IPv6. UAG beta 2 takes out much of the IPv6 and DirectAccess hassle, providing right out of the box integrated support for IPv6 transition technologies. The reason for this is so that you can make non-IPv6 resources available to your remote users over the DirectAccess link
• Array support to provide central configuration and high availability for up to 8 members in a UAG array. This included integrated support for NLB, which was not available in IAG 2007. NLB has been enhanced so that UAG represents the only realistically viable solution for DirectAccess server high availability.
• Tight integration with Threat Management Gateway 2010, where TMG provides the rock solid firewall support to make it possible to put the UAG at the edge of the network. UAG automatically configures TMG firewall policies so that admins never need to worry about the TMG configuration. In fact, as a UAG SSL VPN gateway admin, you should never need to look at the TMG firewall policy or need to move into the TMG console for any reason.

These are just some of the highlights. There is a lot more in UAG beta 2 to like. It is very clear that the UAG team spend a tremendous amount of time working on the usability issues that might have stood as barriers to adoption in the IAG 2007 world. Even configuration of the portal interface has been remarkably simplified so that you do not need to be a Web programmer and navigate to 20 different places in the file system to get the look and feel of your portals where you want them.

Now, that is not to say that the UAG is perfect. Nothing is. There are a couple of areas where I think the "unified' aspect of the inbound access gateway approach falls down. There are several inbound access scenarios that are not supported by UAG which will require that you deploy another, separate solution to support them (which to me, violates the spirit of the UAG being the single inbound access solution you need):

• No support for VPN Reconnect (aka - IKEv2). There are some scenarios where you might want to support VPN Reconnect. One I can think of is that VPN Reconnect is a great VPN solution for firms who are not quite ready to get their DirectAccess solutions working.
• No support for what we refer to as "Server Publishing Rules" in the ISA/TMG world. What about SMTP inbound? What about IMAP4? What about POP3? What about DNS? These are important inbound protocols that will require that we use another device, such as a TMG firewall, to allow inbound. If the goal is a separation of duties so that UAG handles all inbound traffic, and TMG handles outbound traffic, then UAG should support all of TMG's Server Publishing Rule facilities
• No support for fine-tuned access controls on network level VPN connections. In contrast to the robust support for per user, per group, per protocol, per destination, per time, per content controls you can enforce through TMG network level VPN connections, this functionality isn't exposed in the UAG interface.

Are these issues enough to make we want to steer clear of the UAG? Not a chance! But these are things I think the UAG team needs to think about so that we can create a clear demarcation of duties between the UAG and the TMG.

Check it out for yourself! You can download UAG beta 2 by following this link.

Finally, I encourage you to read the release notes and other system requirements before getting started on your UAG beta 2 quest. I guarantee that the 15 minutes you spend reading them will more than pay off for itself and you will avoid silly mistakes like those I made when I began testing my UAG beta 2 deployment.

Let me know what you think of UAG beta 2. Send me your thoughts on UAG beta 2 over at tshinder@isaserver.org and I will get them in the newsletter, and if it seems appropriate, share them with the UAG beta 2 team.

See you next month...
Thanks!
Tom

For ISA and TMG and other Forefront Consulting Services in the USA, call me at Prowess Consulting on 206-443-1117.

=====================
Quote of the Month - "If you are not fired with enthusiasm, you will be fired, with enthusiasm." - Vince Lombardi (1913 - 1970)
=======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Overview of New Features in TMG Beta 2 (Part 5)
  
• Outbound SSL Inspection with TMG Firewalls (Part 1)
  
• Outbound SSL Inspection with TMG Firewalls (Part 2)
  
• Configure Forefront TMG to integrate with an TMG Array
  
• How create a PPTP Site to Site VPN between two Microsoft Forefront TMG servers
  

4. KB Article of the Month

A final follow up on my attempt to find a date ordered list of KB articles. I have spoken to people within Microsoft about this, and unfortunately, they confirm that there's no way to find out what the latest KB articles are, at least to the extent that there is no way to find what KB articles were published in the last month. This is a crying shame (as we say in my part of the world). However, Microsoft does change with time and it is always a possibility that they will return the functionality that we once had.

=======================

10060 Connection timed out error with proxy server or ISA Server on slow link

Winsock timeout errors may occur on slow, congested, or high latency Internet links with Microsoft Proxy Server or ISA Server. The following Winsock error Message appears on the client Web browser: 

Proxy Reports:
10060 Connection timed out
The Web server specified in your URL could not be contacted. Please check your URL or try your request again.

Note:
A timeout error may also occur when connecting to an Internet server that does not exist or if there is more than one default gateway on the Proxy Server computer.

For more information and an automated fix for this problem, Microsoft's support site will be able to help.

5. Tip of the Month

With the TMG firewall well into its beta 3 phase, it is time to start planning for your upcoming TMG deployments. Earlier this year, we mentioned that one of the advancements seen in the TMG firewall, compared to the ISA firewall, is the removal of the old "editions" approach to TMG. We were energized by the idea that there would be a single edition that had all the features of what were seeing in the Enterprise editions of the ISA firewalls of the past. Sadly, things did not quite end up that way and we will see two versions of the TMG firewall. In fact, if you have been testing the beta 3 version, you will have already seen the Enterprise edition.

That is water under the bridge. What is important now is to find out what the differences are between Standard Edition and Enterprise Edition. Here's a "cheat sheet" that can help you decide which version you will need:

• Enterprise Edition supports both standalone and EMS (enterprise) arrays. Standard Edition supports standalone server configuration only
• Enterprise Edition supports an unlimited number of CPUs. Standard Edition supports four (not sure if this is four cores, or four sockets)
• Enterprise Edition supports remote storage of firewall configuration. Standard Edition uses local storage
• Enterprise Edition supports arrays, NLB and CARP. Standard Edition supports single member firewall deployments
• Enterprise Edition supports enterprise management. Standard Edition does not
• Enterprise Edition integrates with Stirling. Standard Edition does not.

Those are the main differences between Standard and Enterprise editions. One thing I ca not tell you yet is what the price differences between the editions will be. If I had to guess, they will probably be similar to what we saw with ISA Standard Edition and Enterprise editions.

6. ISA/TMG/IAG Links of the Month

ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org

• Comparing UAG and TMG arrays
  
• New White Paper: Implementing an ADFS Solution for Microsoft Dynamics CRM by Using Intelligent Application Gateway (IAG)
  
• Microsoft ISA Server 2006 Web-based Management Console?
  
• Reviewing the Microsoft ISA Server 2006 System Policy
  
• Requesting ISA Server Certificates from a Windows Server 2008 Certificate Authority
  
• Using the ADAM Sites Tool with ISA Server 2006 Enterprise Edition
  
• I've Just Installed Forefront TMG Beta In VMware Workstation
  

7. Blog Posts

• Installing TMG Beta 3 on a DC?
  
• Join the Microsoft Telemetry Community and Make TMG Better
  
• UAG Loves Your End-Users and So Should You
  
• More Information on the Office Web Components Issue
  
• MS09-031: ISA Server 2006 FBA and RADIUS OTP Bulletin
  
• Unified Access Gateway 2010 Beta 2 is Here!
  
• Closing the Network Backdoor: Using Forefront Threat Management Gateway Beta 2 to Create a Safe Web Experience
  

8. Ask Dr. Tom

QUESTION:

Hi Tom,

Is there an easy way to export and/or print system and firewall rules. I am the network administrator but have been given the task of taking over the ISA Server 2006. I want to be able to see this in either a spreadsheet or otherwise to understand what each rule is doing (i.e. ... blocking port 23 or blocking ebay and facebook) or allowing FTP traffic.

Thanks!
Jerry W.

ANSWER:

Hi Jerry,

There is nothing in the ISA firewall console that will allow you to do this easily. But I can highly recommend that you use Jim Harrison's ISAInfo tool to get the information you need. ISAInfo will provide you with a nice printout of your configuration that you can use in your review of firewall policy. Check out the ISAinfo tool here. Another option is Redline Software's Config Viewer. I have never used it but some people have recommended it.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.