ISAserver.org Newsletter of July 2009

ISAserver.org Monthly Newsletter of June 2011 Sponsored by: Wavecrest Computing

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

Monitor Employee Web Use

Try Cyfin Reporter, a highly customizable Web-use monitoring and reporting product. Cyfin is an advanced log analyzer that supports over 100 logfile formats including ISA and TMG. Cyfin provides actionable, manager-ready reports that show categorized employee activity, include drill-down, automatic abuse detection, flexible scheduling and versatile custom categories. Cyfin helps you improve productivity, conserve bandwidth and reduce legal liability and security threats.

Free Trial

1. On the Road with the TMG Firewall

Like most of you, I run a TMG firewall on my home network. This allows me to test a variety of configurations and do proof of concept testing on a live FiOS network, trying out scenarios that would be difficult to do if I used only test labs to do the testing. Over the years, the "skunkworks" (Tom's term) network we've put together, starting with ISA 2000 and now running TMG 2010, has grown into one with multiple DMZs, network services segments, and all sorts of wireless segments of varying levels of trust. We even have a honeynet that we use from time to time to do some testing that requires honeypots.

I had the chance to spend a little time out of town recently and the experience made me think about how much I still depend on the TMG firewall when I'm out of the office and on the road. Some of those thoughts about TMG from the road include:

  • The TMG sits in front of my UAG DirectAccess server. You might wonder how I got the UAG DirectAccess server to work from behind the TMG firewall that is acting as a NAT device; it works because Tom told me how to create a design that will "trick" the UAG DirectAccess server into thinking that it's using real public IP addresses. I'd tell you how I did this, but Tom tells me it's an unsupported configuration (although it does work).
  • Not all of the devices or computers I use when on the road support DirectAccess. So the TMG firewall acts as a remote access VPN server. For the machines that support it, I use the SSTP VPN. For devices that don't support SSTP, I'll use PPTP or L2TP/IPsec to create the VPN connection. VPN connections are important when you're using an untrusted WAP to connect to the Internet (and to a suspicious former cop like me, all WAPs are untrusted, except those that I manage myself at home). The risk of "side jacking" is significant and you can mitigate this risk by using an encrypted connection to the TMG firewall and then reaching the Internet through the firewall instead of directly. The TMG firewall fully supports this configuration, and the client can even be a web proxy and firewall client of the TMG firewall into which it's VPNed.
  • One trick I use from time to time, when I don't want or need a full VPN connection, is to create a secure web proxy client connection to my TMG firewall. As you might know, you can't secure the web proxy client connection between the web proxy client and the TMG firewall. However, you can secure the connection between two TMG firewalls in a web proxy chaining configuration. The trick is to host a virtual instance of the TMG firewall on the laptop, then chain that virtual instance to the TMG firewall at home. Sure, it's overkill and sort of a kludge, but if you can do it, why not? It creates a secure connection and doesn't expose my network to a VPN connection (why use VPN if you only want to use a secure web proxy?)
  • Another option is to use remote desktop to my "VDI" instance in the office. With Windows Server 2008 R2 and the right GPU in the server, I can get really great full screen video over the RDP connection. You'd be amazed at how well this works over a wireless hotspot 4G LTE connection (thank you, Verizon Wireless).

What do you do that's fun, innovative, and maybe not supported with your TMG firewalls that you run in your home or home office? Let me know! I'll publish the more interesting deployments in next month's newsletter.

NOTE: I've received quite a bit of mail over the past two weeks, full of questions about the future of TMG. That might have seemed like a logical topic for this month's editorial, but the fact is: I've already said all that I can say about it. I just don't have any new information to share with you. The statement that Gartner quoted from Microsoft has been repeated, dissected and analyzed but until we get something official to confirm or deny the conclusions that Gartner made based on that statement, we're in WaS (Wait and See) mode. The minute that happens, I'll let you know, so be sure to follow me on Twitter (debshinder) and check the ISAServer.org blog regularly.

See you next month! - Deb.
dshinder@isaserver.org

======================
Quote of the Month - "If you require absolute security, remove all devices in your computer capable of I/O." - Anon.
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.

3. ISAserver.org Learning Zone Articles of Interest

4. ISA/TMG/UAG Content of the Month

Configuring the TMG Firewall as a BranchCache Server

BranchCache is a very cool technology that allows users at the branch office to obtain SMB and HTTP content from a local network cache instead of having to go over the WAN link over and over again to get that material. For hosted mode, you need a server. But why should you have to dedicate a server for BranchCache when the TMG firewall can act as the hosted mode BranchCache server? Check out the guidance on how to do this here.

5. Tip of the Month

"Historically, some believed that a firewall based on a general purpose operating system like Microsoft Windows couldn't be secure. With a mature Security Development Lifecycle (SDL) in place, a well-defined vulnerability notification and patch management process, and Microsoft ISA Server and Forefront Threat Management Gateway's (TMG) long track record of security and reliability, this theory has been conclusively disproven. The Forefront TMG firewall running on Windows Server 2008 R2 is arguably more secure than many of its competitors today.

The overall security of the solution can be enhanced and the TMG firewall's attack surface further reduced by adhering to some common administrative best practices. Following them will ensure the highest level of security for the TMG firewall. When establishing a management policy for your TMG firewalls, it is best to enforce the principle of least privilege as much as possible..."

Check out the administrative tips and tricks in this article by Richard Hicks.

6. ISA/TMG/IAG/UAG Link of the Month

A TMG rule by any other name might perform the same - but putting a little thought into the names that you give to your rules can make it easier to manage them, and a lot easier for another administrator who comes in someday to take your place (because you've moved up to bigger, better things). This short post provides some handy tips on naming conventions for TMG rules, to help you pick names that will be helpful on down the road.

7. Blog Posts 

8. Ask Sgt Deb

QUESTION:

I need assistance to configure my 2 ISA firewalls in such a way that if one of my ISA firewalls goes down, the request is routed to the other (basically, a failover scenario). Here is the current setup for my ISA

  1. Both are enterprise edition
  2. They are at different locations (diff subnet altogether)
  3. Right now they're only acting as web proxy servers for my clients
  4. On my client computers, the IE settings are Use proxy server and from group policy we have added the proxy address according to the location
  5. Also they have their own CSS.
  6. One more important thing, there is only 1 array and it has one server under it on both the ISA consoles.

As I was not the one who initially set up this, I do not want to change any current setting without any knowledge on this.

I have read a few articles which only talk about the failover for intra-array servers, and that too by DHCP or DNS, which either use the automatic client settings or the configuration script, not the ones which use the following proxy server. Please help me with this as I am really required to implement this.

Regards,
Deeptha

ANSWER:

The best way to solve this problem is to make both firewalls members of the same array, then let the autoconfiguration script take care of things for you. While this isn't a transparent solution, the user will be able to restart the browser and get access to the remaining TMG firewall. However, since you're not in a position to change this, it sounds as if what you want to do is have one of the TMG firewalls be the main web proxy server, and the other firewall act as a hot standby. You can accomplish this for web proxy clients by configuring the "active" TMG firewall to include a backup route in the autoconfiguration script it serves.

If you open the Properties dialog box of the Network or Networks from which the web proxy client requests originate and click on the Web Browser tab, you'll see something similar to what appears in the figure below. All you need to do is enter the name (FQDN) of the alternate TMG firewall and the clients will forward their requests to the live backup firewall.
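As an added illustration of what the "backup route" setting actually puts in front of the browser (this is not the script ISA or TMG generates, and not code from the newsletter), here is a hand-written proxy autoconfiguration (PAC) script in the same style. The browser tries the proxies in the order they are listed and only moves to the next one when it cannot connect to the first, which is exactly the hot-standby behaviour asked about above. The host names, ports and subnets (isa-siteA.corp.example, isa-siteB.corp.example, 10.1.0.0/16, 10.2.0.0/16, .corp.example) are assumptions for the example. The helper functions dnsDomainIs, isPlainHostName and isInNet are normally supplied by the browser's PAC engine; minimal versions are included so the file also runs outside a browser for testing.

```javascript
// Added example: a PAC script with a primary proxy per site and the other
// site's proxy as the backup route. All names and subnets are assumptions.

// Stand-ins for helpers the browser's PAC engine provides. They are written
// in old-style JavaScript (var/function) because PAC engines are conservative.
function dotted2int(ip) {
  // "10.1.5.20" -> unsigned 32-bit integer
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) | (parseInt(octet, 10) & 255);
  }, 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  // true when host falls inside pattern/mask (dotted-quad mask, as in PAC)
  var m = dotted2int(mask);
  return ((dotted2int(host) & m) >>> 0) === ((dotted2int(pattern) & m) >>> 0);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substr(host.length - domain.length) === domain;
}

// Assumed proxy listeners: one ISA/TMG web proxy at each site.
var PROXY_A = "PROXY isa-siteA.corp.example:8080";
var PROXY_B = "PROXY isa-siteB.corp.example:8080";

// Core decision, with the client address passed in so it can be tested
// without a browser. The browser entry point below obtains it via myIpAddress().
function chooseProxy(url, host, clientIp) {
  // Plain names and the internal domain go direct (equivalent of the
  // "bypass proxy for local addresses" setting).
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Site A clients (assumed 10.1.0.0/16): local proxy first, site B as backup.
  if (isInNet(clientIp, "10.1.0.0", "255.255.0.0")) {
    return PROXY_A + "; " + PROXY_B;
  }
  // Site B clients (assumed 10.2.0.0/16): the reverse order.
  if (isInNet(clientIp, "10.2.0.0", "255.255.0.0")) {
    return PROXY_B + "; " + PROXY_A;
  }
  // Any other client (VPN pool, new subnet): still only ever the two proxies.
  // Deliberately no trailing "DIRECT": if both proxies are down the browser
  // must fail, not silently bypass the firewall.
  return PROXY_A + "; " + PROXY_B;
}

// Entry point the browser calls; myIpAddress() exists only inside a PAC engine.
function FindProxyForURL(url, host) {
  return chooseProxy(url, host, myIpAddress());
}
```

Two caveats worth knowing before relying on this. First, the browser only falls over to the backup when the TCP connection to the primary fails (refused or times out); a proxy that accepts connections but is otherwise broken will not trigger failover. Second, browsers remember a failed proxy for a while and may need a restart to go back to the primary once it returns, which is the non-transparent behaviour mentioned in the answer. The rule about not ending the list with DIRECT is the security point: a PAC script that falls back to DIRECT turns a proxy outage into an unfiltered path to the Internet.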

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.