ISAserver.org Monthly Newsletter of March 2009 Sponsored by: GFI

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. What About TMG in the Cloud?

I have been spending a lot of my time lately with my head in the clouds. No, I do not mean that I have been daydreaming a lot. What I mean is that I have been thinking about and doing a lot of research into cloud computing. Cloud computing is the Next Big Thing and it is important that everyone, including ISA and TMG firewall admins, have a good idea what cloud computing is about and how to prepare yourself for this upcoming paradigm shift.

There are a lot of different definitions of cloud computing. Some say that it is just Internet based services, like hosted services. Some say that its Internet based delivery of a software development platform. Some says that it is an extension of Grid Computing, where you can massively scale out compute resources on-demand. Some say it is really utility computing, where customers are charged based on usage, like with electricity or gas. And some say that it is all of the above and more, such as virtualization over the Internet.

In reality, cloud computing can be any of these things, as long as the infrastructure, platform or service is delivered over the Internet. What I see as the primary goal of cloud computing is to enable increased flexibility in computer resource allocation and significantly reduced capital expenditures. The increased flexibility enables you to get the compute resources your need on demand, pay only for the resources you need, scale down when you do not need them any more, and focus your capital outlay on your core line of business rather than shelling out for hardware that you might never need.

Cloud computing will change how we do things in our datacenters. If predictions about cloud computing are accurate, you will see much of your current datacenter moved to cloud providers, such as IBM, Google, Amazon or Microsoft. You will be using these providers to enable infrastructure services, software development platform services, and software as a service. SharePoint, Exchange, Microsoft CRM, SQL and other types of dedicated administrators would not be required in-house because the cloud services provider will do 90%+ of that work for you. The remaining 10% of the work can be done by many fewer admins, and their expertise would not necessarily be in these software applications as much as it will be in being a liaison with the cloud services provider and optimizing the applications to work most efficiently in the cloud.

So how does this effect the ISA or TMG firewall admin? Or the general purpose network security guy? Unlike the other applications I mentioned, I do not think the ISA or TMG firewall admin will be as adversely affected as say, the Exchange Server admin. With software as a service and Exchange hosted services, as well as services such as Microsoft Business Productivity Online, we can envision a future where sophisticated and high-dollar Exchange administrators will go away, since the cloud provider will do the heavy lifting. In contrast, I don't see such a future for the ISA or TMG firewall administrator.

Why? Because there is always going to be a network behind the firewall. Not all information can be trusted to the cloud. And even if trust is not an issue, bandwidth will always be an issue, to the extent that hosting some types of information or compute resources in the cloud is not feasible. Also, many organizations will prefer to adopt more of a "cloudburst" model, where information is maintained primarily on the corporate network, but synchronized to the cloud for disaster recovery and high availability.

Regardless the reason, there will always be a corporate network of higher trust than the "non-internal" networks. And the line of demarcation between the two is the edge network security device, which in the future will be a sophisticated UTM instead of the traditional firewall, and it is also likely that the UTM, such as the TMG firewall, will be running on a virtualized platform to take advantage of the economies of scale enabled by 64 bit software and hardware architectures.

While the futures of Exchange, SharePoint and other services based admins seems somewhat dim, the good news is that if your focus is on network and infrastructure security, you should be in good shape. You still need to control access out of, and into your corporate network, you still need to perform stateful packet and application layer inspection on that traffic, and you need to provide your users anywhere access to information that still remains on the corporate network and is not available from the cloud.

This is not to say that that the cloud isn't another place for the TMG. Indeed, I can foresee a future where there are corporate TMG firewall arrays controlling inbound and outbound access to the corporate network, and cloud based TMG firewall arrays that control what corporate clients do when outside of the company network. Employees outside of the corporate network will use these cloud based TMG firewall arrays to enable the same level of network security experienced by users behind the edge TMG firewall arrays at the office.

The future is bright for cloud computing and for network security and firewall administrators. In subsequent newsletters and articles I will write more about my ideas on TMG firewall arrays and cloud computing, and present some ideas you might be able to implement before Microsoft comes up with any possible TMG cloud plays of its own.

But the writing is on the wall - update your skills sets now so that you're ahead of the cloud.

What do you think? Will ISA and TMG firewall admins be less impacted by cloud computing than other infrastructure and services admins? Do you think that TMG might be a viable cloud based solution? Did I get anything wrong? Let me know! Write to me at tshinder@isaserver.org and let us talk about it. Maybe we will be the next in line to become cloud billionaires :)

Tom
tshinder@isaserver.org

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you into the secret tweaks that we use to get an edge over the bad guys.

For ISA and TMG and other Forefront Consulting Services in the USA, call me at Prowess Consulting on 206-443-1117.

=====================
Quote of the Month - "The difference between ordinary and extraordinary is that little extra." - Jimmy Johnson =======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Product Review: Winfrasoft Gateway Appliances
  
• Overview of New Features in TMG Beta 2 (Part 1)
  
• Celestix MSA Series Voted ISAserver.org Readers’ Choice Award Winner - ISA Appliance
  
• Explaining ISA Server 2006 Web Server load balancing
  
• Enabling Secure FTP Access Through ISA 2006 Firewalls (Part 2)
  
• Enabling Secure FTP Access Through ISA 2006 Firewalls (Part 1)
  
• How to use the ISA Server 2006 Network Templates
  

4. KB Article of the Month

Link translation causes an endless loop when you use Web servers that redirect HTTP requests as HTTPS requests in ISA Server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008

"Consider the following scenario:

1. You have a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 in a split DNS infrastructure.
2. You have a Web server that automatically redirects HTTP requests to Secure Socket Layer (SSL) requests.
3. You create a Web publishing rule for the Web server that redirects HTTP requests to HTTPS.

4. You use one of the following configurations:

   • You configure the Web listener to listen for HTTP requests and also to use bridging.
   • You configure the Web listener and the bridging for both HTTP and for SSL requests (HTTPS).
     In this scenario, when the Web server receives an HTTP request, it redirects the request to the ISA server as an SSL request (HTTPS). For example, http://www.contoso.com is redirected to https://www.contoso.com.

Then, the ISA server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 translates SSL requests to HTTP requests and redirects it to the Web server. This causes an endless loop.

To fix this problem, check out the KB article over here.

5. Tip of the Month

Getting OCS and ISA to play well together is not for the home gamer. There are a lot of moving parts that you need to consider and if one of them stops moving, you're going to be in a world of hurt. Check out this thread over at the ISAserrver.org Web boards to get a jump on the configuration.

Did life suddenly go from bad to worse when you installed ISA Server 2006 SP1? You know, when the "change password" feature stopped working? Well, SP1 fixed something to prevent a certain security issue that could be leveraged by determined hackers. However, it also horked some required functionality for the change password feature. Check out the KB article The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1 here. 

6. ISA/TMG/IAG Links of the Month

ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org

• How ISA Server and Microsoft Forefront Threat Management Gateway, Medium Business Edition cache responses to Web publishing client requests in reverse proxy mode
  
• Interoperability of Routing and Remote Access and Internet Security and Acceleration Server 2004 or Microsoft Forefront Threat Management Gateway, Medium Business Edition
  
• IT Manager Webcast: Closing the Network Backdoor: Using Forefront Threat Management Gateway Beta 2 to Create a Safe Web Experience (Level 200)
  
• The external network adapter on your ISA Server 2006, ISA Server 2004, or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer cannot obtain an IP address from a DHCP server 
  

7. Blog Posts

• AuthLite Two Factor Authentication Now Available
  
• Handy Guidelines for Determining Whether to Use Access or Publishing Rules
  
• Best practices for configuring ISA/TMG to allow SQM data
  
• SQL Server 2005 Express Edition Service Pack 3 fails to install on a TMG machine
  
• What's New in GFI WebMonitor 2009
  
• Installing Forefront Threat Management Gateway (TMG) Beta 2
  
• Please Read the TMG Beta 2 Release Notes
  
• Stirling/TMG Firewall Honeypot Detection
  

8. Ask Dr. Tom

QUESTION:

Good day Dr. Shinder,

Please could I ask for your assistance with the matter below:

I have a Cisco ASA that terminates clientless SSL VPN connections. When users log onto the SSL VPN portal, they cannot access the OWA link that is published. ISA server sees this as a spoofed packet because the request is not coming from the host but the ASA. I get the following error message:
0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

I have posted on the forum but have not had any response and the matter is becoming more and more urgent.

Your assistance in this matter will be greatly appreciated.
Kind regards,
Aadil Hassim

ANSWER:

Hi Aadil,

Very good question. The ISA firewall's spoof detection feature enables the firewall to block connection attempts from Networks that are not directly reachable from the interface that receives them. For example, if you have a dual NIC ISA firewall, with two ISA Firewall Networks, default External and Default Internal, then connections made to the External interface must source from an IP address that belongs to the Default External Network, and connections arriving at the internal interface must belong to the Default Internal Network.

Now, in regards to your PIX, it sounds like you're PIX is replacing the original source IP address of the external client with it's own internal IP address. To fix this problem, you need to make sure that IP address on the ISA firewall that receives the connection from the PIX belongs to the same ISA Firewall Network as the PIX's internal IP address.

While you haven't stated what your ISA firewall configuration is like, I suspect that you're using a unihomed ISA firewall, but haven't configured it to use the unihomed Network Template. To fix this problem, apply the Single NIC template to your ISA firewall. When you do that, all addresses are considered internal, and the ISA firewall will not generate a spoof alert, since the firewall will see ALL addresses as being on the same ISA Firewall Network.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.