ISAserver.org Monthly Newsletter of May 2009 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Getting Ready for a Hot TMG Firewall Summer

Last month I spoke about how virtualization has changed the way we do computing, even the way we do network security. I made a point of the fact that all computing is about software, and virtualization changes the game and makes the artificial distinction between "hardware" and "software" firewalls moot. This is a good thing for ISA and TMG firewall admins, because now when talking with the network guys, they don't have to get into the relative security differences between traditional hardware and software firewalls - all firewalls will be software and most of them will be virtualized.

That said, there we a number of people who said that I was wrong about not being able to trust virtualization as a security platform. They directed me to information about how Microsoft has implemented a superior security model compared to VMware's and that Hyper-V does leverage Intel?s VT extensions to the extent that you can put your ISA or TMG firewalls in a virtualized environment and not worry about any potential attack surface the virtualization layer may represent.

There were other people we wrote that I was maybe half right. These people thought I was right about the potential attack surface the virtualization software can represent, but thought that this attack surface wasn?t so great that they would never put their ISA or TMG firewall up in a virtualized environment. Instead, what these people recommend is that you deploy your ISA or TMG firewalls on dedicated hardware at the edge, but then put the ISA or TMG firewall on a virtual machine anywhere else on the internal network.

Probably the most interesting responses were from those who said that there should be an ISA or TMG firewall on every virtual server. In this model, every virtual server has one or more "internal" networks were server resources are located. At the edge of the internal networks contained on the virtual servers are one or more ISA or TMG firewalls. Thus, the ISA or TMG firewall becomes the standard "virtual edge solution". I found this to be a very compelling design and will put together a series of articles on how you might implement the TMG firewall as a centrally managed "virtual edge solution". Nice!

Before signing out for this month, I just wanted to remind you that TMG Beta 2 is still available and if you have not had a chance to check it out, there is still time. But, if you want to wait just a week or two, you might want to hold on and check out TMG Beta 3, which should be out sometime in June. As reported at TechEd, URL filtering is back with Beta 3! That is indeed good news and I think you are going to like some of the new and improved features included with Beta 3. I will talk about TMG Beta 3 in the next newsletter.

Thanks!
Tom
tshinder@isaserver.org

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you into the secret tweaks that we use to get an edge over the bad guys.

For ISA and TMG and other Forefront Consulting Services in the USA, call me at Prowess Consulting on 206-443-1117.

=====================
Quote of the Month - "Tact is the knack of making a point without making an enemy." - Sir Isaac Newton
=======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Overview of New Features in TMG Beta 2 (Part 2)
  
• Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 1)
  
• Overview of New Features in TMG Beta 2 (Part 3)
  
• Websense Enterprise Voted ISAserver.org Readers? Choice Award Winner - Access Control
  
• Configuring and using the E-Mail protection feature in Microsoft Forefront Threat Management Gateway Beta 2 (Part 2)
  
• ISAserver.org Readers' Choice Awards Yearly Round Up 2008
  
• Overview of New Features in TMG Beta 2 (Part 4)
  
• Configuring the AntiMalware functionality in Microsoft Forefront TMG
  

4. KB Article of the Month

On your ISA or TMG firewall, the following alert may appear in the Management node in the console on the Alerts tab:

Resource allocation failure

The alert description is similar to the following:

Description:
The Web Proxy filter failed to bind its socket to IP_address port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure. The failure is due to error: 0x80072740.

Note:
The same description is repeated for the IP address 127.0.0.1.
If you restart the Microsoft Firewall service, the alert is logged again.

When you receive the alert, you may experience either or both of the following symptoms:

• Clients that are configured to use automatic discovery cannot connect to the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer.
• Users cannot connect to a Web site that is published through a Web publishing rule on your ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer. The Web publishing rule uses a listener that is configured to use port 80.

Check out Microsoft?s support base for an explanation and a solution.

5. Tip of the Month

One of the most common questions appearing on the ISAserver.org message boards and mailing list are related to getting RSA SecurID working with the ISA firewall or TMG firewall. One of the trickier configurations is getting SecurID working with Terminal Services Gateway. Last month someone posted a link to a great article that gives you the step by step details on how to make it work! Check it out. 

6. ISA/TMG/IAG Links of the Month

ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org

• Forefront Threat Management Gateway is the future version of Microsoft ISA Server
  
• Microsoft ISA Server / Forefront Threat Management Gateway Two Vulnerabilities
  
• Installing Forefront Threat Management Gateway
  
• Running TMG (Threat Management Gateway) in Hyper-V
  
• Using the ADAM Sites Tool with ISA Server 2006 Enterprise Edition
  
• ISA Server 2006/2004 Configuration Storage Server Frequently Asked Questions
  

7. Blog Posts

• Outlook RPC/HTTP Client Locks Out User Account through ISA Firewall
• Clearing the ISA Firewall?s Web Cache
• Configure an IPsec Tunnel Mode Site-to-Site VPN between an ISA Server 2006 SP1 SE and a Check Point NGX R65 VPN-1
• Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2
• Improving Web Proxy Client Authentication Performance on ISA Server 2006
• Jason Jones Demystifies ADAM Sites Configuration
• Caching and Memory - Too Much of a Good Thing?
• TechEd 2009: Post Show Feedback - David Cross
• Jason Jones ISA Server 2006/2004 Configuration Storage Server FAQ
• See a Panel Discussion on the TMG from TechEd

8. Ask Dr. Tom

QUESTION:

Dear Tom,

I have setup a Back-to-Back ISA firewall between a front-end Pix and Back-end ISA firewall array. Now I have setup another back-to-back between the Front-end Array and Back-end single ISA Server. Internet is available only through the Front-end Array network. I want to allow the internal clients behind another Back-end ISA Server to access the Internet via proxy Front-end Array. Is it possible to configure Changing and DownStream?

Thanks,
Habibalby

ANSWER:

Hi Habibalby,

There is no reason why you can not have a front end ISA firewall array in front of a single ISA firewall on the back end. This is a common scenario when you have multiple ISA firewalls distributed over the network, often representing departmental ISA firewalls. All the department ISA firewall can then be configured to forward connections to the front-end ISA firewall array.
Since it sounds like you are using the back-end ISA firewalls for forward Web proxy only, you?re best and most flexible option is to chain the back-end ISA firewalls to the front-end array. All you need to do is configure a Web chaining rule to chain the back-end ISA firewalls to the front-end array.

Authentication might be an issue in your scenario. Remember that for general user authentication, you want to enable authentication on the back-end ISA firewalls. You do not want to load the front-end array with authentication requirements, at least not for forward proxy. You did not mention if the front-end array was part of the domain, but in general, if the back-end firewalls are part of the domain, there is no reason to add the front-end array to the domain, since it is the back-end firewalls that are performing the authentication heavy lifting.

Instead, make the front-end array part of its own workgroup, and create an account on the array members that the downstream ISA firewall?s can use with chaining with the front-end firewall array. If you want, you can create multiple accounts, one for each of the downstream ISA firewalls. In that way, your reports will break out the traffic forwarded from each of the downstream firewalls.

The figure below shows the configuration interface where you would enter your credentials. Note that if you choose to use basic authentication, you should configure the downstream ISA firewall to use SSL between itself and the upstream.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.