ISAserver.org Monthly Newsletter of May 2011

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

1. TMG Frequently Forgotten Features

When you're working with the TMG firewall, you'll probably find that you spend most of your time with the URL Filtering and web antimalware features. Oh, and you probably also spend a significant amount of time publishing key services, such as Exchange and SharePoint, because the TMG firewall is probably the most secure way for you to publish these services. While these high profile services are important and fun to work with, there are some cool nuggets of technology included with the TMG firewall that don't get nearly as much attention, but you might want to check some of them out and see whether they can solve a problem for you and your customers. This is my short list of TMG features that are frequently forgotten or overlooked, or that you might not have even known about in the first place:
Support for BranchCache

BranchCache allows you to cache CIFS/SMB and HTTPS content on a branch office network. In this scenario, you put the TMG firewall at the branch office and configure the TMG firewall as your site to site VPN server. When clients on the branch office network connect to file shares at the home office, that content will be cached on the TMG firewall so that when someone makes a request for the same content, the content will be returned from the TMG firewall's BranchCache instead of over the relatively slow site to site VPN connection. BranchCache also works for HTTP content, which gives you two choices for caching HTTP content: the TMG firewall's web proxy cache and the BranchCache HTTP content cache.

Search the firewall rule set

Did you know that you can search the firewall policy rule set now? Yes! This is something that we've been wanting for years and years and now we have it! You can go to the Firewall Policy node in the left pane of the console and you'll see, in the middle pane, the option to Search. You can search for a term in the name of the rule, search by protocol, and search by source or destination; in other words, you can search for almost anything. If you haven't tried out the TMG firewall policy search, zip over to the firewall console now and check it out!

SSTP VPN Server

SSTP is a new VPN protocol that allows you to create a VPN connection using an SSL connection. This allows you to VPN out through firewalls and web proxies that otherwise would block your PPTP or L2TP/IPsec connections. SSTP was actually available before TMG was released, but ISA didn't support SSTP. SSTP is very easy to set up with the TMG firewall and it works great! If you haven't tested it yet, give it a try. There are articles on the ISAserver.org site that can help you get started on your SSTP testing adventure.

NAP Support for VPN connections

Network Access Protection (NAP) is a method you can use to control which machines can connect to your network. NAP can inspect the system state of the computer connecting to the VPN server and if the machine is not secure or does not meet your configuration and updating requirements, then the machine is blocked and won't be able to access resources on the intranet. You also have the option to remediate machines that aren't up to snuff in terms of security configuration and updates. NAP support for the TMG VPN server is nicely integrated and easy to set up. We also have articles on the ISAserver.org site that can help you get up and running with your NAP deployment.

There you go! Do you have some favorite hidden or oft-overlooked features that you like on the TMG firewall? Let me know! Write to me at dshinder@isaserver.org and I'll share them. Thanks! See you next month! - Deb.

2. ISA Server 2006 Migration Guide - Order Today!
3. ISAserver.org Learning Zone Articles of Interest
4. ISA/TMG/UAG Content of the Month

Bypassing Forefront TMG for firewall client requests

Microsoft Forefront Threat Management Gateway (TMG) is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used (not to be confused with DirectAccess, the enterprise feature in Windows Server 2008 R2/Windows 7 and UAG). Direct access enables Firewall client computers to do the following:
This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy. For the details of this configuration, go here.

5. Tip of the Month

Have you been wondering how to migrate from ISA 2006 to the brand new TMG firewall? Then check out this article by Marc Grote for all the details!

6. ISA/TMG/IAG/UAG Link of the Month

As anyone who was at this year's TechEd in Atlanta knows, these days it's all about the cloud. But one of the biggest obstacles to adoption of the cloud is the security concern. Another big concern is reliability - your users need continuous, uninterrupted access to their applications and data that are hosted in the cloud. In this article from TechNet Magazine, Yuri Diogenes explains how you can use TMG to provide secure access to cloud services while maintaining business continuity.

7. Blog Posts
8. Ask Sgt Deb

QUESTION: Hi Deb! Quick question - do I need to put a firewall in front of my UAG DirectAccess server? Thanks!

ANSWER: Hey Damon! In general, you don't really need a firewall in front of the UAG DirectAccess server, because the TMG firewall is on the same machine and can and does provide as high a level of security as, or a higher level than, a typical hardware firewall. However, in many cases there are hard-coded policies and practices used in an organization that require that you put a "hardware" firewall in front of anything that is software (I know, it sounds silly, but the practice dates back to the 1990s, more than a decade ago). In that case, you need to make sure that you allow the IPv6 transition technology traffic to the external interface of the UAG DirectAccess server. For 6to4 you need to allow IP Protocol 41, for Teredo you need to allow UDP port 3544, and for IP-HTTPS you need to allow TCP port 443.

Do you have any questions or ideas for content? Email me at dshinder@isaserver.org.
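To make the answer above concrete, here is an added example (not part of the original newsletter or of any Microsoft product) that models the minimal allow list a perimeter firewall in front of a UAG DirectAccess server needs: 6to4 as IP protocol 41, Teredo as UDP 3544 and IP-HTTPS as TCP 443 to the server's external address, with everything else denied. The external address 203.0.113.10 and the sample flows are constructed placeholders.

```python
# Added example: a stateless ACL model for the "hardware firewall in front of
# UAG DirectAccess" case. It admits only the three IPv6 transition transports
# named in the answer and denies anything else, so a quick audit shows which
# flows a too-permissive rule set would have let through.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DA_EXTERNAL_IP = "203.0.113.10"  # placeholder address of the DA server's external NIC

# Name -> (IP protocol number, destination port; None when the protocol has no ports)
ALLOW_RULES = {
    "6to4": (41, None),       # IPv6-in-IPv4 encapsulation, IP protocol 41
    "Teredo": (17, 3544),     # UDP 3544
    "IP-HTTPS": (6, 443),     # TCP 443
}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    proto: int
    dst_port: Optional[int] = None


def classify(flow: Flow) -> str:
    """Return the name of the allow rule that matches the flow, or 'deny'."""
    if flow.dst_ip != DA_EXTERNAL_IP:
        return "deny"
    for name, (proto, port) in ALLOW_RULES.items():
        if flow.proto == proto and (port is None or flow.dst_port == port):
            return name
    return "deny"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate every flow against the allow list; used for the sample run below."""
    return [(f, classify(f)) for f in flows]


# Constructed sample flows: the three legitimate transports plus traffic that
# must not reach the server through the front firewall.
SAMPLE_FLOWS = [
    Flow(DA_EXTERNAL_IP, 41),         # 6to4
    Flow(DA_EXTERNAL_IP, 17, 3544),   # Teredo
    Flow(DA_EXTERNAL_IP, 6, 443),     # IP-HTTPS
    Flow(DA_EXTERNAL_IP, 47),         # GRE (PPTP), not a DirectAccess transport
    Flow(DA_EXTERNAL_IP, 6, 3389),    # RDP to the server, must stay closed
    Flow("203.0.113.99", 6, 443),     # HTTPS to some other host, not covered
]

if __name__ == "__main__":
    for f, verdict in audit(SAMPLE_FLOWS):
        port = "-" if f.dst_port is None else str(f.dst_port)
        print(f"proto {f.proto:>3} port {port:>5} -> {f.dst_ip}: {verdict}")
```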