ISAserver.org Monthly Newsletter of November 2009 Sponsored by: Wavecrest Computing

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. Forefront Threat Management Gateway 2010 Goes RTM

It has finally happened! Forefront Threat Management Gateway 2010 has finally gone RTM (Actually, that happened some time last week ;)). This is a tremendous milestone and represents a new age for the ISA firewall. New Age because it is no longer the ISA firewall - now it is the TMG firewall. It is sort of sad to see the ISA firewall brand go away. I have been working with ISA everyday since it was released almost a decade ago. I made quite a career for myself being the ISA firewall guy and have written hundreds of articles and 6 books on the ISA firewall. The ISA firewall was a friend of mine, I knew the ISA firewall, and I AM going to miss it.

But maybe not so much. The TMG firewall is based on the ISA firewall, only it represents the culmination of what the ISA firewall was designed to be - a stateful packet and application layer inspection firewall. While the ISA 2000 firewall was a thought leader in this area when it was released, it began to fall behind a bit with the 2004 and 2006 releases, so much so that in order to stay ahead of modern threats you really needed a 3rd party application to do your URL filtering and Web anti-malware. Of course, the ISA firewalls always were the publishing and VPN solutions of choice, but for secure outbound access, it was getting a bit long in the tooth.

TMG fixes that problem, and fixes it big time. TMG comes with robust URL filtering and Web anti-malware solution right out of the box. There is no longer a need to install a 3rd party app to get that kind of protection. This is a tremendous boon to ISA firewall admins, because I suspect that the price for the URL Filtering and Web anti-malware signatures are going to be much lower than what you are paying for right now, such as those provided by Websense. In fact, if you’re not using all the extra features that Websense provides, and are concerned mostly with URL filter and Web anti-malware, you are going to see an impressive improvement in your bottom line.

Of course, there’s a lot of other new stuff you will see in the TMG firewall:

• Outbound SSL inspection that prevents attackers and malware from hiding within an SSL tunnel
• The Network Inspection System, which provides the TMG firewall with a very sophisticated and cutting edge intrusion detection and prevention system
• Enhanced NAT, that allows you to control what IP address on the TMG firewall will be used as the source address for outbound connection
• New support for the SSTP VPN protocol – making it easier than every to get users connected to the TMG VPN server using a firewall and proxy friend network level VPN protocol
• SIP support for VoIP, so that you can get your SIP PBXs working with the TMG firewall
• New installation and configuration wizards, that make it easier than ever to get up and running and configuring a secure configuration
• A supercharged firewall client - which has a new named "TMG Client" which provides users notification of outbound SSL inspection and also provides promise in the future for allowing you to control what applications are allowed to connect through the TMG firewall to the Internet
• A new search capability for firewall policy, so that you do not have to poke around to find what rules are using what rule elements - the search feature does all this for you
• Enhanced logging and reporting use SQL and SQL Reporting Services, and an SDK that will allow you to customize reports to provide you the information that you're interested in

These are just a few examples of what you will see in the new TMG firewall. There is a lot more new stuff going on under the hood. The best way to find out about this stuff is to install the TMG firewall evaluation version yourself and get to work on it! You can find the evaluation version here.

======================================

On another note, I need to tell you all that this is my last ISAserver.org newsletter. In fact, this month will be the last month that I will be writing for ISAserver.org or any of the other TechGenix Web sites. This represents the end of an era in my life - as I have had a very close relationship with TechGenix and all of you at ISAserver.org for just about a decade. I have considered all of you as sort of an extended family. My daily activities always included thinking about what all of you are interested in, what you all need, and how I can provide you the information that makes your ISA firewall setups easier to deploy, easier to configure, easier to maintain, and easier to manage. ISAserver.org has always been about you! And I am glad that I have been able to help you all over the last ten years.

So why am I leaving? Because I've decided to join the TMG firewall team at Microsoft! This is a tremendous opportunity for me because I will be able to work with the TMG firewall full time. Over the last several years, I have had to split my time between ISA/TMG and other demands from the jobs I have had. Always in the back of my head I have thought "If I could just work with ISA/TMG all the time, every day, I could provide even more helpful information to the ISA/TMG community". Well, my good friends on the Forefront team must have heard my prayers, and they offered me what I consider a "dream job" (since it is the job I have dreamt about having for years).

I will be working with an insanely smart and passionate group of Forefront and TMG experts and I can honestly say I have never been so excited about starting a new chapter in my life since I was accepted to Medical School in 1985 - making this the most exciting thing that's happened to me in about 25 years (OK, with the exception of getting married in the early 1990s).

However, I want to let you all know that I am not going away. In fact, I hope that in my new position that I will be able to stay in even closer contact with all of you, and bring your needs, hopes, wishes, and demands even closer to the product team. It is still all about community for me, and the TMG team recognizes and values that - so keep the ideas coming and we will do whatever we can to bring you are the information you need to make your TMG deployments better and your lives easier (at least in regard to TMG).

So - thanks for being my "virtual friends" on ISAserver.org for the last ten years, and I hope to be your new "old friend" at Microsoft for the next ten years.

Take care, and thanks for the fish!

Thanks!
Tom
tshinder@isaserver.org

======================
Quote of the Month - "Believe you can and you're halfway there." - Theodore Roosevelt
======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Blocking Dangerous Sites with Domain Name and URL Sets
  
• Configuring TMG Beta 3 for SSTP VPN Connections - Part 3: Configure TMG VPN Settings and Making the Connection
  
• Microsoft ISA Server 2006 - Secure FTP Server (FTPS) publishing with Windows Server 2008
  
• Kicking the Tires on the TMG 2010 RC ISP Redundancy - Part 1: Configuring the Virtual Infrastructure and the TMG Firewall Interfaces
  
• GFI WebMonitor for ISA Server Voted ISAserver.org Readers' Choice Award Winner - Monitoring and Administration
  
• Microsoft ISA Server 2006 - Certificate troubleshooting (Part 2)
  
• Kicking the Tires on the TMG 2010 RC ISP Redundancy - Part 2: Enabling ISP Redundancy
  
• Microsoft Forefront TMG - FTP and FTP Server publishing
  

4. KB Article of the Month

As I mentioned at the beginning of this newsletter, TMG 2010 has gone RTM and the final version is available for you to download (although it is not available yet on MSDN as of the time I wrote this). When a new version of the firewall comes out (formerly, ISA, now TMG), what is the first thing you should do? Install it and see what happens? Read the Help file? Wait for us to put up some installation instructions on ISAserver.org? Let me just take a second to tell you what the first thing I do before installing a new version:

Read the Release Notes!

That’s right. Read the release notes. There are a number of issues with the TMG RTM that you need to be aware of before you even begin to install the TMG firewall. While I would not consider anything in the release notes "major" - there are some potential stumbling blocks that will definitely catch you by surprise if you do not know about them in advance.

Check out the TMG 2010 Release Notes.

5. Tip of the Month

Whilst I would like to think everyone uses a Windows Mobile phone, sadly that is not the case. Until then, you are going to need to be able to configure your ISA and TMG firewalls to work with other phones. One of the phones is the BlackBerry. BBs are very popular in the executive class, so I am sure that if you have not run into BB support yet, you will soon. So this question arises - how do you get your BlackBerry to work with your Exchange 2007 installation? Easy! Just check this link on the BB support forums.

6. ISA/TMG/IAG Links of the Month

With TMG going RTM last week, you will need to know where to find information on how it works and how to make it work. The best place to get this sort of information right now is at the Microsoft site, in the product documentation. Here's a useful collection of lines to the main content areas for TMG documentation at Microsoft:

• Forefront TMG - Getting Started
  
• Forefront TMG Planning and Design
  
• Forefront TMG Deployment
  
• Forefront TMG Operations
  
• Forefront TMG Troubleshooting
  
• Forefront TMG Technical Reference
  
• Forefront TMG Development Guide
  

7. Blog Posts 

• BranchCache and TMG Interoperability
  
• Forefront TMG RTM Overview Interview
  
• Customizing the mobile device xHTML FBA page to allow password change
  
• UAG and DirectAccess and Client Management
  
• Forefront TMG 2010 Goes RTM
  
• Forefront Threat Management Gateway 2010 Goes Official
  
• Important Notes Regarding VPN for TMG RC
  
• Walkthrough of TMG Exchange 2010 Edge Server Role
  
• New Enlightenment Regarding Host AV on ISA and TMG Firewalls
  
• UAG and DirectAccess with Meir Mendelovich
  

8. Ask Dr. Tom

QUESTION:

Hi Thomas Shinder,
 
I have many simple query but very confusing to me.
 
Which version of Forefront TMG can I deploy in a production system? What exact versions on operating system should I have to use.
 
Thank you in advance for your help.
Iftekhar

ANSWER:

There are two editions of the TMG 2010 firewall. Those are Standard Edition and Enterprise edition. Whilst the earlier part of the development of the TMG firewall was considered to have a single version, for a number of reasons, the decision was made to continue with the Standard Edition and Enterprise Edition division.

What's the difference between these two? Here are the major feature comparisons on which you might be able to make a decision:

• Supported Deployment Scenarios - Standard Edition supports a standalone server only. Enterprise edition supported a server in a standalone array or an array managed by EMS
• CPUs - Standard Edition supports up to 4 CPUs. Enterprise edition supports an unlimited number of CPUs
• Configuration Storage - Standard Edition only supports local storage. Enterprise edition supports remote storage and remote management of firewall policies.
• Array/NLB/CARP support - Standard Edition supports none of these. Enterprise edition supports all of these
  
• Enterprise management - no enterprise management support for Standard Edition. Enterprise edition supports enterprise management for Enterprise edition arrays, and also supports managing Standard Edition firewalls within the same console

Those are the major differences in terms of functionality. Planning, configuring and managing a Standard Edition versus an Enterprise edition solution are going to be significantly different, but you should first make your decision based on your requirements and which version will meet those requirements.