ISAserver.org Monthly Newsletter of November 2010 Sponsored by: Wavecrest Computing

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

1. What's New with UAG 2010 SP1

Seems like only yesterday that UAG 2010 was released. Now it looks as if, in the near future, we're going to be treated to UAG 2010 SP1! Back in the day, Microsoft didn't focus on adding new features with Service Packs, and I seem to remember that once upon a time they said that service packs were for bug fixes and optimizations, and shouldn't introduce new features. Well, I'm glad they changed their minds about that, because waiting for "bug fix packs" is not nearly as fun as awaiting the new and improved features you now often get with your service packs.

So what does UAG 2010 Service Pack 1 have to offer? Most of the goodness comes with enhancements to its DirectAccess feature set. If you've been reading this newsletter for a while, you know that I'm a big fan of DirectAccess. If you've been wanting someone to give you some of that DirectAccess love,  you'll be happy to know that Service Pack 1 does exactly that. Here are some of the DirectAccess-related improvements you'll find in UAG 2010 SP1:

• Improvements in the Web Monitor that include detailed information about the DirectAccess client connections. With this new feature, you don't have to wave shrunken heads and throw chicken bones on the floor or wait for the planets to align properly in order to determine the DirectAccess clients currently and historically connected to the UAG DirectAccess server or array.
• An Improved DirectAccess Connectivity Assistant (DCA) that includes advanced diagnostics, which the DirectAccess user can run and then automatically email to the DirectAccess administrator. The troubleshooting report is very well formatted and easy to read, making it easier for the UAG DirectAccess admin to solve client side issues faster than ever.
• While pre-SP1 UAG DirectAccess servers support NAP, it took a bit of work to figure out how to make NAP work on the back-end if you didn't already have it set up. With UAG SP1, you can take advantage of the integrated NAP wizard, which automatically configures NAP for you, and hosts the NAP and HRA server on the UAG DirectAccess server or array. This is very nice and makes it almost a no brainer to get NAP for DirectAccess clients up and running in no time.
• By default, Split Tunneling is enabled for DirectAccess clients so that connections to the intranet go over the DirectAccess IPsec tunnels and all other connections go directly to the non-DirectAccess connections. However, there are some legacy concerns over split tunneling based on VPN implementations in the late 20th and early 21st century. As we enter the second decade of the 21st century, split tunneling is no longer the security issue it was once considered to be. However, some security organizations suffer from leftover effects of legacy policies, and therefore cannot allow split tunneling for any remote access client. For that reason, UAG DirectAccess supports something called "Force Tunneling". Force Tunneling requires all connections to move off the UAG DirectAccess IPsec tunnels. Prior to UAG SP1, it was a bit of a chore to get Force Tunneling working the way you wanted it to. But with UAG SP1, there is a very simple wizard that allows you to enforce force tunneling and it gives you two different options to do this: one option allows you to give the DirectAccess clients a web proxy to use to access the Internet and the second option allows you to route connections through the UAG DirectAccess server to the Internet (what Tom calls "bouncing" the connections off the UAG DirectAccess server).
• While I think that one of the coolest things about DirectAccess is the always-on feature that ensures I'm always connected to my office and don't have to think about VPNs or portals, I know many IT groups don't even want their users to have remote access to the intranet. However, they would like to have always-on access from their management stations and the DirectAccess clients. UAG SP1 makes it easy to configure the "always managed - manage only" scenario with a few clicks in the Manage Only wizard.
• The RTM version of UAG enabled two-factor authentication by using Smart Cards. While Smart Cards are the choice of some businesses, most enterprises are already using RSA SecurID. With UAG SP1, you can now take advantage of SecurID and require it for establishment of the intranet tunnel. In fact, you can use any OAUTH compliant RADIUS based two-factor authentication solution with UAG SP1. Nice! However, note that you will need to update your DCA to version 1.5, which comes with UAG SP1.
• Simplified deployment of GPO settings is also included with UAG SP1. With UAG RTM, you could use the UAG DirectAccess wizard to deploy GPO settings to security groups. While this worked great, many firms wanted to deploy the settings to OUs. I can see a reason for that and in fact, I prefer to use OUs myself. Before SP1, you could export the settings to a file and tweak the file, but that is so Windows 3.1 - and you have to use PowerShell - which some administrators love but others loath. With UAG SP1, you are offered the option from within the wizard to deploy to either security groups or OUs.

In addition to those on the list, there have been a number of improvements in the look and feel of the UAG SP1 console. When you open the console now, you?re not staring at a blank page and wondering what you?re going to be doing with the next few hours of your life. The biggest improvements have been to the DirectAccess interface. While it would be quite a stretch to say that the UAG console has a polished look and feel like the ISA or TMG console, it does represent an incremental improvement. I want to say that it now looks like a Microsoft product, but as Mick Jagger told us over forty years ago (has it really been that long?), you can't always get what you want.

We?ve been testing UAG SP1 RC in our own office and find it to be very stable, and it does what it's supposed to do. I highly recommend that you try out the UAG SP1 RC before you deploy UAG SP1 in production. You can download UAG SP1 RC here.

See you next month!  ? Deb.
dshinder@isaserver.org

======================
Quote of the Month - "Two cute dogs are too cute". - Anon.
======================

2. ISA Server 2006 Migration Guide - Order Today!

3. ISAserver.org Learning Zone Articles of Interest

• UAG Service Pack 1 Release Candidate DirectAccess Overview - Step 1: Clients and GPOs
• Forefront Threat Management Gateway (TMG) 2010 Firewall Client Features and Benefits
• UAG DirectAccess the Easy Way
• GFI WebMonitor Voted ISAserver.org Readers' Choice Award Winner - Monitoring & Administration
• Microsoft Forefront TMG - Using the BranchCache feature in Forefront TMG SP1
• Configuring Web Proxy Chaining with Forefront Threat Management Gateway (TMG) 2010 (Part 2)
• Product Review: BNTC Software's Bandwidth Splitter
• More Basics: An Inside Look into TMG Firewall Networks
  

4. ISA/TMG/UAG Content of the Month

A whole slew of new documents related to UAG SP1 were released this month. Check out these tasty morsels:

• What's new in SP1
• Comparison of DirectAccess RTM and SP1 features
• Release notes
• Installation
• Deployment
• ADFS Solution guide
  
• Mobile Devices Solution guide
• Monitoring information

For more information, check out the UAG Team Blog here.

5. Tip of the Month

In the RTM version of UAG, you had the option in the DirectAccess wizard to enable or disable the NAT64/DNS64 service. That option has been removed from the wizard with UAG SP1, most likely because no one ever disables that service, since there aren?t any other NAT64/DNS64 available at this time, and almost no one has a native IPv6 network. However, if you want to do some testing or just want to mess around to challenge your colleagues' troubleshooting skills, then you can create a Registry setting that breaks NAT64/DNS64. Check out the details here.

6. ISA/TMG/IAG/UAG Link of the Month

It's time to move to a 64 bit world so that you can get a jump from those "hardware" firewalls. The best way to do this is to upgrade your aging ISA 2006 firewall to TMG. But how do you do it? You do it by reading the Migrating from ISA Server 2004/2006 to Forefront TMG, which you can find here.

7. Blog Posts 

• UAG SP1 RC Demonstrate UAG DirectAccess Connectivity Assistant (DCA) Test Lab Guide Available
• Moving Away from Websense to TMG URL Filtering
• UAG DirectAccess with SSTP Test Lab Guide Now Available
• The Edge Man Releases The UAG SP1 DirectAccess Connectivity Assistant (DCA) Test Lab Guide
• Exchange Edge Default Receive Connector on TMG Firewall Unexpectedly Disabled
• UAG SP1 RC Force Tunneling Test Lab Guide
• The Mysterious Case of a Failed Test Button Test
• New UAG SP1 RC DirectAccess with NAP Test Lab Guide Published
• TMG and IANA Unallocated Reserved Networks
• Unable to Access Resources Behind TMG after Enabling NLB
  

8. Ask Sgt Deb

QUESTION:

Hi Deb,

Anything I can do to improve performance on my ISA firewall? I've got the NICs configured right - only one DNS server and that's configured on the Internal interface. I've enabled Path MTU Detection, and configured the NIC to not auto-negotiate. Anything else you can think about? Thanks! - Ricky.

ANSWER:

Have you thought about changing the NetBIOS node type on the ISA firewall? If you configure the ISA firewall as a P-node host, it will stop NetBIOS name resolution through broadcast, which speeds up overall name resolution. Also, the firewall will not need to log all of these broadcasts, which also improves performance. To make this change, configure the following Registry value.

HKLM\System\CurrentControlSet\Services\NetBT\Parameters
Name = NodeType
Type = DWORD
Value = 2

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.