ISAserver.org Newsletter of July 2009

ISAserver.org Monthly Newsletter of October 2010 Sponsored by: Collective Software

Welcome to the ISAserver.org newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to dshinder@isaserver.org

Easy Two-factor Logon for TMG/ISA VPN and Extranet

Question: I want to increase extranet and VPN security, but all the multi-factor systems I've looked at are too costly, or a hassle to deploy.  Shouldn't there be an easier way?
Answer: Take a look at the AuthLite OTP system. Integration with ISA/TMG and AD is a snap. Users carry a small, inexpensive USB key on their keychain and log in securely from anywhere, no client software required! Licensed per-user, any size organization can easily afford AuthLite.

You can evaluate AuthLite today with no obligation from Collective Software.

1. Certificates and UAG DirectAccess

One of the more common questions regarding the UAG DirectAccess server relates to certificate requirements. The reason for this is that PKI is an important component of a DirectAccess solution. There are basically three places where you need to plan for certificate deployment in your UAG DirectAccess solution.

These three general areas include:

  • Computer certificates
  • Network Location Server certificates
  • IP-HTTPS listener certificates

Computer Certificates

Computer certificates are used for client and server authentication on the UAG DirectAccess server and the DirectAccess clients. These certificates are usually generated by your private PKI using your Microsoft Certificate Server and deployed using autoenrollment. The computer certificates allow the clients to prove their identity to the UAG DirectAccess server and allow the UAG DirectAccess server to prove its identity to the DirectAccess clients. The certificates are required for authenticating both the intranet and infrastructure tunnels.

Network Location Server Web Site Certificates

A Network Location Server (NLS) is used by the DirectAccess client to determine whether it is on the intranet. If the DirectAccess client can establish an SSL session with a Network Location Server on the intranet, it knows that it is on the intranet; the DirectAccess client then turns off the Name Resolution Policy Table and uses the DNS server configured on the network interface, which is typically assigned to the client over DHCP. For the Network Location Server to accept SSL connections, it needs a web site certificate bound to the web site it hosts. There are no special requirements for the Network Location Server: it can be any SSL site, and no specific or special content is required.

IP-HTTPS Certificates

IP-HTTPS is an IPv6 transition protocol that allows the DirectAccess client to connect to the UAG DirectAccess server over the IPv4 Internet. IP-HTTPS encapsulates the IPv6 messages in an IPv4 header, wraps that in an HTTP header, and then encrypts the result with SSL. As you can imagine, there is a lot of overhead in the protocol, but it does allow the DirectAccess client to reach the UAG DirectAccess server even when the client is located behind a port-restricted firewall or behind a web proxy server. To create an IP-HTTPS listener on the UAG DirectAccess server, you need to acquire a certificate for the listener. In general, you should use a commercial certificate for this, since the DirectAccess client needs to be able to check the CRL for the IP-HTTPS certificate, and commercial certificate providers have already built out a highly available CRL access infrastructure.

That's about it. The certificate requirements for UAG DirectAccess are not onerous or complex. There are no "special" certificates required, no special SAN entries, or any other "off-label" requirements. Most organizations will generate their own computer certificates and use autoenrollment, and most firms are going to create their own certificates for the Network Location Server. You could even use private certificates for the IP-HTTPS listener if you want, but you would then need to publish your private CRL. That's not too difficult, but you can make life easier using a commercial certificate, if for no other reason than that you don't need to create your own high availability solution for the CRL.
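As an added example (not code from the newsletter or from Microsoft), the PowerShell script below is a read-only checklist for the three certificate roles just described, meant to be run from an elevated prompt on the UAG DirectAccess server. It looks for a machine certificate with the Client and Server Authentication EKUs and builds its chain with online revocation checking, confirms the Network Location Server answers over HTTPS with a certificate the server trusts, and then locates the certificate for the public IP-HTTPS name and tries to download every HTTP CRL distribution point it lists. The NLS URL and the IP-HTTPS host name are assumed placeholder values, not from the article; replace them with your own.

```powershell
# Added example, not from the newsletter or from Microsoft: a read-only checklist
# for the three certificate roles above. Run it from an elevated PowerShell prompt
# on the UAG DirectAccess server. Both parameters are assumed placeholder values.
param(
    [string]$NlsUrl      = 'https://nls.corp.example/',   # assumed: internal NLS site
    [string]$IpHttpsHost = 'da.example.com'               # assumed: public IP-HTTPS name
)

$OidClientAuth = '1.3.6.1.5.5.7.3.2'
$OidServerAuth = '1.3.6.1.5.5.7.3.1'
$OidCrlDistPts = '2.5.29.31'
$store = Get-ChildItem Cert:\LocalMachine\My

# --- 1. Computer certificate ----------------------------------------------------
# Autoenrolled from the internal CA; needs the Client and Server Authentication
# EKUs, a private key, and a chain that builds with revocation checked online.
$computerCerts = $store | Where-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $_.HasPrivateKey -and ($ekus -contains $OidClientAuth) -and ($ekus -contains $OidServerAuth)
}
if (-not $computerCerts) {
    "1. No computer certificate with Client+Server Authentication EKUs in LocalMachine\My"
}
foreach ($c in $computerCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($c)
    "1. Computer cert '{0}' expires {1:d}, chain builds: {2}" -f $c.Subject, $c.NotAfter, $ok
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { "     " + $_.StatusInformation.Trim() } }
}

# --- 2. Network Location Server -------------------------------------------------
# Any HTTPS site works, but the name in the URL must match the certificate and the
# issuing CA must be trusted; .NET enforces both during the SSL handshake, so a
# failure here is exactly what a DirectAccess client on the intranet would see.
try {
    $req = [System.Net.WebRequest]::Create($NlsUrl)
    $req.Method = 'HEAD'
    $resp = $req.GetResponse()
    "2. NLS {0} answered over HTTPS (status {1})" -f $NlsUrl, [int]$resp.StatusCode
    $resp.Close()
} catch {
    "2. NLS {0} FAILED: {1}" -f $NlsUrl, $_.Exception.Message
}

# --- 3. IP-HTTPS listener certificate --------------------------------------------
# Find the certificate issued for the public name and confirm it carries CRL
# Distribution Points that can be fetched over plain HTTP.
$DnsName = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$ipHttpsCert = $store | Where-Object {
    ($_.GetNameInfo($DnsName, $false) -eq $IpHttpsHost) -or ($_.Subject -like "*CN=$IpHttpsHost*")
} | Select-Object -First 1
if (-not $ipHttpsCert) {
    "3. No certificate for $IpHttpsHost in LocalMachine\My"
} else {
    "3. IP-HTTPS cert '{0}' issued by '{1}'" -f $ipHttpsCert.Subject, $ipHttpsCert.Issuer
    $cdp = $ipHttpsCert.Extensions | Where-Object { $_.Oid.Value -eq $OidCrlDistPts }
    if (-not $cdp) {
        "   WARNING: no CRL Distribution Point extension; clients cannot check revocation"
    } else {
        # Format($true) renders the extension as text; pull out the http:// URLs,
        # which are the ones an Internet-based client can reach.
        $urls = [regex]::Matches($cdp.Format($true), 'http://[^\s\)]+') | ForEach-Object { $_.Value }
        foreach ($u in $urls) {
            try {
                $bytes = (New-Object System.Net.WebClient).DownloadData($u)
                "   CRL {0} reachable ({1} bytes)" -f $u, $bytes.Length
            } catch {
                "   CRL {0} NOT reachable: {1}" -f $u, $_.Exception.Message
            }
        }
    }
}
```

One caveat on step 3: downloading the CRL from the server only proves the server can reach its own distribution point. The check that matters is whether a DirectAccess client sitting on the Internet can fetch it, so repeat the CRL download from an external client; that is the gap a commercial certificate closes, and the reason a private CRL must be published externally if you go the private-certificate route.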

I hope you found this useful and that you'll find that PKI for UAG DirectAccess is pretty easy. If you have any questions on how to get your UAG DirectAccess PKI up and running, just let me know. Send me a note at dshinder@isaserver.org and I'll see what I can do to help you.

See you next month! - Deb.
dshinder@isaserver.org

======================
Quote of the Month - "Most of what we call management consists of making it difficult for people to get their work done." - Peter Drucker
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you, ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.


Click here to order your copy today.

3. ISAserver.org Learning Zone Articles of Interest

4. ISA/TMG/UAG Content of the Month

Interesting collection of twitter posts on how to configure the TMG firewall in an SBS/ESB environment. While I didn't go through every rule or recommendation to make sure they were valid, it does look like a useful list overall.

Check it out here.

5. Tip of the Month

Often there are performance issues with the ISA firewall, and these can be due to DNS issues. For a good review of how to fix DNS issues related to the ISA firewall, see this WindowsNetworking.com article.

6. ISA/TMG/IAG/UAG Link of the Month

  • Download TMG 2010 120-day trial here

7. Blog Posts 

8. Ask Sgt Deb

QUESTION:

I've read that when you install UAG there is also TMG installed on the same computer. Can I use both the UAG and the TMG components? That is to say, can I configure the TMG like I would if the TMG were on a standalone box?

ANSWER:

While that might sound like a good idea, in general you should stay away from the TMG console. There are a limited number of supported scenarios in which you should go into the TMG console. For a list of scenarios where TMG configuration is supported on the UAG server, check out the UAG support boundaries document here.

Do you have any questions or ideas for content? Email me on dshinder@isaserver.org.