ISAserver.org Monthly Newsletter of September 2009
Sponsored by: Wavecrest Computing

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

1. The Future of Work - Remote Access with TMG and UAG

What is the killer app of the next few years? Many have said that social networking is The Next Big Thing. That may be true in terms of megatrends, but something even more important is happening right under our noses: a remote access revolution, taking place quietly and quickly without most of us even taking note.

Why is remote access so important? Go back to basic economics and think about what has happened in the world economy over the last few years. How did we get where we are now? Most economists will say that business growth over the last decade was fueled by debt. Why firms took a debt-based approach to growth is past my pay grade and my educational background, but most agree that most firms depended on debt to grow. Whether that amounted to a type of Ponzi scheme I will leave to the economic historians. What I do know is that firms will no longer be able to leverage debt to grow their businesses. Most firms I talk to these days tell me that it is almost impossible to get loans for business expansion. So, if you cannot get loans and use debt to grow your firm, what will you use? From what I can tell, the lowest-hanging fruit for growth in the next few years is productivity, and organizations are going to focus on productivity to grow their companies.
I have talked to a few people relatively high in the pecking order on Wall Street, and they believe that advances in productivity are going to be placed squarely on the shoulders of IT. That is good news for those of us in IT! But where are the efficiencies that IT can bring to the mix? There are many places to look, but one of the best ways to improve employee productivity is to make it easier for people to work and get work done. The collection of technologies dedicated to that goal is the one bundled under the moniker of "remote access".

This is where TMG firewalls and UAG secure remote access gateways come in. Both products let you provide secure remote access to resources on the corporate network from virtually anywhere, using almost any device, at almost any time. The better your remote access solution, the easier it is for your users to get their work done, and the more likely they are to do work from home, from hotel rooms, from conference centers, during their vacations, and from their desktops, laptops, UMPCs, MIDs and smart phones.

The trick is making it easy for your users. In the past, many of us (myself included) would put together a remote access solution from VPN, Web Publishing and Server Publishing and call it good. If users had problems with it, then clearly the problem was with the user, not with our well-crafted remote access solution. We have to change that thinking. If users have a hard time with the solution we provide, we have to ask what we might have done wrong and how to make it easier for them. For example, VPNs have been popular with users and many of them like them, in spite of what the media might tell you. But users often became frustrated because their VPN connections would not always work.
They might have been behind a firewall or router that did not support your VPN protocol, or maybe they needed a public IP address and none was available. What did you do when that user called? Chances are there was not a whole lot you could do other than tell them to use OWA or SharePoint or some other HTTP/HTTPS-accessible site.

Now you can give them solutions that both of you can be happy with. How about upgrading your users to Vista SP1 or above, or to Windows 7? Then you can offer them SSTP VPN connections that work from almost anywhere. SSTP carries PPP over HTTPS on TCP port 443, so it does not matter whether the user sits behind a NAT device without a PPTP NAT editor (which breaks PPTP's GRE tunnel) or behind a firewall that blocks outbound IPsec: SSTP gets through both, and it does not matter whether the user has a public or a private address. One caveat: the SSTP client validates the server certificate, including revocation checking, so the CRL distribution point named in the certificate must be reachable from the Internet, or the connection fails before the tunnel comes up.

Want to make your users' lives even easier? Upgrade them to Windows 7 and deploy DirectAccess in your company. With DirectAccess, users just turn on their computers and they are connected to the corpnet. They do not even need to log on: the computer builds its infrastructure tunnel with its machine certificate and computer account as soon as it has Internet connectivity, which is nice from a management point of view, since Group Policy and your system management consoles can reach these machines even when nobody is logged on. When users are logged on, they connect to corpnet resources just as if they were in the office, without doing anything themselves. They are just connected, regardless of whether they are behind NAT devices, firewalls or Web proxies, and whether they have public or private addresses. Nice! Keep in mind that DirectAccess requires domain-joined Windows 7 Enterprise or Ultimate clients and a Windows Server 2008 R2 DirectAccess server; it runs over IPv6, using the 6to4, Teredo and IP-HTTPS transition technologies to cross the IPv4 Internet, and UAG adds NAT64/DNS64 so those clients can still reach your IPv4-only internal servers.

TMG and UAG can make remote access easier for you to configure, provide high availability, and deliver top performance. In most cases you will need to support a diverse mix of users and devices, so you will need to deploy several remote access solutions to get all of your users connected.
But with TMG and UAG, you will be able to create a solution that you will be happy with, while making it as easy as possible for your users to get work done, making them more productive and thus helping your company grow.

See you next month... Thanks! For ISA and TMG and other Forefront Consulting Services in the USA, call me at Prowess Consulting on 206-443-1117.

=====================

2. ISA Server 2006 Migration Guide - Order Today!
3. ISAserver.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:
4. KB Article of the Month

ISA Server 2004, ISA Server 2006, and Microsoft Forefront Threat Management Gateway, Medium Business Edition do not support traffic redirection

"When a client computer that is behind Microsoft Internet Security and Acceleration (ISA) Server 2004, Microsoft ISA Server 2006, or Microsoft Forefront Threat Management Gateway, Medium Business Edition sends traffic to another internal computer, the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer may drop the traffic. This behavior occurs when TCP packets in one direction follow a route that does not involve ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, and TCP packets in the other direction follow a route that does involve ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition. For example, consider a client computer on a remote subnet that is behind an internal network. In this case, the remote subnet is separated from the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer by a router. When the client computer sends a packet to another client computer that is located on the internal network, the traffic is forwarded directly to the computer on the internal network. When the client computer on the internal network responds, the packet is routed through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition because this computer has the IP address of the internal network defined as its default gateway. ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition has no route back to the remote subnet. Therefore, the source IP address is identified as spoofed. This issue occurs even when the server has valid routes to both source and destination subnets.

In this situation, the TCP connection request (SYN) from the client to the server bypasses ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition. However, the SYN-ACK packet is routed to the server and dropped with a TCP_NOT_SYN_PACKET error. In short, both sides of a TCP session must go through the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer. This behavior may not occur with User Datagram Protocol (UDP) traffic, or Internet Control Message Protocol (ICMP) traffic."

This is an important KB article because it shows that the ISA firewall must be in both the request and the response path of a connection. The ISA or TMG firewall cannot be only in the request path, and it cannot be only in the response path: it has to see both directions. Earlier versions of the ISA firewall and Microsoft Proxy Server allowed this type of communication because they did not perform stateful packet inspection on the internal interface. Now that the ISA and TMG firewalls perform stateful packet inspection on every interface, the firewall has to have seen the SYN before it will accept the SYN-ACK, so you cannot "bounce" traffic off one side of the firewall like you used to do. The usual remedy is to make the routing symmetric: give the internal hosts a route to the remote subnet via the internal router (or make that router their default gateway and let it forward Internet-bound traffic to the firewall) so that neither direction touches the firewall, and add the remote subnet's address range to the firewall's Internal network definition so that its packets are not flagged as spoofed when they legitimately do pass through.

5. Tip of the Month

How to configure Web publishing rules to host multiple Web sites with host headers in ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition. This article shows you how to add host headers to a Web site in IIS and also shows how to create Web Publishing Rules to publish sites based on those host headers. Check out this Microsoft how-to guide.

6. ISA/TMG/IAG Links of the Month
ISA Firewall fans and writers! If you publish an article or a blog post about the ISA firewall, let me know. I'll put links to your articles and posts in the newsletter. Just send the link to tshinder@isaserver.org
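The asymmetric-routing drop described under KB Article of the Month (section 4) is easier to see with a small simulation. What follows is an added example written for this newsletter, not code from ISA, TMG or the KB article: a toy stateful packet filter with an ISA-style anti-spoofing check (the source address must belong to a range assigned to the interface the packet arrived on) and a connection table that only admits non-SYN segments for connections whose SYN it has seen. The addresses, interface names, the two-network topology and the log strings are constructed for the demo; the reason strings only borrow the KB's TCP_NOT_SYN_PACKET wording.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed packet model: just enough of a TCP header for the demo.
Packet = namedtuple("Packet", "src dst sport dport flags")
SYN, ACK = 0x02, 0x10


class StatefulFirewall:
    """Toy model of an ISA/TMG-style stateful packet filter (not product code)."""

    def __init__(self, networks):
        # networks: interface name -> address ranges assigned to that interface,
        # the equivalent of the ISA network definitions.
        self.networks = {ifc: [ip_network(n) for n in nets]
                         for ifc, nets in networks.items()}
        self.state = set()   # 4-tuples of TCP connections whose SYN crossed the firewall
        self.log = []        # (verdict, reason, packet), newest last

    def _is_spoofed(self, pkt, arrived_on):
        # Anti-spoofing: the source must lie in a range assigned to the arriving
        # interface. The OS routing table plays no part in this decision.
        return not any(ip_address(pkt.src) in net for net in self.networks[arrived_on])

    def process(self, pkt, arrived_on):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self._is_spoofed(pkt, arrived_on):
            self.log.append(("DENY", "SPOOFED", pkt))
            return False
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flags == SYN:
            self.state.add(fwd)            # new connection: remember it
            self.log.append(("ALLOW", "SYN", pkt))
            return True
        if fwd in self.state or rev in self.state:
            self.log.append(("ALLOW", "ESTABLISHED", pkt))
            return True
        # Any other segment belongs to a connection whose SYN the firewall never saw.
        self.log.append(("DENY", "TCP_NOT_SYN_PACKET", pkt))
        return False


# Constructed topology (not from the KB article): the Internal network holds
# 10.0.0.0/24 (server 10.0.0.10, default gateway = the firewall) and, if the
# administrator defined it, the remote subnet 10.1.0.0/24 behind an internal router.
def build_firewall(remote_subnet_defined=True):
    internal = ["10.0.0.0/24"] + (["10.1.0.0/24"] if remote_subnet_defined else [])
    return StatefulFirewall({"internal": internal, "external": ["0.0.0.0/0"]})


CLIENT, SERVER = "10.1.0.5", "10.0.0.10"
SYN_PKT = Packet(CLIENT, SERVER, 51000, 80, SYN)
SYNACK_PKT = Packet(SERVER, CLIENT, 80, 51000, SYN | ACK)
ACK_PKT = Packet(CLIENT, SERVER, 51000, 80, ACK)


def asymmetric_session():
    """KB scenario: the SYN goes client -> router -> server and never touches the
    firewall; only the server's SYN-ACK is routed through it (default gateway)."""
    fw = build_firewall()
    allowed = fw.process(SYNACK_PKT, "internal")
    return allowed, fw.log[-1][1]


def symmetric_session():
    """Both directions traverse the firewall, so the SYN populates the state
    table before the SYN-ACK and the client's ACK arrive."""
    fw = build_firewall()
    return all([fw.process(p, "internal") for p in (SYN_PKT, SYNACK_PKT, ACK_PKT)])


def undefined_remote_subnet():
    """Remote subnet missing from the Internal network definition: its traffic is
    flagged as spoofed on the internal interface even when the OS has a route."""
    fw = build_firewall(remote_subnet_defined=False)
    allowed = fw.process(SYN_PKT, "internal")
    return allowed, fw.log[-1][1]


if __name__ == "__main__":
    print("asymmetric routing   :", asymmetric_session())
    print("symmetric routing    :", symmetric_session())
    print("undefined remote net :", undefined_remote_subnet())
```

Running the script shows the three outcomes side by side: the SYN-ACK that arrives without its SYN is dropped as TCP_NOT_SYN_PACKET, the same handshake passes once both directions cross the firewall, and a remote subnet that is not part of the Internal network definition is rejected as spoofed before the state table is even consulted. Note that nothing in the toy consults a routing table, which is why adding routes alone does not cure either drop.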
7. Blog Posts
8. Ask Dr. Tom

QUESTION: Hi Tom, We are using an old Watchguard firewall now and honestly, it is not very good. We would like something a bit more secure and focused on what firewalls can do in the 21st century. To that end, we are thinking about ISA 2006. The problem is we understand that TMG 2010 is coming out soon, so we are not sure if we should wait, or go ahead and install ISA 2006 now and then upgrade. What do you think? Thanks! - Tony O.

ANSWER: I see where you are coming from. An old Watchguard is definitely a firewall living in the "old school". I agree that it is time to retire that old dog and bring in something new and shiny. And what better than an ISA firewall? Well, as you pointed out, a TMG firewall would be newer and shinier. The problem is that TMG is available only in beta right now. That is not to say that the beta is not good or stable, but when it comes to something as important as your network firewall, you want to be sure you are using an RTM version. The best thing you can do now is get an ISA 2006 SP1 firewall up now. Get it configured the way you like. Get the Web Publishing Rules, Server Publishing Rules, outbound access rules, and VPN configuration set up to do the things you want them to do. By the time the TMG firewall is available to the public, you'll have a nice, stable ISA firewall configuration. The good news is that you will be able to migrate that configuration to a TMG firewall platform when you are ready. Keep in mind that you would not be able to do an in-place upgrade, since TMG 2010 is a native 64-bit application that runs on Windows Server 2008 and Windows Server 2008 R2. However, you will be able to easily export your ISA 2006 SP1 configuration and import that into your TMG 2010 configuration. The process will be simple and you will be up and running on TMG in no time.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.