Wednesday, October 28, 2009

ISAserver.org - October 2009 Newsletter

-------------------------------------------------------
ISAserver.org Monthly Newsletter of October 2009
Sponsored by: Collective Software <http://www.collectivesoftware.com/Products/Captivate>
-------------------------------------------------------

Welcome to the ISAserver.org newsletter by Thomas W Shinder MD, MVP.
Each month we will bring you interesting and helpful information on ISA Server.
We want to know what all *you* are interested in hearing about.
Please send your suggestions for future newsletter content to: tshinder@isaserver.org


1. Multi-ISP Support - TMG Brings it On Home
--------------------------------------------------------------

Connectivity is key. If you are not connected to the Internet, there is a lot you cannot do. While I spend a lot of time writing material about the value of "offline accessibility", let's face it - if you are not connected, it is likely that you cannot do 90% of what you need to do. Anyone who works in IT knows that if the Internet is down, most people just give it up for the day. I have not seen too many cases where people say "oh, the Internet is down, let me see what I can do without it". The only case I can think of where people sometimes get work done when they are not connected is when they are on airplanes. That's a special case - and in most cases people think of flying as their "off the grid time" - where they can think without the work and interruptions that are inherent in the Internet connected experience.

If connectivity is everything, then you need to make sure that you do not have a single point of failure. With ISA firewalls, your Internet connection was your single point of failure. Sure, you can deploy an enterprise array and have multiple ISA firewalls that use NLB, so that if one of them goes down, you can still connect to the Internet, but if the Internet connection that array uses fails, then you are out of luck. Time to take the rest of the day off if it does not come back up soon.

That story changes with the TMG firewall. With TMG, you will have what is called "ISP Redundancy" or "multi-ISP support". Actually, it should be called "dual ISP support" since the "multi" represents "two" with TMG. You can use a third ISP for redundancy.

But two is pretty good and will work for 99.9% of us. The TMG multi-ISP feature allows you to use your two Internet connections in one of two ways:

* Failover and load balancing
* Failover

When you use failover and load balancing, the TMG firewall uses both Internet connections and load balances new connections between the two ISPs according to the weighting you give each connection. If one of the connections fails, all connections are routed through the remaining ISP. When the failed ISP comes back online, connections are routed through that link again.

Failover mode uses only one Internet connection at a time. If the preferred connection fails, the TMG firewall fails over to the secondary ISP. When the preferred ISP comes back online, the TMG firewall fails back to the preferred ISP. This is useful if you want fault tolerance for the connection but do not want to pay bandwidth costs for both ISPs.

There are some other things you can do with the multi-ISP feature. For example, if there are connections to a particular server that you always want to go through one of the ISPs, you can create a policy for that. If you always want your mail server to forward SMTP messages through one ISP, then mail will always go out through that ISP. However, if that ISP fails, the connection will not fail over to the remaining ISP, and you will have to wait for the failed ISP to come back.

Another example of when you might want to use this feature is when you are using DNS forwarders. Let us say that you are using two DNS forwarders, one located at ISP1 and the other at ISP2. In that case, you want to make sure that connections to the DNS forwarder at ISP1 always go through the ISP1 connection and connections to the ISP2 forwarder always go through the ISP2 connection. The reason for this is that most ISPs will accept DNS queries only from machines located on their own network. This helps reduce the risk of DoS attacks against their DNS servers from botnets located throughout the Internet.

One thing to keep in mind regarding multi-ISP support is that if you are using the new Enhanced NAT feature to control which IP address on the external interface of the TMG firewall an outbound connection will show as its source IP address, that connection will not fail over to the secondary ISP, since it is bound to an address associated with a single ISP.

You can connect to your two ISPs using two NICs - one for each ISP, or you can bind addresses for both ISPs to a single NIC. I suspect the latter scenario will be more common, since most firms will be using CPE provided by their ISPs to connect to the Internet and therefore will use NAT for outbound connections from the TMG firewall.
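To make the routing behaviour described above concrete, here is a small Python model of the decision TMG makes for each new outbound connection. It is added here as an illustration and is not TMG's own code or configuration: the IspRedundancy class, its "balance" and "failover" modes, the pin() method standing in for a destination-specific policy (the SMTP and DNS forwarder cases), and the enat_link argument standing in for an Enhanced NAT binding are all this example's own names. The weighted split uses a deterministic round-robin over the configured weights so the share each ISP receives is easy to check.

```python
"""Model of TMG-style ISP redundancy decisions (added illustration, not TMG code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IspLink:
    name: str
    weight: int          # relative share of new connections in load-balancing mode
    up: bool = True      # link state as reported by connectivity checking


class IspRedundancy:
    """Picks the ISP link for a new outbound connection (hypothetical class).

    mode is "balance" (failover and load balancing) or "failover" (one link at a time).
    """

    def __init__(self, preferred: IspLink, secondary: IspLink, mode: str = "balance"):
        if mode not in ("balance", "failover"):
            raise ValueError("mode must be 'balance' or 'failover'")
        self.preferred, self.secondary = preferred, secondary
        self.links = {preferred.name: preferred, secondary.name: secondary}
        self.mode = mode
        self.pinned: Dict[str, str] = {}   # destination -> link name; never fails over
        self._counter = 0                  # drives the deterministic weighted round-robin

    def pin(self, destination: str, link_name: str) -> None:
        """Policy: traffic to this destination always uses one ISP (e.g. a DNS forwarder)."""
        self.pinned[destination] = link_name

    def set_link_state(self, link_name: str, up: bool) -> None:
        self.links[link_name].up = up

    def choose_link(self, destination: str, enat_link: Optional[str] = None) -> Optional[str]:
        """Return the link to use, or None if the connection cannot be placed right now.

        enat_link: link whose external address an Enhanced NAT rule binds this connection
        to; like a pinned destination it stays with that ISP instead of failing over.
        """
        fixed = enat_link or self.pinned.get(destination)
        if fixed is not None:
            return fixed if self.links[fixed].up else None
        if self.mode == "failover":
            # Preferred first, so the link fails over and fails back automatically.
            for link in (self.preferred, self.secondary):
                if link.up:
                    return link.name
            return None
        live = [lnk for lnk in (self.preferred, self.secondary) if lnk.up]
        if not live:
            return None
        if len(live) == 1:                 # one ISP down: everything goes to the survivor
            return live[0].name
        total = self.preferred.weight + self.secondary.weight
        slot = self._counter % total       # weighted round-robin over both ISPs
        self._counter += 1
        return self.preferred.name if slot < self.preferred.weight else self.secondary.name


def distribution(router: IspRedundancy, destination: str, n: int) -> Dict[Optional[str], int]:
    """Count which link n consecutive new connections to destination land on."""
    counts: Dict[Optional[str], int] = {}
    for _ in range(n):
        link = router.choose_link(destination)
        counts[link] = counts.get(link, 0) + 1
    return counts


if __name__ == "__main__":
    router = IspRedundancy(IspLink("ISP1", 3), IspLink("ISP2", 1))
    print("both up:", distribution(router, "www.example.com", 8))
    router.set_link_state("ISP1", False)
    print("ISP1 down:", distribution(router, "www.example.com", 4))
    router.pin("dns.isp1.example", "ISP1")
    print("pinned destination while ISP1 is down:", router.choose_link("dns.isp1.example"))
```

A result of None is the case the newsletter warns about: a pinned destination or an Enhanced NAT-bound address has nowhere to go while its ISP is down, so the connection waits for that link rather than moving to the other one.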

I have written an article on multi-ISP support and you will see it this week. Part one goes through some of the interface configuration details you will need to know about, and then we go through the configuration. The second part of the article will show you how it works, and we will see what happens in the firewall console and in Network Monitor.

Bottom line: ISP redundancy works and if you need two ISPs, you are going to like it!

See you next month...

Thanks!
Tom
tshinder@isaserver.org


For ISA and TMG and other Forefront Consulting Services in the USA, call me at
Prowess Consulting <http://www.prowessconsulting.com>
206-443-1117

=======================
Quote of the Month - "An undefined problem has an infinite number of solutions." - Robert A. Humphrey
=======================


2. ISA Server 2006 Migration Guide - Order Today!
--------------------------------------------------------------

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA
Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his
illustrious team of ISA Firewall experts now present to you, ISA Server 2006
Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. This book
leverages the over two years of experience Tom and his team of ISA Firewall
experts have had with ISA 2006, from beta to RTM and all the versions and builds
in between. They've logged literally thousands of flight hours with ISA 2006 and
they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with
their no holds barred coverage of Microsoft's state of the art stateful packet
and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide
<http://www.amazon.com/exec/obidos/ASIN/1597491993/isaserver1-20/>. You'll be
glad you did.


3. ISAserver.org Learning Zone Articles of Interest
--------------------------------------------------------------

We have a great group of articles in the Learning Zone that will help you get a
handle on your most difficult configuration issues. Here are just a few of the
newer and more interesting articles:

* Microsoft Forefront TMG Behavioral Intrusion Detection
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Behavioral-Intrusion-Detection.html>

* Using ISA Server 2006 HTTP Security Filters to Block Instant Messaging
<http://www.isaserver.org/tutorials/Using-ISA-Server-2006-HTTP-Security-Filters-Block-Instant-Messaging.html>

* Internet Access Monitor for MS ISA Server Voted ISAserver.org Readers' Choice Award Winner - Reporting
<http://www.isaserver.org/news/ISAserver-Readers-Choice-Award-Reporting-Internet-Access-Monitor-for-MS-ISA-Server-Jul09.html>

* Configuring TMG Beta 3 for SSTP VPN Connections - Part 2: Configuring the Firewall to Accept SSTP Connections
<http://www.isaserver.org/tutorials/Configuring-TMG-Beta-3-SSTP-VPN-Connections-Part2.html>

* Microsoft Forefront TMG ISP Redundancy Mode
<http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-ISP-Redundancy-Mode.html>

* Blocking Dangerous Sites with Domain Name and URL Sets
<http://www.isaserver.org/tutorials/Blocking-Dangerous-Sites-Domain-Name-URL-Sets.html>

* Configuring TMG Beta 3 for SSTP VPN Connections - Part 3: Configure TMG VPN Settings and Making the Connection
<http://www.isaserver.org/tutorials/Configuring-TMG-Beta-3-SSTP-VPN-Connections-Part3.html>

* Microsoft ISA Server 2006 - Secure FTP Server (FTPS) publishing with Windows Server 2008
<http://www.isaserver.org/tutorials/Microsoft-ISA-Server-2006-Secure-FTP-Server-FTPS-publishing-Windows-Server-2008.html>


4. KB Article of the Month
---------------------------------------------------------------

You receive a "Resource allocation failure" alert on your Internet Security and Acceleration Server 2006, ISA Server 2004, Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 computer

On your Microsoft Internet Security and Acceleration (ISA) Server computer or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer, the following alert may appear in the Management tool after you expand your ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer name, click Monitoring, and then click the Alerts tab:

Resource allocation failure

The alert description is similar to the following:

Description: The Web Proxy filter failed to bind its socket to IP_address port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure. The failure is due to error: 0x80072740.

Note:
The same description is repeated for the IP address 127.0.0.1.

If you restart the Microsoft Firewall service, the alert is logged again.

When you receive the alert, you may experience either or both of the following symptoms:

* Clients that are configured to use automatic discovery cannot connect to the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer.
* Users cannot connect to a Web site that is published through a Web publishing rule on your ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer. The Web publishing rule uses a listener that is configured to use port 80.

For the cause and a workaround, check out:
<http://support.microsoft.com/kb/888650>
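The error code in the alert description is an HRESULT: the 0x8007 prefix marks a wrapped Win32 error, and the low 16 bits, 0x2740, are Winsock error 10048 (WSAEADDRINUSE, address already in use), which matches the "another service is already using the same port" explanation in the alert text. The following Python script, added here as an illustration and not part of the KB article or of ISA/TMG, decodes that code and reproduces the bind conflict on an ephemeral loopback port; the function names are this example's own.

```python
"""Added illustration: decode the alert's error code and reproduce a port-bind conflict.
Not ISA/TMG code; the function names here are this example's own."""
import socket
from typing import Optional, Tuple

FACILITY_WIN32 = 7
WSAEADDRINUSE = 10048  # Winsock "address already in use" (0x2740)


def win32_code_from_hresult(hresult: int) -> Optional[int]:
    """Return the Win32/Winsock error carried by a failing FACILITY_WIN32 HRESULT
    (0x8007xxxx), or None if the value is not of that form."""
    hresult &= 0xFFFFFFFF
    failed = bool(hresult & 0x80000000)        # severity bit
    facility = (hresult >> 16) & 0x1FFF        # 11-bit facility field
    if failed and facility == FACILITY_WIN32:
        return hresult & 0xFFFF
    return None


def try_bind(address: str, port: int) -> Tuple[bool, Optional[int]]:
    """Try to bind a TCP socket the way a listener would; return (bound_ok, errno)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
        return True, None
    except OSError as exc:                     # EADDRINUSE on POSIX, 10048 on Windows
        return False, exc.errno
    finally:
        sock.close()


def bind_conflict_demo(address: str = "127.0.0.1") -> Tuple[bool, bool]:
    """Hold an ephemeral port with a listener, show that a second bind fails while it is
    held and succeeds once the listener is gone: the situation the alert describes."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind((address, 0))              # port 0: let the OS pick a free port
        holder.listen(1)
        port = holder.getsockname()[1]
        while_held, _ = try_bind(address, port)
    finally:
        holder.close()
    after_release, _ = try_bind(address, port)
    return while_held, after_release


if __name__ == "__main__":
    code = win32_code_from_hresult(0x80072740)
    print("0x80072740 ->", code, "(WSAEADDRINUSE)" if code == WSAEADDRINUSE else "")
    held, released = bind_conflict_demo()
    print("bind while port held:", held, "| bind after release:", released)
```

On the firewall itself the practical check is the same idea in reverse: find out which process already owns port 80 on the listener's address (for example with netstat -ano on Windows, which shows the owning PID) before restarting the Firewall service, because the alert text says the restart alone just logs the failure again.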


5. Tip of the Month
--------------------------------------------------------------

Whoa. You found that you like TMG Standard Edition so much that you want to take advantage of everything that Enterprise Edition has to offer you. However, you do not want to rewrite your entire configuration and create your firewall rules all over again. How do you do the upgrade with TMG?

Easy!

1. In the TMG firewall console, in the left pane, click the System node.
2. On the System tab, right-click the server name, and then click Properties.
3. Click the Product ID tab and then click Upgrade to Enterprise Edition.
4. Enter the TMG Enterprise Edition product key.
5. Click OK to close the Product Key Entry dialog box, and then click OK to close the Server Properties dialog box.

Bam! That's it. Pretty nice, eh? This magic, compared to what you had to go through with the ISA firewall, is due to the fact that both Standard Edition and Enterprise Edition use ADAM for policy storage.


6. ISA/TMG/IAG Links of the Month
--------------------------------------------------------------

* About Forefront TMG with Forefront UAG
<http://technet.microsoft.com/en-us/library/ee522953.aspx>

* Forefront UAG DirectAccess design guide
<http://technet.microsoft.com/en-us/library/ee406191.aspx>

* Exchange services access with Forefront UAG
<http://technet.microsoft.com/en-us/library/dd857315.aspx>

* Microsoft Forefront MVP Award Continues…
<http://blog.msfirewall.org.uk/2009/10/microsoft-forefront-mvp-award-continues.html>

* Group Policy Processing Errors on ISA Server and Fun with Large ICMP Packets
<http://blog.msfirewall.org.uk/2009/09/group-policy-processing-errors-on-isa.html>

* ISA 2006 Flood Mitigation Strategies
<http://tmgblog.richardhicks.com/2009/10/18/isa-2006-flood-mitigation-strategies/>

* IIS on ISA – The One Exception!
<http://tmgblog.richardhicks.com/2009/10/08/iis-on-isa-the-one-exception/>

* Microsoft Most Valuable Professional (MVP) 2009!
<http://tmgblog.richardhicks.com/2009/10/01/microsoft-most-valuable-professional-mvp-2009/>


7. Blog Posts
--------------------------------------------------------------

* Direct Access and UAG video - Deep dive with a Program Manager
<http://blogs.isaserver.org/shinder/2009/10/23/direct-access-and-uag-video-deep-dive-with-a-program-manager/>

* A Primer on IPv6 to Help You Get Started with UAG DirectAccess
<http://blogs.isaserver.org/shinder/2009/10/23/a-primer-on-ipv6-to-help-you-get-started-with-uag-directaccess/>

* A Little Bit on the SIP Filter
<http://blogs.isaserver.org/shinder/2009/10/23/a-little-bit-on-the-sip-filter/>

* TMG Client AD Based Autodiscovery
<http://blogs.isaserver.org/shinder/2009/10/23/tmg-client-ad-based-autodiscovery/>

* Forefront Threat Management Gateway 2010 Release Candidate
<http://blogs.isaserver.org/shinder/2009/10/12/forefront-threat-management-gateway-2010-release-candidate/>

* Microsoft Reputation Services Feedback Site Now Online
<http://blogs.isaserver.org/shinder/2009/10/12/microsoft-reputation-services-feedback-site-now-online/>

* Threat Management Gateway 2010 RC Now Available
<http://blogs.isaserver.org/shinder/2009/10/12/threat-management-gateway-2010-rc-now-available/>

* What about Hork Mode and ISP Failover?
<http://blogs.isaserver.org/shinder/2009/10/09/what-about-hork-mode-and-isp-failover/>

* Check Out the Forefront Experts Blog
<http://blogs.isaserver.org/shinder/2009/10/09/check-out-the-forefront-experts-blog/>

* Forefront TMG introduces the Preparation Tool to make setup easier
<http://blogs.isaserver.org/shinder/2009/10/04/forefront-tmg-introduces-the-preparation-tool-to-make-setup-easier/>


8. Ask Dr. Tom
--------------------------------------------------------------

* QUESTION:

Hi Tom,

First of all, I really enjoy all the articles and tutorials you have written for the ISA Server Community. Today, I was going through this particular tutorial <http://www.isaserver.org/tutorials/Publishing-Windows-Server-2008-SSL-VPN-Server-Using-ISA-2006-Firewalls-Part1.html> and since we are currently working with ISA 2006 Standard with all Windows 2003 Servers, we have just bought the new Windows 2008 Server because we wanted to implement the above tutorial. Today, we are using ISA with a simple PPTP to create VPN connections for our employees. The next step is to make this more secure (that is why we are using your tutorial).

However, does the ISA Server support the possibility of configuring a VPN using the Web interface? Sometimes employees go to https://vpn.example.com, log in and click on connect (for example).
We have two goals: making it more secure and making it easier to implement.
Today we need to install the soft clients on each computer without pushing the soft clients (since not all employees are connected to the AD with their laptop).

Thanks in advance.
Greetings - Ivan Pudic


* ANSWER:

Hi Ivan,

Good to hear that you are interested in rolling out an SSTP VPN solution. SSTP has been a life saver for me and many of my friends ever since it was released with Windows Server 2008 and Windows Vista. It works from anywhere - I do not have to worry about my hotel not supporting my VPN protocol, and I have not found a conference center or even a partner network that did not allow me outbound SSL for my SSTP connection. SSTP is a VPN networker's dream come true!

I imagine you read my article on how to publish SSTP servers using the ISA firewall. While that is a good first step, I need to tell you that the TMG firewall is coming out soon, and you should consider using the TMG firewall as your SSTP VPN server. That way, you do not need a second server to act as the SSTP VPN server, as the TMG firewall will be the SSTP VPN server. In addition, you will benefit from the strong user/group/protocol/destination access controls, in addition to stateful packet inspection, and application layer inspection from Web and application filters, in addition to the TMG's Network Inspection System.

Now to answer your question. I think what you have in mind is more of an SSL VPN gateway – such as IAG 2007 or the upcoming UAG. Users are presented with a log on page where they can establish connections to servers and services on the internal network. They can even use SSTP, as UAG supports SSTP VPN connections.

If you find that UAG is a little too much for you, you can create a CMAK profile and publish that to a Web site. When the user downloads the CMAK profile, all he needs to do is double click on it and it installs it automatically. At that point, the user needs to enter his credentials and away you go.

You mention that your users are not part of your Active Directory. If that is the case, you can enter those users into the TMG's local user account database and allow them access in that way. Just make sure they are regular users and that you never create rules that allow VPN users local host access.

Got a question for Dr. Tom? Send it to tshinder@isaserver.org.


TechGenix Sites
--------------------------------------------------------------

MSExchange.org <http://www.msexchange.org/>
WindowSecurity.com <http://www.windowsecurity.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>

--
Visit the Subscription Management <http://www.techgenix.com/newsletter/>
section to unsubscribe.
ISAserver.org is in no way affiliated with Microsoft Corp.
http://www.techgenix.com/advert/index.htm for sponsorship
information or contact us at advertising@isaserver.org
Copyright © ISAserver.org 2009. All rights reserved.
