Forefront Protection for Exchange – Still Number One!

The July 2010 issue of Virus Bulletin, published today, has another comparative report on anti-spam solutions.

In the latest comparative report, Microsoft Forefront Protection for Exchange still leads the competition with the highest spam catch rate and the lowest (zero) false positive rate. This is the third consecutive time that Microsoft Forefront Protection for Exchange has received the highest final score in the VBSpam comparative report.

In this report (and also in the previous reports), Microsoft Forefront Protection for Exchange has performed remarkably better than Symantec, McAfee, Kaspersky and other competing solutions.

Quote from the VBspam report:

With the second best spam catch rate overall and just a handful of false positives on the last occasion, Microsoft’s Forefront Protection 2010 for Exchange Server seemed unlikely to improve on its past performance in this test. However, the product still managed to do that and a stunning spam catch rate of 99.96% combined with a total lack of false positives not only wins the product its sixth consecutive VBSpam award, but also gives it the highest final score for the third time in a row.

VirusBulletin’s detailed comparative reports can be downloaded by subscribers from www.virusbtn.com.

Do you already have Forefront Protection for Exchange?
It’s likely you already own the licenses for this award-winning anti-spam solution and you’re not aware of it.

  • If you run Exchange Server in your organization and own Exchange Enterprise CALs for your users, you are already licensed to use Forefront Protection for Exchange.
  • If you have the Enterprise CAL Suite, you are already licensed to use Forefront Protection for Exchange.
  • If you have the Forefront Security Suite in your license agreement, you are already licensed to use Forefront Protection for Exchange.

For more information, speak to your Microsoft account manager.

TMG or UAG? Which one do I need?

Of late, I have seen that a lot of customers, and even partners, are confused about the respective capabilities of Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).

The most important difference is that TMG is an “inbound AND outbound” access gateway: it includes a network-level firewall with stateful packet inspection and application filtering, a forward and reverse web proxy, and a VPN server (for users and site-to-site). TMG is more focused on keeping the bad guys out and, to a certain extent, letting the good guys in. UAG, on the other hand, is an “inbound-only” secure remote access gateway that lets you allow “the good guys” in more securely.

I need TMG if:

  • I need an inbound and outbound access gateway
  • I need a state-of-the-art firewall with stateful packet inspection and application filtering capabilities to protect my network
  • I need built-in IPS (Intrusion Prevention System) on that firewall
  • I need a secure forward proxy for users on my network to access the internet
  • I need to be able to do web filtering based on individual URLs or URL categories (like Politics, Sports, Pornography, etc)
  • I need to be able to monitor my users’ web activity and keep firewall logs.
  • I need to be able to block unproductive websites and services (like IM, P2P, video sharing, etc)
  • I need to protect my users from web-based threats (web antivirus, web antimalware, block malicious websites)
  • I need Forward HTTPS inspection to protect users against web threats that are hidden inside HTTPS
  • I need to publish (reverse proxy) services to the internet (like web servers, email servers, webmail, extranet, intranet and internet portals, etc)
  • I need SSL bridging to protect my published servers against threats embedded inside SSL
  • I need zero-day protection from vulnerabilities that do not have a patch released yet (via the Network Inspection System, NIS)
  • I need site-to-site VPN
  • I need a VPN server for my users in addition to all the above

I need UAG if:

  • I need an ‘inbound only’ access gateway
  • I need to enable my users to securely access internal resources remotely (while they are outside the company network)
  • I need to enable Secure VPN access for users when they are outside my network
  • I need to quickly and easily enable DirectAccess for my Windows 7 users
  • I need to ensure only healthy and secure remote machines can access information/services/applications in my network with appropriate user authentication
  • I need to be able to define which applications or services these users can access and granularly define the security policies that will govern access to these services remotely
  • I need to ensure that these users can access these applications regardless of whether they are web-based, Terminal Services, RemoteApp or Citrix, without having to establish a VPN connection.
  • I need to give my users the ability to access these applications from a mobile device, or from a non-Windows client such as a Mac or a Linux machine.
  • I need to provide a web-based portal that users can log in to remotely and launch these applications from, without connecting a VPN, provided their machine is healthy.
  • I need to provide a web-based portal that users can log in to remotely and establish a secure SSTP VPN session or access file servers from, without connecting a VPN, provided their machine passes my organization’s health requirements.
  • I need to be able to easily define the security/machine health policies for machines that are attempting to access these applications.
  • I have smaller remote sites where I have small numbers of users with no site-to-site VPN and just an internet connection. I need to provide them secure access to my applications over the internet.

As you can see, each product is specialized to deliver very focused capabilities. Hence it is quite possible that some organizations need both solutions while others need only one. For many smaller organizations which need a one-product solution to protect their network and provide reasonably secure remote access, TMG would be the answer. However, for designs that focus purely on inbound access, UAG needs to be considered. If an organization has separate TMG/ISA Server arrays – one for inbound access and another for outbound access – the solution is simple – use a UAG array instead for inbound access and continue using TMG for the outbound array.

Provide feedback and WIN a Microsoft shirt!

Attention: Microsoft Partners in Qatar!

Let us know your feedback on the Partner Academy trainings held between August 2009 and June 2010 and win a Microsoft-branded formal shirt.

The feedback should be posted as a comment in the “Microsoft Partners in Qatar” Facebook group by clicking “Comment” on my status message (see below); email feedback does not qualify for the prize (although it will be heard)!

This Facebook group is open only by invitation, and only partners in Qatar and certain Microsoft employees can see posts and comments you make on this group. Not a member yet? Join our Facebook group today!

Feel free to forward this mail to other people in your organization.

The Rules:

  • This contest is only open to partners who enrolled in and attended Partner Academy training in FY10.
  • The feedback should be made in our Facebook group, email feedback doesn’t qualify for the prize.
  • Each entry should include “what went right” and “what went wrong” in addition to your feedback. Each entry should also mention the course name.
  • The winner will be selected on July 4, 2010. The most complete and candid feedback stands a higher chance of winning. The winner will be announced on the Facebook group.

Forefront Threat Management Gateway Service Pack 1 released

This is a repost from the TMG Team Blog.

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 (SP1) was released on 23 June 2010.

SP1 introduces the following new features and functionality to Forefront TMG 2010 Standard and Enterprise Editions.

New Reports

  • The new User Activity report displays the sites and site categories accessed by any user.
  • All Forefront TMG reports have a new look and feel.

Enhancements to URL Filtering

  • You can now allow users to override the access restriction on sites blocked by URL filtering. This allows for a more flexible web access policy, in that users can decide for themselves whether to access a blocked site. This is especially useful for websites that have been incorrectly categorized.
  • You can now override the categorization of a URL on the enterprise level; the override is then effective for each enterprise-joined array.
  • Denial notification pages can now be customized for your organization’s needs.

Enhanced Branch Office Support

  • Co-location of Forefront TMG and a domain controller on the same server, which can help reduce the total cost of ownership at branch offices.
  • When installed on a computer running Windows Server 2008 R2, SP1 simplifies the deployment of BranchCache at the branch office, using Forefront TMG as the Hosted Cache server.

Support for publishing SharePoint 2010

  • Forefront TMG SP1 supports secure publishing of SharePoint 2010.

Additional resources:

Blocking YouTube videos and Flash content using Forefront TMG

In this post, I show you how to block users from playing YouTube videos on your network. I also show you how to block Flash content embedded in web pages (although these days blocking all Flash content may not be such a good idea).

Yes, you could always block the URL youtube.com, but this may not be effective, as YouTube videos can be embedded in other websites and there are plenty of sites *like* YouTube out there. A more effective approach is to block by MIME type, thanks to the enhanced content filtering capabilities built into TMG.

Before I get started, two important notes:

  • I mention YouTube because it is everyone’s favorite, but the steps below work for Vimeo and any other video sharing site that relies on Adobe Flash technology.
  • The steps below can be used to block YouTube and Flash content on ISA Server 2004/2006 too.

Blocking YouTube videos using TMG

1. On the TMG Console, right-click Firewall Policy, choose New Access Rule and create a new “Deny” rule named “Block YouTube” with the following settings:

  • Action: Deny
  • Applies to: All outbound traffic
  • From: Internal
  • To: External
  • Users: All Users

Click Finish to close the wizard.

2. Do not apply the changes yet! Right-click on the new rule you just created and choose Properties.

3. Open the Content Types tab. Click New.

4. Create a new Content Type Set as follows:

Name: YouTube

Available types (type each of the following and click the Add button):

  • video/mp4
  • video/x-flv
  • video/x-ms-asf

5. Click OK. Ensure the check box next to your new content type set is enabled:

6. Click OK and apply your changes. Wait for the config synchronization to complete.

Test your changes by trying to play some videos on YouTube or other video sharing websites.
Blocking Adobe Flash Player content using TMG

1. Follow steps 1 to 3 above.

2. While creating a new Content Type set, use the following parameters:

Name: Flash

In the available types box, type:

application/x-shockwave-flash

3. Proceed with step 5 above.

Blocking additional MIME types

If you need to block something else, it is easy to find what content type to block. Simply monitor the Logging (Logs & Reports > Logging) in the TMG console. Once you encounter the log entry that allowed the content you want to block, expand the “Additional Information” and you will find the MIME type that you need to block.
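The Content Type Set mechanism used throughout this post, as an added example in Go (not code from the post or from TMG): it holds the two sets built above as data, checks a response’s Content-Type against them the way the Deny rule would, and tallies the media types seen per host from constructed log lines, which is the offline version of reading the Logging view to find the next type to add. The tab-separated log layout and the host names are assumptions for the example.

```go
package main

import "strings"

// ContentTypeSet mirrors a TMG Content Type Set: a named list of MIME types
// attached to a Deny rule. DenySets holds the two sets built in the post above.
type ContentTypeSet struct {
	Name  string
	Types []string
}

var DenySets = []ContentTypeSet{
	{Name: "YouTube", Types: []string{"video/mp4", "video/x-flv", "video/x-ms-asf"}},
	{Name: "Flash", Types: []string{"application/x-shockwave-flash"}},
}

// NormalizeMIME reduces a raw Content-Type header to its media type, so that
// "Video/MP4; codecs=avc1" is compared as "video/mp4". Matching on the raw header
// would let parameters or unusual casing slip past the Deny rule.
func NormalizeMIME(header string) string {
	media := strings.SplitN(header, ";", 2)[0]
	return strings.ToLower(strings.TrimSpace(media))
}

// DenyingSet returns the name of the set that blocks a response carrying this
// Content-Type, or "" when no Deny rule applies.
func DenyingSet(header string) string {
	mime := NormalizeMIME(header)
	for _, set := range DenySets {
		for _, t := range set.Types {
			if t == mime {
				return set.Name
			}
		}
	}
	return ""
}

// MIMETypesSeen is the "watch the Logging view" step done offline: it tallies the
// media types that were allowed per host, so you can see which type a new site
// relies on before adding it to a set. The lines use a constructed tab-separated
// layout (host, action, content-type), not TMG's own log format.
func MIMETypesSeen(logLines []string) map[string]map[string]int {
	seen := map[string]map[string]int{}
	for _, line := range logLines {
		f := strings.Split(line, "\t")
		if len(f) != 3 || f[1] != "Allowed" {
			continue // malformed, or already denied: nothing new to learn
		}
		if seen[f[0]] == nil {
			seen[f[0]] = map[string]int{}
		}
		seen[f[0]][NormalizeMIME(f[2])]++
	}
	return seen
}
```

A content type set only ever matches the Content-Type header the server chose to send, so the Logging view remains the authoritative source for what a given site actually labels its video as.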

Demystifying outbound HTTPS inspection in Forefront TMG

What is Forward HTTPS Inspection or Outbound HTTPS Inspection?

In ISA Server 2004/2006 we had inbound HTTPS inspection, better known as “SSL Bridging”. SSL Bridging, or inbound HTTPS inspection, protects published web servers from malicious requests originating from the Internet or external network. In essence, the ISA Server holds the same SSL certificate as the published web server, along with its private key. When an HTTPS request reaches the ISA Server, it decrypts the request using that certificate and inspects it. If the request is found to be safe, the ISA Server establishes a second SSL session between itself and the published web server and forwards the request.

SSL Bridging was an excellent piece of technology for inspecting inbound HTTPS traffic, but ISA Server did not have a feature to inspect “outbound” HTTPS traffic.

Okay – so what’s Outbound HTTPS Inspection?

Outbound HTTPS traffic refers to HTTPS requests originating from the internal network to the Internet (for example, from a user’s web browser). Why is this required? Blocked websites and services can often be accessed through an HTTPS session because proxy servers have no visibility of the content passing inside that session.

This is the technique used by many anonymizers, P2P software and applications like Skype to evade being blocked by a proxy server. More dangerously, it is often used by modern malware to pass undetected between your internal network and the Internet, as your edge security products simply cannot see what is inside the SSL session.

So, how does HTTPS Inspection work? I’m putting it down in *very* simple terms below:

1. The TMG Server has an SSL CA certificate (either generated by TMG itself or issued by your Active Directory CA). All client computers in your internal network must trust TMG’s HTTPS Inspection certificate.

2. User’s computer tries to access an HTTPS website (or other HTTPS content) on the Internet.

3. TMG does not blindly “proxy” the request to the remote HTTPS server. Instead, TMG acts as a client and talks to the remote HTTPS website itself.

4. TMG validates the site’s certificate, copies the details of that certificate, creates a new SSL certificate with those exact same details and signs it with its own CA certificate. It then returns this certificate to the internal client.

Since TMG acts as the client towards the remote server, it can decrypt the content sent back and perform malware inspection and policy-based filtering on it.

5. What you get is two different tunnels, one from TMG to the remote HTTPS server and another from TMG to the internal client: a textbook “man-in-the-middle attack”. I like to call it the “good-man-in-the-middle attack”. With the connection “cut” into two tunnels, the TMG server can decrypt, inspect and re-encrypt all communication between the client and the remote HTTPS server.

Let’s now roll up our sleeves and see how to turn on HTTPS inspection.


  1. Right-click on Web Access Policy and choose “Configure” > “HTTPS Inspection”.
  2. Choose “Enable HTTPS inspection”
  3. You can choose to Inspect traffic and validate site certificates (recommended).
  4. Under the HTTPS Inspection Certificate settings you have two options: use TMG to generate a certificate, or import a certificate issued by an Enterprise Root CA trusted by your organization or by a third-party CA. In either case, all client computers in your network MUST trust the CA certificate.
  5. If you used Forefront TMG to generate the certificate, make sure you save the CA certificate in the Trusted Root CA store on all your computers. You can automatically deploy the certificate by clicking on the HTTPS Inspection Trusted Root CA Certificate Options button. You will need domain administrator credentials.
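The mechanism described above (the CA of explanation step 1, the certificate cloning of explanation step 4, and the trust requirement behind configuration step 5), as an added example in Go that is not TMG’s code: it generates an inspection CA, copies the identity details of a stand-in site certificate into a new certificate signed by that CA, and lets a client check the result against the roots it trusts. The CA names, the host and the constructed “public” CA behind the stand-in site certificate are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a fresh P-256 key pair and signs tmpl with parentKey (self-signed when nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewCA builds a self-signed root: TMG's inspection CA (step 1) or, in this example,
// a constructed "public" CA that stands in for the CA of the real HTTPS site.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert signs a server certificate carrying exactly the given identity details.
func IssueServerCert(subject pkix.Name, dnsNames []string, notBefore, notAfter time.Time,
	ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, DNSNames: dnsNames,
		NotBefore:    notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// MintForClient is step 4: copy the real site's details into a certificate signed by the inspection CA.
func MintForClient(remote, inspCA *x509.Certificate, inspKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	return IssueServerCert(remote.Subject, remote.DNSNames, remote.NotBefore, remote.NotAfter, inspCA, inspKey)
}

// ClientAccepts is the client's view: true only if one of roots signed cert for host (hence step 5).
func ClientAccepts(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

The minted certificate carries the site’s subject, names and validity but a different issuer and a fresh key pair, which is exactly what a client without the inspection CA in its root store rejects.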

Hope you enjoyed this article. Subscribe to this blog for more how-to’s on TMG and other Forefront products.
