by
Shijaz Abdulla on 05.04.2010 at 20:25
I was chatting with Tom Shinder this evening when he started an interesting discussion on setting up a Windows VPN connection to use SSTP to connect to the corporate network via Forefront Unified Access Gateway (UAG). This would allow Windows 7 users to connect via SSTP without having to log in to the UAG portal.
So far, we’ve seen it only being done on the UAG Portal – where the user has to log in to the UAG portal and open the Remote Network Access application.
So I fired up my UAG lab VMs to see if this is do-able – and we were successful in getting it to work! Here’s how we did it.
- Open the user’s properties in Active Directory Users & Computers. On the Dial-in tab, choose Allow Access under Network Access Permission. Alternatively, you can configure the NPS Network policy accordingly.

- On the Windows 7 client machine, create a new VPN connection. (Hint: Network & Sharing Centre –> Set up a new connection or network –> Connect to workplace)
- For the newly created connection, set the connection properties as below. The host name will be the same that’s configured on your UAG trunk.

- On the Security tab of the VPN connection properties, set the Type of VPN to Secure Socket Tunneling Protocol (SSTP). Select the option to automatically use the Windows logon name and password.

- You’re good to go. Make that connection!
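The same setup scripted in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module on the admin box and the VpnClient module on the client (Windows 8 / Server 2012 and later; Windows 7 has no Add-VpnConnection, so there the GUI steps above apply). The user name and portal FQDN are placeholders.

```powershell
# Added example (not from the original post): script the SSTP-to-UAG connection.
# Placeholders: the user's sAMAccountName and the public name on the UAG HTTPS trunk.
$User       = 'jdoe'
$PortalFqdn = 'uag.example.com'   # must be the host name configured on the UAG trunk

# Step 1: "Allow Access" on the Dial-in tab is the msNPAllowDialin attribute.
# (Alternatively leave it unset and grant access through an NPS network policy.)
Set-ADUser -Identity $User -Replace @{ msNPAllowDialin = $true }

# Steps 2-4: create the connection with SSTP as the tunnel type and
# "automatically use my Windows logon name and password" (MSChapv2 only).
Add-VpnConnection -Name 'UAG SSTP' `
                  -ServerAddress $PortalFqdn `
                  -TunnelType Sstp `
                  -AuthenticationMethod MSChapv2 `
                  -UseWinlogonCredential `
                  -EncryptionLevel Required `
                  -Force

# Sanity checks before dialling: the tunnel type stuck, and the name the client
# dials resolves (SSTP also validates it against the trunk certificate).
$conn = Get-VpnConnection -Name 'UAG SSTP'
if ($conn.TunnelType -ne 'Sstp') { throw 'Tunnel type is not SSTP' }
Resolve-DnsName $PortalFqdn -ErrorAction Stop | Out-Null

# Step 5: dial it (logon credentials are picked up automatically).
rasdial 'UAG SSTP'
```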


by
Shijaz Abdulla on 13.03.2010 at 13:49
In this post, I am sharing the current position of Forefront Client Security (Forefront Endpoint Protection) and Forefront Protection for Exchange in the market, in comparison to similar solutions from other competitors.
1. Forefront Client Security:
We have very high comparative ratings from VirusBulletin – which does independent testing of antivirus solutions.
Below: Average result of multiple tests between August 2009 to February 2010.
How to interpret this chart: Higher reactive AND proactive detection is good. MS Forefront Client Security/Endpoint Protection is placed HIGHER than Symantec and McAfee, among other competitors. Trend Micro does not seem to be included in the latest study, but it failed 3 previous tests and didn’t make it into the chart.
[Source: virusbtn.com]
2. Forefront Protection for Exchange Server
VirusBulletin, which conducts independent benchmarking of antivirus & antispam products has rated Microsoft Forefront Protection for Exchange highly. MS Forefront for Exchange won the VBspam award consistently. For more information register at virusbtn.com and view the reports.
How to interpret the chart: HIGH SPAM CATCH rate (SC) and LOW FALSE POSITIVE (FP) rate is good.
The latest March 2010 report (below) shows that MS Forefront has the HIGHEST SPAM CATCH RATE (SC), while at the same time maintaining a relatively LOWER FALSE POSITIVE (FP) rate compared to Symantec, McAfee and other popular anti-spam solutions.
[Source: virusbtn.com]
It is worth noting that what goes into Forefront Protection for SharePoint and Forefront Protection for OCS is the same set of antivirus engines that goes into Forefront Protection for Exchange.
by
Shijaz Abdulla on 04.03.2010 at 16:13
I would like to thank those of you that attended my session on Microsoft Forefront Unified Access Gateway and DirectAccess yesterday at TechEd Middle East 2010. If you heard about this blog from my session, please take a moment to subscribe by email or RSS.
I cannot stress enough on how important your session evaluations are. If you attended my session, please take a moment to complete the evaluation online.
I would like to thank those who have already completed the feedback for giving me high ratings. It is your support that keeps me going. With all respect, let me also request the one person who rated me low to re-evaluate the session open-mindedly :-). Honest feedback in the evaluation is important to me.
The presentation slide deck is now available for download on the TechEd website. You will have to login with your TechEd username and password.
Q&A
I have tried my best to answer all questions onsite. However, if you still have questions based on my session, feel free to post them below as a comment to this post. I will try my best to have them answered.
Thank You.

PS: Pictures will be uploaded soon.
by
Shijaz Abdulla on 24.02.2010 at 23:58
Countdown to TechEd – 4 days to go.
T minus 4 for the biggest tech event in Dubai — TechEd Middle East 2010.
Here’s a reminder of the session that I will be speaking at. Hope to see you there!
Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access
Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager, Network Administrator
Here’s what I will be covering:
- Overview of Microsoft Forefront Unified Access Gateway
- Demo of Unified Access Gateway features:
- Remote access with SSL-VPN,
- Secure Application Publishing,
- Secure File Access,
- Endpoint security
- Publishing RemoteApp and Remote Desktop Services
- Overview of DirectAccess
- Demo: Enabling Windows 7 DirectAccess feature with UAG
Recommended Pre-requisites:
There are no prerequisite sessions that you need to attend before my session. However, if you have an interest in understanding the darkest depths of DirectAccess and IPv6, I recommend that you also attend the following sessions by John Craddock.
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition technologies.
SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting it all together.
I will be recapping some of the content covered in these sessions, but as my session focuses on Unified Access Gateway, I will not go in to the depths of how DirectAccess works.
Technical Learning Centre (TLC)
I will be available at the Technical Learning Centre at these times to attend to your questions around Microsoft Forefront products.
Monday, March 1: 11:45 to 15:45
Tuesday, March 2: 12:30 to 16:00
Feel free to drop in and ask your questions on ISA Server/Threat Management Gateway, Forefront Unified Access Gateway, Forefront Protection for Exchange/SharePoint/OCS, Forefront Endpoint Protection, Forefront Hosted Filtering for Exchange, Rights Management Services.
See you there!

by
Shijaz Abdulla on 22.02.2010 at 23:47
If you are publishing RemoteApp or Remote Desktop Services on Forefront Unified Access Gateway 2010, and have enabled Single Sign On (SSO) on the RDS application in UAG, you might find that UAG tries to perform user logon on the published server using computername\username instead of domain\username.
I’ve researched this issue and found that there’s nothing I can do about it, at least at the time of writing this, as it is listed as a known issue in UAG.
Workaround
A workaround would be to ask users to log in using “domainname\username” while logging on to the UAG portal instead of just “username”.
Just a thought – you might be able to automate the appending of “domainname\” to the username string by customizing the UAG login page code, although I haven’t attempted it.
by
Shijaz Abdulla on 22.02.2010 at 22:22
If you’re trying to publish Remote Desktop Services or RemoteApp on Microsoft Forefront Unified Access Gateway 2010, and if you encounter the following error, read on:
“Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server. Contact your network administrator for assistance”.

Before we look into how to fix this, we need to understand how RDS publishing works with UAG:
1. A UAG client accesses a Forefront UAG portal using a Web browser; UAG evaluates the endpoint compliance and session access policies defined by the administrator.
2. The end user launches a Remote Desktop application in the portal. The portal uses the RDS ActiveX component to activate the RDC client software running on the endpoint. If the ActiveX component doesn’t exist, it is installed.
3. The RDC client on the endpoint initiates an RDP-over-HTTPS connection with the Forefront UAG server.
4. The HTTPS connection terminates on the Forefront UAG server. Forefront UAG uses its integrated RD Gateway to handle the connection. Forefront UAG verifies that the user logged on to the portal successfully and was authenticated using a session cookie, and then enforces the endpoint access policies.
5. An RDP session is established from Forefront UAG to the backend RDS hosts.
As you can see in steps 3 and 4, the HTTPS connection terminates on the Forefront UAG server, which also acts as a Remote Desktop Gateway. The error appears because no SSL certificate is configured by default on the RD Gateway running on the Forefront UAG computer.
The Solution
- On the computer running UAG, open the RD Gateway Manager (Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager)

- You will see that “A server certificate is not yet installed or selected”. Click on View or modify certificate properties.
- Choose the option Select an existing certificate from the RD Gateway <computername>. Click the Import Certificate button.
- Choose the certificate that matches the public DNS name of your UAG portal. In my case it is uag.tech.com – this is the URL that users connecting from outside your organization will type into the browser to get into the UAG portal. It can be the same certificate that you are using on your HTTPS trunk.

- Click Import and OK.
- Try to connect to the RDS Session Host from the UAG portal. It should work (if you have configured the application and your endpoint is compliant with the endpoint security policies that you defined).
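The certificate selection and binding from the steps above, scripted as an added example that is not part of the original post. It assumes it runs elevated on the UAG server, that the portal name is a placeholder, and that the RD Gateway exposes the Win32_TSGatewayServerSettings WMI class with a SetCertificate(CertHash) method (assumed, not taken from the post).

```powershell
# Added example (not from the original post): find the machine-store certificate that
# names the public UAG portal and bind it to the RD Gateway integrated in UAG.
$PortalFqdn = 'uag.example.com'   # placeholder: the URL external users type into the browser

function Test-CertNameMatch([System.Security.Cryptography.X509Certificates.X509Certificate2]$c, [string]$name) {
    # Exact match in the Subject CN or in a Subject Alternative Name entry (OID 2.5.29.17).
    # A wildcard certificate is deliberately not matched; Format() text is locale dependent.
    $pattern = "(^|[=\s])$([regex]::Escape($name))(,|$)"
    if ($c.Subject -match $pattern) { return $true }
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    return [bool]($san -and ($san.Format($false) -match $pattern))
}

function Test-ServerAuthEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    # RD Gateway needs a Server Authentication certificate (EKU 1.3.6.1.5.5.7.3.1).
    $eku = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }   # no EKU extension means any purpose
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}

# The trunk certificate is fine here, so look in LocalMachine\My: private key present,
# not expired, server-auth capable, and carrying the portal name. Newest expiry wins.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   (Test-ServerAuthEku $_) -and (Test-CertNameMatch $_ $PortalFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable server certificate for $PortalFqdn in LocalMachine\My" }
Write-Host "Binding $($cert.Subject) (thumbprint $($cert.Thumbprint)) to the RD Gateway"

# Assumed WMI method, equivalent to the Import Certificate step in RD Gateway Manager.
$gw = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGatewayServerSettings
$rc = $gw.SetCertificate($cert.Thumbprint)
if ($rc.ReturnValue -ne 0) { throw "SetCertificate failed with return code $($rc.ReturnValue)" }
```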
by
Shijaz Abdulla on 18.02.2010 at 17:51
Microsoft Qatar did a Security event yesterday at the Four Seasons Hotel, Doha. We started off with an enthusiastic audience of 70+ people.
- We kicked off with a presentation on Microsoft Business Ready Security by good ol’ David Maskell, Security SSP – Microsoft Gulf, followed by technical demos.

- Fadel Lubbos, Senior Consultant from Information & Communication Technology WLL (ICT), did a demo on Forefront Threat Management Gateway (TMG) – pictured below. ICT is a Microsoft Gold Certified Security Partner.


- Fazil Rahim, CEO of Entelyst, did a demo on Active Directory Rights Management Services (AD RMS). Entelyst is a Microsoft Gold Certified Partner specializing in security solutions.

Pictures from the Q & A session:

Photos: Lea Attieh
by
Shijaz Abdulla on 12.02.2010 at 23:14
I’m doing a breakout session at the Microsoft TechEd in Dubai. Here are the details:
Session: SIA308 – Secure Remote Access with Unified Access Gateway and Direct Access
Track: Security, Identity and Access
Speaker: Shijaz Abdulla
When: Wed, Mar 03, 2010 (13:30 – 14:30) | Breakout Session
Where: Sheikh Maktoum Hall A
Level: 300 – Advanced
Audience: Security Administrator, IT Manager
Here’s what I will be covering:
- Overview of Microsoft Forefront Unified Access Gateway
- Overview of DirectAccess
- Demo: Enabling Windows 7 DirectAccess feature with UAG
- Unified Access Gateway features: Remote access with SSL-VPN, Secure Application Publishing, Secure File Access, Endpoint security
- Demo: Unified Access Gateway features
See you there!

by
Shijaz Abdulla on 06.02.2010 at 00:29
While trying to request a certificate using the Certificates MMC snap-in on a computer running ISA Server, Threat Management Gateway (TMG) or Unified Access Gateway (UAG), you may encounter the following error:
“The RPC Server is unavailable”

This may be caused by the RPC Filter in ISA Server/TMG. The RPC filter ensures security by monitoring RPC traffic flowing through the firewall. DCOM traffic is also dropped by this filter. However, DCOM is required to request a certificate.
To work around this problem, disable the strict RPC compliance setting on ISA Server/TMG. Here’s how to do it:
- Right click on Firewall Policy and choose Edit System Policy.
- Under Authentication, select Active Directory configuration group
- Uncheck the Enforce Strict RPC Compliance option.

- Click OK and apply your changes.
Of course, you will also need to create a firewall policy rule to allow all traffic from Localhost to Internal. Once you have requested the certificate you can revert these changes.

You can now request certificates from your ISA Server/TMG computer!
by
Shijaz Abdulla on 19.01.2010 at 09:03