I thought I’d share this great video by Jim Harrison on the considerations to make when planning to run Microsoft Forefront Threat Management Gateway (TMG) (or ISA Server, for that matter) in a virtualized environment.
In this video, he discusses:
Performance, security and management considerations
Why it’s not recommended to place TMG on the parent, and how to configure the parent partition
High Availability with TMG in a virtual environment
While trying to request a certificate using the Certificates MMC snap-in on a computer running ISA Server, Threat Management Gateway (TMG) or Unified Access Gateway (UAG), you may encounter the following error:
“The RPC Server is unavailable”
This may be caused by the RPC filter in ISA Server/TMG. The RPC filter enforces security by monitoring RPC traffic flowing through the firewall, and DCOM traffic is also dropped by this filter. However, DCOM is required to request a certificate.
To work around this problem, disable the strict RPC compliance setting on ISA Server/TMG. Here’s how to do it:
Right click on Firewall Policy and choose Edit System Policy.
Under Authentication, select the Active Directory configuration group.
Uncheck the Enforce Strict RPC Compliance option.
Click OK and apply your changes.
Of course, you will also need to create a firewall policy rule to allow all traffic from Localhost to Internal. Once you have requested the certificate you can revert these changes.
You can now request certificates from your ISA Server/TMG computer!
Until December 2009 we had a very rewarding scheme, with partners earning more than 30% of the estimated retail price as an incentive for recommending and deploying our security solutions.
This year, some changes have been made to the SSA program, and I’d like to share the highlights here.
Recap: What is SSA?
The Security Software Advisor (SSA) program is an incentive program for Microsoft partners that provide implementation services on Microsoft security products.
Organizations that invoice hours of services (known as services partners) can earn incentive fees when they recommend and deploy Microsoft security software for new sales of specific Forefront products. Microsoft SSAs are eligible to earn fees of 10 to 20 percent of the estimated retail price (ERP) of each customer’s Microsoft Volume Licensing order of Forefront products, when they invoice customers for implementation services of those products.
Partners, what’s new in SSA for 2010?
The SSA program has been kept simple, easy to understand and rewarding this year:
I recently had a chance to look at the Web Access Policy capability that has been added to Threat Management Gateway (TMG), which is the latest version of ISA Server.
In this post, I will explain:
The Web Access Policy Wizard
The URL Categories feature
The HTTPS inspection feature
The Web Access Policy wizard lets you create all the rules you need to enable, block and cache web access with just one wizard. Here’s how you can use this feature in a web access policy in TMG.
A great new addition is URL Categories, which provides a dynamically updated list of websites classified by content. This lets the administrator block websites in specific categories, such as pornography, violence, politics, etc.
This has been a much-awaited feature, one that is already available in products like Websense, and I’m happy to see it included in the new release.
In the Forefront TMG console, click on Web Access Policy in the left pane.
Click on Configure Web Access Policy in the Tasks tab (right pane).
In the wizard, hit Next
Click Yes, create a rule blocking the minimum recommended URL categories. This will automatically block access to a list of potentially malicious websites.
In the next screen, you can choose which URL categories you want to block. Note that some categories, like anonymizers, gambling and pornography, are already selected to make things easier. However, you can add more URL categories to block or remove some.
To add another URL category, click Add. You can select more URL categories here. Hit Next.
In the next step, you can create exceptions to this rule, by choosing to allow unrestricted access to some users/groups. Hit Next.
You can choose whether you want to perform malware inspection on the website content. The block encrypted archives option blocks all compressed files that have a password set on them. Hit Next.
Another cool new feature in TMG is the ability to inspect HTTPS traffic for malware. Yes, you can now look inside HTTPS: this is done using a certificate that lets TMG sit between the client machine and the website and see what passes through. This is similar to a man-in-the-middle attack, but it’s a “good man” in the middle. :) You can also choose not to inspect HTTPS but still block the traffic if the web server’s certificate is not valid. This avoids having to let the user make that choice in their browser.
If you enable this option, you need to specify what kind of certificate you need TMG to use. You also have the option of informing users that HTTPS content is being inspected, which might be required for legal disclosure. However, only users with a TMG Client installed on their computers will see this notification.
Depending on what certificate option you selected, you need to provide additional information. I chose to use the certificate automatically generated by Forefront TMG.
In the next step, you can choose to enable caching and configure it. Hit Next.
That completes the Web Access Policy Wizard!
Click Apply to save your changes to the configuration.
When you return to the TMG console you will see that a set of Web Access rules have been created automatically based on your selections in the wizard. It couldn’t get easier than this!
Check out HTTPS inspection in the logs:
While trying to access an HTTPS website that has an untrusted/expired certificate:
HTTPS inspection allowing a legitimate website
User notification when a file being downloaded contains a virus.
This technology is SO exciting! Sometimes I miss being an ISA Server MVP. 🙂
Threat Management Gateway (TMG) is the next generation of ISA Server, released earlier this month. I explained in detail the new features and benefits of Threat Management Gateway in an earlier post.
Forefront TMG includes new URL filtering, Web antimalware, and intrusion prevention technologies to protect businesses against the latest Web-based threats. These technologies are integrated with core network protection features to create a unified, easy-to-manage gateway. The highly accurate Web security enforcement features are based on reputation information aggregated from multiple Web security sources. It also includes all the traditional network protections of ISA Server, including firewall and secure application publishing.
Licensing Promo for customers:
The following promo is available till the end of December 2009:
35% off on Standard Edition on Licensing & Software Assurance
15% off on Enterprise Edition on Licensing & Software Assurance
Partners are eligible to earn SSA incentives (Security Software Advisor) on TMG as well. Remember that you will get an additional 50% bonus over your normal SSA incentive for each implementation of our security products you complete on or before December 31, 2009. [More details]
Microsoft Forefront Threat Management Gateway has been released to market on November 16, 2009 after completing three beta releases and receiving extensive customer feedback.
You can download the trial version of Threat Management Gateway here.
From the Forefront TMG team’s blog:
“Forefront TMG is a Secure Web Gateway (SWG) that improves security enforcement by integrating multiple detection technologies such as URL filtering, Anti Malware, and intrusion prevention into a single, easy-to-manage solution. We have seen a lot of interest in the features that comprise this solution, so here is some information on what they do and how:
URL Filtering: URL Filtering allows controlling end-user access to Web sites, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or nonproductive materials, based on URL categories. TMG features over 80 URL categories including security-oriented categories, productivity-oriented and liability-oriented categories. Forefront TMG uses Microsoft Reputation Services (MRS), a cloud-based categorization system hosted in a Microsoft data center. To ensure the best bandwidth utilization and low latency, Forefront TMG has implemented a local URL cache. There is a lot more on URL Filtering available in an earlier URL Filtering post (on the TMG blog).
Anti Malware: Stopping malware on the edge significantly decreases the possibility that a virus will hit a computer with anti-virus signatures that are not up-to-date or a test computer without an anti-virus to protect it. TMG has integrated the Microsoft Anti Malware engine to provide world class scanning and blocking capability on the edge.
Network Inspection System (NIS): NIS is a generic application protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities, researched and developed by the Microsoft Malware Protection Center – NIS Response Team, as well as an operational signature distribution channel which enables dynamic signature snapshot distribution. NIS closes the vulnerability window between vulnerability disclosures and patch deployment from weeks to a few hours.
In addition, HTTPS scanning has been introduced to enable inspection of encrypted sessions, deployment and management have been eased with a set of easy-to-use wizards, and logging and reporting have been significantly improved to provide full visibility into how your organization is accessing the web and whether it’s compliant with your organization’s policy.
VPN, Firewall, Email Protection and Infrastructure. Significant investments have been made to ensure that we keep delivering top notch VPN and Firewall functionality. We made quality improvements in Web Caching and made sure it works well with the new Windows 7 BranchCache feature. We have added several new features, among them: Email Protection, ISP redundancy, NAP integration with VPN role, SSTP, VoIP traversal (SIP support), Enhanced NAT, SQL logging and Updated TMG Client (previously known as the Firewall Client). In addition TMG was built as a native 64-bit product that supports Windows Server 2008 R2, and Windows Server 2008 SP2, allowing better scalability and increased reliability.”
This article lists some of the common configuration mistakes and gives information on how to avoid them.
There is no such thing as a single interface firewall
A firewall has a minimum of two network interfaces. This means you need at least *two* NICs in your ISA box if you want it to work as a firewall. Theoretically you can run ISA on a box with a single NIC, but that will do little to secure your network; you might just use it as a proxy through which your users connect to the Internet.
Tom Shinder of isaserver.org says: “Deploying a single-NIC ISA Firewall is like giving a soldier a Desert Eagle .50 and no ammo.”
In short, you’re not using ISA as a real firewall if you don’t have two interfaces on it!
Specify the default gateway on that published server!
You need to specify the internal IP address of the ISA server as the default gateway on the server that you want to publish on ISA. Or, make sure that there are appropriate static routes in place.
Rules that contradict each other
As can be seen from the diagram below, ISA processes your access rules in the order that you specify them, i.e. rule #1 is processed first, then rule #2, #3, and so on. If ISA finds that rule #1 matches the conditions of the access requested by the user, it skips all remaining rules and grants (or denies) access according to that rule. However, if the current rule does not match, it moves on to the next rule, and so on.
If you happen to place a rule that ‘allows internet access to all users’ BEFORE a rule that ‘denies internet access to Peter’, then Peter will still have internet access. It might look simple but these mistakes happen all the time.
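To make the first-match behaviour concrete, here is an added example (not code from the original post) that models ISA's rule processing and also reports any rule that an earlier, broader rule shadows; the rule names, user name and protocols are constructed.

```python
# Added example (not from the original post): a minimal model of ISA's first-match
# access-rule processing, plus a lint that reports rules shadowed by an earlier,
# broader rule. Rule names, user names and protocols below are constructed.
from dataclasses import dataclass

ANY = "*"  # stands for "All Users" or "All Outbound Traffic"


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    users: frozenset = frozenset({ANY})
    protocols: frozenset = frozenset({ANY})

    def matches(self, user: str, protocol: str) -> bool:
        return (ANY in self.users or user in self.users) and (
            ANY in self.protocols or protocol in self.protocols)

    def covers(self, other: "Rule") -> bool:
        """True if every request that could match 'other' also matches this rule."""
        return (ANY in self.users or other.users <= self.users) and (
            ANY in self.protocols or other.protocols <= self.protocols)


def evaluate(rules: list, user: str, protocol: str) -> str:
    """The first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(user, protocol):
            return rule.action
    return "deny"  # nothing matched: ISA's built-in default rule denies


def shadowed_rules(rules: list) -> list:
    """Return (shadowed, shadowing) name pairs: a later rule is unreachable when an
    earlier rule already matches every request the later one could match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


WEB = frozenset({"HTTP", "HTTPS"})
# The mistake described above: the broad allow sits before the specific deny.
WRONG_ORDER = [
    Rule("Allow Internet to all users", "allow", protocols=WEB),
    Rule("Deny Internet to Peter", "deny", users=frozenset({"Peter"}), protocols=WEB),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))

if __name__ == "__main__":
    print("Peter, wrong order:", evaluate(WRONG_ORDER, "Peter", "HTTP"))  # allow
    print("Peter, right order:", evaluate(RIGHT_ORDER, "Peter", "HTTP"))  # deny
    print("Shadowed rules:", shadowed_rules(WRONG_ORDER))
```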
The external interface and internal interfaces on the ISA firewall must belong to separate IP ranges. You cannot have internal and external interface IP addresses from the same IP range.
IP Spoofing: If there is an internal router that splits the internal network into two (see diagram above), and ISA Server sits in one of these networks, make sure that the ranges on either side of the internal router are entered in the Internal network address range on ISA. For example, if you have two internal (protected) networks 192.168.2.0/24 and 10.10.0.0/16 separated by a router, and the ISA is at (say) 10.10.0.4, the Internal range on ISA should ideally include 192.168.2.1-192.168.2.254 as well as 10.10.0.1 to 10.10.255.254.
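An added example (not code from the original post) that checks both points above: it reports internal hosts that the ISA Internal network definition leaves out, using the ranges from the text, and flags internal and external NIC addresses that share a subnet; the NIC addresses used are constructed.

```python
# Added example (not from the original post): uncovered_ranges() reports internal
# hosts that ISA's Internal network definition leaves out, interfaces_overlap()
# flags internal and external NIC addresses in the same subnet.
# Ranges are the text's; the NIC addresses are constructed.
import ipaddress


def _interval(first, last):
    """ISA-style 'first'..'last' range as an inclusive pair of integers."""
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))


def _host_interval(cidr):
    """Usable hosts of a subnet (network and broadcast addresses excluded)."""
    net = ipaddress.ip_network(cidr)
    return int(net.network_address) + 1, int(net.broadcast_address) - 1


def uncovered_ranges(isa_internal_ranges, real_subnets):
    """Sweep each real internal subnet against the sorted ISA ranges and collect the
    gaps as 'first-last' strings, the way ISA itself lists address ranges."""
    covered = sorted(_interval(a, b) for a, b in isa_internal_ranges)
    gaps = []
    for cidr in real_subnets:
        lo, hi = _host_interval(cidr)
        cursor = lo
        for a, b in covered:
            if b < cursor or a > hi:
                continue            # range lies entirely outside what is left
            if a > cursor:
                gaps.append((cursor, a - 1))
            cursor = max(cursor, b + 1)
            if cursor > hi:
                break
        if cursor <= hi:
            gaps.append((cursor, hi))
    return [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}" for a, b in gaps]


def interfaces_overlap(internal_nic, external_nic):
    """True if the two NIC addresses (given as 'ip/prefix') sit in overlapping subnets."""
    return ipaddress.ip_interface(internal_nic).network.overlaps(
        ipaddress.ip_interface(external_nic).network)


# Values from the text: two internal networks separated by a router.
REAL_INTERNAL = ["192.168.2.0/24", "10.10.0.0/16"]
FORGOT_FAR_SIDE = [("10.10.0.1", "10.10.255.254")]
COMPLETE = [("192.168.2.1", "192.168.2.254"), ("10.10.0.1", "10.10.255.254")]

if __name__ == "__main__":
    print(uncovered_ranges(FORGOT_FAR_SIDE, REAL_INTERNAL))  # ['192.168.2.1-192.168.2.254']
    print(uncovered_ranges(COMPLETE, REAL_INTERNAL))         # []
    print(interfaces_overlap("10.10.0.4/16", "10.10.0.5/16"))  # True (constructed bad setup)
```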
Installing a service on Port 80 of the ISA Server
Avoid installing any service that listens on port 80 of the ISA Server, as this port is used by the Web Proxy service. A common mistake is installing a website that listens on port 80 on the ISA Server. Usually this is the result of installing certain third-party components (like Trend Micro OfficeScan, which has a web-based console) on the ISA Server.
When another service is listening on port 80, Web Proxy may run into problems, or clients may be unable to access the other service running on port 80. A symptom of this problem is seeing entries under Logging in the Monitoring console where the Source Network, Destination Network and Protocol fields are blank, but the Port field contains 80 and the Action field may be Failed Connection. The ISA console also generates an alert when this happens.
SMTP Fix-Up: ISA and Cisco PIX
When using ISA behind Cisco PIX (ISA being a second firewall), make sure you disable SMTP fixup on the Cisco PIX if you plan to publish Exchange behind ISA (see diagram). This can be done by typing the following command at the Cisco PIX console:
no fixup smtp protocol 25
Note: SMTP Fixup prevents you from telnetting to port 25 that is NATed on the PIX to the ISA Server, and NATed (published) on the ISA Server to the Exchange Server. When a telnet attempt is made, you get some asterisks (220*******************************************************0*2******0***********************2002*******2***0*00) in the output. This can be avoided by disabling SMTP fixup as explained above.
FTP is allowed, but users can’t put files on the remote FTP server
You create a rule to allow FTP from Internal to External so that your users can access FTP sites on the Internet. But your users still can’t write/delete files on the FTP server? That’s because you have to explicitly allow it!
Right click on the rule and click Configure FTP. Clear the check mark next to Read Only.
Care while Installing Windows 2003 Service Pack 1 / Service Pack 2 and the Scalable Networking Pack
You are running ISA Server 2004 Standard Edition. One fine day, you decide to install Windows 2003 Service Pack 1 on your ISA Server. Afterwards, RPC traffic is blocked: you may not be able to browse Active Directory for users from the ISA Server, and occasionally you get an error popup with RPC-related errors.
If you install Windows Server 2003 Service Pack 2 or the Scalable Networking Pack, make sure that you read my KB article 555958.
Scheduling limitations that you need to be aware of
This is not a configuration mistake, but is something of an expectation that requires clarification. When you create a rule in the access policy that has a schedule (In the rule properties, select the Schedule tab), there are two things that you cannot do:
i. Once you have created a schedule and applied the changes, you can’t edit it. You will probably need to create a new schedule object.
ii. Schedule limits cannot be set in half hours, i.e. you can configure a rule to apply between 2 PM and 3 PM but not between 2:30 PM and 3:30 PM.
Common name on Certificates
When you issue certificates from your CA (or obtain a commercial certificate), the common name should be the published name, i.e. the DNS name that you would use to access the website/OWA/etc. from outside. For example, if you are publishing a server webserver01.mydomain.local, and users will access this using the Internet name www.shijaz.com, then your SSL certificate common name should be “www.shijaz.com”. Otherwise, your users will get a warning stating that “the name of the server does not match the name on the certificate”.
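An added example (not code from the original post) of the name check a browser performs before showing that warning, so a certificate can be verified against the published name before it is deployed; the host names are the ones from the text and the SAN list is constructed.

```python
# Added example (not from the original post): the host-name check a browser performs
# before showing the "name of the server does not match" warning. Host names are
# the ones used in the text; the SAN list in the usage below is constructed.
def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison; a leading '*.' matches exactly one
    label, and the wildcard must leave at least two labels (no '*.com')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*.") and "." in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def certificate_matches(published_name, common_name, san_dns_names=()):
    """Browsers check the Subject Alternative Names when the certificate has any
    and only fall back to the Common Name when it has none, so with a SAN
    certificate the published name must appear in the SAN list."""
    candidates = list(san_dns_names) or [common_name]
    return any(_dns_name_matches(n, published_name) for n in candidates)


if __name__ == "__main__":
    # Certificate issued to the internal server name: users get the warning.
    print(certificate_matches("www.shijaz.com", "webserver01.mydomain.local"))  # False
    # Certificate issued to the published name: no warning.
    print(certificate_matches("www.shijaz.com", "www.shijaz.com"))              # True
    # SAN certificate (constructed list) carrying the published name.
    print(certificate_matches("www.shijaz.com", "webserver01.mydomain.local",
                              ["mail.shijaz.com", "www.shijaz.com"]))           # True
```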
More than one Default Gateway
Never specify more than one default gateway on the ISA Server. Do not specify the default gateway on both the internal and external NICs.
DNS Server on more than one NIC
Never specify DNS on more than one NIC. For DNS best practices on ISA Server, see this article.
TIP: Keep a backup!
Keep an XML backup of your ISA configuration before you try out something with the access rules or the configuration. This will help you easily restore your ISA configuration in case you mess it up!
Also note that when you change the Network Template, you lose ALL your Access Rules and Network Rules!
You can now choose from which countries you need to allow access to your servers using ISA Server 2006!
If you were to do it manually, by obtaining IP ranges for different countries and keying them all in, this would have invariably been a mammoth task! Just to give an example: If I wanted to block China, I would need to enter 600 IP address ranges. Similarly, if I wanted to block Israel, I would need to enter more than 860 IP address ranges!
Now, it is not in my interest to start a geopolitical or censorship debate here. I agree the internet should remain open and that’s the way it was meant to be. However, we all acknowledge that there may be enterprise requirements from corporate and/or government customers which would actually need such policies. So here goes:
A list of ISA Server computer sets classified by country in XML format, compiled by Thor is available for download here. The list includes 234 countries. Good luck!
ISA Server 2006 Service Pack 1 will be released tomorrow (Wed, July 2, 2008) on the Microsoft Download Center. From July 22, the service pack will be available through the Microsoft Update channel.
This is a massive service pack with over 200 bug fixes and tons of new, visible features.
One of the most notable features is the change tracking feature, which is a much-awaited and highly requested feature from customers. ISA 2006 now keeps track of all changes done to the configuration and helps you track your actions all the way back. The ISA admin’s life just got better.
Here’s a preview of all the new features included in the service pack:
Configuration Change Tracking – explained above.
The "Test" button for Web publishing
Traffic Simulator – Simulates network traffic on the ISA rules engine and helps you visualize how your rules will be processed for the simulated traffic
Query on Diagnostic logging – For those who remember the ISA 2006 supportability pack – there was a diagnostic logging feature included. Now, SP1 adds a query feature on the diagnostic logging tool that helps you see only the log data relevant to the problem you are troubleshooting.
PLUS tons of improvements to existing features, like support for certificates with multiple SANs (Subject Alternative Names), multicast support for integrated NLB, etc.
I think this is really an exciting update, as it contains many of the enhancements requested by customers. Microsoft is listening!