I thought I’d share this great video by Jim Harrison on the considerations to make when planning to run Microsoft Forefront Threat Management Gateway (TMG) (or ISA Server, for that matter) in a virtualized environment.
In this video, he discusses:
Performance, security and management considerations
Why it’s not recommended to place TMG on the parent, and how to configure the parent partition
High Availability with TMG in a virtual environment
Microsoft Qatar held a security event yesterday at the Four Seasons Hotel, Doha. We started off with an enthusiastic audience of 70+ people.
We kicked off with a presentation on Microsoft Business Ready Security by good ol’ David Maskell, Security SSP – Microsoft Gulf, followed by technical demos.
Fadel Lubbos, Senior Consultant from Information & Communication Technology WLL (ICT), did a demo on Forefront Threat Management Gateway (TMG) – pictured below. ICT is a Microsoft Gold Certified Security Partner.
Below are pictures of me doing my demo on Microsoft Unified Access Gateway (UAG) and DirectAccess.
Fazil Rahim, CEO of Entelyst, did a demo on Active Directory Rights Management Services (AD RMS). Entelyst is a Microsoft Gold Certified Partner specializing in security solutions.
While trying to request a certificate using the Certificates MMC snap-in on a computer running ISA Server, Threat Management Gateway (TMG) or Unified Access Gateway (UAG), you may encounter the following error:
“The RPC Server is unavailable”
This may be caused by the RPC filter in ISA Server/TMG. The RPC filter enforces security by monitoring RPC traffic flowing through the firewall, and DCOM traffic is also dropped by this filter. However, DCOM is required to request a certificate.
To work around this problem, disable the strict RPC compliance setting on ISA Server/TMG. Here’s how to do it:
Right-click on Firewall Policy and choose Edit System Policy.
Under Authentication, select the Active Directory configuration group.
Uncheck the Enforce Strict RPC Compliance option.
Click OK and apply your changes.
Of course, you will also need to create a firewall policy rule to allow all traffic from Localhost to Internal. Once you have requested the certificate you can revert these changes.
You can now request certificates from your ISA Server/TMG computer!
Until December 2009 we had a very rewarding scheme, with partners earning more than 30% of the estimated retail price as an incentive for recommending and deploying our security solutions.
This year, some changes have been made to the SSA program, and I’d like to share the highlights here.
Recap: What is SSA?
The Security Software Advisor (SSA) program is an incentive program for Microsoft partners that provide implementation services on Microsoft security products.
Organizations that invoice hours of services (known as services partners) can earn incentive fees when they recommend and deploy Microsoft security software for new sales of specific Forefront products. Microsoft SSAs are eligible to earn fees of 10 to 20 percent of the estimated retail price (ERP) of each customer’s Microsoft Volume Licensing order of Forefront products, when they invoice customers for implementation services of those products.
Partners, what’s new in SSA for 2010?
The SSA program has been kept simple, easy to understand and rewarding this year:
Network Inspection System (NIS) is the vulnerability signature component of TMG’s Intrusion Prevention System (IPS). NIS is a brand new feature in TMG, and helps prevent zero-day attacks.
This post explains how NIS works. Let’s take a scenario.
A vulnerability is detected in a product and disclosed on the internet
Software vendors start developing patches for customers affected
At the same time, attackers are taking advantage of these disclosed vulnerabilities – even before the patch for the vulnerability is released.
Software vendors can take weeks or even a month to develop and release a patch for a disclosed vulnerability. Until then, the vulnerability is out in the open. This means an attacker can compromise the system using the disclosed vulnerability even before the software vendor can develop a patch. This is called a zero-day situation.
How does NIS help in the zero-day situation?
NIS is a signature-based IPS. NIS will receive the signatures from the software vendor as soon as a vulnerability is disclosed.
While the patches are still being developed, NIS blocks all traffic matching this vulnerability signature, preventing attackers from compromising even unpatched systems.
So, what are the benefits?
Closes the ‘vulnerability window’ between vulnerability disclosures and patch deployment from weeks to just a few hours.
For Microsoft products that are retired (no longer supported by Microsoft), new security patches are not developed. As an example, Windows Server 2003 SP1 was retired in April 2009, and when Conficker emerged, it attacked all unpatched machines – wreaking havoc.
NIS signatures for Microsoft products are updated free of charge for all TMG customers.
NIS is based on GAPA (Generic Application-level Protocol Analyzer) by Microsoft Research, and can also be extended to third-party products, although at the moment it protects only Microsoft products.
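As an added illustration (not code from this post or from TMG), the Python sketch below models the protocol-decode-based vulnerability-signature approach described above: traffic is decoded into protocol fields first, and a signature states the condition that triggers a flaw rather than the bytes of one exploit, which is why a single signature can cover attack variants that appear before a patch exists. The decoder, the 64-byte limit, the signature label and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of a protocol-decode-based vulnerability signature, the approach
# NIS is described as using: decode the protocol, then test decoded fields for the
# condition that triggers a flaw. Not TMG code; no real NIS signature is used.

@dataclass
class Signature:
    sig_id: str                    # constructed label, not a real NIS signature id
    protocol: str                  # which decoder's output the check applies to
    check: Callable[[dict], bool]  # True when the decoded message meets the vulnerable condition

def decode_http(raw: bytes) -> Optional[dict]:
    """Minimal HTTP/1.x request decoder: request line and headers, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers}

# Assumed flaw for the example: a server copies the Host header into a 64-byte buffer.
# The signature matches the triggering condition (field too long), so every exploit
# variant is caught by one signature, with no pattern needed per payload.
HOST_LIMIT = 64
SIGNATURES: List[Signature] = [
    Signature("CONSTRUCTED-HOST-LEN", "http",
              lambda m: len(m["headers"].get("host", "")) > HOST_LIMIT),
]

def inspect(raw: bytes, protocol: str = "http") -> Tuple[str, Optional[str]]:
    """Return ('block', reason) or ('allow', None) for one request."""
    msg = decode_http(raw) if protocol == "http" else None
    if msg is None:
        return "block", "undecodable"  # conservative: never forward what the decoder rejects
    for sig in SIGNATURES:
        if sig.protocol == protocol and sig.check(msg):
            return "block", sig.sig_id
    return "allow", None

def make_request(host: str) -> bytes:
    """Build a constructed GET request carrying the given Host header value."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")
```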
How to enable NIS on TMG?
On the Forefront TMG console, go to Intrusion Prevention System.
In the Tasks pane, click Configure Properties.
Select the “Enable NIS” checkbox.
You can see the list of signatures. These are updated automatically and free of charge for Microsoft products (does not need a subscription license).
This is what happens when a user tries to browse a website that attempts to attack using a known vulnerability.
I recently had a chance to look at the Web Access Policy capability that has been added to Threat Management Gateway (TMG), which is the latest version of ISA Server.
In this post, I will explain:
The Web Access Policy Wizard
The URL Categories feature
The HTTPS inspection feature
The Web Access Policy wizard lets you create all the rules you need to enable, block and cache web access with just one wizard. Here’s how you can use this feature in a web access policy in TMG.
A great new addition is URL Categories, which provide a dynamically updated list of websites classified by content. This lets the administrator block websites in specific categories of content, such as pornography, violence, politics, etc.
This has been a much-awaited feature, and one that is already available in products like Websense and I’m happy to see this included in the new release.
In the Forefront TMG console, click on Web Access Policy in the left pane.
Click on Configure Web Access Policy in the Tasks tab (right pane).
In the wizard, click Next.
Click Yes, create a rule blocking the minimum recommended URL categories. This will automatically block access to a list of potentially malicious websites.
In the next screen, you can choose which URL categories you want to block. Note that some categories, like anonymizers, gambling, porn, etc., are already selected to make things easier. However, you can add more URL categories to block, or remove some.
To add another URL category, click Add. You can select more URL categories here. Hit Next.
In the next step, you can create exceptions to this rule, by choosing to allow unrestricted access to some users/groups. Hit Next.
You can choose whether you want to perform malware inspection on the website content. The block encrypted archives option blocks all compressed files that have a password set on them. Hit Next.
Another cool new feature in TMG is the ability to inspect HTTPS traffic for malware. Yes, you can now look inside HTTPS: this is done by using a certificate that lets TMG pose as the client machine to the website, to see what happens. This is similar to a man-in-the-middle attack, but it’s a “good man” in the middle. You can also choose not to inspect HTTPS, but to block the traffic if the certificate of the web server is not valid. This avoids having to let the user make that choice in his browser.
If you enable this option, you need to specify what kind of certificate you need TMG to use. You also have the option of informing users that HTTPS content is being inspected, which might be required for legal disclosure. However, only users with a TMG Client installed on their computers will see this notification.
Depending on what certificate option you selected, you need to provide additional information. I chose to use the certificate automatically generated by Forefront TMG.
In the next step, you can choose to enable caching and configure it. Hit Next.
That completes the Web Access Policy Wizard!
Click Apply to save your changes to the configuration.
When you return to the TMG console you will see that a set of Web Access rules have been created automatically based on your selections in the wizard. It couldn’t get easier than this!
Check out HTTPS inspection in the logs:
While trying to access an HTTPS website that has an untrusted/expired certificate:
HTTPS inspection allowing a legitimate website
User notification when file being downloaded contains a virus.
This technology is SO exciting! Sometimes I miss being ISA Server MVP.
Threat Management Gateway (TMG) is the next generation of ISA Server, released earlier this month. I explained the new features and benefits of Threat Management Gateway in detail in an earlier post.
Forefront TMG includes new URL filtering, Web antimalware, and intrusion prevention technologies to protect businesses against the latest Web-based threats. These technologies are integrated with core network protection features to create a unified, easy-to-manage gateway. The highly accurate Web security enforcement features are based on reputation information aggregated from multiple Web security. It also includes all the traditional network protections of ISA Server, including firewall and secure application publishing.
Licensing Promo for customers:
The following promo is available until the end of December 2009:
35% off on Standard Edition on Licensing & Software Assurance
15% off on Enterprise Edition on Licensing & Software Assurance
Partners:
Partners are eligible to earn SSA incentives (Security Software Advisor) on TMG as well. Remember that you will get an additional 50% bonus over your normal SSA incentive for each implementation of our security products you complete on or before December 31, 2009. [More details]
Microsoft Forefront Threat Management Gateway has been released to market on November 16, 2009 after completing three beta releases and receiving extensive customer feedback.
You can download the trial version of Threat Management Gateway here.
From the Forefront TMG team’s blog:
“Forefront TMG is a Secure Web Gateway (SWG) that improves security enforcement by integrating multiple detection technologies such as URL filtering, Anti Malware, and intrusion prevention into a single, easy-to-manage solution. We have seen a lot of interest in the features that comprise this solution, so here is some information on what they do and how:
URL Filtering: URL Filtering allows controlling end-user access to Web sites, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or nonproductive materials, based on URL categories. TMG features over 80 URL categories, including security-oriented, productivity-oriented and liability-oriented categories. Forefront TMG uses Microsoft Reputation Services (MRS), a cloud-based categorization system hosted in a Microsoft data center. To ensure the best bandwidth utilization and low latency, Forefront TMG has implemented a local URL cache. There is a lot more on URL Filtering available in an earlier URL Filtering post (on the TMG blog).
Anti Malware: Stopping malware on the edge significantly decreases the possibility that a virus will hit a computer with anti-virus signatures that are not up-to-date, or a test computer without an anti-virus to protect it. TMG has integrated the Microsoft Anti Malware engine to provide world-class scanning and blocking capability on the edge.
Network Inspection System (NIS): NIS is a generic application protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities, researched and developed by the Microsoft Malware Protection Center – NIS Response Team, as well as an operational signature distribution channel which enables dynamic signature snapshot distribution. NIS closes the vulnerability window between vulnerability disclosures and patch deployment from weeks to a few hours.
In addition, HTTPS scanning has been introduced to enable inspection of encrypted sessions; we have eased deployment and management with a set of easy-to-use wizards, and significantly improved logging and reporting to provide full visibility into how your organization is accessing the web and whether it’s compliant with your organization’s policy.
VPN, Firewall, Email Protection and Infrastructure: Significant investments have been made to ensure that we keep delivering top-notch VPN and Firewall functionality. We made quality improvements in Web Caching and made sure it works well with the new Windows 7 BranchCache feature. We have added several new features, among them: Email Protection, ISP redundancy, NAP integration with the VPN role, SSTP, VoIP traversal (SIP support), Enhanced NAT, SQL logging and an updated TMG Client (previously known as the Firewall Client). In addition, TMG was built as a native 64-bit product that supports Windows Server 2008 R2 and Windows Server 2008 SP2, allowing better scalability and increased reliability.”