It is with great pleasure that I announce I have recently joined the team at Iron Networks. Iron Networks (formerly nAppliance) is a division of Iron Systems based in San Jose, CA. Iron Networks is a Microsoft OEM partner specializing in turn-key cloud security and access solutions and converged infrastructure platforms. I’ll be intimately involved with many familiar Microsoft technologies like Forefront UAG 2010, DirectAccess, Hyper-V, and System Center 2012. Iron Networks has some compelling solutions for secure remote access, including a comprehensive remote access appliance that includes both Windows Server 2012 DirectAccess and Forefront UAG 2010. The Unified Remote Access (URA) platform effectively addresses remote access needs for both managed and non-managed clients. In addition, Iron Networks has an interesting new solution aimed at simplifying private cloud deployment and public cloud integration. The Iron Networks MNV Cloud Gateway Appliance, using System Center 2012 Virtual Machine Manager SP1 and Hyper-V network virtualization technologies, is designed to ease the pain of migrating virtual workloads across subnets between on-premises datacenters or to hosted, public cloud datacenters. Finally, Iron Networks has a complete, ready to deploy private cloud solution that was recently featured in the keynote address at the Microsoft Management Summit 2013. After working for many years with niche technologies like ISA server and Forefront TMG 2010, I’m really excited about the opportunity to be more closely involved with mainstream technologies like Hyper-V, System Center 2012, and private, hybrid, and public cloud solutions. Of course I’ll be sharing my experiences with you here and across my various social media channels, so be sure to connect with me to stay in touch!
Are you planning to attend Microsoft TechEd this year? If so, I’m happy to announce that I’ll be delivering a session entitled “The Future Is Now! Next Generation Remote Access Today with Windows Server 2012 DirectAccess”. I’ll be presenting at both TechEd North America in New Orleans, LA, and at TechEd Europe in Madrid, Spain. Looking forward to seeing you there!
It’s that time again. TechDays San Francisco 2013 is fast approaching! The event will be held on May 2-3, 2013. This is an excellent event for IT professionals and developers alike to learn from some of the best and brightest. The speaker list includes industry experts Richard Campbell, Jeff Hicks, Laura Hunter, Mark Minasi, and more! I will be delivering a session on (you guessed it!) DirectAccess in Windows Server 2012. Registration is open now, so register today. Hope to see you there!
Today Fastvue announced the general availability of TMG Reporter v2.1, the latest release of their advanced reporting and alerting platform built specifically for Forefront TMG 2010. I’ve been working with some of the early release builds and although this is technically considered a minor release, this latest update includes some important new features that make this a worthwhile and compelling upgrade. Here are some of the great new features included with TMG Reporter v2.1:
Activity Reports – Easily the single most important feature included in Fastvue TMG Reporter v2.1 is the addition of detailed activity reports. Prior to v2.1 only overview reports were available. You can now create extremely granular reports on user, site, category, or application activity that include timestamps, full URLs, browse time, category, and disposition (allowed or denied).
Scheduled Custom Reports – Another excellent new feature in Fastvue TMG Reporter v2.1 allows the administrator to create custom reports using the new filtering interface and schedule them for automated delivery to recipients.
Comprehensive Filtering – Fastvue TMG Reporter v2.1 includes a powerful new filtering facility that allows security administrator to dig deep in to the logging data to find the pertinent information they desire. The new enhanced filtering feature is available for use on all reports.
Drilldown Reporting – Another feature that has been greatly improved in the v2.1 release is drilldown reporting. Previously executing a drilldown report resulted in the creation of a completely new and separate report. With v2.1, the new drilldown report now respects the initial filter settings, allowing the administrator to see detailed information as necessary while maintaining the context that the original report was created within.
SQL Server integration – This is one of my favorite (and most requested!) new features. TMG Reporter v2.1 now includes native support for SQL server logging. There are many compelling reasons to configure the Forefront TMG 2010 firewall to log to an external SQL server, and now TMG Reporter can connect directly to your TMG firewall’s configured SQL server to collect report data.
Full support for Windows 8 and Server 2012 – You can now install TMG Reporter on Windows 8 and Windows Server 2012! This is great news as many organizations are beginning to deploy Windows 2012 server and Windows 8 desktops. The TMG Reporter installer now detects which server platform you are installing on and installs the necessary prerequisites automatically. The TMG Reporter web interface is also fully supported on Windows 8 with Internet Explorer 10 (modern and desktop).
Since its initial release a few years ago, Fastvue TMG Reporter has continued to add features and functionality. If you’re running an older version, or if you haven’t yet made the switch to TMG Reporter, the new capabilities in TMG Reporter v2.1 may finally compel you to take the leap and implement or upgrade to TMG Reporter v2.1 for your Forefront TMG monitoring, alerting, and report needs. Download a free, fully functional evaluation copy of Fastvue TMG Reporter v2.1 today. You’ll be glad you did, trust me!
Recently I announced the availability of my Windows Server 2012 DirectAccess video training course at TrainSignal. Click here to read the full story!
My recent blog post about altering the SafeSearch enforcement rule in Forefront TMG 2010 to require authentication has sparked some discussion on Twitter and Facebook regarding unauthenticated, anonymous access, particularly to resources located on the public Internet. In a perfect world (ok, my perfect world!), all access to and through the TMG firewall would be fully authenticated. Unfortunately, for a variety of reasons, this isn’t achievable. To start, authenticating all traffic to and through the TMG firewall would necessitate that all clients be configured as explicit web proxy clients. In addition, if non web-based protocols are allowed by firewall policy the Firewall Client would need to be distributed to all clients. While this is ideal if we’re designing a solution on paper, in the real world many administrators don’t have the luxury of forcing proxy configuration or installing the Firewall Client on all their systems. For example, some systems may not be under the administrator’s control or they may be required to support non web-based protocols on platforms other than Windows, for which the Firewall Client is not supported. Also, as veteran ISA and TMG firewall administrators know all too well, there are some applications that simply don’t play nice with an authenticating proxy, even with the Firewall Client installed. Applications that don’t leverage Winsock for network communication or that use IP-based protocols such as ICMP or GRE also prevent us from realizing our goal of authenticating all network traffic through TMG. Windows Update traffic also poses challenges for authenticating all TMG traffic, as the Windows Update service often makes requests to the Internet for updates in the background and perhaps even if there is no interactive user logged on.
Just because out of necessity some traffic has to be allowed through the TMG firewall anonymously doesn’t mean that undertaking an effort to reduce unauthenticated traffic isn’t a worthwhile project. If you’re interested in doing something like this, have a look at the Fastvue blog and read Scott Glew’s excellent article detailing how to use TMG Reporter to identify and reduce unauthenticated traffic on the Forefront TMG 2010 firewall. Not using TMG Reporter? You’re missing out! Download a free evaluation here!
SafeSearch enforcement in Forefront TMG 2010 is a simple and effective way to prevent users on your network from accessing explicit adult content via popular search engines. Enabling SafeSearch enforcement is accomplished by opening the Forefront TMG 2010 management console, highlighting the Web Access Policy node in the navigation tree, clicking the Configure SafeSearch link in the Tasks pane and selecting the option to Enable SafeSearch.
When SafeSearch is enabled a rule is created that grants access to all users from the Internal network to all sites in the Search Engines category.
Effectively this grants unauthenticated access to many search engines including Bing, Google, and Yahoo. This level of access is quite broad and enables anonymous users to access quite a bit of content, which might not be desirable in some environments. It is not possible to change the users in the GUI either, unfortunately. However, it can be changed programmatically using COM and VBscript. For example, the following code will change the users from All Users to All Authenticated Users.
Dim Root, Array, Rule Set Root = CreateObject("FPC.Root") Set Array = Root.GetContainingArray() Set Rule = Array.ArrayPolicy.PolicyRules("SafeSearch") Rule.AccessProperties.UserSets.Add "All Authenticated Users", fpcInclude Rule.AccessProperties.UserSets.RemoveSpecified "All Users" Array.Save Array.WaitForReload
Important Note: This change is not officially supported by Microsoft. If you make this change it may potentially cause other issues, so please proceed with caution.
Once the script has completed the SafeSearch rule will now apply to All Authenticated Users and prevent unwanted anonymous access to web sites categorized as Search Engines.
Service Pack 3 for Microsoft Forefront UAG 2010 is now available for download. SP3 for Forefront UAG 2010 includes several important new features and enhanced functionality, including:
Support for Internet Explorer 10 on Windows 8 – Full support is provided only for Internet Explorer 10 in desktop mode. The modern UI version of Internet Explorer 10 does not provide support for browser add-ons. If a user accesses the Forefront UAG 2010 portal and the trunk is configured to install and launch the UAG client components, the user will receive a message indicating that the site requires add-ons which will require the desktop version of Internet Explorer 10.
Support for the Native Windows 8 Mail App – Windows 8 users can now connect to published Exchange servers using the built-in Windows 8 modern UI mail app
Remote Desktop Connection (RDC) 8.0 client support – Windows 8 users and Windows 7 users who have upgraded to the RDC client v8.0 can now access remote desktop resources published by Forefront UAG 2010 SP3
Exchange Server 2013 – Application publishing wizards in Forefront UAG 2010 SP3 now include native support for Exchange Server 2013
SharePoint Server 2013 – Application publishing wizards in Forefront UAG 2010 SP3 now include native support for SharePoint Server 2013
Support for Office 2013 applications – Publishing Office 2013 applications such as Outlook, PowerPoint, Word, and Excel is now natively supported in Forefront UAG 2010 SP3
You can download SP3 for Forefront UAG 2010 here.
Great news! Windows Server 2012 Security from End to Edge and Beyond is now available for pre-order! Yuri Diogenes along with Tom and Deb Shinder are the authors of this forthcoming title from Syngress Publishing which covers architecting, designing, planning, and deploying Windows Server 2012 security solutions. I have the privilege of serving as the technical reviewer of the book and I can tell you from experience it will be a vital reference that anyone working with Windows Server 2012 will want to have in their library. Pre-order your copy today!
Hotfix rollup 3 for Microsoft Forefront TMG 2010 with Service Pack 2 is now available for download. This latest hotfix rollup includes fixes for the following issues:
KB2700248 – A server that is running Forefront TMG 2010 may stop accepting all new connections and may become unresponsive
KB2761736 - All servers in a load balanced web farm may become unavailable in Forefront TMG 2010
KB2761895 - The Firewall service (wspsrv.exe) may crash when the firewall policy rules are reevaluated in Forefront TMG 2010
KB2780562 - PPTP connections through Forefront TMG 2010 may be unsuccessful when internal clients try to access a VPN server on the external network
KB2780594 - A non-web-proxy client in a Forefront TMG 2010 environment cannot open certain load-balanced websites when TMG HTTPS inspection is enabled
KB2783332 - You cannot log on when FQDN is used and authentication delegation is set to “Kerberos constrained delegation” in a Forefront TMG 2010 environment
KB2783339 - A closed connection to a domain controller is never reestablished when authentication delegation is set to “Kerberos constrained delegation” in a Forefront TMG 2010 environment
KB2783345 - Unexpected authentication prompts while you use an OWA website that is published by using Forefront TMG 2010 when RSA authentication and FBA are used
KB2785800 - A “DRIVER_IRQL_NOT_LESS_OR_EQUAL stop error may occur on a server that is running Forefront TMG 2010
KB2790765 - A “Host Not Found (11001)” error message occurs when an SSL site is accessed by using a downstream Forefront TMG 2010 server that has HTTPS Inspection enabled
You can download hotfix rollup 3 for Forefront TMG 2010 SP2 here. After applying this update, the new Forefront TMG 2010 build number will be 7.0.9193.575.