Archive

Posts Tagged ‘Forefront TMG 2010’

Forefront TMG 2010 Network Inspection System NIS Signature Updates

September 15, 2014 Leave a comment

When Microsoft announced the formal end-of-life for Forefront TMG 2010, they laid out in clear detail the support boundaries for the product going forward. Microsoft stated specifically that they would continue mainstream support for TMG until April of 2015, and extended support would terminate in April 2020. However, the Web Protection Service (WPS) updates for the URL filtering database, antimalware signatures, and the Network Inspection System (NIS) would only continue until December 31, 2015.

Unfortunately, it appears that Microsoft has abandoned the updating for NIS signatures. You may have noticed that a fully updated Forefront TMG firewall with the latest signature updates shows that the last NIS signature was released for security bulletin MS12-050 on July 20, 2012!

Forefront TMG 2010 Network Inspection System (NIS) Signature Updates

Forefront TMG 2010 Network Inspection System (NIS) Signature Updates

I find it difficult to believe that there hasn’t been a single vulnerability discovered or hotfix released since July of 2012 that wouldn’t benefit from NIS protection, so I have to assume that Microsoft is no longer supporting NIS in spite of their pledge to provide support for WPS through the end of 2015. If you are relying on NIS for essential network protection, it’s time to consider deploying a dedicated IDS/IPS solution or another solution that provides this functionality.

Recommended Forefront TMG 2010 SSL and TLS Configuration

September 8, 2014 Leave a comment

Last year I wrote an article for ISAserver.org that provided detailed guidance for improving security for SSL and TLS protected web sites using Forefront TMG 2010. Many people have reached out to me recently to ask about enabling forward secrecy, which my original article did not include because, at the time, it was not recommended to enable it. However, as times have changed, it is now recommended to enable forward secrecy so I recently wrote a short post with guidance on how to do that. The post was written with a very narrow scope and addressed only the enabling of forward secrecy for TLS. Many of you have since asked for guidance on overall security best practices with regard to SSL and TLS along with adding support for forward secrecy. In addition to the configuration changes detailed in my original ISAserver.org article, I also recommend the following list of SSL and TLS cipher suites be explicitly enforced using the method outlined here.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Using this configuration, the Forefront TMG 2010 firewall should receive an A rating from the SSL Labs test site (at the time of this writing).

Forefront TMG 2010 SSL Security Configuration

Enabling and supporting the above list of cipher suites will provide the best overall protection and performance for your SSL protected web sites. Note that the list above does not include support for SSL 3.0. If you need to support SSL 3.0 you should add the following cipher suites to the end of the list.

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

Please note that this configuration may not work with older browsers on old, unsupported operating systems, for example Internet Explorer 6 on Windows XP. Before deploying this configuration in production I would encourage you to conduct some testing with your supported clients to ensure operability.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

August 28, 2014 Leave a comment

Last year I wrote an article for ISAserver.org that outlined in detail how to improve SSL and TLS security for web sites published using Forefront TMG 2010. In its default configuration, Windows Server 2008 R2 and Forefront TMG leave quite a bit to be desired in terms of SSL and TLS security. In the article I demonstrated how to dramatically improve the security posture of TMG when publishing web sites that use SSL and TLS. At the time I wrote the article it was not recommended to enable forward secrecy, so the changes I originally proposed resulted in an “A” score from the Qualys SSL Labs test site. However, times have changed since then, and with the recent revelations of wide spread government spying, it is now recommended to enable forward secrecy by default. Sites that don’t support forward secrecy will now receive a reduced grade.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

To accomplish this on the Forefront TMG 2010 firewall, open the Local Group Policy Editor (gpedit.msc) and navigate to Computer Configuration, Administrative Templates, Network, SSL Configuration Settings. Double-click SSL Cipher Suite Order and choose Enabled. Copy the list of SSL cipher suites to a blank notepad document and then move all of the cipher suites that begin with TLS_ECDHE_RSA_WITH_AES_ to the front of the list. Use caution here because the list cannot have any extra commas, line breaks, or spaces at all. Paste the updated list back in to the SSL Cipher Suites box and click Ok.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

The server will have to be restarted for the changes to take effect. Once complete, forward secrecy will now be used by modern browsers and you should once again receive an “A” grade from SSL Labs.

Enable TLS Forward Secrecy for Forefront TMG 2010 Published Web Sites

Hotfix Rollup 5 for Forefront TMG 2010 SP2 Now Available

June 28, 2014 11 comments

Hotfix rollup 5 for Microsoft Forefront TMG 2010 with Service pack 2 (SP2) is now available for download. This latest hotfix rollup includes fixes for the following issues:

KB2963805 - Account lockout alerts are not logged after you install Rollup 4 for Forefront TMG 2010 SP2

KB2963811 - The Forefront TMG 2010 Firewall service (wspsrv.exe) may crash when the DiffServ filter is enabled

KB2963823 - “1413 Invalid Index” after you enable cookie sharing across array members in Forefront TMG 2010

KB2963834 - HTTPS traffic may not be inspected when a user accesses a site through Forefront TMG 2010

KB2967726 - New connections are not accepted on a specific web proxy or web listener in Forefront TMG 2010

KB2965004 - EnableSharedCookie option doesn’t work if the Forefront TMG 2010 service runs under a specific account

KB2932469 - An incorrect value is used for IPsec Main Mode key lifetime in Threat Management Gateway 2010

KB2966284 - A zero value is always returned when an average counter of the “Forefront TMG Web Proxy” object is queried from the .NET Framework

KB2967763 - The “Const SE_VPS_VALUE = 2″ setting does not work for users if the UPN is not associated with a real domain

KB2973749 - HTTP Connectivity Verifiers return unexpected failures in TMG 2010

You can download hotfix rollup 5 for Forefront TMG 2010 SP2 here. After applying this update, the new Forefront TMG 2010 build number will be 7.0.9193.644.

Forefront TMG 2010 Computer Certificate Request or Renewal Fails

April 21, 2014 2 comments

When attempting to request or renew a computer certificate on the Forefront TMG 2010 firewall, you may receive the following error message:

Status: Failed
The RPC server is unavailable.

 

forefront_tmg_2010_certificate_01

This occurs because the Forefront TMG 2010 firewall does not, by default, allow the protocols and ports required to request or renew a certificate from a Certificate Authority (CA). Common workarounds suggest stopping the firewall completely or creating a rule allowing all protocols and ports from the TMG firewall to the CA. However, both of these workarounds are problematic. Stopping the firewall is a manual process that will cause a service disruption. It also leaves the firewall in an unprotected state. For edge deployment scenarios, the underlying operating system will be exposed directly to untrusted networks, which is a serious security risk. Creating an open access rule is not desirable because it violates the basic security principle of least privilege by allowing more access than is required.

To properly address this issue and allow for the secure request and renewal of certificates without disruption and with the least exposure, it will be necessary to create an access rule on the Forefront TMG 2010 firewall to allow all dynamic ports (TCP 49152-65535) from the local host network to the IP address of the CA for all users.

forefront_tmg_2010_certificate_02

Note: Allowing all dynamic ports (TCP 49152-65535) might also be considered too much access from the Forefront TMG 2010 firewall to the CA. It is possible to restrict the dynamic ports used by TMG and further tighten the access rule, if required. For information about restricting dynamic ports, click here.

In addition to the access rule allowing all dynamic ports, it will also be necessary to make a change to a system policy rule. To do this, right-click the Firewall Policy node in the navigation tree and choose All Tasks, System Policy, and then Edit System Policy. In the Authentication Services group highlight Active Directory and clear the checkbox next to Enforce strict RPC compliance.

forefront_tmg_2010_certificate_03

Once these changes have been made you can now request or renew a computer certificate on the Forefront TMG 2010 firewall successfully.

forefront_tmg_2010_certificate_04

Windows Azure Multifactor Authentication and Forefront TMG 2010

November 12, 2013 1 comment

When Microsoft first announced Windows Azure Multi-Factor Authentication, a cloud-based strong authentication solution, my first thought was “I wonder if it works with Forefront TMG 2010?” Being cloud-based, my first thought was perhaps not. However, once I started digging in to it I quickly learned that it includes a software component that can be installed on-premises and will even integrate with on-premises security solutions via a number of interfaces, including RADIUS. Forefront TMG 2010 has supported RADIUS authentication for many years, so I put together a test lab and in no time at all I had Windows Azure multi-factor authentication working with Forefront TMG 2010 remote access VPN. Forefront TMG 2010 integrated with Windows Azure multi-factor authentication provides the highest level of protection for remote access users. Leveraging Windows Azure cloud-based strong authentication is extremely cost effective, with very low per user or per authentication costs and no on-premises hardware to purchase. The Windows Azure public cloud, which is ISO/IEC27001:2005 certified, provides the most secure and reliable strong authentication service available today. To learn how to configure Forefront TMG 2010 to work with Windows Azure multi-factor authentication, click here.

windows_azure

Hotfix Rollup 4 for Forefront TMG 2010 SP2 Now Available

November 8, 2013 Leave a comment

Hotfix rollup 4 for Microsoft Forefront TMG 2010 with Service Pack 2 (SP2) is now available for download. This latest hotfix rollup includes fixes for the following issues:

KB2889345 – Accounts are locked out beyond the AccountLockoutResetTime period in Forefront TMG 2010 SP2

KB2890549 – Incorrect Performance Monitor values when queried from a .NET Framework app in Forefront TMG 2010

KB2890563 – “URL” and “Destination Host Name” values are unreadable in the web proxy log of Forefront TMG 2010

KB2891026 – Firewall Service leaks memory if Malware Inspection is enabled in Forefront TMG 2010

KB2888619 – A password change is unsuccessful if a user’s DN attribute contains a forward slash and an Active Directory LDAP-defined special character in Forefront TMG 2010

KB2863383 – “Query stopped because an error occurred while it was running” when you run a non-live query in Forefront TMG 2010 SP2

KB2899720 – Threat Management Gateway 2010 incorrectly sends “Keep-Alive” headers when it replies to Media Player WPAD file requests

KB2899716 – Firewall service (Wspsrv.exe) crashes when a web publishing request is handled in Forefront TMG 2010

KB2899713 – Access to certain SSL websites may be unavailable when HTTPS Inspection is enabled in Forefront Threat Management Gateway 2010

You can download hotfix rollup 4 for Forefront TMG 2010 SP2 here. After applying this update, the new Forefront TMG 2010 build number will be 7.0.9193.601.

Follow

Get every new post delivered to your Inbox.

Join 78 other followers

%d bloggers like this: