Nmap, the venerable network security scanner, has recently been updated. Nmap 5.21 includes a ton of new enhancements. If you are new to Nmap, or would simply like to enhance your skills, I would strongly encourage you to read the Nmap Network Scanning book, written by the author of Nmap.
Forefront Threat Management Gateway (TMG) 2010 runs exclusively on 64-bit Windows Server 2008 or Windows Server 2008 R2. This means you will not be able to install the TMG management console included with the installation media on any 32-bit Windows machine. What if you wish to manage your TMG firewalls from a 32-bit Windows operating system? The answer is simple: download the 32-bit version of the TMG management console. After registering, click the download link and then download the file TMG_ENU_Management_x86.exe. Now you can manage your TMG firewalls from a 32-bit Windows desktop or server operating system!
The Microsoft Forefront Threat Management Gateway (TMG) 2010 Best Practices Analyzer is now available. Download it today!
Recently I encountered an issue when after installing and configuring Microsoft Forefront Threat Management Gateway 2010 (TMG) I was unable to gather performance data remotely. I found this puzzling because I was able to perform other management tasks such as connecting remotely with RDP and the TMG management console without issue. Since my management workstation was a member of the Remote Management Computers network object for the array, I assumed that I would have sufficient access to perform this task. Looking at the access logs revealed something interesting; traffic on TCP port 445 from my management workstation was being denied.
Upon reviewing the system policy I noticed that the Remote Performance Monitoring policy was not enabled. I’ve never had to enable this rule in the past to collect performance data remotely, but I tried enabling it anyway just for good measure.
Enabling this system policy rule did not resolve my issue, and the access log still showed my CIFS traffic being denied. A closer look at this rule shows that only NetBIOS protocols were included, not CIFS.
Under normal circumstances, enabling this rule isn’t required if you have the Allow remote management from selected computers using MMC system policy rule enabled (it is enabled by default). What made this situation unique, and ultimately caused the communication failure, was that NetBIOS over TCP/IP was disabled on all network interfaces.
Understanding why remote performance monitoring fails when NetBIOS over TCP/IP is disabled requires an understanding of Server Message Block (SMB) communication. SMB is an application-layer protocol that uses TCP at the transport layer. In Microsoft operating systems prior to Windows 2000, all SMB communication took place over NetBIOS, which in turn ran on top of TCP/IP using the familiar TCP port 139. Beginning with Windows 2000, SMB runs directly on top of TCP/IP using TCP port 445. In Windows 2000 and later, the default behavior of an SMB client is to attempt direct communication over TCP/IP using TCP port 445 first; if there is no response, it then attempts NetBIOS over TCP/IP using TCP port 139 (provided NetBIOS has not been explicitly disabled). The performance monitor utility (perfmon.exe) communicates in exactly this way. Since NetBIOS over TCP/IP was disabled, communication only takes place over TCP port 445. In the absence of an access rule allowing Microsoft CIFS (TCP) inbound to the local host, the communication fails.
This issue can be resolved in several ways. First, enabling the Allow remote management from selected computers using MMC or the Allow remote performance monitoring of Forefront TMG from trusted servers system policy rule and enabling NetBIOS over TCP/IP on the network interface will resolve the issue. Since disabling NetBIOS over TCP/IP was required by security policy in this case, creating an access rule allowing Microsoft CIFS (TCP) inbound to the local host from Remote Management Workstations was the best choice.
Another option is to enable the Allow access from trusted servers to the local configuration storage server system policy rule, as this rule allows Microsoft CIFS (TCP) protocol inbound to the local host.
This may not be desirable because the rule includes additional protocols that aren’t required for remote performance monitor data collection, and increases exposure of services running on the TMG firewall needlessly.
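As an added example (not code from the original post), the following Python script probes TCP 445 and then TCP 139 in the order a Windows SMB client tries them and maps the outcome to the TMG policy conclusion above; the host name, the injectable probe function and all function names are my own assumptions.

```python
import socket
from typing import Callable, Optional

# Ports from the post: direct-hosted SMB over TCP (Windows 2000 and later) and the
# NetBIOS session service that pre-Windows 2000 SMB clients used.
DIRECT_SMB_PORT = 445
NETBIOS_SESSION_PORT = 139


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.
    A TMG deny shows up here as a refusal or a timeout; both are reported as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_smb_transport(host: str, netbios_enabled: bool,
                         probe: Callable[[str, int], bool] = tcp_open) -> Optional[int]:
    """Emulate the client-side transport choice the post describes: try TCP 445 first,
    then TCP 139 only if NetBIOS over TCP/IP is enabled on the client.
    Returns the usable port or None. 'probe' is injectable (hypothetical parameter)
    so the logic can be exercised without a live TMG host."""
    if probe(host, DIRECT_SMB_PORT):
        return DIRECT_SMB_PORT
    if netbios_enabled and probe(host, NETBIOS_SESSION_PORT):
        return NETBIOS_SESSION_PORT
    return None


def diagnose(host: str, netbios_enabled: bool,
             probe: Callable[[str, int], bool] = tcp_open) -> str:
    """Map the probe outcome to the TMG system policy / access rule conclusion from the post."""
    port = select_smb_transport(host, netbios_enabled, probe)
    if port == DIRECT_SMB_PORT:
        return "ok: direct-hosted SMB (TCP 445) reachable; Microsoft CIFS (TCP) is allowed inbound to the local host"
    if port == NETBIOS_SESSION_PORT:
        return "ok: fell back to NetBIOS session service (TCP 139), which the system policy rules cover"
    if netbios_enabled:
        return "blocked: neither TCP 445 nor TCP 139 answered; verify the Allow remote management from selected computers using MMC system policy rule is enabled"
    return ("blocked: TCP 445 denied and NetBIOS over TCP/IP disabled on the client; add an access rule allowing "
            "Microsoft CIFS (TCP) inbound to the local host from Remote Management Computers")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "tmg.example.invalid"  # placeholder host name
    print(diagnose(target, netbios_enabled=False))
```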
The Customer Experience Improvement Program was created by Microsoft to allow the collection of information about how customers use their programs. Participating in the program allows you to effectively contribute to the design and development of Microsoft products. The program is purely elective and you can choose to opt out of the program at any time.
After installing Forefront Threat Management Gateway (TMG) 2010, open the management console and you will see a link inviting you to learn more about the program.
Clicking the link will present a dialog box where you can select the option to participate or not.
I would strongly encourage everyone to opt in to this program. Doing so will provide Microsoft with valuable information that will ultimately lead to a better product with more features. Microsoft will not be contacting you, nor will you receive unwanted e-mail or be asked to participate in any surveys. If you are concerned about information disclosure, please read the CEIP privacy statement.
If you haven’t done so already, please join in! Come on, support the team. Everyone will benefit!
Coming up in February I will be conducting TMG training for an event being hosted by Celestix UK distributor e92Plus. If you are interested in attending you can register for the event here. Hope to see you there!
I have some wonderful news to share with everyone. I am the newest contributing author for TechGenix’ ISAserver.org web site! This is a fantastic opportunity for me, and I am very much looking forward to sharing more information about Microsoft Forefront Threat Management Gateway (TMG) 2010. My first article will be published in the next few days, and going forward I’ll be producing new content each month. If you have any article suggestions, please don’t hesitate to share them with me!