Archive

Posts Tagged ‘Firewall’

Microsoft Reputation Services (MRS) Offline after December 31, 2015

December 15, 2015 4 comments

Microsoft Reputation Services (MRS) Offline after December 31, 2015As I recently mentioned, Microsoft has discontinued and will be terminating their Microsoft Reputation Services (MRS) cloud URL categorization service on or shortly after December 31, 2015. Today, Microsoft released additional information vital to TMG administrators everywhere who are still relying on this service for URL filtering. Specifically, what happens with TMG once Microsoft officially turns off MRS and it is no longer available?

Bad things.

First, any firewall rules that rely on URL categorization to allow traffic will fail closed. That is, they will block all traffic. Second, any rules using URL categorization to deny traffic will fail open and allow that traffic instead. Finally, there is potential performance degradation that may occur with TMG after the service is disabled by Microsoft.

What to do?

First, update any TMG firewall rules that use URL Categories or URL Category Sets. You can replace them with Domain Name Sets or URL Sets, if desired. Next, disable the use of URL filtering in TMG by opening the TMG management console, right-clicking Web Access Policy and choosing Configure and then URL Filtering. Uncheck the box next to Enable URL Filtering and then click Ok.

Microsoft Reputation Services (MRS) Offline after December 31, 2015

Finally, consider a replacement solution for TMG’s URL filtering. There are a number of solutions available, both on-premises and cloud-based, that are capable replacements. The Zscaler solution is highly effective, and if you’re looking for a low-buck alternative, consider something like OpenDNS. There are many more, I’m sure.

Good luck!

Using PowerShell to Determine Forefront TMG Build Number

December 14, 2015 Comments off

Using PowerShell to Determine Forefront TMG Build NumberIdentifying the current build number of your Forefront TMG 2010 installation is critically important when making changes or updates to the system. It is generally recommended that all TMG firewalls be on the same release, so having this information is essential. Many TMG administrators use the TMG management console to gather this information, but I can tell you based on experience that this is not always the most accurate method to use.

I much prefer to gather this information programmatically at the command line. In the past I’ve written about using VBScript to do this, but it’s almost 2016 now and we really should be using PowerShell whenever possible. To that end, here are a few lines of PowerShell code you can use to accurately determine which version and build number your TMG firewall is currently running.

$FPC = New-Object -ComObject FPC.Root
$Server = $FPC.GetContainingServer()
$Server.ProductVersion

Using PowerShell to Determine Forefront TMG Build Number

If you’ve done any work at all with VBScript and the TMG’s FPC COM object, you’ll no doubt be able to convert some of your existing scripts to PowerShell. Also, PowerShell, with its tab auto completion, is much more discoverable than using VBScript with COM, so I’m sure you’ll be able to do a lot more with TMG using PowerShell.

Enjoy!

ISAinfo Forefront TMG 2010 Configuration Reporting Utility

May 27, 2015 Comments off

Microsoft ISA Server and Forefront TMG 2010 ToolsWith the demise of isatools.org a few years ago, many ISA Server and Forefront TMG 2010 administrators have reached out to me to ask where they can find the ISAinfo tool that was previously found on that site. If you’re not familiar with ISAinfo, it was a great utility used for viewing the ISA or TMG configuration by parsing the configuration export. This tool is tremendously useful for providing support, as it includes all of the information required to provide context for troubleshooting. In addition it is an excellent documentation tool.

So, if you’re looking for a reputable location from which to download this tool, look no further. I’ve placed the isainfo.zip file along with the checksums for file verification on my public OneDrive. Enjoy!

ISAinfo.zip – http://1drv.ms/1Q8GOaA
Checksums – http://1drv.ms/1Q8GWqq

Publish DirectAccess with Forefront TMG 2010

January 26, 2015 Comments off

DirectAccess is a compelling remote access solution that provides seamless and transparent, always-on, bi-directional remote corporate network connectivity for managed Windows clients. In Windows Server 2008 R2 and Forefront Unified Access Gateway (UAG) 2010, the DirectAccess server had to be configured with two network adapters, with the external network interface configured with two consecutive public IPv4 addresses. Many security engineers were understandably concerned about exposing a domain-joined Windows server directly to the public Internet, which limited the adoption of the technology. Beginning with Windows Server 2012, DirectAccess is integrated in to the operating system and provides more flexible network configuration. DirectAccess can now be deployed behind an existing edge security solution performing NAT, and even supports single-NIC configuration.

The Forefront TMG 2010 firewall is an excellent choice to provide essential protection for the DirectAccess workload. When DirectAccess is deployed behind a NAT device, the only firewall port that needs to be opened is TCP port 443 (HTTPS).

When publishing DirectAccess with TMG, it is important to use a server publishing rule and not a web publishing rule. To publish DirectAccess, open the Forefront TMG 2010 management console, right-click Firewall Policy in the navigation tree, and then choose New Non-Web Server Publishing Rule.

Publish DirectAccess with Forefront TMG 2010

Provide a descriptive name for the rule, enter the IP address of the DirectAccess server, choose HTTPS Server for the protocol, and then select the network interface on which to listen for these requests.

Publish DirectAccess with Forefront TMG 2010

To ensure the proper operation of Receive Side Scaling (RSS) on the DirectAccess server, it is recommended that the server be configured to use TMG as its default gateway and to configure the publishing rule on TMG using the option Requests appear to come from the original client.

Publish DirectAccess with Forefront TMG 2010

Also, TMG does not support load balancing for server publishing rules, so it is not possible to deliver traffic to multiple back end servers using TMG. For high availability and to provide for scalability, it is recommended to configure load balancing for DirectAccess using NLB or an external load balancer (recommended) and publish the virtual IP address (VIP) using the steps described above.

To learn more about DirectAccess, visit http://directaccess.richardhicks.com/

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

November 20, 2014 5 comments

When performing POODLE attack mitigation on the Forefront TMG 2010 firewall by disabling SSL 3.0, you may encounter a scenario in which TMG’s SQL services fail to start after a reboot.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Looking through the Windows system event log you may see an error message logged by the Service Control Manager with event ID 36871 which states:

A fatal error occurred while creating an SSL server credential.
The internal error state is 10013.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

In addition you may also see an error message logged by the Service Control Manager with event ID 7024 which states:

The SQL Server (ISARS) service terminated with service-specific
error %%-2146893007.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

This can occur when SSL 3.0 is disabled at the same time that TLS 1.0 is also disabled. Even though TLS 1.1 and 1.2 might be enabled, TMG requires that TLS 1.0 specifically be enabled for SQL server services to function properly when SSL 3.0 is disabled.

To resolve this issue, enable TLS 1.0 Server in the registry by changing the value of Enabled to 1, as shown here. If these registry keys do not exist, create them.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Restart the server for the change to take effect.

Forefront TMG 2010 Network Inspection System NIS Signature Updates

September 15, 2014 2 comments

When Microsoft announced the formal end-of-life for Forefront TMG 2010, they laid out in clear detail the support boundaries for the product going forward. Microsoft stated specifically that they would continue mainstream support for TMG until April of 2015, and extended support would terminate in April 2020. However, the Web Protection Service (WPS) updates for the URL filtering database, antimalware signatures, and the Network Inspection System (NIS) would only continue until December 31, 2015.

Unfortunately, it appears that Microsoft has abandoned the updating for NIS signatures. You may have noticed that a fully updated Forefront TMG firewall with the latest signature updates shows that the last NIS signature was released for security bulletin MS12-050 on July 20, 2012!

Forefront TMG 2010 Network Inspection System (NIS) Signature Updates

Forefront TMG 2010 Network Inspection System (NIS) Signature Updates

I find it difficult to believe that there hasn’t been a single vulnerability discovered or hotfix released since July of 2012 that wouldn’t benefit from NIS protection, so I have to assume that Microsoft is no longer supporting NIS in spite of their pledge to provide support for WPS through the end of 2015. If you are relying on NIS for essential network protection, it’s time to consider deploying a dedicated IDS/IPS solution or another solution that provides this functionality.

Recommended Forefront TMG 2010 SSL and TLS Configuration

September 8, 2014 6 comments

Last year I wrote an article for ISAserver.org that provided detailed guidance for improving security for SSL and TLS protected web sites using Forefront TMG 2010. Many people have reached out to me recently to ask about enabling forward secrecy, which my original article did not include because, at the time, it was not recommended to enable it. However, as times have changed, it is now recommended to enable forward secrecy so I recently wrote a short post with guidance on how to do that. The post was written with a very narrow scope and addressed only the enabling of forward secrecy for TLS. Many of you have since asked for guidance on overall security best practices with regard to SSL and TLS along with adding support for forward secrecy. In addition to the configuration changes detailed in my original ISAserver.org article, I also recommend the following list of SSL and TLS cipher suites be explicitly enforced using the method outlined here.

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

Using this configuration, the Forefront TMG 2010 firewall should receive an A rating from the SSL Labs test site (at the time of this writing).

Forefront TMG 2010 SSL Security Configuration

Enabling and supporting the above list of cipher suites will provide the best overall protection and performance for your SSL protected web sites. Note that the list above does not include support for SSL 3.0. If you need to support SSL 3.0 you should add the following cipher suites to the end of the list.

TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

Please note that this configuration may not work with older browsers on old, unsupported operating systems, for example Internet Explorer 6 on Windows XP. Before deploying this configuration in production I would encourage you to conduct some testing with your supported clients to ensure operability.