Forefront TMG 2010 is Common Criteria certified

Last year Microsoft have submitted Forefront Threat Management Gateway (TMG) 2010 to Common Criteria certification.

The Common Criteria process is evaluated by BSI, a German Federal office for Information Security. This is one of many proves that TMG 2010 can be safely put on the edge of any network, providing the most secure user and company experience. As long as the firewall admin does not messes with the configuration. If you’re not an ISA/TMG admin, you may ask how?

Well, most of not ISA/TMG admins think and use ISA/TMG firewall machine as a workstation, surfing web from there, sharing folder (make it acting as a file server) or like a “normal” server, installing other server services on it, like Microsoft IIS (Internet Information Services).

Keep in mind a firewall is a firewall and should be treated as such! It is not different when using ISA/TMG firewall.

That said, here is the link for TMG Common Criteria document. Enjoy your TMG EAL4+ certified firewall!

Regards,

Paulo Oliveira.

Posted in Computers and Internet, Information Technology, Security, TMG | Tagged , , , , | Leave a comment

Network issue when using VMWare Server 2.0 and Windows 2008

Hi,

recently I had a problem with a Windows Server 2008 virtual machine when using VMWare Server 2.0.

I installed this virtual machine and configured network settings to use DHCP. For some reason, it was not able to receive DHCP configuration, really strange because my DHCP server was working fine, since other machines were getting IP just fine.

My first action was to check the if the DHCP server had enough IP address to distribute to clients. The DHCP scope was fine. Next, I tried to assign a static IP to the VM. For my surprise, when I ran ipconfig command at the command prompt, the result was that the default gateway IP address was there, but no client IP address and mask.

Therefore, I started to look on the internet for some related problem. Unfortunately, no luck! Sad smile

Then I was about to start a new thread on Windows Server 2008 Technet forums, but one of the suggested answers from the forums was the right one to solve my issue.

I had to follow the steps below:

  1. Run netsh int ip reset, to reset IP configuration;
  2. Reboot the server;
  3. Create ArpRetryCount DWORD value on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and set this value to 0 (zero).
  4. Reboot the server again.

There you go! My server was able to communicate to other network computers again using either DHCP or static configuration.

That’s it! If you are also having the problem mentioned above, it may worth try the fix above.

The Technet thread I referred to is: http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2networking/thread/d7bda315-6366-4e0a-bdcf-dc875ff6963e

Regards,

Paulo Oliveira.

Posted in Windows Server | Tagged , , , | Leave a comment

It is OK to install Windows 2008 R2 SP1 on TMG SP1 and UAG SP1

As I mentioned on my previous blog post, it is fine to install Windows 2008 R2 SP1 on machines running Forefront Threat Management Gateway (TMG) 2010 and Forefront Unified Access Gateway (UAG).

Yesterday ISA/TMG team blogged about this subject making an official statement: “TMG 2010 SP1 and UAG 2010 SP1 are fully compliant with the new Windows service pack.

Although, there are some points you should observe and order you should follow when planning deploy Service Pack 1 on TMG 2010:

1. Enterprise Management Servers (master and replicas – only for TMG deployments).

2. Array managers.

3. Array members.

Check ISA/TMG team blog post for more info.

That´s it! Plan, test and update!! In this very order Winking smile

Regards,

Paulo Oliveira.

Posted in Security, Service Pack, TMG | Tagged , , , , , | 5 Comments

Time to update your TMG–Rollup 3

Hi TMG Admins!

Today ISA/TMG team has released Rollup 3 for TMG Update 1. This new rollup includes a number of hotfixes which solve some problems reported to Microsoft by customers.

Many of this issues are related to HTTPS inspection mechanism, so if you enabled HTTPS inspection (as you should Alegre) on your TMG, it is definitly worth to take a look at the rollup.

As for prerequisites, you must have TMG Service Pack 1 and Software Update 1 installed on TMG machine.

For a complete list of what is been fixed: http://support.microsoft.com/kb/2498770

Regards,

Paulo Oliveira.

Posted in Rollup, Service Pack, TMG | Tagged , , , , | Leave a comment

Windows Server 2008 R2 SP1 is RTM! Should I install it?

Today Microsoft will release Service Pack 1 for Windows Server 2008 R2 and Windows 7. It brings new enhancements such as Dynamic Memory for Hyper-V and RemoteFX for Virtual Desktop Infrastructure (VDI). Besides, of course, all the released fixes until now.

The question here is: Should I install Windows 2008 R2 Service Pack 1 on my TMG 2010 machine? My friend, Yuri Diogenes, anticipated to me the answer: yes, you can!

The ISA/TMG Team will make a statement on their official blog about the supportability for this brand new Service Pack 1. So, stay tuned!

For more information about Windows Server 2008 R2 SP1, check Windows Server Division blog post.

Update: Link to download Windows Server 2008 R2 SP1.

Regards,

Paulo Oliveira.

Posted in News and politics, Security, Service Pack, SP, TMG, Windows Server | Tagged , , , , , | 4 Comments

Heads up for ISA Admins

Today, Philipp Sand, from Forefront ISA/TMG team published a blog post about a specific case where the ISA firewall process (wspsrv.exe) leaks memory if installed a Windows optional update and you use ISA connection verifier to check connectivity against web servers that uses Windows Integrated authentication.

If your ISA firewall is running under a heavy load environment, then the recommendation is to not install KB971737. Otherwise, ISA firewall will behave as described in his post.

Keep in mind that is always recommended and best practice to test an update into a test lab before release it to production servers, even though, the update it is not intended to ISA firewall itself. Remember ISA takes advantages of Windows resources for most of it’s tasks.

Regards,

Paulo Oliveira.

Update: Changed the name of the blog post author, according to Yuri’s comment.

Posted in ISA Server, Troubleshooting, Windows Server | Tagged , , , , | 3 Comments

Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 3

If you want to check out the other articles from this series:

Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 1

Using SSL Decoder to inspect outbound HTTPS traffic on ISA Server 2006 – Part 2

Introduction

This is the last part of a three parts articles about how to extend ISA’s functionality to inspect outbound SSL requests. In the first two, I presented what ISA Server Toolkit is and how we can benefit from one of it’s components, SSL Decoder. I also explained how it works, advantages and disadvantages and how to configure it to inspect HTTPS requests, when using ISA as an edge firewall scenario.

In this third part, I will cover the final steps to start use SSL Decoder to inspect outbound SSL requests and test it using a PoC (Proof-of-Concept).

Create an Access Rule to Allow ISA firewall download certificates

First thing we need to do is create an access rule allowing ISA firewall itself to access the internet, because ISA now needs to download objects and copy SSL certificates from websites on the internet, so it can impersonate website’s certificate to the client.

Redline Software support recommends the access rule to be applied to “All Authenticated Users” for security reasons. They will look like these:

ssldecoderaccessrule

After that the setup is done. When I trying to access a secure website (HTTPS), if you followed this article step-by-step, then you will get a warning like the following:

IE6_warning

[Internet Explorer 6 warning]

ie78_warning

[Internet Explorer 7 and 8 warning]

ie_warning

[Internet Explorer 9 RC warning]

This message appears because the certificate created for SSL Decoder is Self-Signed and the client machine does trust on it, by default. To make the warnings disappear, you must import the certificate created for SSL Decoder component into client’s Trusted Root Certificates Authorities store.

One thing really important to mention here is that SSL Decoder only works with Web Proxy clients. This means, if you configure your machine either as SecureNAT or TMG client (former Firewall client), ISA Server (SSL Decoder, in this case) will not be able to inspect outbound encrypted requests.

There you go! Your ISA firewall is ready to inspect outbound SSL requests!

Testing SSL Decoder inspection

Now it’s time to prove if ISA firewall really can “see” inside a SSL tunnel. First test we are going to try is to block a secure website (HTTPS).

I created a URL Set to block http://mail.google.com

deny_gmail_url

[ISA Logging message for URL Set]

deny_gmail_url_xp

[Client access denied message for URL Set]

I also created a domain name set to block Gmail. Here’s the result:

deny_gmail_domain

[ISA Logging message for Domain Name Set]

deny_gmail_domain_xp

[Client access denied message for Domain Name Set]

Conclusion

In this last part article we finished the configuration of ISA Server to work with SSL Decoder. Created proper access rule and made a PoC (Proof-of-Concept) blocking some secure websites. I hope this will help many ISA admins out there to protect against threats that may be inside SSL tunnels and better control traffic from inside the network, since many of you have not migrated to Forefront Threat Management Gateway (TMG) 2010.

Posted in Computers and Internet, ISA Server, Security | Tagged , , , , , | 2 Comments

Supportability for ISA/TMG co-location with a DC

Introduction

Hi,

this post was inspired by two sources. The first one is a question asked at the message boards from www.isaserver.org by a member named jamal007.

The second one is by a post from a friend of mine: Uilson Souza (in portuguese).

A brief from his post. He discuss a case where a client has a scenario of ISA Server installed on the same machine with a DC and a Exchange Server. I guess the client´s budgets was short (or at least let´s assume that).

Then

Consider a scenario where you want to co-locate ISA/TMG with a Domain Controller. In my opinion, it is not a very clever choice, since you will expose one of the most important server on your organization to the internet. However, most folks think because they can, they should do it.

For many years, Microsoft did not support such scenario (ISA/TMG+DC). The logical always prevailed. It was (is) too risk to put these roles on the same server, because it will have to open so many holes to make it work.

Every ISA administrator was aware it was not a supported configuration and highly insecure in many ways. So, it was always best practice (recommended) to not install, not only DC, but any other role on the same machine as ISA Server, THE network firewall. The very reason behind that is quite obvious, you don’t see other roles (or DC) installed on “hardware” firewalls. The attack surface of servers facing the internet (or protecting your whole business network) must not be increased!

Now

Nevertheless, Forefront Edge team published a couple years ago a paper describing the policies to be followed for ISA (TMG was not released at that time) co-location with a DC on a Branch Office. According to them, they did because many System Administrators were co-locating these two roles together in a insecure manner.

After the paper was published I was confused if the supported scenario was just for Brach Offices or any other scenario involving ISA and Domain Controllers (like ISA Server as backend firewall).

Then came Forefront TMG 2010 and made my head spin again. The Technet’s Unsupported configuration article claims:

Forefront TMG installed on a domain controller is not supported

Issue: Installing Forefront TMG or Forefront TMG EMS on a computer configured as an Active Directory domain controller is not supported.

Cause: This installation is blocked by the Forefront TMG installer.

noteNote:

Installing Forefront TMG Management console on a domain controller is supported.

Solution: Virtualization offers an alternative if both Forefront TMG and a domain controller must be on the same computer. For more information, see Forefront TMG support in a virtual environment and Security Considerations with Forefront Edge Virtual Deployments (http://go.microsoft.com/fwlink/?LinkId=178740)

What?? They published a paper about ISA co-location with a DC! Is this does not worth for TMG 2010??

Also, Forefront Edge team released Service Pack 1. One of the improvements was:

Support for installing Forefront TMG SP1 on a read-only domain controller

Forefront TMG can now be installed on a read-only domain controller in order to realize WAN optimization benefits related to local authentication in branch office scenarios.

At this point I didn’t know what was Microsoft’s official statement about installing ISA/TMG on the same machine with a Domain Controller.

Then came up a question on ISAserver.org message boards, as I said above.

So, I decided to check with Yuri Diogenes. He is a friend of mine which works at Microsoft and is part of Forefront Edge Team.

I asked him a couple of a questions:

1- Are ISA/TMG supported by Microsoft when installed with a Domain Controller?

The answer was: Forefront TMG 2010 is supported only when installed with a Read-Only Domain Controller (RODC). BUT,  you must have at least Service Pack 1 and Update 1 installed. The most common scenarios for that is for deployment of TMG with RODC in a Branch Office scenario. The other scenarios follow the statement quoted from Technet’s Unsupported configuration above.

2- And what about ISA?

Well, ISA is supported using the policies described at the Technet article: ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller in all scenarios, not only Branch Offices.

Conclusion

A conclusion we can take from this post is ISA/TMG are supported to be installed on the same machine as a Domain Controller, if some policies are correctly followed.

The lesson I hope you, ISA/TMG admins, must take is DO NOT co-locate ISA/TMG with a Domain Controller! Although, you can, it does not mean you should. I will always continue recommending you to not do such a sin. Smile

Regards,

Paulo Oliveira.

Posted in ISA Server, Security, TMG, Windows Server | Tagged , , , | 4 Comments

Somethings are really funny…

Hi,
 
did not planned to post again today, but I was reading some news on the internet when I faced the news about a newly discovered Java vulnerablity. Until now, nothing exceptional. 🙂
 
OK, the guy who wrote the article talks about the update released by Sun/Oracle and claims they are irresponsible, because did not gave enough credit to the security researcher who found out the vulnerability, according to them it was not a critical issue.
 
So, yesterday (I guess), they released an update that address the issue, however did not made any mention in the update´s release notes.
 
Now comes the funny part. At the last "section" of his post, he tells his experience when installing Java update. Using his words:
 
"Speaking of irresponsible, here’s what I saw when I applied the new Java update this morning.  Yes, checked by default.  Sigh."
 
Now you ask me, what did he see? Some bug? Some new feature? Some… (I don´t know what to say anymore, maybe I come out with something later 😛 )?
 
No, he saw the following screen:
 
 
 
OK, what´s the big deal about it?? Oh, yes! The option to install Bing Toolbar is checked, by default!!
 
I lost count how many times I saw this very same checkbox (on other softwares, don´t remeber for Java specifically) for Google´s Toolbar option, also checked by default!!
 
I hate these options to install Toolbar on my Internet Explorer browser. It doesn´t matter if it is Bing´s or Google´s Toolbar. What I want to say here is that when Google´s Toolbar was THE option, no one complained about it! What strange fact, hein!?
 
 
Regards,
Paulo Oliveira.
Posted in Computers and Internet | Leave a comment

Security Compliance Manager – quick post

Hi,
 
many companies today are worried about security and security related stuff (data leakage, security patches, security best practices, etc). Well, my friend Yuri Diogenes made a quick post on his blog talking about a new Microsoft tool that helps companies to manage the security and compliance process for the most used Microsoft technologies.
 
As always, Microsoft is willing to hear your feedback: mailto:secwish@microsoft.com?subject=SCM%20feedback
 
For more information about this tool, you can check Yuri´s blog.
 
Regards,
Paulo Oliveira.
Posted in Security | Leave a comment