Tuesday, March 02, 2010
Why Microsoft DirectAccess Represents a Real Paradigm Shift

 

 

Why Microsoft DirectAccess Represents a Real Paradigm Shift

 

Feed: The Edge Man
Posted on: Tuesday, February 23, 2010 8:37 PM
Author: tshinder-msft
Subject: Why Microsoft DirectAccess Represents a Real Paradigm Shift

 

DirectAccess is a new remote access technology enabled by the combination of Windows Server 2008 R2 and Windows 7. Unlike other remote access technologies such as reverse proxy, reverse NAT, SSL VPN gateways, and network layer VPNs, the goal of DirectAccess is to extend your network to any location in the world, so that your domain member client systems are always connected to the corpnet.

Think about the mix of remote access technologies you use now. Some of them might be in place to support partners, for which you want to provide very limited network access. But what about your employees? If you’re like me, you’ve probably spent most of your professional life trying to figure out how to give employees the information they need, in the most efficient way possible, so as to create the least frustration for both the employee and the Help Desk and IT overall. Most of all, you want to make sure this access is secure and that security doesn’t interfere with productivity.

There have always been two major stumbling points when providing productivity-enabling remote access to employees:

  • Employees often found it difficult to get the remote access solution working, or when they did, found the experience limiting in some way and therefore became less productive compared to when they were in the office
  • IT found it difficult to manage the security of the devices their employees were connecting from. Even in the ideal situation where you gave an employee a laptop with the corporate “golden image”, that image often fell out of compliance because the client system was not connected to the corpnet often enough to have the appropriate configuration settings applied through Group Policy or other desired configuration methods, such as System Center Configuration Manager. In addition, it was difficult to keep track of your off-campus fleet, since you never knew when they were going to connect to the corpnet again, if ever.

When you think about it, neither you nor your users ever wanted to use VPN. You never really wanted your employees to have to use SSL VPN gateways. You never actually wanted your users to have to gain access to resources over reverse proxies and NAT devices. You never really wanted to use any of the myriad number of remote access “artifices” that you’ve put in place.

But you did, because your goal was to provide your business an advantage by delivering out of office users access to information so that they could get their work done from anywhere.

But these solutions didn’t really didn’t do what they were supposed to do – at least not for you and your employee users:

  • How many times have you gone to a hotel an found out that it did not support PPTP or L2TP/IPsec?
  • How many times have you had all VPN access denied to you from your out of office location?
  • How many times have you had to deal with network ID collisions between the network you were on the corpnet ?
  • How many times did you need to use a web version of the application you wanted to use, because you couldn’t establish a VPN?
  • How many times have users called you or your help desk because the VPN connection did not work from the hotel room, conference center, partner network or customer’s office?
  • How many times did your users call regarding forgetting which name to use to connect to a resource when they’re out of the office, which of course is a different name when connected to the corpnet?
  • How many times did you wish that you had the same command and control over all your managed, domain member computers, regardless of their location?
  • How many times did you wish that all you had to do is turn on your computer, and you could connect to all the resources you were authorized to connect to, regardless of your location – the only thing you had to remember is to turn your computer on and enter your credentials?

No, we didn’t want these remote access solutions for our employees, but they were the best we could do.

What we actually wanted all this time was DirectAccess.

I can tell you that as a user, DirectAccess becomes a transformational experience. It completely changes the way I approach my work. In the past, if I left the office, I anticipated the traditional road warrior’s “negotiations with the remote access gods”.

The negotiations went something like this:

  • Please don’t assign me an address on the same network ID as my office
  • Please let L2TP/IPsec work
  • Please let PPTP
  • Please let secure Exchange RPC work
  • Please allow RDP to work
  • Please allow more than just HTTP/HTTPS outbound

You just never knew what the computing experience was going to be. If the network layer VPN worked, then almost everything worked. Of course, I’d have to fire off the VPN client first, and make sure the client was configured correctly (easy for me, not so easy for the average or even above average user). If neither network layer VPN protocol worked, then I spend my time living the second-class life of browser based applications. And file access experiences ranged from problematic to catastrophic.

There were often workarounds, but I could employ them because I’ve been doing networking for a long time. Average users would give up, call the Help Desk or try their best to do what they could with what they had – with the end result being a significant compromise in productivity and a flagging faith in the entire remote access experience and reduced expectations for what could be done when away from the office.

DirectAccess changes the game. Not only the game, but the entire playing field. So many of the problems related to remote access technologies that I’ve described so far are due to the users “location awareness”. While location awareness in the software is a very useful thing (and used by DirectAccess in the background), it’s not something you and your users want to worry about.

It’s the entire “location awareness” issue that creates problems for users:

  • Am I going to be able to use VPN?
  • What Web site URL do I use?
  • Am I going to have to reconfigure my application to work on the outside?
  • I’m going to have to do things differently when I’m on the outside

This “location awareness” creates both conscious and unconscious friction with the surface of user productivity. Energy is wasted and productivity is reduced. With DirectAccess, the entire “location awareness” issue is a non-issue. When you and your users connect with DirectAccess – the experience is the same all of the time.

  • The computing experience at work is the same
  • The computing experience at the ball game is the same
  • The computing experience at the hotel is the same
  • The computing experience at the conference center is the same
  • The computing experience at the customer site is the same

How is the computing experience the same in each of these scenarios? Because the following describes the computing experience for all five of the scenarios listed above:

  • Turn power on or wake the computer from sleep
  • Log on with your user name and password, or smart card and pin
  • Connect to corporate file shares, web sites, SharePoint sites, SQL servers, Exchange Servers, and just about any other server you can think of using their native application layer protocols
  • Close the computer lid and put the computer to sleep

Notice there was no “starting the VPN connection” or “connecting to the SSL VPN portal page” or anything else that required the user to be “location aware”.

This is what makes DirectAccess the paradigm shifting, transformational technology it is. And what really proves the point is how quickly you will take it for granted. That is a key component of what I consider to be transformational technology – you take it for granted because it was always supposed to be this way. In fact, you’ll find that the technology, over time, will seem boring to you. And for new computer users who have never experienced DirectAccess , they will find it really boring – or at least not exciting or transformational, because they will assume that is how remote computing should have always been done.

The story on the IT side of the house is just as compelling. Now you have access to the DA clients anytime a DirectAccess client is turned on; the user doesn’t even need to be logged on. You can apply patches, do “just in time” updates, install software, remove software, perform real-time remote management and configuration or assistance over RDP, and many more management tasks because the connection between DA clients and management servers is  bidirectional and always available between the management servers and DA clients.

Your DA clients will be in the same state of compliance as machines that never leave the corpnet and they have access to all the management, command and control systems you use to manage any machine on the corpnet.

The reason is that DirectAccess allows you to extend the corpnet and its management infrastructure to the DA client.

I know that you’ve heard about “paradigm shifts” and “transformational technologies” in the past. IPsec server and domain isolation had that potential. But it never caught on. Network Access Protection, something I can remember hearing a number of people at TechEd 2004 demand “I need it now!” But after it was released, sort of “hung in the stretch” (to use a horse racing term). Why? I don’t know if there are any official reasons why, but I suspect that these two fantastic, potentially game changing technologies were just too complex and the expected return on investment for dealing with such a level of complexity ended up being too low.

This can’t and must not happen to DirectAccess – there are two main reasons why I don’t see DA “dying on the vine”:

  • Although some in the media have communicated that it is complex, in fact, there are far fewer moving parts that you might think – most who consider it overly complex have not tried to set it up
  • Many of the moving parts are already deployed on your network and you can easily integrate them into your DirectAccess deployment
  • The gains in improved manageability will more than pay for the time it takes to learn the new technology
  • The gains in end user satisfaction and increased productivity will not be incremental, they will be differential – meaning that end user productivity will increase significantly after DA is deployed, and will continue to increase over time as the frictionless DirectAccess experience is fully integrated into the computer users’ ways of working

So there you have it – my reasons why DirectAccess will change the world, and it’s a world that both IT and end-users have always wanted to live in.

It’s also a world that I want to help you get to. In the following months this blog will be dedicated to UAG DirectAccess and provide you hints, tips, tricks, ideas, opinions, workarounds, designs, and experiences that will speed your path to DirectAccess deployment. Because the only way you’ll really know the joy of the DirectAccess experience is to experience it. And after that, you’ll take it for granted – but you’ll be taking for granted an all new world of computing – one that allows you to get more done faster without ever needing to think about where you are.

HTH,

Tom

Thomas W. Shinder MD

Microsoft ISDUA – UAG DirectAccess – Anywhere Access Team (AAT)

tomsh@microsoft.com


View article...

General | Microsoft | Virtual Appliances | Virtualization
Tuesday, March 02, 2010 5:49:30 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Wednesday, February 24, 2010
Increase DirectAccess Deployablility

 

Increase DirectAccess Deployablility

 

 

Feed: Forefront Experts
Posted on: Monday, February 15, 2010 11:39 AM
Author: Hal Berenson
Subject: Increasing DirectAccess Deployability 

Andrew Garcia over at eWeek has written an excellent article describing his experience testing Microsoft Forefront UAG 2010's capabilities for assisting deployment of Microsoft Windows' DirectAccess.  I thought I'd add a little color commentary to the deployment topic..

A little over a year before the release of Windows 7 and Windows Server 2008 R2 the UAG team looked at what it could do to incorporate DirectAccess as a technology in its overall "access" mission.  Later, a Microsoft-wide virtual team looked into what we could do to accelerate DirectAccess deployment.  These two activities have already born fruit, both in new features in UAG 2010 and the new DirectAccess Connectivity Assistant.

As an example, one of the key features UAG brings to the DirectAccess deployment story is support for the DNS64 and NAT64 IPv6 transition technologies.  The "64" refers to "6-to-4", as in IPv6 to IPv4 (as oppsed to the common usage implying something to do with 64-bits).  DNS64 and NAT64 are the latest technologies for allowing IPv6 clients to communicate with IPv4 servers.  They are in the process of replacing the earlier DNS-ALG and NAT-PT technologies that were found to be flawed and moved to historical status by the Internet Engineering Task Force (IETF).  As a result of DNS-ALG/NAT-PT's status customers may not be willing to deploy them and vendors (some of whom already support these technologies in shipping products) may not want to advocate their use.  That left a big gap for customers considering deployment of DirectAccess, how to enable communications with servers that only support IPv4?  UAG 2010 stepped in to help and is the first product to bring the newer DNS64 and NAT64 to market.  Others will certainly follow as the need to enable transition to IPv6 becomes more urgent

Although not part of UAG, the Microsoft DirectAccess Connectivity Assistant (DCA) is another important part of our efforts to accelerate DirectAccess deployment.    One piece of feedback we received from early adopters of DirectAccess was that their end-users loved DirectAccess so much that when it didn't work they were quite vocal about their frustration.  Perhaps it worked just fine from their home or hotel, but not when they were in their favorite coffee shop.  The lack of an indicator that DirectAccess was "on" and working properly added to end-user frustration.  The lack of an easy way to gather and deliver diagnostic information to IT, so they could help solve the problem, raised support costs.  DCA displays the status of DirectAccess connections in the Windows 7 notification area, gives the end-user assistance in solving connectivity problems, and provides diagnostic information should IT need to get involved in resolving connectivity problems.  DCA is now available for download on TechNet.

Making products easily deployable is a major focus for the Identity and Security Division and customers should start to see the result as we roll out new products.  For DirectAccess we continue to drive a Microsoft-wide effort to accelerate deployment.  In the short run you'll notice an increasing amount of deployment guidance becoming available.  I urge you to keep an eye on the Forefront UAG Product Team Blog for announcements as well as for hints and deep dives to help with your UAG deployments (DirectAccess and otherwise).


View article...

Forefront | Microsoft
Wednesday, February 24, 2010 3:51:33 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Friday, February 19, 2010
Microsoft DirectAccess Connectivity Assistant

 

Microsoft DirectAccess Connectivity Assistant

 

Feed: Bink.nu
Posted on: Saturday, February 13, 2010 4:48 PM
Author: Steven Bink
Subject: Microsoft DirectAccess Connectivity Assistant

 

Check out the Microsoft DirectAccess Connectivity Assistant, the newest edition to the Windows® Optimized Desktop Toolkit 2010 to help reduce costs and improve the experience of DirectAccess. 

The Microsoft DirectAccess Connectivity Assistant (DCA) helps organizations reduce the cost of supporting DirectAccess users and significantly improve their connectivity experience. This Solution Accelerator is part of the Windows® Optimized Desktop Toolkit 2010 (WODT 2010).

 The Microsoft DirectAccess Connectivity Assistant (DCA) helps organizations reduce the cost of supporting DirectAccess users and significantly improve their connectivity experience.

DCA informs mobile users of their connectivity status at all times; provides tools to help them reconnect on their own if problems arise; and creates diagnostics to help mobile users provide IT staff with key information if necessary—all to help customers operate with more efficiency, and at a lower cost.

DCA is the newest addition to the Windows® Optimized Desktop Toolkit 2010, which is designed to help IT pros plan, deliver, and operate the right desktop technologies for users across their organization.

The download includes the following components:

  • Microsoft_DirectAccess_Connectivity_Assistant.zip
  • Microsoft_DirectAccess_Connectivity_Assistant_x32.msi
  • Microsoft_DirectAccess_Connectivity_Assistant_x64.msi
  • Microsoft_DirectAccess_Connectivity_Assistant_DeploymentGuide.docx
  • Microsoft_DirectAccess_Connectivity_Assistant_Release_Notes.en.htm
  • DirectAccess Connectivity Assistant GP.admx
  • DirectAccess Connectivity Assistant GP.adml

Download details DirectAccess Connectivity Assistant

Send via e-mail | Submit to Digg | Add to Live Favorites

View article...

Desktop Virtualization | Microsoft | Virtual Appliances | Virtualization
Friday, February 19, 2010 8:34:40 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Friday, February 12, 2010
Forefront TMG 2010 Email Protection Updates

Forefront TMG 2010 Email Protection Updates

This recent article was published at Tales from the Edge, that explains how to configure Exchange Sync with Forefront TMG 2010, here it is the link for it: http://technet.microsoft.com/en-us/library/ee513174.aspx. Also, here is a reminder about the supported scenarios with Forefront TMG 2010 and Exchange 2007 Edge role, for the support matrix click here.

From: http://blogs.technet.com/isablog/archive/2009/11/10/email-protection-in-forefront-tmg-2010-release-candidate.aspx

The * on this table says:

Recently a blog post was published by the Exchange team saying that they reconsidered and are planning to support Windows Server 2008 (SP2). To read more about it please follow this link: http://msexchangeteam.com/archive/2009/11/04/453026.aspx

There is a newer update on that, which is the one below:

“…we will be adding support for Exchange 2007 on the Windows Server 2008 R2 platform.   While we had hoped to add this application/operating system combination quickly, unfortunately adding this support requires code changes to setup in Exchange 2007.  Therefore, our vehicle for adding this support will be via a third Service Pack for Exchange 2007 in the second half of calendar year 2010.”

From: http://msexchangeteam.com/archive/2009/11/30/453327.aspx

In other words: If you want to deploy Exchange 2007 Edge role on Forefront TMG 2010 you will need to:

  • Windows Server 2008 SP2
  • Exchange 2007 SP2

If you already installed Forefront TMG 2010 on Windows Server 2008 R2 and want to install Exchange Edge role to enable EMail Protection feature your current supported options are:

  • Install Exchange 2010 Edge Role
  • Wait for Exchange 2007 SP3 to come out so you can install Exchange 2003 Edge Role on Windows Server 2008 R2

Author

Yuri Diogenes
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Technical Review

Noam Ilovich
Program Manager
Microsoft Forefront Edge Team

View article...

Forefront | Microsoft | TMG
Friday, February 12, 2010 1:34:33 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Forefront TMG 2010 Web Protection Services Licensing

Forefront TMG 2010 Web Protection Services Licensing

Introduction

Forefront TMG 2010 adds two new subscription-based features, known collectively as Forefront TMG Web Protection Services (WPS). These features include URL Filtering (URLF) and Anti-Malware or Enhanced Malware Protection (AM or EMP). One thing that makes these features unique within Forefront TMG is that they are licensed separately from Forefront TMG itself. This blog will discuss the various licensing and purchasing options available for URLF and EMP subscriptions and guide you through managing the license details in Forefront TMG management.

WPS Purchasing and Pricing

The first thing most people want to know is “How do I get a Forefront TMG WPS license and how much does it cost?”

Forefront TMG WPS is subscription product licensed per user or per device.  This subscription is only offered through Microsoft Volume Licensing programs, and must be purchased separately from Forefront TMG 2010. Forefront TMG WPS is included in Forefront Protection Suite and ECAL.  You can find information on purchasing Forefront TMG WPS through Microsoft or a Microsoft partner at http://www.microsoft.com/forefront/threat-management-gateway/en/us/purchase.aspx.

The Forefront TMG WPS pricing structure is outlined in http://www.microsoft.com/forefront/threat-management-gateway/en/us/pricing-licensing.aspx.

Verifying the Evaluation License

You may want to take advantage of Forefront TMG WPS while you wait for your license to arrive; or perhaps you want to give WPS a test drive before you decide whether you want to purchase a license. Regardless, TMG provides a free 120-day trial subscription that goes into effect as soon as you deploy Forefront TMG 2010.

Using the Getting Started Wizard (GSW)

The Getting Started Wizard (GSW) provides one way to configure these options. During this process, you can choose to enable HTTPS Inspection, URLF and EMP as well as whether to use the evaluation license (selected by default). The following steps show you where you make these choices in the GSW.

Note: if the TMG computer is a member of an array, the GSW is not available. In this case, you must use the Without the GSW steps

View article...

Forefront | Microsoft | TMG
Friday, February 12, 2010 1:13:38 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Thursday, February 04, 2010
Direct Access FAQ's

Still confused about what Direct Access really is and what it can mean for your business?  Bookmark the DirectAccess FAQ for answers to many of your DirectAccess questions.  Learn how your users can be seamlessly and securely connected to your network any time they have an internet connection.  Keep your users up to date with security and system health policies using DirectAccess. 

General | ISA | Microsoft | TMG
Thursday, February 04, 2010 11:04:26 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Forefront TMG Case Studies

Forefront TMG Case Studies – Many of our customers will wait a while and look to see how a software product performs in the real world before making the decision to adopt a new technology.  The same goes for the Microsoft Forefront TMG product, the successor to the popular and proven Microsoft ISA technology.  Customers want to know why TMG is being adopted, why they should change from their current ISA platform, and what benefits they will realize when they decide to make the move.  A great way to answer those questions is through real world case studies such as those found here where customer testimonials can help illustrate some of the benefits found in Microsoft TMG. 

Forefront | ISA | Microsoft | TMG
Thursday, February 04, 2010 10:46:46 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Tuesday, February 17, 2009
Forefront TMG (ISA Server) Product Team Blog : Error installing a replica of ISA Server 2006 CSS

 

Error installing a replica of ISA Server 2006 CSS

1. Introduction

When you attempt to install a replica CSS, you may encounter the following error message:

Figure 1 – Error while installing ISA Server 2006 CSS.in replica mode

When ISA Server 2006 Setup displays the “Setup failed to start the configuration agent” message, this means that the Microsoft ISA Server Storage Control Service was unable to perform certain tasks that were supposed to be completed at that point in time. To understand this error, we need to review the ISA Sever 2006 Setup Log files.

2. Reviewing Setup Log files

ISA Server 2006 Setup log files are located in %windir%\temp, for this specific issue the log file that we should review starts with ISAFWSRV_NNN.log, which contains Firewall service setup information. The relevant part of this error in the setup file is shown here:

14:52:30 ISA setup CA INFO : Source path = C:\ISA Server 2006 Enterprise\FPC\Program Files\Microsoft ISA Server\msfpcstg.dll

14:52:30 ISA setup CA INFO : GetHandleToDllEx(msfpcstg.dll) succeeded

14:52:30 ISA setup CA INFO : LoadStorage succeeded

14:52:30 ISA setup CA INFO : StorageInitialized OK

14:52:30 ISA setup CA INFO : This is a deferred CA - ADAM server name should be already set in registry

14:52:30 ISA setup CA INFO : ADAM server name is: mycss.contoso.com

14:52:30 ISA setup CA INFO : Server=mycss.contoso.com, Username=(null), Domain=(null)

14:52:31 ISA setup CA ERROR : MixerSetup() failed, hr=0x80004005

Setup failed while initializing configuration agent.

MSI (s) (E4!E4) [15:09:26:746]: Product: Microsoft ISA Server 2006 -- Setup failed while initializing configuration agent.

15:09:26 ISA setup CA ERROR : Setup failed while initializing configuration agent.

15:09:26 ISA setup CA ERROR : (Error 37060) Setup failed while initializing configuration agent.

15:09:26 ISA setup CA ERROR : EXIT: InitConfigurationAgent, Custom Action failed (0x643)

15:09:26 ISA setup CA INFO : msfpc.DLL was successfully unloaded from delay-load list

The error code 0x80004005 is a very generic error, it actually means “unspecified failure” according to Common HRESULT Values MSDN article..

3. ISA Data Packager

One approach that can be used in scenarios like this is to get an ISA Data Packager in repro mode. . The following action plan can help you understand and resolve CSS replication problems encountered during installation:

1) On the original CSS, download the latest version of ISA BPA from www.isabpa.com and install it.

2) Go to Start / Programs / Microsoft ISA Server / ISA Tools and click ISA Data Packager

3) Click the option "Collect data using one of the following repro scenarios"

4) Select "Configuration Storage Server" and click Next;

5) Click Modify Options

6) Select:

a. ISA BPA

b. ISA Info

7) Click Start data collection

8) The Data Packager will start to run. When the option "Press spacebar to start the capture" appears, press the spacebar to begin the data capture

9) Try to install the CSS replica.

10) When the error message appears, click OK; wait until the installer completes the roll back process,

11) Return to the original CSS and press spacebar again to stop the capture. Wait until the CAB file is generated on the desktop.

4. Reviewing ISA Data Packager Result

One of the files within this CAB file that you can review to see if the whole ISA Data Packager collection was done successfully is called IDP.yyyy-mm-dd.hh-mm-ss.time.trace.log (for example IDP.2009-1-23.15-29-13.trace.log). This is a log that the IDP (ISA Data Packager) writes the details of the steps that were performed during the data collection. In this case one thing that didn’t look correct was the error below:

* -- Accessing "FPC.Root"

* Connecting to CSS "mycss.contoso.com"

* Connecting to "Containing" Array..

* -- Exporting ISA configuration (this may take some time)...

* *** Failed to gather ISA configuration data.

*

* Error Number : 8000FFFF

* Description : Catastrophic failure

*

* The error occurred on object 'My Application Protocol' of class 'Protocol Definition' in the scope of array 'mycss'.

When ISA Data Packager runs it tries to exports the ISA Server configuration to an XML file. In this case the export action failed with error 8000FFFF (Catastrophic failure). According to this log, the object “My Application Protocol” which is located in the “Protocol Definition” container in the “mycss” array couldn’t be exported.

5. Solution

When ISA Storage Control Service is initializing, the agent tries to gather ISA configuration data by synchronizing with the existing CSS . This action fails because of a corrupted object in the existing CSS. Putting the pieces together, it makes sense that the installation of the CSS replica would have failed.

The solution I this case is to manually remove the “My Application Protocol” object. ISA storage mechanisms can’t access the corrupted custom protocol object becaue of the schema validation that is performed during object access. Thus, you must use ADAM management tools to do this. You can use a similar approach as described in Method 2 of the KB935767 to access ADAM and make a manual modification. The actual DN (Distinguished Name) of the problematic object will be unique, but in the case of a protocol definition, it would be located in CN={ProtocolUUID},CN=ProtocolDefinitions,CN=RuleElements,CN={ArrayUUID},CN=Arrays,CN=FPC2

Author

Yuri Diogenes

Security Support Engineer – Microsoft CSS Forefront Edge Team

Technical Reviewers

Jim Harrison

Program Manager - Microsoft Forefront Edge

Mohit Saxena

Technical Lead - Microsoft CSS Forefront Edge Team

Published Tuesday, February 17, 2009 12:26 AM by isablog

Filed under: ISA, BPA

Forefront TMG (ISA Server) Product Team Blog : Error installing a replica of ISA Server 2006 CSS

ISA | Microsoft
Tuesday, February 17, 2009 11:46:52 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Tuesday, January 20, 2009
Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3)

 

IsaServer logo

Site Search

Advanced Search


Web security and Web filtering for ISA Server
Monitor, control and protect your ISA Server users with filtering policies, real-time monitoring and multiple virus scanning engines
Learn more and download 30-day trial

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3)

Case study: Migrating a unihomed ISA 2000 firewall configuration to a multihomed ISA 2006 firewall configuration.

Thomas Shinder photo

If you would like to read the other parts in this article series please go to:

Introduction

In the first two parts of this series on ISA and TMG networking, I discussed the concepts of ISA/TMG Firewall Networks and Network Rules. In those articles I tried to make it clear that you need to have a good understanding of how the ISA/TMG firewall sees the networked world before you can get the most out of your firewall configuration.

Now that you have a good understanding of ISA/TMG Firewall Networks and Network Rules, let us take a look at a case study. In this case study the client wanted to migrate from ISA 2000 to ISA 2006. As you might know, there is no direct upgrade path from ISA 2000 to ISA 2006. I do not consider this a major problem (in most cases) because the networking model used by ISA 2004 and ISA 2006 firewalls is completely different than that used in ISA 2000. It is better to start over and determine what the requirements are, and see how the new network model and new features included with the newer firewall version can help meet and optimize those requirements.

The client was using the ISA 2000 firewall for Web Publishing Rules only. It was not used for outbound access in any way. Its only duty was to perform reverse Web proxy for a number of applications hosted on an internal Web server. The client did use the ISA 2000 firewall to route requests to different Web sites based on the path in the request. Because of this, internal clients needed to connect to the Internal Web sites through the ISA firewall.

Current Infrastructure: Unihomed ISA Firewall on Internal Subnet

Figure 1 shows the old network configuration that’s relevant to our ISA firewall design. As you can see, there is a front end ASA gateway connecting the customer’s network to the Internet. The ASA gateway is the device that enables all inbound and outbound access into and out of the network.

There was a core router that routes to a number of internal network IDs. There is a unihomed ISA firewall on one of these network IDs. Since the ISA 2000 firewall is unihomed, all networks are considered internal. However, this observation is somewhat moot since the ISA 2000 firewall didn’t see network world in terms of ISA Firewall Networks. The default gateway for the old ISA 2000 firewall is local IP address on the LAN router.


Figure 1

Figure 2 shows the old traffic path used by internal clients when they tried to connect to the company’s Web sites. When planning out ISA or TMG firewall deployments, it's critically important that you understand the current network infrastructure and the request/response paths used by both internal and external clients to reach those resources. The old request/response path for internal clients can be described in the following steps:

  1. Client on one of the internal subnets sends a connection request to the unihomed ISA firewall. This request must cross network IDs and thus packets must be sent to the core router for routing.
  2. The core router forwards the packets to the ISA 2000 firewall.
  3. The ISA firewall proxies the request to the Web site, which is on the same network ID as the ISA firewall.
  4. The Web site responds to the ISA firewall’s request for information.
  5. The ISA firewall forwards the response to the internal client that made the request. The request must be forwarded to a different network ID than where the ISA firewall exists, so response packets are sent to the ISA firewall’s default gateway, which is the core router.
  6. The core router forwards the response to the internal client that made the request.


Figure 2

After understanding how internal clients reached the Web sites through the unihomed ISA 2000 firewall, the next step was to figure out how external clients reached the Web sites. Figure 3 shows the request/response path:

  1. An external client resolves the name of the Web site to an IP address on the external interface of the ASA gateway.
  2. The ASA gateway does reverse NAT to forward the request to the unihomed ISA 2000 firewall. In order to reach the remote subnet on which the ISA firewall exists, the ASA gateway forwards the packets to the core router’s local IP address.
  3. The core router forwards the packets to the ISA firewall.
  4. The ISA firewall does reverse Web proxy and forwards the request to the Web site.
  5. The Web site sends its response to the ISA firewall.
  6. The ISA firewall sends its response to the client that made the request. Since the source IP address is an Internet IP address, the ISA firewall sends the request through it’s default gateway, which is the local IP address on the core router.
  7. The core router uses the ASA gateway as its default gateway, and forwards the packets to the ASA.
  8. The ASA forwards the packets to the client that made the initial request for the Web content.


Figure 3

Now that we have a good understanding of the request/response paths for connections to the ISA firewall for Web content, we can now think about how to redesign the configuration so as to provide a much higher level of security using the new networking model included with the ISA 2006 firewall.

New Network Configuration: ISA Firewall as Inline Network Security Device

We decided to increase network security by changing from a unihomed ISA firewall configuration to a dual homed, inline network device configuration. When the ISA firewall is deployed in this way, attackers would not be able to bypass the firewall to obtain content on the internal Web servers. In addition, this configuration enables the ISA firewall to shore up the security weaknesses inherent in the ASA gateway, thus providing a dual layer of protection for both inbound and outbound access. Our initial design did not include outbound access control, but it would be something to consider in the future. For now, we will focus only on using the ISA firewall for reverse proxy.

As you know now, ISA and TMG firewalls need to have Networks defined in order to allow traffic to cross them. In addition to defining these Firewall Networks, we need to configure Network Rules to connect the Firewall Networks.

In figure 4 you see how we deployed the new ISA firewall. First, the ISA firewall was placed behind the ASA gateway and it uses the LAN interface of the ASA gateway as the ISA firewall’s default gateway. The other NIC on the ISA firewall was connected to the default Internal Network. The default Internal Network is defined by all IP addresses located behind the internal interface of the ISA firewall. In this case, since there were multiple internal subnets behind the ISA firewall, we had to add all of these IP addresses to the definition of the default Internal Network.

In addition, we had to make sure that the ISA firewall was configured with routing table entries that let the firewall know to use the core router to forward connections to different network IDs within the default Internal Network. We needed to do this because the ISA firewall’s default gateway was the LAN interface on the ASA gateway, which represents a departure from the previous ISA firewall’s configuration, where it was using the core router as its default gateway.

We also needed to configure an ISA Firewall Network for the DMZ segment between the ISA firewall’s external interface and the LAN interface on the ASA gateway. The reason for this was that they were currently using the ASA at their VPN gateway. External VPN clients connect to the ASA and need access to content behind the ISA firewall. After creating the ISA Firewall Network for the DMZ, we set a Network Rule to Route connections between the DMZ and default Internal Network. The ASA had to be configured to inform the VPN clients to use the ISA firewall’s external interface as the gateway address for all the internal network IDs.

The other Network Rule applying to this configuration is one enabling traffic between the default Internal Network and the default External Network. This Network Rule set a NAT relationship between the default Internal and default External Networks.


Figure 4

Figure 5 gives you a look at the request and response traffic between an external client and the Web servers that the new ISA firewall configuration will provide access to:

  1. The external client resolves the name of the Web site to an IP address on the external interface of the ASA gateway that will perform reverse NAT on the connection.
  2. The ASA gateway forwards the packets to the external interface of the ISA firewall.
  3. The ISA firewall needs to forward the request to the Web server on a remote subnet. In order to do this, it forwards the packets to the local interface on the core router.
  4. The core router forwards the packets to the Web server.
  5. The Web server responds to the request. Since the request appears to come from the IP address of the ISA firewall (the default setting for Web Publishing Rules), it sends its response through its gateway address, which is the local address on the core router.
  6. The router forwards the packets to the internal interface of the ISA firewall.
  7. The ISA firewall returns the response to the requesting client through the ASA gateway.
  8. The ASA gateway forwards the packets from the ISA firewall to the requesting client.


Figure 5

The next problem we had to deal with is how internal clients reach the Web servers. Since I prefer to not loop back through the ISA firewall to reach internal resources, I proposed that the following should be the optimal request/response path (figure 6):

  1. The internal client makes a connection request to the Web server that is on a remote network ID. In order to do that, it uses it’s default gateway, which is the local IP address on the LAN router.
  2. The router forwards the packets to the Web server.
  3. The Web server responds to the client request. Since the request came from a client on a remote subnet, it forwards the response through the local IP address on the core router.
  4. The router forwards the response to the requesting client.


Figure 6

While that would have been the optimal solution in terms of performance and simplicity, this “direct access” method would not work in our scenario. The client was using the ISA firewall to do some neat routing tricks based on the path statement in the request, so both internal and external clients need to go through the ISA firewall to make the solution work. This required that the Web Listener used in the Web Publishing Rules be configured to listen on both the internal and external interfaces of the ISA firewall. In addition, a split DNS infrastructure needed to be put into place, so that internal clients resolved the names of the Web sites to the IP address on the internal interface of the ISA firewall.

With those configuration settings in place, the new request/response path would look like this:

  1. The internal client makes a request for the Web site. The site name resolves to the IP address on the internal interface of the ISA firewall. Since the client is on a subnet remote from the internal interface of the ISA firewall, the request is forwarded to the client’s default gateway, which is the local IP address on the core router.
  2. The core router forwards the packets to the IP address on the internal interface of the ISA firewall.
  3. The ISA firewall reverse proxies the request to the Web site on a remote subnet. To do this, the ISA firewall sends the packets through the core router to reach the remote subnet on which the Web server is located.
  4. The router forwards the packets to the Web server.
  5. The Web server returns the response to the source IP address of the request, which is the internal IP address on the ISA firewall. In order to reach this IP address on a remote subnet, the Web server sends the packets to the local interface of the core router.
  6. The core router forwards the packets to the ISA firewall’s internal interface.
  7. The ISA firewall sends the response to the client that made the original request. In order to reach the client on the remote subnet, the ISA firewalls sends the packets to the local address on the core router.
  8. The router sends the packets to the client that made the original request.


Figure 7

Summary

In this last article of our three part series on how the ISA and TMG firewalls see the network, I went over a case study were we migrated a unihomed ISA 2000 firewall configuration to a multihomed ISA 2006 firewall configuration. In order to make the migration a success, we needed to understand how ISA/TMG Firewall Networks work and how to configure Network Rules to connect those Networks. We needed to make sure that all the appropriate addresses were configured in the default Internal Network, and we also created another ISA Firewall Network to support VPN clients terminating on the ASA gateway in front of the ISA firewall. Finally, a detailed understanding of the request/response paths between clients and published servers was critical to making the solution work.

Since we have spent so much time on network designs the last few weeks, let us take advantage of this momentum and examine some network designs for unihomed ISA firewalls. While concepts of ISA Firewall Networks and Network Rules do not apply to unihomed ISA Firewalls, there are still some routing options, as we can take advantage of Web Routing Rules to do some neat things work unihomed ISA firewalls. See you then! –Tom.

If you would like to read the other parts in this article series please go to:

About Thomas Shinder

Thomas Shinder photo Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

Click here for Thomas Shinder's section.

Share this article

AddThis

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!

Latest articles by Thomas Shinder

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 3)

Forefront | ISA | Microsoft | TMG | Tom Shinder
Tuesday, January 20, 2009 3:28:59 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Tuesday, January 13, 2009
Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

 

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

Understanding the concept of Network Rules.

Thomas Shinder photo

  • Published: Jan 13, 2009
  • Updated: Jan 13, 2009

If you missed the first part in this article series please read Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

Introduction

In our last article on ISA and TMG firewall networking, I talked about how ISA and TMG firewalls use Networks to control traffic moving through and to the firewall. To recap, ISA and TMG Firewall Networks are collections of IP addresses located behind a specific NIC on the firewall. The addresses can be on and off-subnet for the specific NIC, but in order for a client behind any NIC on the TMG or ISA firewall to reach a destination through the firewall, that client’s IP address must be included in the definition of the ISA or TMG Firewall Network from which it connects. If the client’s IP address is not part of the ISA Firewall Network definition for the NIC that receives the request, the connection will be dropped as spoofed.

If you have not read part 1 of this series on ISA and TMG Networking, or want to brush up on what ISA/TMG Firewall Networks are all about, click here.

Now that you understand the details of ISA/TMG Firewall Networks, the next step is to understand how to connect those Networks. In order a host on one ISA/TMG Firewall Network to connect to a host on another ISA/TMG Firewall Network, the source and destination Networks must be connected. The way you connect ISA/TMG Firewall Networks is by creating a Network Rule.

Network Rules connect ISA/TMG Firewall Networks in one of two ways: NAT or Route. When you connect ISA/TMG Firewall Networks to each other, you also define the route relationship between the Networks.

Note:
Pay attention to the capitalization when I refer to networks. A “network” with a lower case “n” is a generic network, while a Network with an upper case “N” is an ISA/TMG Firewall Network.

When you define a NAT relationship between the source and destination Network, all IP addresses on the source Network are hidden from the destination host. The destination host sees the source IP address as the primary IP address on the external interface of the ISA/TMG firewall. The primary IP address is the IP on top of the IP address list (when there is more than one IP address bound to the external interface of the ISA/TMG firewall). A NAT route relationship is one-way. When you NAT from source to destination, you do not NAT from destination to source. For example, when you NAT from the default Internal Network to the default External Network, you do not NAT from the default External Network to the default Internal Network.

In general, when there is a NAT relationship between the source and destination Network, you create Access Rules to allow connections from the NATed to the non-NATed Network (for example, from the default Internal Network to the default External Network) and Publishing Rules to allow connections from the non-NATed Network to the NATed Network (for example, from the default External Network to the default Internal Network).

When you define a route relationship between two ISA/TMG Firewall Networks, the route relationship is reciprocal. That is to say, if you create a route relationship from source to destination Network, then there is also a route relationship between the destination and source Network. When there is a route relationship, no IP addresses are hidden, and the source IP address is always preserved.

In general, you use Access Rules to allow traffic in both directions when there is a route relationship between source and destination Networks. For example, if you have a route relationship defined for connections from the default Internal Network to a DMZ Network, then you can use Access Rules to allow connections from the default Internal Network to the DMZ Network, and you can use Access Rules to allow connections from the DMZ Network to the default Internal Network.

An example Network Rule appears in figure 1 below. In this example, there is a Network Rule that connects the DMZ Network to the default Internal Network and the route relationship is Route.


Figure 1

Remember, there must always be a Network Rule that connects the source and destination Network. Even if you create an Access Rule that allows a connection from a host on one Network to a host on another Network, the connection attempt will fail because the Networks are not connected by a Network Rule. This problem can be hard to troubleshoot because when you check the ISA/TMG firewall’s log files, you will see that the connection attempt is denied, but there would not be any information indicating that the problem is a missing Network Rule. Well, that’s been true for ISA firewalls. I have not yet tested this with TMG firewalls. However, the problem should be less frequent with TMG firewalls, since when creating a new TMG Network, you are asked to define the Network Rule before the Network is created. In contrast, with the ISA firewall, you could create a Network without creating a Network Rule.

Network Rule Examples

To get a better understanding of how Network Rules work in connecting ISA/TMG Firewall Networks, let’s look at a few examples. In figure 2 below, you will see a typical configuration for an ISA/TMG firewall with a default Internal and default External Network. In this example, there is a Network Rule connecting the default Internal and External Networks, and the Network Rule defines a NAT relationship between the Networks.

When clients on the default Internal Network try to connect to hosts on the default External Network, the source IP address seen by the host on the default External Network is going to be the primary IP address on the external interface of the ISA/TMG firewall. In effect, the ISA/TMG firewall is “hiding” the IP address of the source client.


Figure 2

ISA and TMG firewalls can be configured with multiple NICs. There is no limit on the number of NICs you can install in an ISA or TMG firewall. In fact, you can even create virtual NICs using 802.1q VLAN tagging, as long your NICs and NIC drivers support this configuration. When you have multiple NICs installed on the ISA firewall, you can create an ISA/TMG Firewall Network for each of the NICs (recall our discussion of ISA/TMG Firewall Networks in part 1 of this article series, where each NIC represents the “root” of each ISA/TMG Firewall Network).

In the figure below, you can see that there are three NICs installed on the ISA firewall. One NIC is connected to the default External Network one NIC is connected to the default Internal Network, and one NIC is installed on a DMZ Network. There are two Network Rules configured on the ISA Firewall:

  • A Network Rule connecting the default Internal Network to the default External Network, and the route relationship is NAT
  • A Network Rule connecting the default Internal Network to the DMZ Network, and the route relationship is Route

In this configuration, connections from the default Internal Network to the default External Network will be NATed, and the destination hosts will see the source IP address of the connection as the primary IP address on the external interface of the ISA firewall. When hosts on the default Internal Network connect to hosts on the DMZ Network, the destination hosts on the DMZ Network will see the source IP address as the actual IP address of the host on the default Internal Network. Likewise, since the route relationship is reciprocal, when a host on the DMZ Network tried to connect to a host on the default Internal Network, the host on the default Internal Network will see the source IP address as the actual IP address of the host on the DMZ Network.

In this next example (figure 3), connections from the default Internal Network to the default External Network are allowed by using Access Rules. Connections from the default External Network to the default Internal Network are allowed by publishing rules (either Web or Server Publishing Rules). Connections from the DMZ Network to the default Internal Network, and from the default Internal Network to the DMZ are allowed using Access Rules.


Figure 3

What do you think will happen if a host on the DMZ Network tries to connect to a host on the default External Network? Since there is no Network Rule in place connecting hosts on the DMZ Network to the default External Network, the connection attempt will be denied, as seen in figure 4 below. Even if there is an Access Rule allowing the connection, the connection attempt will fail because there is no Network Rule connecting the Networks.


Figure 4

Let us say that we create a Network Rule that connects the DMZ Network to the default External Network and define the route relationship as NAT. When there is a NAT relationship, we can use either public or private addresses on the source Network. Connections from hosts on the DMZ Network to the default External Network are allowed by using Access Rules, and connections from the default External Network to the DMZ network are allowed by using publishing rules.


Figure 5

Figure 6 below shows a slight alteration in the configuration. In this case, there is a route Network Rule connecting the DMZ Network to the default External Network. Because there is a route relationship, we must use public addresses on the DMZ Network, because private addresses are not routable over the Internet. We can use Access Rules to allow connections from the DMZ Network to the default External Network, and we can also use Access Rules to allow connections from the default External Network to the DMZ Network.

Up to this point, I’ve been telling you that when you have a route relationship, you can use Access Rules to control traffic in both directions. However, it is possible to use publishing rules. In the case or Web Publishing Rules, the route relationship isn’t an issue, because the connections are always proxied from the source and destination Network, so no actual “routing” at an IP level actually takes place. However, the situation is a little different with Server Publishing Rules.

When there is a route relationship between the source and destination Network, you can allow incoming connections using either an Access Rule or a Server Publishing Rule. In some cases, you might want to use a Server Publishing Rule instead of an Access Rule, because application layer inspection filters are bound to some Server Publishing Rules that can’t be bound to access rules.

For example, in the example configuration noted in the above figure 5, there is a route relationship because the default External Network and the DMZ Network. Suppose you have an SMTP server on the DMZ Network. You want to allow incoming SMTP messages from the Internet to the SMTP server on the DMZ Network. In this case, you could create an Access Rule to allow incoming SMTP connections from the default External Network to the DMZ Network, or you could create a Server Publishing Rule that publishes the SMTP server on the DMZ Network.

The advantage of using a Server Publishing Rule in this scenario is that the SMTP filter can be bound to the “SMTP Server” protocol. “Server” protocols are for inbound connections only. The SMTP filter can’t be bound to the “SMTP” protocol, which is used for Access Rules. Thus, a Server Publishing Rule using the SMTP Server protocol allows us to apply application layer inspection on the incoming connections.

I should note here that when you do use Server Publishing Rules to publish servers in a scenario where this is a route relationship between the source and destination Network, you still publish the machine using the actual IP address of the published server. However, the ISA or TMG firewall then performs a bit of magic to intercept the connection so that application layer inspection can be performed. The firewall does what is called “port stealing” on the Server Publishing Rule, so that when connections destined to the actual IP address of the published server are made, the firewall “steals” the connection and passes it to the application layer inspection filters. If the connection passes inspection, then it is forwarded to the published server. If the connection does not pass inspection, then it is dropped.


Figure 6

Now let us change our focus and look at the connectivity between the DMZ Network and the default Internal Network. In figure 7 below, you can see that we have a Network Rule connecting the default Internal Network to the DMZ Network, and the route relationship is NAT. Because the route relationship is NAT, when hosts on the default Internal Network try to connect to hosts on the DMZ Network, the DMZ Network hosts will see the source IP address of the connection to the be primary IP address on the DMZ NIC.

To allow connections to the DMZ Network from the default Internal Network, you need to create Access Rules. To allow connections from hosts on the DMZ Network to hosts on the default Internal Network, you need to create publishing rules. What you cannot do when there is a NAT relationship from the default Internal Network to the DMZ Network is create Access Rules allowing connections from the DMZ Network to the default Internal Network.


Figure 7

Figure 8 shows a reversal of the Network Rule connecting the DMZ Network to the default Internal Network. In this case, the Network Rule defines a NAT relationship from the DMZ Network to the default Internal Network. When hosts on the DMZ Network try to connect to hosts on the default Internal Network, the hosts on the default Internal Network will see the source IP address of the connection request as the primary IP address on the Internal Network NIC. Access Rules are allow connections from hosts on the DMZ Network to the default Internal Network and publishing rules allow connections from hosts on the default Internal Network to the DMZ Network. You cannot create Access Rules to allow connections from the default Internal Network to the DMZ Network because the hosts on the default Internal Network are on the non-NATed Network.


Figure 8

The next scenario looks at a scenario that is a common point of confusion: the back to back ISA/TMG firewall configuration. In a back to back firewall configuration, there is a front-end ISA/TMG firewall that is connected to the Internet, and there is a back-end ISA/TMG firewall that is connected to a DMZ behind the front-end firewall and an internal network behind the back-end firewall.

In the typical case, the front-end ISA/TMG firewall has a NAT route relationship between the DMZ network behind the front-end firewall and the default External Network. The back-end ISA/TMG firewall has a NAT relationship between the default Internal Network and the default External Network.

What you should appreciate here is that in this typical scenario, the DMZ network in front of the back-end ISA/TMG firewall is part of the back-end ISA/TMG firewall’s default External Network. Because it is part of its default External Network, the route relationship is going to be NAT. Therefore, if hosts behind the back-end ISA/TMG firewall need to connect to machines on the DMZ network between the firewalls, then you will create Access Rules to enable those connections. If there are machines in the DMZ network between the firewalls that need to connect to hosts behind the back-end ISA/TMG firewall, then you will need to create publishing rules to enable those connections.


Figure 9

Now let’s look a variation of the above scenario. In this case, on the back-end ISA/TMG firewall we create an ISA/TMG Firewall Network for the DMZ between the firewalls. Then we create a Network Rule that connects the default Internal Network on the back-end ISA/TMG firewall to the DMZ Network and define a Route relationship between the Networks. Now when hosts connect to resources on the DMZ Network, an Access Rule is used to allow the connection and the hosts on the DMZ Network see the source IP address as the original client IP address. This configuration also allows you to create Access Rules to allow hosts on the DMZ Network to connect to hosts on the default Internal Network behind the back-end ISA/TMG firewall.

This scenario is important because many people would like to terminate VPN connections at the front-end firewall. When VPN clients are terminated at the front-end ISA/TMG firewall, they are given IP addresses that are part of the DMZ Network. Thus, they act as DMZ Network hosts. You can then create Access Rules that allow the VPN clients access to resources on the default Internal Network behind the back-end ISA/TMG firewall. The take home point is that since the VPN clients are given IP addresses that belong to DMZ Network definition on the back-end ISA/TMG firewall, you can use Access Rules instead of publishing rules due to the route relationship between the two Networks.

There is one more thing you should be aware of in this back to back configuration where there is a route relationship between the back-end ISA/TMG firewall’s default Internal Network and the DMZ Network. When hosts on the back-end ISA/TMG firewall’s default Internal Network try to connect to the Internet, the connections must go through both firewalls. When the front-end ISA/TMG firewall receives the outbound connection request from hosts on the back-end ISA/TMG firewall’s default Internal Network, the source IP address is going to be the actual IP address of the host making the request.

Normally, the default Internal Network for the front-end ISA/TMG firewall will include the IP addresses on the DMZ Network. However, since there is a route relationship between the DMZ Network and the back-end ISA/TMG firewall’s default Internal Network, you need to include the addresses in the back-end ISA/TMG firewall’s default Internal Network in the addresses that define the front-end ISA/TMG firewall’s default Internal Network. If you fail to do this, the front-end ISA/TMG firewall will see the source address as one that doesn’t belong to it’s default Internal Network and will drop the connection as spoofed.


Figure 10

Summary

In this, part two in our series about ISA/TMG Network concepts, I went over some scenarios that were designed to help you understand the concept of Network Rules. Network Rules are required to connect Networks. If source and destination Networks are not connected, no communications will be allowed between those Networks, even if there are Access Rules configured to allow the connections. When defining a Network Rule to connect a source and destination Network, you also define the route relationship. The route relationship can be either NAT or Route. Access Rules and publishing rules are supported in a different way, depending on the route relationship between the source and destination Networks.

Next week we will look at a case study where we had to have a good understanding of how ISA/TMG firewall Networks work in order to get a working solution. This case study involves migrating an old ISA 2000 firewall to ISA 2006. Not only that, but the migration also includes changing over from a unihomed ISA firewall to a dual-homed firewall. As you might imagine, there were several network issues that needed to be addressed. You find out what the problems where and how we solved them in the next article. See you then! –Tom.

If you missed the first part in this article series please read Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

About Thomas Shinder

Thomas Shinder photo Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

Click here for Thomas Shinder's section.

Share this article

AddThis

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!

Latest articles by Thomas Shinder

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 2)

Forefront | ISA | Microsoft | TMG | Tom Shinder
Tuesday, January 13, 2009 11:23:08 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

 

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

What ISA/TMG firewall Networks are about and how the firewall uses these networks to perform several key functions.

Thomas Shinder photo

  • Published: Dec 16, 2008
  • Updated: Dec 16, 2008

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

Last week I did a blog post asking our ISAserver.org members what kind of content they would like to see on the site. I expected the typical stuff, such as “more articles on integrating with other networking equipment vendors” and “more information on how NLB works” and “more articles on how to make ISA and TMG work with Exchange 2007, SharePoint and OCS” and maybe even “more stuff about ISA and TMG add-ons”. I was not disappointed. I did get requests for all of that kind of content.

There was also another comment that I thought was interesting. Someone wrote to me and said that what he would like is some information on the basics. For example, the basics of ISA networking. This fellow said that many Microsoft admins who use ISA have a basic understanding of TCP/IP networking but do not have a good grip on how the ISA firewall see the networked world and any information that would help along those lines would be very helpful.

The comment was a timely one for me, as it dovetailed with some other experiences I was having last week. Therefore, in the spirit of this request for some return to the basics and my experiences last week, we will go over some of the basics of ISA/TMG firewall networking.

ISA/TMG Firewall Networks

NOTE:
Pay close attention to the capitalization I use in this article. Network with a capital “N” refers to an ISA/TMG Firewall Network – which is a network objects that the firewall uses to define collections of IP addresses directly accessible from a specific network interface. In contrast, when a lower case “n” is used for network, I am referring to a generic network or network segment.

ISA and TMG firewalls see the networked world based on the concept of the Network network object. The Network network object defines traffic that moves through the firewall. All traffic that moves to or through the firewall must source from one Network and have a destination to another Network. If the source and destination traffic are on the same Network, then the traffic doesn’t move through the firewall. However, there are times when traffic with the same source and destination Network can bounce off the firewall. We will take a look at this example later.

What is an ISA Firewall Network? An ISA/TMG Firewall Network is a collection of IP addresses that can directly reach a NIC on the firewall without having to traverse the firewall. For example, consider a simple scenario where the ISA firewall has two NICs: an internal interface with an IP address of 10.0.0.1 and an external interface with a public IP address. There is a host connected to the same network as the firewall’s internal interface and that client has an IP address of 10.0.0.2. In this example, the internal interface and the client at 10.0.0.2 are part of the same network, since the client can directly reach that interface without crossing the firewall. In addition, the client can’t be on the same network as the external interface of the firewall, since it would have to cross the firewall to reach that interface.

The figure below depicts this example. The internal interface has the IP address 10.0.0.1 and the client behind that interface has IP address 10.0.0.2. The client behind the internal interface can reach the internal interface directly. The client behind the internal interface cannot reach the external interface directly. Therefore, the client could never be a member of the ISA Firewall Network that the external interface belongs to.


Figure 1

As I mentioned earlier, an ISA Firewall Network is defined as a collection of IP addresses that can be reached directly through one of the interfaces on the ISA or TMG firewall. However, this does not mean that all of those IP addresses have to be on the same network ID as the interface on the ISA firewall.

For example, in the figure above, the internal interface of the ISA firewall was on network ID 10.0.0.0/24 and the client was an “on subnet” client that was also on network ID 10.0.0.0/24. The ISA Firewall Network defined for that interface was 10.0.0.0-10.0.0.255.

What if there is a router behind the ISA firewall’s internal interface and there are remote network IDs that need to connect to the Internet through the ISA Firewall’s internal interface? For example, in the figure below you see that I have added a router and a remote network ID behind that router, which in this case is 192.168.1.0/24. Will the ISA Firewall need to see connections from the 192.168.1.0/24 network ID as being on the same ISA Firewall Network as connections from the 10.0.0.0/24 network ID?

The answer is YES. The reason for this is that both 10.0.0.0/24 and 192.168.1.0/24 in this example have to connect to and through the ISA firewall using the same NIC. Since the ISA Firewall see each NIC as the root of an ISA Firewall Network, all connections made directly to and through the firewall on that interface are part of the same ISA Firewall Network.


Figure 2

However, in order to make this work, you need to add those addresses to the definition of the ISA Firewall Network. In this example, the definition of the default Internal Network would include the addresses 10.0.0.0-10.0.0.255 and 192.168.1.0-192.168.1.255. All of these IP addresses are part of the default Internal Network and reach the ISA firewall through the same network interface card.


Figure 3

The reason we need to include all the addresses that are behind a specific NIC on the firewall is that if there is a host that tries to connect through the ISA firewall on that NIC from a source IP address that is not part of that ISA Firewall Network, the connection request will be dropped as a spoof attempt. The ISA or TMG firewall sees the connection attempt as a spoof because the IP address is not part of the definition of that ISA Firewall Network.

For example, check out the figure below. We have defined the default Internal Network in this example as all IP addresses in the 10.0.0.0/24 and 192.168.1.0/24 ranges (note that I have included all the addresses in each network ID – that is not a requirement. I could have included only a subset of those IP addresses if I wanted to). What if a host with the IP address 172.16.0.2 tried to connect to the ISA Firewall through the NIC that represents the “root” of the default Internal Network?

The connection attempt would fail. The reason why it would fail is that 172.16.0.2 is not part of the definition of the default Internal Network in this example. Since the ISA Firewall does not recognize this source IP address as part of the default Internal Network, it will not allow the connection through the NIC that defines the “root” of the default Internal Network. It will call out this connection as a spoof attempt. All spoof attempts are blocked by the firewall.


Figure 4

What if you wanted to allow connections from that host at 172.16.0.2? It is a simple matter of adding that IP address to the definition of the ISA Firewall Network that this host uses to connect to and through the ISA firewall. In this case, you could add just that IP address, or if you have other hosts on that network ID, you could add the IP addresses of those hosts, or you could add all the addresses in that network ID.

You define that addresses that belong to a specific ISA Firewall network in the Properties dialog box for that Network. In the figure below, you can see the addresses tab for the default Internal Network. This default Internal ISA Firewall Network includes all addresses on the network ID 192.168.1.0/24.


Figure 5

You can create multiple ISA Firewall Networks on a single ISA Firewall. For example, suppose you wanted to create an ISA Firewall Network for wireless guest computers to connect to the Internet. In this case, you would add a third NIC to the ISA firewall (the other two interfaces are for the external interface and the internal interface). The third NIC would become the “root” of a new ISA Firewall Network. You would then assign addresses to that ISA Firewall Network. Each NIC on the ISA firewall needs to be on a different network ID, so after installing the third NIC, we assign it an IP address on a network ID that is different than the other two NICs. Then we assign IP addresses for the new ISA Firewall Network. In the figure below, you can see that all addresses on network ID 192.168.0.0/24 are part of the Guest ISA Firewall Network.


Figure 6

It is important to remember that an IP address can participate on a single ISA Firewall Network. You can not assign the same IP address to two different ISA Firewall Networks. If you do, you will receive an error message.

Out of the box, the ISA or TMG firewall will have the following Networks defined:

  • The default External Network – the default External Network is defined by all IP addresses that are used by any other ISA Firewall Network. Any address that is not used by any other ISA Firewall Network will automatically be included as part of the default External Network. The NIC that defines the default External Network is usually the NIC with the default gateway bound to it. ISA and TMG MBE firewalls support a single default gateway
  • The default Internal Network – this is the network you define during setup that represents your primary internal network. You can have multiple internal networks if you like, but there is only one default Internal Network which you set up during installation of the ISA firewall. The default Internal Network typically contains your key infrastructure services, such as DNS, DHCP and Active Directory domain services. The default Internal Network is important because much of the ISA and TMG firewall’s System Policy is configured to access resources on the default Internal Network
  • The Local Host Network – The Local Host Network is defined by the IP addresses bound to all NICs on the ISA or TMG firewall. For example, if the firewall had two interfaces, one with IP address 2.2.2.2 bound to it and the other with 10.0.0.1 bound to it, then IP addresses 2.2.2.2 and 10.0.0.1 are members of the Local Host Network. Note that this breaks one of the rules of ISA/TMG Networks – in that these IP addresses are also members of the Networks to which those NICs are connected. The 2.2.2.2 is likely a member of the default External Network and the 10.0.0.1 is a member of the default Internet Network.
  • VPN Clients Network – The VPN Clients Network contains the IP addresses of connected VPN clients. There are two ways to assign IP addresses to VPN clients: using a static address pool and using DHCP. If you assign IP addresses to VPN clients using a static address pool, then you must remove those IP addresses from any other Network that might contain them. For example, if you want to assign on-subnet addresses to VPN clients (such as 192.168.1.200-192.168.1.225/24 when the internal interface is on 192.168.1.1/24), you must remove those addresses from the definition of the on-subnet network.
    In contrast, if you want to use DHCP to assign IP addresses to VPN clients, then you do not have to remove those addresses from the definition of any other Network that might also be using those addresses. It makes sense, since when you use DHCP to assign these addresses; you know that no other host should be able to use the same IP address on any other Network. In contrast, if you assign static addresses to VPN clients, you do not know for sure that there might be an error that would lead you to use the same addresses on another Network. Addresses are automatically added and removed from the VPN clients Network when they are used and released by the VPN clients. Note that this represents a second exception to our rule that an IP address can belong to a single Network – since you use DHCP to assign IP addresses to VPN clients, those addresses can belong to another ISA/TMG Firewall Network.
  • Quarantined VPN Clients Network – The Quarantined VPN Clients Network contains the IP addresses of VPN clients that have not yet passed VPN quarantine control. This is configured as a separate Network from the VPN Clients Network because you might want to create Firewall Rules that allow quarantined VPN clients access to resources on a Protected Network (a Protected Network is any ISA/TMG Network that isn’t the default External Network) or even on the Internet so that they can remediate themselves. IP addresses are automatically moved from the Quarantined VPN Clients Network to the VPN Clients Network when the VPN client passes quarantine control checks.


Figure 7

Summing up what we know at this point:

  • ISA/TMG Firewall Networks are used for spoof detection. If a source IP address arrives at an interface that is a root of an ISA Firewall Network that isn’t an IP address defined for that Network, then the connection attempt is dropped as a spoofed connection attempt
  • An IP address can be assigned to a single ISA/TMG Firewall Network. The only exceptions to this rule are seen with the Local Host Network and the VPN Clients and Quarantined VPN Clients Networks when you use DHCP to assign addresses to VPN clients.
  • An ISA/TMG Firewall Network can contain IP addresses from multiple network IDs. What all these IP addresses have in common is that if they need to connect to and through the ISA or TMG firewall through the same NIC

ISA/TMG Firewall Networks also are used to do one more important task: define whether connections are routed or NATed from the systems on a particular Network to another Network. In order to hosts on a Network to communicate with hosts on another Network, the two Networks must be connected using a Network Rule. The Network Rule accomplishes two things:

  • Enables communications between the two ISA/TMG Firewall Networks
  • Sets a routing relationship between the two Networks

I’ll go into more details on Network Rules and connecting Networks to one another in the second part of this series on ISA/TMG firewall networking.

Summary

In this article, we went over what ISA/TMG firewall Networks are about and how the firewall uses these networks to perform several key functions. We saw that an IP address can belong to only a single Network, with the exception of the Local Host Network and the VPN Clients and Quarantined VPN Clients Networks. We then finished off with a brief overview of the default ISA/TMG Firewall Networks. Next week I will continue the story by showing you how ISA/TMG Networks are used to connect hosts on one Network to another, and how Networks are used to define a route relationship between source and destination. See you then! –Tom.

If you would like to be notified of when Tom Shinder releases the next part in this article series please sign up to our ISAserver.org Real-Time Article Update newsletter.

About Thomas Shinder

Thomas Shinder photo Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

Click here for Thomas Shinder's section.

Share this article

AddThis

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!

Latest articles by Thomas Shinder

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

Forefront | ISA | Microsoft | TMG | Tom Shinder
Tuesday, January 13, 2009 11:20:38 AM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Sunday, October 12, 2008
Thomas Shinder Blog » Blog Archive » Jim Harrison LIVE (sort of) - Virtualize Your ISA or Forefront TMG Servers

 

Thomas Shinder Blog RSS

All Blogs  »  Thomas Shinder Blog  »  News ISA Central  »  Blog article: Jim Harrison LIVE (sort of) - Virtualize Your ISA or Forefront TMG Servers

Jim Harrison LIVE (sort of) - Virtualize Your ISA or Forefront TMG Servers

From the site:

“In the past, ISA has had very limited or no support on Microsoft’s virtualization platform.  Now, ISA and Forefront Threat Management Gateway (TMG) is supported .  I met up with Jim Harrison to get some guidance on what you need to think about when you virtualize your ISA/TMG servers.  We quickly dive into a whiteboard session on the various ways you can configure Hyper-V / virtual server to work with ISA/TMG and dig into the advantages and disadvantages of each network configuration such as:

  • Performance
  • Management
  • Administration
  • Security

Some other things we talk about:

  • Why placing TMG on the parent is a bad idea and how you should configure the parent partition
  • Configuration options of the actual ISA/TMG server
  • Failover, Clustering, and Quick Migration with ISA / TMG in a virtual environment
  • Configuration changes you should make for any host which faces the Internet

View the security considerations for virtualized ISA / TMG deployments guide / whitepaper Jim wrote.

See KB article 957006 which states ISA (and other) products are officially supported on Hyper-V.”

=====================================

Head on over to http://edge.technet.com/Media/Virtualize-your-ISA-...rvers/ to watch and listen to Jim Harrison’s great presentation on deploying an ISA or TMG firewall in a virtualized environment. You’ll be glad you did!

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

This entry was posted on Sunday, October 12th, 2008 at 9:54 am and is filed under News, ISA Central. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Thomas Shinder Blog » Blog Archive » Jim Harrison LIVE (sort of) - Virtualize Your ISA or Forefront TMG Servers

Forefront | Hyper-V | Microsoft | TMG | Virtual Appliances | Virtualization
Sunday, October 12, 2008 5:29:01 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Thursday, September 18, 2008
Intelligent Application Gateway Product Team Blog : ISA 2006 SP1 and IAG 2007 Supportability Statement

 

ISA 2006 SP1 and IAG 2007 Supportability Statement

Introduction

Occasionally you find the combination of two things that result in something better than the sum of the individual parts. Some combinations that come to mind are peanut butter and chocolate, steak and lobster, and ISA Server 2006 and IAG 2007. You can’t eat ISA and IAG but combined in the IAG 2007 product they create an awesome SSLVPN with rich features. Just like a good soup, IAG 2007 benefits from high quality ingredients. For more information on this “better together” approach review the articles below:

http://www.microsoft.com/forefront/edgesecurity/iag/en/us/secure-remote-access.aspx

http://www.microsoft.com/Forefront/edgesecurity/iag/en/us/faq.aspx

Real World Experience

Recently, I began seeing questions about the addition of ISA 2006 SP1 on customers IAG 2007 systems. After some research it turned out that Windows update was detecting the lack of ISA 2006 SP1 and prompting administrators to install the service pack on their IAG 2007 servers. If you are familiar with IAG 2007 predecessor eGap 3.6 you will remember that the internal server was protected by a SCSI interface that shuttled between the external and internal servers. In IAG 2007 the external server and SCSI interconnect have been removed and replaced by ISA 2006. In this configuration ISA 2006 protects the external interface of IAG 2007 amongst other things.

Since SP1 for ISA 2006 includes feature updates as well as security updates, just like any other windows application it is essential to make sure there is no security vulnerability that might affect the ISA application. Hence it is important to make sure the ISA server is also updated from time to time.

When you first initialize the IAG 2007 system you will notice that ISA server 2006 is installed as well. As applications are added to the portal trunk, rules are created in ISA 2006 to allow the specific traffic types that IAG 2007 will publish. If IAG 2007 is configured for automatic updates or you visit the Windows update site, SP1 for ISA 2006 will be queued for installation if it is not already installed. You can review the benefits of SP1 for ISA 2006 by following this link: http://blogs.technet.com/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx

As you can see from reading the list we fixed a few things in ISA 2006 with SP1. In addition, patch management is part of the Desktop, Device, and Server security process best practices that IT professionals should be following. Recently, while testing IAG 2007 SP2 our product group tested with ISA 2006 SP1 installed and found no issues related to this service pack. So go ahead and add ISA 2006 SP1 to your IAG 2007 system. I bet you will find it’s a great combination and is a high quality ingredient in your security soup.

Author
Dan Watson
Security Support Engineer –IAG Team
Microsoft – NC

Technical Reviewers
Yuri Diogenes
Security Support Engineer – ISA/IAG Team
Microsoft – Texas

Mohit Saxena
Security Technical Lead – ISA/IAG Team
Microsoft – Washington

Published Thursday, September 18, 2008 8:02 PM by edgeaccessblog
Filed under: Intelligent Application Gateway, ISA Server 2006 SP1

Intelligent Application Gateway Product Team Blog : ISA 2006 SP1 and IAG 2007 Supportability Statement

IAG | ISA | Microsoft
Thursday, September 18, 2008 7:12:15 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 
Forefront Team Blog : Independent research firm recognizes Microsoft NAP as a leader in Network Access Control

 

Independent research firm recognizes Microsoft NAP as a leader in Network Access Control

Published 18 September 08 12:45 AM | Forefront Blogger

Microsoft’s Network Access Protection (NAP) solution was cited as a leader (the top category) in a recent independent report, “The Forrester Wave: Network Access Control, Q3 2008.”  Microsoft was one of the many network access control (NAC) vendors invited to participate in the report.

Forrester placed a lot of emphasis on different access control scenarios for the evaluation and the different vendors were evaluated around twelve different scenarios as well as strengths across technology, strategy and market presence.

“Microsoft has the strongest NAC product for managed endpoints,” the report stated. The report goes on to state that even though its official product has only been shipping since the inception of Windows Server 2008, Microsoft has already established itself as a critical thought leader and contributor to the standardizations of NAC. “Microsoft has the overall highest score among the 12 scenarios we evaluated,” the report added.

Microsoft Network Access Protection ships with Windows Server 2008 and Windows Vista and XP SP3, and has a framework that provides interoperability with over 100 different vendors. The NAP statement of health (SOH) has also been adopted as a standard by the Trusted Computing Group’s Trusted Network Connect (TNC).

More information about Microsoft NAP can be found here http://www.microsoft.com/nap

Forefront Team Blog : Independent research firm recognizes Microsoft NAP as a leader in Network Access Control

Microsoft
Thursday, September 18, 2008 7:10:08 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0]  | 

Theme design by Jelle Druyts

Pick a theme: