Thursday, September 18, 2008

 

Announcing: Forefront Threat Management Gateway, Medium Business Edition

I am pleased to announce that the first version of the new Forefront Threat Management Gateway (TMG) has been released to manufacturing as part of the Windows Essential Business Server 2008 (EBS) release. As I first blogged in April of this year, Forefront TMG is a new era for the ISA Server product line. It is taking us and our customers into new and innovative protection directions based on the ever-increasing threats we are seeing on the Internet today.

Forefront TMG, Medium Business Edition is fully integrated in Windows Essential Business Server and installed by default. One of the unique capabilities of this edition is the simplified setup and configuration – without taking away the ability for customers or value added service providers to provide the customization or control they may require for their specific environments. We took a specific approach in this release by asking the administrator what he/she wants to achieve, not how to do it. The end result is a server pre-configured with best practices for the most common security and access needs including Internet access, remote access and common firewall rules.

Not only does Forefront TMG include a fully featured and highly rated corporate firewall capability, but it adds a Unified Threat Management (UTM) capability to the EBS installation. It truly provides a comprehensive, all-in-one integrated edge security solution, for both the headquarters and the branch offices. The real value comes through the tight integration of the different UTM components, as well as with the other applications and solutions encompassing EBS. The integrated anti-virus subscription services provide administrative relief to IT professionals from having to constantly monitor the security threats and changing edge policies. The “Am I Secure?” page provides an easy, at a glance view of the security state and statistics of the system avoiding the need for complex understanding and expertise to provide protection for the business.

As our software, hardware and appliance partners announce exciting value-add offerings, I will keep the community informed. In addition, I will be announcing future details around the public beta for the next edition of TMG later this year on this blog. I think you will be excited and surprised, and it will certainly be well worth the wait when we announce. Stay tuned to this channel for continual updates!

David B. Cross

Product Unit Manager

Published Tuesday, September 16, 2008 1:13 PM by isablog

Forefront TMG (ISA Server) Product Team Blog : Announcing: Forefront Threat Management Gateway, Medium Business Edition

ISA | TMG
Thursday, September 18, 2008 7:13:24 PM (Eastern Standard Time, UTC-05:00)

 

ISA 2006 SP1 and IAG 2007 Supportability Statement

Introduction

Occasionally you find the combination of two things that result in something better than the sum of the individual parts. Some combinations that come to mind are peanut butter and chocolate, steak and lobster, and ISA Server 2006 and IAG 2007. You can’t eat ISA and IAG but combined in the IAG 2007 product they create an awesome SSLVPN with rich features. Just like a good soup, IAG 2007 benefits from high quality ingredients. For more information on this “better together” approach review the articles below:

http://www.microsoft.com/forefront/edgesecurity/iag/en/us/secure-remote-access.aspx

http://www.microsoft.com/Forefront/edgesecurity/iag/en/us/faq.aspx

Real World Experience

Recently, I began seeing questions about the addition of ISA 2006 SP1 on customers' IAG 2007 systems. After some research it turned out that Windows Update was detecting the lack of ISA 2006 SP1 and prompting administrators to install the service pack on their IAG 2007 servers. If you are familiar with IAG 2007's predecessor, eGap 3.6, you will remember that the internal server was protected by a SCSI interface that shuttled between the external and internal servers. In IAG 2007 the external server and SCSI interconnect have been removed and replaced by ISA 2006. In this configuration ISA 2006 protects the external interface of IAG 2007, amongst other things.

Since SP1 for ISA 2006 includes feature updates as well as security updates, just like any other Windows application, it is essential to make sure there is no security vulnerability that might affect the ISA application. Hence it is important to make sure the ISA server is also updated from time to time.

When you first initialize the IAG 2007 system you will notice that ISA Server 2006 is installed as well. As applications are added to the portal trunk, rules are created in ISA 2006 to allow the specific traffic types that IAG 2007 will publish. If IAG 2007 is configured for automatic updates or you visit the Windows Update site, SP1 for ISA 2006 will be queued for installation if it is not already installed. You can review the benefits of SP1 for ISA 2006 by following this link: http://blogs.technet.com/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx

As you can see from reading the list, we fixed a few things in ISA 2006 with SP1. In addition, patch management is part of the Desktop, Device, and Server security process best practices that IT professionals should be following. Recently, while testing IAG 2007 SP2, our product group tested with ISA 2006 SP1 installed and found no issues related to this service pack. So go ahead and add ISA 2006 SP1 to your IAG 2007 system. I bet you will find it's a great combination and a high quality ingredient in your security soup.

Author
Dan Watson
Security Support Engineer – IAG Team
Microsoft – NC

Technical Reviewers
Yuri Diogenes
Security Support Engineer – ISA/IAG Team
Microsoft – Texas

Mohit Saxena
Security Technical Lead – ISA/IAG Team
Microsoft – Washington

Published Thursday, September 18, 2008 8:02 PM by edgeaccessblog
Filed under: Intelligent Application Gateway, ISA Server 2006 SP1

Intelligent Application Gateway Product Team Blog : ISA 2006 SP1 and IAG 2007 Supportability Statement

IAG | ISA | Microsoft
Thursday, September 18, 2008 7:12:15 PM (Eastern Standard Time, UTC-05:00)

 

Independent research firm recognizes Microsoft NAP as a leader in Network Access Control

Published 18 September 08 12:45 AM | Forefront Blogger

Microsoft’s Network Access Protection (NAP) solution was cited as a leader (the top category) in a recent independent report, “The Forrester Wave: Network Access Control, Q3 2008.”  Microsoft was one of the many network access control (NAC) vendors invited to participate in the report.

Forrester placed a lot of emphasis on different access control scenarios for the evaluation and the different vendors were evaluated around twelve different scenarios as well as strengths across technology, strategy and market presence.

“Microsoft has the strongest NAC product for managed endpoints,” the report stated. The report goes on to state that even though its official product has only been shipping since the inception of Windows Server 2008, Microsoft has already established itself as a critical thought leader and contributor to the standardizations of NAC. “Microsoft has the overall highest score among the 12 scenarios we evaluated,” the report added.

Microsoft Network Access Protection ships with Windows Server 2008 and Windows Vista and XP SP3, and has a framework that provides interoperability with over 100 different vendors. The NAP statement of health (SOH) has also been adopted as a standard by the Trusted Computing Group’s Trusted Network Connect (TNC).

More information about Microsoft NAP can be found here: http://www.microsoft.com/nap

Forefront Team Blog : Independent research firm recognizes Microsoft NAP as a leader in Network Access Control

Thursday, September 18, 2008 7:10:08 PM (Eastern Standard Time, UTC-05:00)
Thursday, August 07, 2008

 

Publishing Exchange 2007 Services with ISA Server 2006 - Creating the Publishing Rule for Outlook Anywhere with Transparent Windows Authentication

One of the most popular questions we get regarding the ISA firewall and Exchange Server is how to get transparent authentication for the Outlook client. Most users prefer to store their passwords and don’t want to enter their passwords each time they open Outlook. The problem is that if you use basic authentication at the client and at the ISA firewall’s Web Listener, you will always need to enter credentials when Outlook starts up.

Thomas Shinder Blog » Blog Archive » Publishing Exchange 2007 Services with ISA Server 2006 - Creating the Publishing Rule for Outlook Anywhere with Transparent Windows Authentication

ISA
Thursday, August 07, 2008 9:29:43 AM (Eastern Standard Time, UTC-05:00)

 

Tales from the Edge is Online

Today we are launching in the Forefront Edge Community page a new session called: Tales from the Edge. Jim Harrison and I will host articles about Forefront Edge Suite bringing real world scenarios and documenting things that were not documented yet. In this new wave we are going to release four brand new articles with very precious information about Edge products. Visit the new Forefront Community Page at:

http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687298.aspx

Filed under: ISA Administration

Yuri Diogenes's Blog : Tales from the Edge is Online

ISA
Thursday, August 07, 2008 9:26:27 AM (Eastern Standard Time, UTC-05:00)
Wednesday, August 06, 2008

 

Wednesday, August 06, 2008 5:58 AM yuridio

Intermittent Performance Problem while Accessing Internet through ISA Server 2006

1. Introduction

One of the main challenges for the ISA Admin is to determine the culprit for an intermittent issue. This gets worse when the issue is related to performance. While there are many elements that can impact ISA Server’s performance, this post will describe an interesting case where the client was having problems browsing the Internet through ISA Server. The web sites were coming up really slowly, and the issue was happening regardless of the browser (IE6 or IE7).

Read more at the source.

Source: Yuri Diogenes's Blog : Intermittent Performance Problem while Accessing Internet through ISA Server 2006

ISA
Wednesday, August 06, 2008 7:11:09 AM (Eastern Standard Time, UTC-05:00)
Wednesday, July 30, 2008

 

Wednesday, July 30, 2008 3:06 PM yuridio

Do you really know what is and what is not supported on ISA Server?

The last two months were, for some reason, pretty busy with calls for ISA Server issues where customers were running in a non-supported scenario. Interestingly enough, the articles on non-supported configurations have been out there since ISA Server 2004. Maybe it is time to refresh your favorites and start adding those articles to them. Here you will find supportability boundaries, limitations and unsupported scenarios:

Article: Troubleshooting Unsupported Configurations

Description: In the above article you will find nice explanations about some behaviors, including the reason why ISA Server does not support multiple default gateways.

Article: Best Practices for Performance in ISA Server 2006

Description: This article will explain the options to deploy ISA Server 2006 in a virtual environment.

Article: Configuring ISA Server 2004 on a Computer with a Single Network Adapter

Description: This article is also valid for ISA Server 2006, and it has the limitations and unsupported scenarios for ISA Server when running on a single NIC system.

Besides the official ISA Server TechNet Library articles, we (ISA Server Team members) are documenting in the ISA Team Blog behaviors that are expected. Here are the articles that were published so far:

Understanding By-Design Behavior of ISA Server 2006: Buffering and Streaming Web Publishing Rule Content

Understanding By-Design Behavior of ISA Server 2006: Using Kerberos Authentication for Web Proxy Requests on ISA Server 2006 with NLB

Files larger than 512MB are not served from cache after ISA Server firewall service is restarted

The tip for IT professionals who are implementing ISA Server 2006 is to review those articles before starting any deployment. I know how frustrating it is to build the whole infrastructure and then, when you call CSS to open a ticket, get the bad news that the environment is not supported. Although this can be a frustrating experience, you should feel glad that this product has well-known and public supportability boundaries. This helps you to understand what can and what cannot be done before you start deploying your ISA Server.

Filed under: ISA Administration

Yuri Diogenes's Blog : Do you really know what is and what is not supported on ISA Server?

ISA
Wednesday, July 30, 2008 11:15:00 AM (Eastern Standard Time, UTC-05:00)
Monday, July 14, 2008

 

Winfrasoft’s Backup for ISA Server Goes RTM

Until now there has been no real way of fully backing up your ISA Server deployments. Some may think that restarting servers, manual exports and custom scripting are the solution. However, many hours will be spent re-installing, importing settings, re-configuring and tweaking – but inevitably losing log data. The result is loss of data and productivity due to system down time.

Restores may not work as expected and even more time will be lost as everything is rebuilt from scratch.
Now you can back up on the fly and restore again in minutes!

Major Features

  • Backup of ISA Server configuration
  • Backup of ISA Array configuration
  • Backup of ISA Enterprise policy
  • Backup of Firewall logs
  • Backup of Web Proxy logs
  • Backup of IP and Routing information
  • Backup Array log data from a single server
  • Scheduled backup jobs
  • High security - AES 256-bit encryption
  • Small size - PPMd compression (over 95%)
  • Central network storage of backups
  • Supports selection files
  • Command line interface for scripting
  • Slick .NET based Wizard driven user interface
  • ISA Server 2004 and 2006 support
  • Native support for Websense Security Suite*

Minimum Server System Requirements:

  • Windows Server 2003
  • ISA Server 2004 Standard Edition or Enterprise Edition or
  • ISA Server 2006 Standard Edition or Enterprise Edition

Languages:

  • Backup for ISA Server is compatible with multi-lingual versions of Windows Server 2003, however, it is only available in UK English.

  • Although multi-lingual versions of Windows Server 2003 can be used, Backup for ISA Server is ONLY compatible with the English version of ISA Server. Non-English versions of ISA Server are NOT supported.

For more information and downloads, check out:

http://www.winfrasoft.com/BackupForISA.htm

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Thomas Shinder Blog » Blog Archive » Winfrasoft’s Backup for ISA Server Goes RTM

ISA
Monday, July 14, 2008 9:09:41 PM (Eastern Standard Time, UTC-05:00)
Tuesday, July 08, 2008

 

Virtual Appliances Offer Effective, Scalable Messaging Security

July 2, 2008

Click Here To Download:
White Paper: Virtual Appliances Offer Effective, Scalable Messaging Security

Variability in spam traffic forces organizations to make an awkward choice: whether to maintain peak-load messaging security capacity—and incur the associated high costs—or to prepare for routine loads, a less costly approach but one that comes with the risk of under-capacity when spam levels spike. Now, there is a new approach to resolving this dilemma: virtual appliance-based messaging security solutions. With hardened, ready-to-deploy appliance images and per-seat licensing, organizations can meet a spam or virus crisis quickly, efficiently, and economically.

Virtual appliance solutions use exactly the same code and update methodology as their physical counterparts—but combine them with all the utilization, management, and cost benefits of virtualization. Although physical appliances and other solutions will still be appropriate in some circumstances, the advantages of virtual appliances are compelling.

Virtual appliance–based security solutions combine security, performance, and flexibility to adapt quickly and effectively to the requirements of any network environment—and any level of threat.


Virtual Appliances Offer Effective, Scalable Messaging Security

Tuesday, July 08, 2008 9:38:15 PM (Eastern Standard Time, UTC-05:00)
Thursday, July 03, 2008

 

ISA Server 2006 SP1 is Out

ISA Server 2006 SP1 was released today (a couple of minutes ago) and you can download it from the link below: http://www.microsoft.com/downloads/details.aspx?FamilyId=D2FECA6D-81D7-430A-9B2D-B070A5F6AE50&displaylang=en

We do have some good articles out there already that talk about the functionalities of this release; review some of them:

Jim Harrison reveals ISA Server 2006 SP1

ISA Server 2006 SP1 Demos by Yuri Diogenes

Your New ISA Firewall: ISA 2006 Service Pack 1 (Part 1) by Tom Shinder

ISA Server 2006 Service Pack 1: New features and enhancements by Marc Grote

Filed under: ISA Administration

Yuri Diogenes's Blog : ISA Server 2006 SP1 is Out

Thursday, July 03, 2008 9:56:51 AM (Eastern Standard Time, UTC-05:00)
Monday, June 30, 2008

 

June 30, 2008 9:48 AM PDT

Hyper-V is not hype

Posted by Jon Oltsik

Microsoft did something that it rarely does last week when it announced availability of its Hyper-V server virtualization technology months ahead of schedule. Unlike Microsoft Virtual Server which ran as an application, Hyper-V is a true hypervisor capable of hosting multiple instances of Windows and even Suse Linux.

OK, so Microsoft is in the game, but can it compete with server virtualization king VMware? Yup. According to ESG Research, 69 percent of organizations planning to adopt server virtualization are considering Microsoft technology, 59 percent are considering VMware, 10 percent contemplating XenSource, and 4 percent are kicking the server virtualization tires with Virtual Iron.

Microsoft understands that server virtualization is a strategic IT initiative and it has the potential to really disrupt the server licensing landscape. In other words, server virtualization could take a bite out of Windows sales if VMware wins in a landslide. Microsoft just won't let that happen.

As Hyper-V gains visibility my colleague Mark Bowker expects Microsoft to:

1. Throw money and programs at its OEMs
Microsoft will use its vast resources to run joint-marketing programs, educate customers, and generate leads with server vendors like Dell, Hewlett-Packard, and IBM. The goal? Maximize visibility of Hyper-V in a hurry.

2. Use management as a Hyper-V complement
Microsoft is currently in beta with its System Center Virtual Machine Manager (SCVMM), a management platform that controls Hyper-V and VMware ESX. As this becomes available, Microsoft can play a low-cost management card to introduce its hypervisor into VMware accounts.

3. Target the midmarket
VMware is surprisingly strong in the SMB space, along with feisty Virtual Iron. Nevertheless, Microsoft has an army of channel partners and Windows consultants who should be able to quickly penetrate this Windows-centric market segment.

VMware is way too ubiquitous and strong to be "Netscaped," but Microsoft will certainly make the server virtualization space more competitive--in a hurry.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

Hyper-V is not hype | Tech news blog - CNET News.com

Monday, June 30, 2008 3:01:04 PM (Eastern Standard Time, UTC-05:00)
