The Private Cloud Man

Troubleshooting DirectAccess Manage Out Connections

2013-04-01T15:00:20Z

The following are some troubleshooting steps if you run into problems getting inside-out management working. Inside-out management is the ability for a machine on the internal corporate network, such as a helpdesk machine, to be able to initiate communications to remote, internet-based DirectAccess clients, such as by using RDP sessions, remote registry, or mapping drives.

1. Ensure the remote DirectAccess client has registered its IPv6 address and name in DNS and that it can be resolved by the Inside-Out management machine. The IPv6 address will correlate to which ever connection mechanism the client is using, either:

a. Native IPv6 (unlikely)

b. 6to4

c. Teredo

d. IP-HTTPS

Note. A link local IPv6 address will not work.

2. Ensure the Inside-Out management machine is configured with IPv6 via ISATAP (this could also be native IPv6 but we will assume ISATAP).

Note. A link local IPv6 address will not work.

If the Inside-Out management machine is not receiving an ISATAP address, check

a. All the ISATAP IP addresses are registered (see point 4 below)

b. That all the ISATAP IP addresses are all in the same subnet, and that the subnet mask allocated is correct

c. That the Intranet firewall is allowing Protocol 41 (See point 5 below)

3. Ensure the Inside-Out management machine has registered its IPv6 address and name in DNS and can be resolved successfully. This will be the machines ISATAP IPv6 address.

If the helpdesk machine does not have an ISATAP address refresh ISATAP (and other) settings from the command line using one of the following commands:

i. SC CONTROL IPHLPSVC PARAMCHANGE

Or

ii. NET STOP IPHLPSVC then NET START IPHLPSVC

4. Ensure the ISATAP router name is resolving to the internal interfaces of the DirectAccess server acting as the ISATAP router from the internal network, or other ISATAP router if you are using one.

a. In a WNLB 2-node array, this would be the 2 x servers dedicated IP addresses plus the virtual IP address, so 3 addresses in total all resolving to the ISATAP name.

5. Ensure that the Intranet Firewall is allowing Protocol 41 (IPv6 encapsulation) to UAG servers in both directions. Do not confuse Protocol 41 with Port 41. IPv6 Encapsulation is a protocol like TCP or UDP, not a Port.

6. Ensure any required client side firewall rules are in place on the remote DirectAccess clients with Edge traversal allowed

a. ICMPv4 for pinging IPv4 addresses

b. ICMPv6 for pinging IPv6 addresses

c. F&P for whichever services you require, such as SMB file share mapping

d. Remote Desktop

e. Etc. Etc.

7. Ensure all the DirectAccess Servers have a valid ISATAP configuration.

a. NETSH INT IPV6

a.1. Find the index number for ISATAP

b. NETSH INT IPV6 SH INT Index#

b.1. Ensure that Forwarding, Advertising and Advertise Default Route, are all enabled

b.2. If not

b.2.1. NETSH INT IPV6 SET INT Index# FORWARDING =EN ADVERTISE=EN ADVERTISEDEFAULTROUTE=EN

b.3. Validate changes

b.3.1. NETSH INT IPV6 SHOW INT Index#

b.4. NET STOP IPHLPSVC

b.5. NET STOP IPHLPSVC

8. Collect some trace logs:

a. NETSH TRACE START SCENARIO=DIRECTACCESS CAPTURE=YES REPORT=YES

b. NET STOP IPHLPSVC

c. NET START IPHLPSVC

d. Wait 10 seconds

e. NETSH TRACE STOP

The logs are called NETTRACE.ETL and NETTRACE.CAB files and will be located in the %TEMP%\NetTraces folder. Either analyse the logs yourself or send them to your support representative.

9. Note. If you want to be able to manage the remote DirectAccess computers even when no one is logged on to them, add the Inside-Out management machines to the management servers group on the DirectAccess servers, where you define Domain Controllers, SCCM and AV machines. Machines defined in these groups can access the client when only the infrastructure tunnel is up, i.e. before the remote user logs on and establishes the Intranet tunnel. If you have been trying to connect to a remote machine that is not logged on, this could be your problem.

Finally, if the troubleshooting steps have still not helped, just be aware of the issue in this knowledge base article, DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010, caused by custom security policies regarding the local security rights for the DirectAccess Manage-Out machine and clients (e.g. modifying the setting "Access this computer from the network").

If you are still having problems you will need to set up network traces from the inside-out management machine, the DirectAccess servers, and the remote DirectAccess client to see where things are going wrong.

HTH.

Colin Brown, Architect.

Microsoft Consulting Services.

Identity Management White Papers for Cloud and Hybrid IT

2013-01-29T16:23:06Z

One of the hottest topics in IT these days is identity management. Sure, IdM has been important for a long time but with the advent and the acceleration of cloud computing, it’s taken a prominent position on the IT stage. There are a lot of issues that you need to consider with the new computing paradigms that we didn’t have to deal with before. But how do you figure out what’s important and what’s not?

Typically, you’d go do a Bing search and see what’s out there. That’s what I did. The problem I ran into was that there really wasn’t a lot of good information on identity architecture. Most of the information I found was very product specific, so the assumption was that you were already an identity architect and therefore you already knew about foundational issues and essential capabilities. Too bad for me, since I was not an identity architect.

So what was the solution to the problem? Since I work at Microsoft, why not take advantage of the fact that we have some pretty smart people who work as identity architects in Microsoft Consulting Services? That’s what my colleague Gaiana Bagdasaryan and I did – talk to the these architects who have had many years of experience architecting, designing, planning, deploying an operating identity management solutions.

The result of this effort is a collection of two papers:

The Four Pillars of Identity: Identity Management in the Age of Hybrid IT

Identity Infrastructure Capabilities: Identity Management in the Age of Hybrid IT

I think we did pretty good with these papers, at least for a start. But there’s still a lot of work to be done. These are architectural papers, so we tried to keep the amount of product and technology specifics to a minimum and focused on what the problems are and what capabilities are required to solve these problems. We plan to follow up on these by providing more information on Microsoft technologies that can be used to solve many of the problems you’ll encounter when architecting an identity management solution.

Let me know what you think of these papers and please feel free to share any ideas you have on how to make them better and what kind of information you’d like to see moving forward.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

Go Social with Private Cloud Architecture!
Private Cloud Architecture blog
Private Cloud Architecture Facebook page
Private Cloud Architecture Twitter account
Private Cloud Architecture LinkedIn Group
Private Cloud TechNet forums
TechNet Private Cloud Solution Hub
Private Cloud on the TechNet Wiki

Tim Rains Introduces Windows Server 2012 Security from End to Edge and Beyond

2012-11-08T12:54:05Z

Windows Server 2012 is the greatest operating system Microsoft has ever unleashed on your data center. There are so many new features and capabilities that it would take several books to illuminate them all. And with all that goodness comes a number of new and improved security technologies. This is what the book Windows Server 2012 Security from End to Edge and Beyond written by me, Yuri Diogenes and Debra Littlejohn Shinder is all about.

Why did we pick the name “From End to Edge and Beyond”? The “End” is the endpoint – the client device that connects to server based applications and services and the servers themselves. The “Edge” is the edge of the network, a firewall or a remote access server. And “Beyond” is about the cloud. Windows Server 2012 Security from End to Edge and Beyond addresses all of these issues, security has it applies to the endpoint, network edge and the cloud.

What’s inside? Check this out:

Chapter 1 – Planning Platform Security
Chapter 2 – Planning Server Role in Windows Server 2012
Chapter 3 – Deploying Directory Services and Certificate Services
Chapter 4 - Deploying ADFS and ADRMS in Windows Server 2012
Chapter 5 – Patch Management with WSUS Role in Windows Server 2012
Chapter 6 – Virtualization Security
Chapter 7 – Controlling Access to your Environment with Authentication and Authorization
Chapter 9 – Secure Client Deployment with Trusted Boot and Bitlocker
Chapter 8 – Planning Endpoint Security
Chapter 10 – Mitigating Application’s Vulnerabilities
Chapter 11 – Mitigating Network Vulnerabilities
Chapter 12 – Planning for Anywhere Access Security
Chapter 13 – Seamless and Secure Connection with DirectAccess
Chapter 14 – Protecting Legacy Remote Clients
Chapter 15 – Cloud Security

And there’s an added bonus – Tim Rains from the Microsoft Trustworthy Computing Group will be writing a forward for the book! Tim Rains is the Director of Product Management in Microsoft’s Trustworthy Computing group. Tim and his team of product managers support the Microsoft Security Response Center (MSRC), the Microsoft Malware Protection Center (MMPC), and the Microsoft Security Engineering Center (MSEC) which includes the Security Development Lifecycle (SDL) and Security Science. Among other things, Tim’s team manages production of the Microsoft Security Intelligence Report (www.microsoft.com/sir). Tim has worked in several roles at Microsoft including the Senior Public Relations Manager of Security Response at Microsoft, Senior Product Manager of the Microsoft Malware Protection Center, Program Manager of the Windows Network Diagnostics team, Technical Lead on the Security Incident Response team in the Product Support Services (PSS) Security team and Technical Lead on the PSS Windows Server Networking team.

It’s quite a compliment to have Tim endorse our book. Not only will he write a forward for the book, he has made several key suggestions that enhance the overall value of the book to any security minded administrator who needs that extra leg up to secure his data center. Yuri, Debi and I truly appreciate Tim’s insights and we hope you will benefit from Tim’s input into this book.

We just about done with the writing and expect that the book will be available in December or January. Stay tuned!

HTH,

Tom

Goodbye Edge Man–Welcome to the Private Cloud

2012-03-03T00:32:49Z

Hey folks,

You might have noticed that the old Edge Man hasn’t posted for almost a year. The Edge Man blog began as part of my work with UAG DirectAccess. I think we did a lot of great work here and provided some keen value for all of you who were working with UAG DirectAccess and even for those who were using the Windows DirectAccess. For you DirectAccess fans, I can assure you that DirectAccess is alive and well and I think you’ll find some welcome improvements as we move forward to the next version of DirectAccess. If you want to know more about that, then check the TechNet library.

While those were good times, its good to expand one’s horizons and explore new technologies and ways of thinking. I’ve since moved on from the UAG DirectAccess team and now work on the Server and Cloud Information Experience Solutions Group (that’s a mouthful!) Our primary focus is private cloud and you can find the body of our work in the Private Cloud Solutions Hub on TechNet.

My perspective on private cloud is that it provides you an opportunity to start over. I don’t see many people running data centers today who feel that their current datacenter is what they would have built on purpose. There are a number of reasons for this, but due to a confluence of things under their control and not under their control, their datacenters aren’t the well architected, well-designed, smooth running machines that they’d like them to be.

This is where private cloud represents a unique opportunity to start over. The private cloud provides you the chance to start over, to rebuild your datacenter into what you want it to be. And while some say (including myself) that the “cloud” presents a new paradigm for delivering software and services, the fact is that private cloud does all the things our current datacenters do – but does it in a way that enables them to be cheaper (sometimes), faster, more reliable, and better at delivering services to our customers.

So there you have it. The Edge Man has become the Private Cloud Architecture man. Does that mean I’m going to always have my head in the clouds and stick with conceptual stuff? Not likely. I’m doing a lot of work now on the technologies included in the Windows 8 operating system that enable the cloud. I’ll take a lot about those technologies in the future – but if you want an early glimpse of what I’ve been working on, check the TechNet library HERE.

As we move forward, I’ll run fun things like contests, games, and other things that will put some lightening into the cloud! Looking forward to you all joining my on this trek. It’s going to be a wild ride!

Thanks!

Tom

Tom
Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

A New Tech Talk Show–Security Talk with Yuri Diogenes and Tom Shinder

2011-05-02T18:18:52Z

Yuri Diogenes and I have worked together on a number of projects over the years – last year we published three new books on TMG, UAG and Forefront Security for Exchange. You can find more information on these books on Yuri’s blog at http://blogs.technet.com/b/yuridiogenes/archive/2010/07/08/new-forefront-books-by-microsoft-press.aspx

We also worked together on the TMG Firewall Administrator’s Companion which you can find at http://blogs.msdn.com/b/microsoft_press/archive/2009/12/09/forefront-tmg-2010-administrator-s-companion-a-unique-reading-experience-is-coming.aspx

So with four books in the can, where do we go from there? Well, Yuri recently moved from CSS Security to Windows Server iX so we thought “how about we do a security talk show?” Sounded like a good idea to me, and thus Security Talk with Yuri Diogenes and Tom Shinder was born.

Unlike Talk TechNet (http://technet.microsoft.com/en-us/gg558001), Security Talk with Yuri Diogenes and Tom Shinder is like a television talk show – we plan on recording two shows a month and if the thing takes off, we’ll consider doing four shows a month so that you can enjoy the fun once a week.

While the official launch won’t be until after TechEd, we took advantage of the fact that Jim Harrison was in town from Redmond (Yuri and I live in the Dallas/Ft. Worth area in Texas) and did a “practice” session.

Head on over to the Security Talk with Yuri Diogenes and Tom Shinder blog for more information and to view the v0.5 of the program!

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

A Solution to the “Forwarding on the 6to4 Interfaces Cannot be Enabled” Error

2011-04-20T14:11:37Z

Ben Ari posted an answer to the Forwarding on the 6to4 Interface cannot be enabled error that you might see when you try to activate the DirectAccess configuration on the UAG DirectAccess server.

When you activate the configuration, it will look something like this:

Check Ben’s blog post at http://blogs.technet.com/b/ben/archive/2011/01/27/forwarding-on-the-6to4-network-interface-cannot-be-enabled.aspx for the reason and a fix.

Thanks Ben!

HTH,

Tom

URL and Antivirus Filtering for DirectAccess Clients

2011-04-20T00:44:17Z

The question on how to handle DirectAccess clients and Internet security for those clients is always a popular topic. As I’ve mentioned many times in this blog, the overall threat and management profile of the DirectAccess client should be little different than a client that is on the intranet.

However, there is one major difference between the intranet client and the DirectAccess client – and that’s an Internet gateway that protects the client from Internet threats with URL filtering and web antimalware.

With this in mind, the following question is topical and I’ll use it to drive the discussion.

====================================================================

“UAG providing direct access over HTTPS to a large set of demo computers in retail stores. They are a wireless ISP so all the computers in the offices are connected directly to the Internet, rather than a corporate network. We are using DA to manage group policy on the demo boxes to ensure they are tightly locked down.

We have a need to also provide some sort of content filtering/web site blocking on these boxes. One thought is to leverage UAG to act as a filtering proxy server for these boxes. The customer is concerned about using UAG “normally” because traffic would then flow across the DA/HTTPs link which would be the slowest option and may impact the performance of these demo boxes. Thus they would like to configure their UAG box to act as a proxy server out on the Internet with some authentication for clients to connect.

So my questions to the group are:

Is this totally crazy?

Can this be done in a supported way?

Is there a better way for them to do this”

====================================================================

First we have to get clear on the scenario. It sounds like these machines are configured as DirectAccess clients and are configured to use IP-HTTPS to connect to the UAG DirectAccess servers. It’s not clear why this is being used instead of 6to4 – maybe there is a device in the path between these DirectAccess clients that blocks IPv4 Protocol 41. What it appears they want to do is provide some gateway based security for these clients. The proposed idea is to use the UAG DirectAccess server as an outbound proxy for the DirectAccess clients. There are two problems with this possible solution:

It’s not supported
It won’t work

Given those two facts, we need to think of some other way to enable Internet gateway security for these clients. This is what I’d propose:

Enable force tunneling on the clients – this will force all traffic, including Internet bound traffic, through the DirectAccess tunnels
Consider configuring the browsers on the DirectAccess clients to use a web proxy. You can configure the proxy address in the UAG DirectAccess wizard
Consider configuring the DirectAccess clients to “bounce” off the UAG DirectAccess server to reach the Internet
If the second option is chosen, then configure the UAG DirectAccess servers with a gateway address that will force the outbound connections through a URL filtering and antivirus gateway

The figure below shows what the request path would look like when you configure the DirectAccess clients to use a Web proxy. Note in this scenario that you can have the outbound connection use a different gateway to the Internet than the one used by the DirectAccess server itself.

The figure below shows what it looks like when you configure the DirectAccess clients to “bounce off” the UAG DirectAccess server. The difference in this case is that the web filtering gateway is most likely going to be in a DMZ. You will need to be careful here, because the DirectAccess server can only have a single default gateway, which means that the web filtering gateway is going to need to be in the DirectAccess request/response path between the DirectAccess client and server. In the figure below, you can see that the outbound connections are leaving through the same firewall that they DirectAccess tunnel connections came in through.

If you want to see how this configuration works in a test lab, then check the Force Tunneling Test Lab Guide. You can find a complete list of Test Lab guides at http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx

HTH,

Tom

Does Removing ISATAP for the DNS Block List Impact Security?

2011-04-19T17:24:33Z

If you choose to deploy ISATAP to support your DirectAccess deployment, one of the things you need to do is remove the name ISATAP from the DNS block list if you’re using a Windows DNS server running Windows Server 2003 SP2 or above. By default, these DNS servers will not resolve queries for the names WPAD and ISATAP. Even if there is a resource record for WPAD or ISATAP in DNS, the DNS server will not return a response for those names if they are on the DNS query block list.

The reason for this is that it’s possible for a rogue device to dynamically register these names in DNS. If that happens, there is the possibility that client systems will auto-configure themselves to use the rogue device as their web proxy, or configure their ISATAP adapters to use the rogue device as their ISATAP gateway. Both of these scenarios are enabled by the fact that Internet Explorer uses auto-discovery by default to configure the web proxy, and the ISATAP adapter is enabled by default if the name ISATAP can be resolved and the client can contact an ISATAP router.

If you check this link you will find a document that contains the following statement:

“By default, the DNS Server service in Windows Server 2008 and later blocks name resolution for the name ISATAP through the DNS Global Query Block List. To use ISATAP on your intranet, you must remove the ISATAP name from the list for all DNS servers running Windows Server 2008 and later. For more information, see Remove ISATAP from the DNS Global Query Block List in the DirectAccess Deployment Guide..”

The question then is “if ISATAP responses from the DNS server is considered unsecure, then isn’t deploying ISATAP on the network considered unsecure?”

The answer is “no”. The reason for this is that when you deploy ISATAP on your network and enable the DNS server to answer queries for ISATAP, you will enter a static Host (A) record for ISATAP. When you configure the static DNS resource record, it will not be overwritten by dynamic registrations by potential rogue hosts. Therefore, the security implications of removing ISATAP from the DNS block list are mitigated since no one can dynamically overwrite the static ISATAP record you created.

However, if you decide that you don’t want to use ISATAP, or at least don’t want to use DNS to inform ISATAP hosts of the ISATAP router, then you should put ISATAP back into the DNS block list and remove the ISATAP resource record from your DNS server.

You can find out more about the DNS query block list HERE.

HTH,

Tom

IPv6 and DirectAccess Troubleshooting Cheat Sheets

2011-04-19T14:56:25Z

What would you be willing to pay for a really cool IPv6 and DirectAccess troubleshooting cheat sheet?

$5? $10? $100? ONE HUNDRED BILLION DOLLARS?

Would you pay one hundred billion dollars for these cheat sheets?

Since these cheat sheets are priceless we’re going to give them away. Thanks to DirectAccess guru and all around good guy Pat Telford, we’re making the .vsd file for these cheat sheets available for download.

You haven’t seen these cheat sheets? Here’s what they look like:

You can download the .vsd for these sheets HERE.

HTH,

Tom

Choosing Between Forefront TMG or Forefront UAG for Publishing Scenarios

2011-04-19T14:24:25Z

Your first decision when planning a publishing solution using Forefront TMG 2010 (TMG) or Forefront UAG 2010 (UAG) is to determine which of the two products best fits the needs of the deployment.

Both TMG and UAG can securely publish Exchange, SharePoint, Terminal Services and web-based line of business applications to the Internet. However TMG and UAG offer some features or support some scenarios that the other does not. So, the first step in choosing which product to use is deciding what features you need or think you may need.

Some deployments may actually benefit from using both TMG and UAG to satisfy specific requirements. For example, you might use UAG to provide a unified portal experience for your inbound Web-based client access, use TMG to protect Internet access for your internal users, and use Forefront TMG to provide certificate-based authentication to your mobile device-enabled workforce.

The following table compares both products at a functional level:

Feature or Capability	Forefront Threat Management Gateway 2010	Forefront Unified Access Gateway 2010
Scale Out Using Arrays Arrays enable you to apply the same configuration setting to multiple machines participating in the same array	X	X
Network load balancing of the publishing array Network Load Balancing (NLB) enables high availability and transparent failover for participants in the NLB array	X	X
Load Balancing of Back-End Servers Integrated Web Farm load balancing enables you to load balance connections to back-end web servers, removing the need for a hardware load balancer behind the web gateway	X	X
Single network interface deployment The web gateway can be deployed in a single NIC configuration, so that NICs do not span multiple networks	X
Enterprise Management (multiple nodes in one array) Enterprise Management enables the administrator to manage multiple arrays located throughout the organization from a single management interface; in addition, configuration for all arrays is stored in a centralized location which located off any of the array members	X
Integrated Windows Authentication Integrated Windows Authentication enables SPNEGO, Kerberos or NTLM authentication with the web gateway	X
Support two-factor authentication for web applications Two-factor (multi-factor) authentication enables the administrator to require users to present two or more pieces of information to access resources	X	X
Certificate Authentication with ActiveSync Certificate authentication with ActiveSync increases the overall ActiveSync security scenario by requiring the device to present a certificate before allow access to Exchange Server resources	X
Upgrade Path from ISA 2006 While it’s not possible to do an in-place upgrade from ISA to TMG (because ISA was 32bit only and TMG is 64bit only), there is a clear and easy to perform upgrade path.	X
Authorization Using Endpoint Policies Endpoint detection determines the state of the device connecting to the gateway and enforces access policy based on the results of the endpoint detection		X
SharePoint rich client support (MSOFBA) MSOFBA is a protocol that provides forms based authentication, instead of basic authentication, when you use Office client applications		X
Federation support with ADFS Use integration support for ADFS to enable federated identity scenarios		X
Endpoint Session Cleanup Endpoint session cleanup provides a mechanism to remove information obtained from the server during the course of the session; removal takes place on log off.		X
Port Scalability Port scalability enables you to publish more resources while using fewer ports on the receiving interface of the web gateway		X
Password Lockout Protection (at a node level) Password lockout protection protects the user account from being inadvertently locked out by either a friendly or malicious user; user is locked out of the gateway, but not in the Active Directory.		X
Granular access policies Granular access policies enable the administrator to control access to applications and to components of applications, based on the results of user and device assessments.		X
Support for DirectAccess DirectAccess is a new remote access technology that enables users to be always connected to the intranet and enables IT to always be connectivity to the users – all done transparently without user intervention		X
Portal functionality to publish multiple line-of-business applications Portal functionality enables users to connect to a single URL to access a portal page that contains applications and services available to the user, based on the results of user and device assessment.		X
Load balancing support for HTTP-based protocol access from the Internet Load balancing enables an array of web gateway to handle more requests more efficiently by evenly distributing connections among members of the load balanced array.	X	X
Highly Customizable Customizable according to the support guidelines and the development policies and processes for Microsoft partners		X
Built-in Wizards for Exchange Built-in wizard for publishing Exchange web services makes it simple to publish these resources using a secure default configuration	X	X
Outlook Web Access “Look and Feel” Both UAG and TMG provide a log on page experience that is similar to the one provided by Exchange Outlook Web Access (OWA).	X	X
Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication Forms based authentication enables users to enter credentials in an easy to use form to authenticate with the web gateway	X	X
Publish Outlook Anywhere using Basic or NTLM authentication	X	X
Publish Microsoft Exchange ActiveSync using Basic authentication	X	X
Support two-factor authentication for Exchange ActiveSync	X
Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP	X
Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server Email inspection can be performed on the web gateway to protect against spam and malware	X
Protect and filter Internet access for internal users from malware and other Web-based threats The web gateway can perform URL filtering to block undesirable web sites and scan and block malware delivered from the web	X
Provide support for scaled up Outlook Anywhere deployments by using multiple source IP addresses UAG has a Port Scalability feature that allows UAG to use multiple source IP address on its internal interface to contact the published CAS servers, allowing it to overcome the limit of 60000 ports maximum in a single IP address.		X
Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc. Endpoint detection can be performed to insure that the client attempting to access the OWA Exchange web service meets corporate security standards before allowing access		X
Built-in features for SharePoint publishing The web gateway has wizards and other technologies that make intelligent decisions on how to best publish SharePoint resources	X	X

Thanks to Fernando Cima and Carsten Kinder for developing this table.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder