More great news from the Forefront TMG Documentation Team: here is a series of new articles that were recently published in the Microsoft TechNet Library about Forefront TMG 2010:
Enjoy it !!
Here is a great XMas gift for you !!
After a long road and several rounds of updates, the Forefront TMG Team has just released the new version of the famous Unsupported Configurations article. This is a great article to read PRIOR to deploying TMG. The reason I’m emphasizing “prior” is that the worst thing that can happen is to deploy TMG (or any software) and then, when a problem arises and you call support, find out that the way you deployed (or configured) it is not supported.
Read the full document here: http://technet.microsoft.com/en-us/library/ee796231.aspx
Happy Holidays !!
My previous post about redirects explained a typical loop scenario when implementing the Deny rule on ISA Server. It looks like people just hate typing /owa (or /exchange) these days, maybe because they already have too many things to memorize (I don’t blame them). Since many users are migrating to Exchange 2007 (and now also to Exchange 2010), the coexistence scenarios with Exchange 2003 may be decreasing, but they are still very common. With those two challenges in their hands (redirect and legacy coexistence), many times administrators want to achieve the following goal:
From the redirect perspective we have another catch. By using the typical redirect approach, which is creating a deny rule for https://mail.contoso.com that redirects to https://mail.contoso.com/owa, users whose mailboxes are located on Exchange 2003 will receive the following error message after logging on at the FBA page:
Outlook Web Access could not find a mailbox for DOMAIN\USERNAME. If the problem continues, contact technical support for your organization and tell them the following: The mailbox may be stored on a Microsoft Exchange 2000 or Microsoft Exchange 2003 server, or the Active Directory user account was created recently and has not yet replicated to the Active Directory site where this Client Access server is hosted
This is actually expected, since you can’t access legacy mailboxes by using /owa. In order to fix that, you need to change your redirect rule on ISA to be:
Simple tip that can save you some deployment headaches.
Greetings Forefront Edge Admins, this week Microsoft released the Forefront UAG 2010 evaluation version for you to download and test in your environment. This evaluation version has a trial period of 120 days and is fully functional. You can download it from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=740bd005-5ff9-426e-9c17-a93ae8629582 and read more about installation/migration at http://technet.microsoft.com/en-us/library/ee428841.aspx.
Microsoft just released the IPD (Infrastructure Planning and Design) guide for UAG. This is the type of document that you MUST read if you are planning to deploy UAG on your network. The document starts with the design process and proceeds with:
The document also has Job Aids and other appendixes that extend the core message about this important phase of any project, which is the planning and design phase. Download the full document from IPD for UAG.
Introduction
This post is about an interesting issue where a third party application that was configured as a service was failing to establish a connection with the destination server because ISA Server was denying the traffic. From this brief description it really sounds like a trivial issue where you just need to create an access rule to resolve the problem; however, the scenario is quite a bit more complex. In order to explain it, it is important to know the scenario first. The diagram below shows the network topology:
Figure 1
As you can see, we have four networks and the layer 3 switch is routing traffic between the networks. The problem resides on srv01.contoso.com: the application runs as a service, and for it to work it needs to start using the Local System account. When the administrator starts the service, the application tries to reach farmapp.contoso.com:portx (where portx is the port used by this application); oddly, the application was sending the request through ISA Server instead of sending it directly to the application server. In order to confirm that, I used the Procmon tool and the result was similar to the one below:
Thatsthecustomapp.exe TCP Send farmapp.contoso.com:portx -> isasrv.contoso.com:8080
You might be thinking: time to check your IE settings, looks like you have a problem there. That’s what I thought too; however, IE was clean, no proxy settings at all.
Moving Forward
Moving forward with the troubleshooting, the next attempt was to run the proxycfg tool to see if there was anything in the registry, and the result was:
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Direct access (no proxy server).
Apparently nothing in the registry. This server was also not using ISA Server as its default gateway, so there was no apparent reason why the traffic was going to ISA Server instead of going directly to the destination server. The key to the problem was this: it only happened if the third party service was started as the Local System account.
A friend from the Windows Performance team helped me out and suggested getting a Dependency Walker result for the third party executable file. We got it and the result was:
Figure 2
Eric Kotz, a Windows Performance engineer, confirmed that this implementation was not supported and pointed out the article that explains it, which says:
The problem with running WinInet in a service is that WinInet uses settings from the registry for SSL information, proxy information, and more. Services do not load the HKEY_CURRENT_USER registry hive, so this information is not available.
Warning: Microsoft does not support using WinInet APIs within the context of a System Service.
From: KB 238425 WinInet Not Supported for Use in Services
Fair enough. After running the command psexec -is "c:\program files\internet explorer\iexplore.exe" (-i to interact with the desktop and -s to run in the context of the System account), it was possible to see that the proxy settings were there; after removing them, the application started working just fine.
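As an added example (not part of the original post), here is a PowerShell check for the situation above: it reads the WinInet Internet Settings key from every loaded hive under HKEY_USERS, including S-1-5-18, the hive a service running as Local System actually uses, flags a proxy that is configured only for Local System, and prints the machine-wide WinHTTP setting with netsh winhttp show proxy (the successor to the proxycfg tool used above). Assumptions: run from an elevated PowerShell 3.0 or later session; the well-known SID table and the function name are my own.

```powershell
# Added example: find which account hive carries a WinInet proxy setting.
# HKU is not a default PSDrive, so map HKEY_USERS first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Well-known service SIDs (assumed table, not from the original post).
$wellKnown = @{
    'S-1-5-18' = 'LOCAL SYSTEM'
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
    '.DEFAULT' = 'Default profile'
}

function Get-HiveProxySetting {
    param([string]$Sid)
    $key = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $account = if ($wellKnown.ContainsKey($Sid)) { $wellKnown[$Sid] } else { 'interactive user' }
    [pscustomobject]@{
        Hive          = $Sid
        Account       = $account
        ProxyEnable   = $p.ProxyEnable     # 1 = WinInet sends traffic to ProxyServer
        ProxyServer   = $p.ProxyServer     # e.g. isasrv.contoso.com:8080
        AutoConfigURL = $p.AutoConfigURL   # PAC file, if any
        ProxyOverride = $p.ProxyOverride   # bypass list
    }
}

# Only hives of currently loaded accounts exist under HKEY_USERS; the SYSTEM
# hive (S-1-5-18) is always loaded once the machine has booted.
$results = Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { Get-HiveProxySetting -Sid $_.PSChildName } |
    Where-Object { $_ -ne $null }

$results | Format-Table -AutoSize

# The case from the post: a proxy that applies to Local System only, so IE
# run as the interactive user looks clean while services still use the proxy.
$system = $results | Where-Object { $_.Hive -eq 'S-1-5-18' }
if ($system -and ($system.ProxyEnable -eq 1 -or $system.AutoConfigURL)) {
    Write-Warning ("Local System has a WinInet proxy configured ({0}{1}); " +
        "services built on WinInet will send traffic through it.") -f
        $system.ProxyServer, $system.AutoConfigURL
}

# Machine-wide WinHTTP setting, equivalent to the proxycfg output shown above.
netsh winhttp show proxy
```

Because the post's symptom was a service sending traffic to isasrv.contoso.com:8080, a hit for S-1-5-18 here explains it without needing psexec to open IE as System.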
The other day I was talking to a friend of mine who asked how it was to work on this TMG Book project, having two more heads to write and one to review, and I was like: it was amazing !! The reality is that because each one of us has such a unique profile, we were able to combine our ideas and create really good content. This story is fully shared on the MS Press Blog; see http://blogs.msdn.com/microsoft_press/archive/2009/12/09/forefront-tmg-2010-administrator-s-companion-a-unique-reading-experience-is-coming.aspx for full details.
Yesterday Microsoft released six security updates, and there is one in particular that is very important for VPN scenarios that use IAS for RADIUS authentication. MS09-071 describes that servers using IAS are only affected when configured to use PEAP with MS-CHAP v2 authentication (described in CVE-2009-3677). The vulnerability is caused by an incorrect way of copying into memory messages received by the server when handling PEAP authentication attempts. This vulnerability is classified as critical. For more information about the December 2009 Security Bulletin, read the MSRC Blog:
http://blogs.technet.com/msrc/archive/2009/12/08/december-2009-security-bulletin-release.aspx
My buddies and co-authors of the Forefront TMG 2010 book (Jim Harrison and Mohit Saxena) recorded a nice interview for Microsoft Edge Technet to explain more details about TMG Migration (chapter 6 of our book). Watch the interview at http://edge.technet.com/Media/ISA-to-TMG-Migration-Guidance/
Today the Microsoft Forefront TMG Product Team released a comprehensive white paper called Guide for Configuring, Monitoring and Troubleshooting the Network Inspection System (NIS) in Forefront Threat Management Gateway (TMG) 2010. The document has 60 pages of pure technical content about this feature; in this white paper you will learn more about NIS, how it works, the NIS architecture (including details about GAPA), and how to troubleshoot NIS on TMG 2010.
Download this paper from the link below:
http://download.microsoft.com/download/F/4/0/F40887FD-648B-40E1-B79B-AAE43CEDCA4C/NIS%20in%20TMG%20Whitepaper.docx