1. Introduction
The new URL Filtering option on Forefront TMG 2010 allows you to manually add web sites to a specific category; this feature is called URL Category Override. It is a good approach when you want to force a specific site into a category that is already covered by your block rule. This post describes a scenario where the TMG administrator added a web site to the “dubious” category as shown below:
The goal was to block access to this web site due to company security policy. To test whether this configuration was working, the TMG administrator used the Category Query feature, where it was possible to see that the new categorization was in effect, as shown below:
When the client tried to access this URL from his workstation he got the expected error message.
2. The Problem
The problem in this case is that users figured out a way to bypass this by typing https:// in front of the URL; in other words, if they typed https://www.facebook.com they were able to access the web site. You might be thinking: how is that possible? Well, that was my question when I first heard the TMG administrator explaining his problem to me, but after reviewing the environment and the client configuration it was possible to understand why this behavior was happening.
The problem is that the client workstation was configured as a SecureNAT client, with no web proxy configuration. You need to remember that URL Filtering doesn’t do HTTPS categorization for SecureNAT requests, so this behavior was expected. In the article that Jim, Mohit and I wrote for TechNet Magazine (March 2010 issue) we say:
“…the ability of URL filtering to evaluate the request is dependent on two criteria:
- Is the connection directed to the default HTTP port? If so, the Web proxy may be able to intercept this request and pass it to URL filtering for comparison. If not, the request will not be seen by URL filtering and thus cannot be compared to the database.
- If the connection is directed at the default HTTPS port, is HTTPS inspection enabled? If so, HTTPS inspection can bridge the connection, and URL filtering will have an opportunity to compare the request to the database.”
Based on that you can probably imagine how to fix this problem, correct? Let’s take a look at the options that we have here.
3. The Solution
In scenarios like this there are a couple of solutions:
- Enable HTTPS Inspection: with HTTPS Inspection enabled, it is possible to enforce URL Filtering for requests that use HTTPS and come from SecureNAT clients.
- Use Web Proxy Client: with the browser configured as a web proxy client, URL Filtering works regardless of the protocol.
For this particular scenario the administrator preferred to use the Web Proxy Client option and deploy a GPO to force all IE users to go out to the Internet through this particular TMG. For that the following AD policies were used:
Policy 1 – Used to force the proxy server setting:
Policy 2 – Used to disallow users to change their proxy settings
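As an added example (not part of the original post), the following PowerShell snippet checks on a workstation whether the two policies above actually took effect for the current user: that the browser is a web proxy client, so HTTPS requests are filtered, and that the user cannot switch the proxy back off. The proxy address and the function names are assumptions made for this illustration.

```powershell
# Added example, not from the original post: verify that the proxy GPO (Policy 1)
# and the "disable changing proxy settings" GPO (Policy 2) are in effect for the
# current user. $ExpectedProxy is a placeholder; replace it with your TMG address.
# The comparison is literal, so use the same form the GPO writes (host:port).
$ExpectedProxy = 'tmg.corp.example:8080'

$userSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or the value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ProxyEnforcement {
    $enabled = (Get-RegValue $userSettings 'ProxyEnable') -eq 1
    $server  = Get-RegValue $userSettings 'ProxyServer'
    # The "Disable changing proxy settings" policy (Policy 2) writes
    # Proxy = 1 under the Internet Explorer\Control Panel policy key.
    $locked  = (Get-RegValue $policyKey 'Proxy') -eq 1

    $findings = @()
    if (-not $enabled) {
        $findings += 'Proxy not enabled: browser traffic leaves as SecureNAT.'
    } elseif ($server -ne $ExpectedProxy) {
        $findings += "Proxy is '$server', expected '$ExpectedProxy'."
    }
    if (-not $locked) {
        $findings += 'Proxy settings are not locked: users can disable the proxy.'
    }

    [pscustomobject]@{
        ProxyEnabled   = $enabled
        ProxyServer    = $server
        SettingsLocked = $locked
        Findings       = $findings
    }
}

$r = Test-ProxyEnforcement
$r | Format-List
if ($r.Findings.Count -eq 0) { 'OK: proxy enforced and locked by policy.' }
else { $r.Findings | ForEach-Object { "WARNING: $_" } }
```

Run it in the user's context (not an elevated session under another account), because both keys live under HKCU.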
4. Conclusion
It is always important to analyze all the possible options and which one best fits your environment. Sometimes concentrating all the policy enforcement on the edge is good, but there are many times when you need to make sure that your infrastructure as a whole is enforcing the company security policy. By leveraging Windows security capabilities to enforce policies you reduce the overall administration overhead and have multiple layers of policy enforcement in place.
Sometimes I receive questions like: I don’t want users to use application XYZ to grab content from the Internet. How can TMG block this application for my Web Proxy Clients? This is a classic question, and it can be done on TMG if you have the TMG Client installed, but if this is just a web proxy client then the approach has to be different. It comes back to the subject of enforcing the company’s security policy end to end. Ask yourself the questions below and you will realize that there is much more to be concerned about:
- Why is this client running a non-approved application on a company desktop in the first place?
- Why not use software restriction policy via GPO for the company workstations?
- Even if you block it on the edge, who guarantees that this non-approved application is not trying to harm other internal clients?
As you can see there are many questions that need to be answered in this area before trying to fix a particular non-compliance concern solely with a fix on the edge.
Many companies are starting to budget for the second half of calendar year 2010, and some companies actually start fiscal year 2011 now in July. Regardless of which scenario you are in, the fact of the matter is that during this time of the year many companies are getting ready to overcome current challenges, re-evaluate the technologies in place and analyze migration options across the core platforms. In recent conversations that I had with ISA Server admins I noticed that there are some common scenarios where ISA Server capabilities limit the company in achieving its business goals. The good thing is that TMG can indeed help with that.
In this post I will enumerate the top 5 scenarios where TMG can overcome ISA limitations in order to achieve the desired goal.
Scenario 1 - Consolidation and Dynamic Control
“Currently I have ISA Server 2006 that works pretty well in my company, but as our business is growing and the IT people in my team are shrinking I would like to centralize many things on the perimeter in order to facilitate the administration. For the inbound scenario my main problem is e-mail; it would be cool if I could have one single server to manage firewall policies as well as Exchange spam filtering capabilities. For the outbound scenario I would like to have more control over the sites that my users can access in a dynamic manner; I can’t keep up with all suspicious sites and add them to my Block List, which is a URL Set that I created. Is there anything on ISA that can help me with that?”
Solution
No, ISA can’t help much here. However, with TMG you can integrate Forefront Protection for Exchange, Exchange Edge and TMG itself in a single box. The combination of those products allows you to implement the E-Mail Protection feature and manage all the policies in a single location, which is the TMG console. For your outbound challenge, TMG can indeed help. You can use the URL Filtering capability, which uses MRS (Microsoft Reputation Services) to dynamically categorize the URLs that your users access. Yes, this is the end of your endless attempt to keep up with all the sites in the URL Set.
Scenario 2 – Protection against Malware
“Recently we got hit by malware; it was pretty bad but we were able to contain the damage and cure all affected machines. After that we started a post-mortem analysis to understand how this happened, since all corp net workstations have antivirus, and sadly we found the breach. Our guest network was not enforcing that guest computers have antivirus, and I remember why we disabled that enforcement there: it was a political decision. The problem is that I have no idea if the user brought the malware or got this malware while browsing the Internet through our proxy. We now need to be able to have a type of protection on the edge that can block attempts to download malicious content and help to protect unmanaged workstations that have no antivirus. Not sure if ISA can do that, please advise.”
Solution
No, ISA cannot do that. This is actually a very strong point of the TMG Malware Inspection feature. With this feature enabled you can keep up with the latest signatures regardless of the client workstation state (managed or unmanaged). If TMG detects an attempt to download a file that is infected, TMG will try to clean this file, and if it can’t clean it, it will block access to it (according to the administrator's choice). The user name, file name, threat and URL are stored in the TMG log, so you can quickly identify who attempted to download the infected file and the site the user was trying to download it from. Yeah, I know, it’s awesome.
Scenario 3 – Keep up with the updates
“My current ISA deployment is using the 3-Leg template, and I have some servers on the DMZ. Those servers are highly utilized and I’m having a hard time keeping them updated on the monthly Patch Tuesday Microsoft update cycle. The whole change request process to install new updates on the server plus the request to restart the server can take up to two weeks; in other words, my servers that live on the DMZ can be out of date for up to two weeks. In a recent internal audit the auditors saw that breach and we need to come up with a solution where we can mitigate that without reducing the two-week gap that we have to apply security patches. Can ISA help us with that?”
Solution
ISA will not be able to help you achieve this goal, but TMG will. With the TMG Network Inspection System (NIS) you can mitigate the exploitation of known Microsoft vulnerabilities in traffic that crosses TMG networks. NIS gets its signature updates from Microsoft Update and inspects all traffic that crosses TMG; since your servers are on the DMZ, NIS evaluates traffic going to the DMZ (or coming from the DMZ) and verifies whether that traffic matches any NIS signature. If it does and the action is set to block, TMG blocks the traffic and triggers an alert, so you can easily identify a potential exploitation attempt. Now this is cool, isn’t it?
Scenario 4 – Controlling Remote Users
“We just migrated all of our domain to Windows Server 2008 and we are now implementing NAP. Since our VPN solution is based on ISA Server 2006 I would like to integrate NAP with ISA 2006; can I do that? Also, we want to allow users to connect to our VPN via SSTP. Does ISA support SSTP?”
Solution
ISA does not integrate with NAP, nor does it offer built-in SSTP capabilities; the good thing is that TMG does both. With TMG you take advantage of the Windows Server 2008 x64 platform, which is much more robust, and you are able to natively integrate with NAP via the TMG console. On top of that, TMG also lets users connect via VPN using the SSTP protocol, since this feature comes built in with the product. “Two birds with one stone”, this is what I’m talking about.
Scenario 5 – We can’t stop
“Our company is growing at a fast pace, which is great, but we are becoming more and more dependent on the Internet. Recently we had an outage of our Internet connectivity with our ISP because our border router broke and we had to replace it. This replacement took two hours, and it was chaos in our company without Internet connectivity. Since that day my manager has been under pressure to implement a backup plan so we have fault-tolerant Internet connectivity in case the main connectivity with our ISP goes down again. I want to use ISA 2006 for that, but I’m not sure how. Any clue on how to do that?”
Solution
ISA Server 2006 doesn’t offer a built-in ISP Redundancy capability that can assist you with that, but TMG does. With the new ISP Redundancy capability on TMG you can have two paths to the Internet, used either as a failover mechanism or as a load balancing mechanism. This allows you to achieve your goal and be up and running with Internet connectivity in a matter of seconds if your main ISP goes down. You’re welcome.
These are only 5 of many scenarios where TMG can assist you in overcoming the challenges your company might be facing to keep the business running in a secure manner. If you have ISA Server 2006, 2004 or even the almost dead ISA 2000 (extended support finishes April 2011) you should be planning your TMG migration, and I will remind you again: chapter 6 of the TMG Book is your friend for that.
Many administrators are planning the migration to Forefront TMG 2010, and during this planning phase many questions come up regarding support and the learning plan for TMG. What should I read before deploying TMG? I didn’t find any MOC training; how can I learn more about TMG?
Here is a list of resources that can help you learn more about Forefront TMG:
Book
Online Resources
Webcast
Videos from the Edge
Labs/VMs
Training
For Microsoft Premier Customers
For General Public
I hope this helps you get ready to deploy and maintain Forefront TMG 2010.
Recently I received a question from a TMG admin saying that he can’t install DebugDiag on Windows Server 2008, since it is not supported there, and therefore doesn’t know how to capture a user-mode dump of the wspsrv.exe process on TMG 2010. The good news is that on Windows Server 2008 getting a manual dump of a process is even easier, since it doesn’t need any additional tool; this capability is built into the system. Just open Task Manager, go to the Processes tab, highlight the wspsrv.exe process, right click on it and choose Create Dump File.
Easy, isn’t it?
Having a dump of the wspsrv.exe process using this approach can be useful for the following scenarios:
Recently I worked on a case in collaboration with the Exchange team where the messaging administrator was experiencing a double authentication prompt while accessing the Exchange Control Panel through OWA. Exchange Control Panel is a new feature of Exchange 2010; to read more about it, see the article New Features and Improvements in Exchange Server 2010.
2. Background
First you need to understand that the Exchange Publishing Wizard on ISA Server 2006 doesn’t add the /ecp vdir the way TMG 2010 does (see the figure below, from TMG 2010).
The solution for ISA Server 2006 is to add /ecp/* manually after creating the OWA publishing rule.
3. Why was it failing?
In this particular scenario there were two publishing rules sharing the same listener and the same public name:
| Rule Number | Name | Destination | Affinity |
| --- | --- | --- | --- |
| 1 | Outlook Anywhere | Exchange Farm | IP-Based |
| 2 | OWA Publishing rule | | Session-Based |
In this case the administrator added /ecp/* to the Outlook Anywhere rule as well. What was happening was that when accessing OWA the rule that was processed was rule number 2, but when the user clicked Options to launch the Exchange Control Panel (within OWA), ISA had to re-evaluate the request for the /ecp/* path. Since the evaluation is top down, it hit rule number 1 first and recreated the connection (due to the affinity), hence the re-prompt for authentication.
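As an added example (not part of the original post), this PowerShell model of ISA's top-down rule evaluation shows why the /ecp/* request lands on the Outlook Anywhere rule when both rules carry that path, and how the session stays on rule 2 once /ecp/* is removed from rule 1. Rule names and affinities come from the table above; the /rpc/* and /owa/* paths, the request sequence and the function names are assumptions made for this illustration.

```powershell
# Added example, not from the original post: a small model of ISA's top-down
# publishing-rule evaluation. Rule names and affinities are from the table in
# the post; the /rpc/* and /owa/* paths and the click sequence are assumptions.

function Find-MatchingRule {
    param([object[]]$Rules, [string]$Path)
    # The first rule (in order) whose path set matches the request wins.
    foreach ($rule in $Rules) {
        foreach ($pattern in $rule.Paths) {
            if ($Path -like $pattern) { return $rule }
        }
    }
    return $null
}

function Test-Session {
    param([object[]]$Rules, [string[]]$RequestPaths)
    # Walk a user session and flag every request that lands on a different
    # rule than the previous one: that is where ISA rebuilds the connection
    # (rule 1 is IP-based) and the user sees a second authentication prompt.
    $previous = $null
    foreach ($p in $RequestPaths) {
        $rule = Find-MatchingRule -Rules $Rules -Path $p
        $switched = ($null -ne $previous) -and ($rule.Name -ne $previous.Name)
        [pscustomobject]@{ Path = $p; Rule = $rule.Name; Affinity = $rule.Affinity; RuleSwitch = $switched }
        $previous = $rule
    }
}

# As misconfigured in the post: /ecp/* present on both rules.
$broken = @(
    [pscustomobject]@{ Name = 'Outlook Anywhere';    Affinity = 'IP-Based';      Paths = @('/rpc/*', '/ecp/*') }
    [pscustomobject]@{ Name = 'OWA Publishing rule'; Affinity = 'Session-Based'; Paths = @('/owa/*', '/ecp/*') }
)
# Corrected: /ecp/* only on the OWA rule, so the whole OWA session stays on rule 2.
$fixed = @(
    [pscustomobject]@{ Name = 'Outlook Anywhere';    Affinity = 'IP-Based';      Paths = @('/rpc/*') }
    [pscustomobject]@{ Name = 'OWA Publishing rule'; Affinity = 'Session-Based'; Paths = @('/owa/*', '/ecp/*') }
)

$session = @('/owa/', '/owa/auth.owa', '/ecp/')   # constructed click sequence: log in, then Options
'--- /ecp/* on both rules ---';    Test-Session -Rules $broken -RequestPaths $session | Format-Table
'--- /ecp/* only on OWA rule ---'; Test-Session -Rules $fixed  -RequestPaths $session | Format-Table
```

In the first table the /ecp/ row shows RuleSwitch = True (rule 1, IP-Based); in the second every request stays on the OWA rule.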
Enjoy your Exchange 2010 Publishing !!
The Microsoft Security Newsletter for this month (May 2010) has a quick note on the Forefront TMG Book under the Security Events and Trainings section. Besides that there is much more content, including some great upcoming webcasts for IT and security professionals. Make sure to check it out at http://technet.microsoft.com/en-us/dd162324.aspx. Thanks Tim Rains and Heather Poulsen for the note.
Next month I will be back (after one year) in my hometown (Fortaleza) in Brazil and will use this opportunity to deliver a presentation about Forefront TMG 2010. The event is sponsored by Microsoft Fortaleza, SecrelNet and CoreSec with the support of the local Microsoft IT community. Prizes (such as signed TMG books) will be given. For more information and registration see the link below:
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032453033&Culture=pt-BR
See you there.
Here is what you were waiting for: a demo environment ready to be used with the latest Forefront technology. The Microsoft Business Ready Security trial environment provides an end-to-end trial experience across all of the Business Ready Security solutions. The environment provides an opportunity to evaluate protection, access, management and identity technologies as a pre-configured set of VHDs.
Go get it at http://www.microsoft.com/downloads/details.aspx?FamilyID=726f943e-d107-4b4d-a86e-dfb605e30ce5&displaylang=en
Enjoy it !!