October, 2011 - Yuri Diogenes's Blog - Site Home - TechNet Blogs

Yuri Diogenes's Blog

Thoughts from a Senior Technical Writer @ Microsoft Server and Cloud Division (Solutions Group) - Information Experience

October, 2011

Posts
  • Yuri Diogenes's Blog

    Five reasons you should apply Forefront TMG 2010 SP2

    • 4 Comments

    This week Microsoft released a major update of Forefront TMG 2010, and many TMG admins are very excited about the new features announced in the Forefront TMG team blog, such as support for Kerberos authentication in an array scenario, the improved error pages and the new site activity report. Those are already three reasons to apply SP2 on your TMG, but instead of just adding two more features to the list I’m going to give you five more reasons to apply this update. Here they are:

    1. Forefront TMG 2010 SP2 makes TMG startup operation ten times faster.

    • If you attended my presentation at TechED Brazil you already know this, because I explained it during the session. The fact of the matter is that the Forefront TMG development team did a great job improving the startup time of TMG. In a lab test the startup time decreased from 26 minutes to 3 minutes (ok, almost ten times).

    2. Do you remember KB2498831? There is no need to run that script anymore: with TMG 2010 SP2 a new option was added to the screen that lets you do the same thing, as shown below:

    3. Performance improved for cloud migration.

    • Read this post, where I explain the scenario in which TMG 2010 SP2 improves this.

    4. Improvement in the E-Mail Protection feature

    • Some of the problems with this feature were fixed. More details are in KB2555840 (once it is live).

    5. Account lockout enhancements for FBA.

    That’s it…go grab TMG 2010 SP2, and remember: in order to apply TMG 2010 SP2 you need TMG 2010 SP1 + Update 1.

  • Yuri Diogenes's Blog

    E-Mail Protection fixes on Forefront TMG 2010 SP2

    • 4 Comments

    If you have been following my blog for a long time you probably read the post TMG E-Mail Protection Feature x Exchange 2010 SP1 (first published more than a year ago), written when we were dealing with a major E-Mail Protection issue on TMG. Due to the nature of the integration between Forefront TMG and the E-Mail Protection feature (Forefront for Exchange and Exchange Edge), I also wrote this presentation to assist you while troubleshooting this feature.

    The good news is that Forefront TMG 2010 SP2 brings you the following fixes, which will alleviate many of the issues that this integration had in the past:

    • 2591744 FIX: The Email Policy Integration feature that redirects spam email messages to a quarantine mailbox address does not work when Forefront Protection for Exchange 2010 is installed on Forefront Threat Management Gateway 2010
    • 2591719 FIX: "0x80070057 (The parameter is incorrect)" error message is logged, and the Forefront TMG Managed Control service cannot start, when you enable and configure the "Email Policy" feature for Forefront Threat Management Gateway 2010
    • 2619992 FIX: The email policy configuration is reapplied when you configure email policy settings in Forefront Protection for Exchange that are not configured in a Forefront Threat Management Gateway 2010 environment
    • 2591729 FIX: The Exchange Edge default Receive connector is disabled unexpectedly when the "Email policy integration" feature is not configured in Forefront Threat Management Gateway 2010

    Go get SP2 and enjoy it!!

  • Yuri Diogenes's Blog

    The Path to the Public Cloud

    • 4 Comments

    One of the presentations that I delivered this year at TechED Brazil was about On-Premise Security while Migrating to the Cloud. There are many reasons to migrate to the cloud, and during this presentation I emphasized the three core elements below:

    New Economics

    • Pay for what you use
    • Lower and predictable costs
    • Accelerate speed to value

    Reduced Patch Management

    • No patching, maintenance
    • Faster deployment
    • Robust multi-layered security
    • Reliability and fault-tolerance

    Increase Productivity

    • Latest software for users
    • Internet collaboration
    • Anywhere access
    • Instant self-provisioning

    While those core elements sound very good, we must also be alert to the new challenges that come with this adoption, such as:

    New Threat Landscape

    • Internal Threats
    • On-premise Security
    • Endpoint Protection
    • Trusting Vendor’s Security Model
    • Obtaining Support For Investigation
    • Indirect Administration Accountability

    The presentation really focused on the second bullet (on-premise security). Some of the reasons why this is still an important point to address include:

    • Key parts of the overall solution still remain on premises
      • Parts which, if broken, would compromise the security of the entire solution
    • The customer organization is very likely the weakest link in the security model
    • Attackers know this and are actively targeting end users and on-premise servers

    The misconception that migrating to the cloud means offloading your security to the cloud provider is just plain wrong. You need to be diligent, because at the end of the day it is your data that could get compromised if you relax your on-premise security. You should adopt a defense in depth approach: every element from the endpoint to the cloud must be secured, not only the hosts but also the path and the remote clients. Here is a typical example of how this looks:

    There are five key elements in this diagram:

    • Internal client security: you must continue the effort to protect your on-premise clients. Nowadays the end user is far more exposed to social engineering attacks, and a single mistake by one of them can compromise your company’s data.
    • Server Security: most likely there will still be some servers running on-premise (legacy applications, file servers, etc.). You must adopt security policies and best practices to protect those servers.
    • Edge Security: regardless of which edge solution you use, always try to pick one that can offer the elements described in the diagram above.
    • Remote Client Security: while most of your internal clients will benefit greatly from accessing cloud services without having to connect to the internal network, there will still be scenarios where the internal client accesses some kind of resource located in the internal network. You must validate this access before allowing the client computer to reach those internal resources.

    In summary, the path to the cloud requires a lot of planning to make sure that your users have a seamless experience while you keep your data secure.

  • Yuri Diogenes's Blog

    A new blog to feed the community

    • 2 Comments

    Hello Folks,

    I want to give you a quick update on a new blog that our friends from the TechNet Wiki have put out there. A lot of IT Pros (and Devs) still don’t know the full potential of the TechNet Wiki, and I think this blog will clarify a lot of that. So, start by reading the post below:

    http://blogs.technet.com/b/wikininjas/archive/2011/10/30/welcome-to-wiki-ninjas.aspx

    Once you finish that, take a look at the interview that I gave to the Wiki Ninja Ed Price and understand why I think this platform rocks:

    http://blogs.technet.com/b/wikininjas/archive/2011/10/31/monday-interview-with-a-wiki-ninja-yuri-diogenes.aspx

    …and if you still have questions about how to contribute, watch the interview that I gave to David Tesar last March.

    Enjoy the TechNet Wiki!

  • Yuri Diogenes's Blog

    Windows Threats and Countermeasure Session

    • 0 Comments

    Last week I was in Brazil and had a chance to participate in the biggest Microsoft event in Latin America, TechED Brazil. One of the sessions that I delivered there was SIA301 (more info in Portuguese in this post), where I co-presented with Alberto Oliveira, a Microsoft Forefront MVP.

    We divided the session into two main parts: first we talked about the current security landscape and some major security threats, and in the second part we talked about Windows Security. One of the things we covered in the Windows Security part was the Threats and Countermeasures Guide. The team I work for at Microsoft is responsible for maintaining this content, available here. I also want to use this opportunity to raise awareness that our team is reviewing this content and you have a chance to give feedback about it; please read this post and make sure to participate.

    During this presentation we talked about the fact that spam is still a big threat, mainly because of the social engineering behind many phishing e-mails. One of the videos we showed on this subject was the recent case in which Microsoft took down the Rustock botnet. You can watch the video below:

    Another subject we covered was the importance of thinking about security right at the beginning of a project, when you are writing the code for your application. For that we presented the SDL concept and demonstrated the SDL Threat Modeling Tool. In this video you can see a demo of this tool and how to use it.

    Throughout the next few days I will be posting more about TechED Brazil and the content that I delivered there. Stay tuned!

  • Yuri Diogenes's Blog

    Unable to send messages from Outlook behind Forefront TMG after migrating to Cloud Services

    • 0 Comments

    Introduction

    Consider a scenario where a customer migrated from on-premise Exchange to Exchange Online, and after the migration the users experience issues while sending e-mail. During peak times Outlook clients can’t send e-mails; messages get stuck in the Outbox. While this issue was happening, event 31212 also showed up on TMG:

    One important point to add is that while this issue was happening users were able to browse HTTP sites, but not HTTPS.

    Data Collection

    For this scenario we will most likely need:

    • Client: Network Monitor trace on the client
    • Server:
      • TMG Data Packager
      • Perfmon
      • User mode dump


    Data Analysis

    When analyzing data of this nature you need to add to perfmon the core OS subsystems (memory, network, processor and disk), as well as the core Forefront TMG components. The diagram below shows an interesting trend: the Memory Pool for SSL Requests counter (the black line) starts to decrease, climbs back to 100%, and then suddenly drops to zero.

    This is exactly the time when users start to experience issues with Outlook messages getting stuck in the Outbox.
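    The correlation described above (pool counter hitting zero, then event 31212 appearing) can be checked programmatically rather than by eye. The following is an added example, not code from the original post: the perfmon CSV layout, the counter name, the timestamps and the event entries are all constructed for illustration, and real TMG exports will differ.

```python
"""Correlate a perfmon-style SSL memory pool counter with TMG event 31212 entries."""
import csv
import io
from datetime import datetime, timedelta

# Constructed perfmon CSV export (counter name and values are made up):
# column 1 = sample time, column 2 = SSL request memory pool, percent available.
PERFMON_CSV = """\
"(PDH-CSV 4.0)","\\\\TMG01\\Forefront TMG Web Proxy\\Memory Pool for SSL Requests (%)"
"10/25/2011 08:00:00","100"
"10/25/2011 08:05:00","70"
"10/25/2011 08:10:00","35"
"10/25/2011 08:15:00","100"
"10/25/2011 08:20:00","0"
"10/25/2011 08:25:00","0"
"""

# Constructed TMG event log entries: (time, event id). 14148 is just noise here.
EVENTS = [
    ("10/25/2011 08:21:10", 31212),
    ("10/25/2011 08:23:45", 31212),
    ("10/25/2011 08:02:00", 14148),
]

FMT = "%m/%d/%Y %H:%M:%S"

def parse_counter(text):
    """Return [(datetime, value)] from a two-column perfmon CSV, skipping the header."""
    reader = csv.reader(io.StringIO(text))
    next(reader)
    return [(datetime.strptime(ts, FMT), float(val)) for ts, val in reader]

def pool_exhaustion(samples, floor=0.0):
    """First timestamp at which the pool falls to `floor` after being above it."""
    for (_, prev), (ts, cur) in zip(samples, samples[1:]):
        if prev > floor and cur <= floor:
            return ts
    return None

def events_after(start, events, event_id=31212, window=timedelta(minutes=15)):
    """Entries with `event_id` logged within `window` after `start`."""
    hits = [datetime.strptime(ts, FMT) for ts, eid in events if eid == event_id]
    return [t for t in hits if start <= t <= start + window]

def correlate(csv_text=PERFMON_CSV, events=EVENTS):
    """Return (exhaustion time or None, list of 31212 events that followed it)."""
    exhausted_at = pool_exhaustion(parse_counter(csv_text))
    if exhausted_at is None:
        return None, []
    return exhausted_at, events_after(exhausted_at, events)
```

    With the constructed data the pool exhausts at 08:20:00 and both 31212 entries fall inside the following 15 minutes, which is the pattern the post attributes to the SSL pool running out.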

    Solution

    This problem happens because TMG was running out of memory pool for SSL requests. To fix it you need to change the registry key ProxyVmvmAlloc1pSize to a higher value (the default is 1024). You can follow the guidelines in KB842438 (which also applies to TMG) to adjust this value, or you can install Forefront TMG 2010 SP2 (just released), which changes this value to 4096. In this particular case we noticed that after changing the value to 4096 the users didn’t experience the problem anymore, and the server’s perfmon started looking much better even under heavy load, as shown below:

    Takeaway

    There are a couple of key takeaways regarding this scenario that I want to call out:

    • Don’t go directly to the cloud without proper planning; you might experience issues like the one described in this article and could easily conclude that the cloud service is the one causing the problem.
    • Remember that when you start moving your main applications (Exchange, CRM, SharePoint, etc.) to the cloud, the traffic from inside to outside will increase, and your edge device (regardless of which one you use) needs to be ready for that.

    Planning is definitely the key to a successful migration, but to plan well you really need to know your own environment, your traffic profile and your growth plan. To reduce the impact during the cloud migration you should be able to determine those and perform the migration in different waves (not all users nor all applications at the same time).

  • Yuri Diogenes's Blog

    UAG and SQL Injection

    • 0 Comments

    Hello folks!

    A long time ago I wrote this post about how IAG 2007 Can Mitigate Against SQL Injection Attacks; the post was also presented during TechED Brazil 2008, where I showed the demo live. Today I’m here to challenge you, and here is the deal:

    The first person who writes this article, posts it on the TechNet Wiki and sends me a message via Twitter saying: @yuridiogenes, here it goes the UAG and SQL Injection article [link_to_the_article_at_TNWIKI] #TNWIKI , will receive by mail a signed copy of the UAG Deployment Guide book.

    Make sure to:

    • Test your findings before you post. You must use UAG 2010 and update all screenshots for UAG 2010.
    • You can copy the text from the original post that I wrote, that’s not a problem; just keep the reference and keep the page well formatted.
    • Write the article at TechNet Wiki; if you write it on your own blog you won’t be eligible for the book.

    Are you in?

    Remember, I will give the book to the first person who tweets me the phrase I mentioned above. There is no deadline; the first one will get it…so run and do it!

  • Yuri Diogenes's Blog

    How does the SIR (Security Intelligence Report) work?

    • 0 Comments

    This week was all about the new SIR 2011 edition, with lots of buzz about Microsoft’s findings and interesting perspectives on them. I use the SIR findings in many situations; recently, when I was presenting at TechEd Brazil, I had at least two slides whose content came from the SIR 2010 report. The graphic below summarizes how the SIR gathers data to produce this great piece of content.

    If you didn’t download the report yet, go ahead and do it now using one of the following versions:

    Security Intelligence Report v11 (Full Report)

    Key findings summary in different languages

    Also take some time to watch the video below about the new SIR Report and some of the findings:
