Check out this nice tool that allows you to analyze IIS logs and see if your ASP pages were the victim of a SQL injection attack:
http://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=WSUS&ReleaseId=13436
1. Introduction
IAG 2007 SP2 hits the ground running, with many customers applying it and realizing that this service pack not only introduces lots of changes but also has some UI changes. It’s all about a better experience for the end user and the administrator. In this post I’m going to talk about three major UI enhancements:
· Getting Started Wizard
· Network Configuration
· Policy Editor
2. Getting Started Wizard and Network Configuration
The new Getting Started Wizard has the same format as the TMG Getting Started Wizard (already in RTM with TMG MBE). The idea is to assist the administrator in correctly configuring IAG 2007 through an organized set of procedures. You can access it by choosing the Getting Started Wizard option in the Admin menu, as shown below:
Figure 1 – Accessing Getting Started Wizard.
The first screen has the core steps that this wizard will guide you through:
Figure 2 – Getting Started Wizard.
Instead of guiding you through each window, I will leave it open for you to explore this feature. The step by step is very intuitive and I doubt you will get stuck while following this wizard. It is important to mention that before you even run this wizard you should have the following elements already defined:
· How your IAG network configuration will be used - what is considered internal and what is considered external?
· Domain membership - what is the domain name that IAG will belong to?
· Trunk configuration - which IP are you going to use to create the trunk?
· Application – what application are you going to publish?
What is interesting is that the first option in this wizard can also be accessed individually from the Admin menu by choosing the Network Configuration option. The screen below will appear:
Figure 3 – Network configuration.
Either here or in the Getting Started Wizard you can specify the network configuration for your IAG 2007.
3. Policy Editor
The other UI change that SP2 introduced is the new Policy Editor. This UI was improved to make it easier for the administrator to create new policies based on a specific platform, such as Windows, Mac, Linux and Other (see square A in the figure below). It also allows you to create a new policy from an expression without having to use a different window, as was the case before (see square B in the figure below):
Figure 4 – New Policy Editor.
4. Conclusion
The goal of this post is just to present some of the new UI enhancements in IAG 2007 SP2 and show how the product is getting more mature by offering a better user experience. Go ahead and try SP2; I’m sure you will not regret it.
Quick post just to bring awareness about this new KB, which explains how to manually remove Conficker. Follow the steps from:
http://support.microsoft.com/kb/962007
The reason why I’m saying “demystifying” is that many people still have wrong concepts and therefore make wrong assumptions about how networks are configured on ISA Server/TMG. Although this is well documented on TechNet (since it is a core concept), sometimes, due to the massive amount of information, you feel like: ah… I already know all this, I don’t need to read it.
Wrong assumption, and this takes me back to the days when I was a professor at a university in Brazil. I was teaching Operating Systems using Tanenbaum’s classic OS book, and I remember a student who clearly thought he knew all that stuff. He didn’t attend much, and when he did attend he didn’t pay attention. Well, that’s fine, let’s give him the benefit of the doubt and assume that he knows what he is doing. Six months later he came to me saying that he needed help to better understand preemptive multitasking, and confessed that he had missed that class because he thought he knew it and preferred to do other stuff that day. Moral of the story: never think that you know everything, even if the subject is the same one you have read or heard about many times. The person writing or telling you something usually has a different perspective and insight on the same subject, and can show you things that you didn’t realize before.
Sorry, off topic, but I couldn’t resist. Anyway, since I’m a lover of self-explanatory pictures combined with a decent walkthrough, I think this is probably one of the most intuitive explanations of the networks concept on ISA/TMG. I’m talking about the series of two articles written by my friend Tom Shinder that will help you digest all you need to know about networks on ISA.
Check it out here:
http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part1.html
http://www.isaserver.org/tutorials/Overview-ISA-TMG-Networking-ISA-Networking-Case-Study-Part2.html
This is another one of those cases where the ISA Server service mysteriously crashes once a day, at the same time, and nothing changed in the environment. This just makes me really feel that the lack of communication between the teams that deal with technology is going far beyond what it should be. Many companies are investing money in putting security in place by adding layers and layers of technology, but they are still missing two important elements: process awareness and change control procedures. The absence of those elements can directly impact the availability of the environment. Why availability? Well, I will tell you later when I finish this post.
2. Analyzing the Data
In this case the ISA Server service was crashing with the following errors:
Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 14197
Date: 01/10/2009
Time: 2:58:03 AM
User: N/A
Computer: MYISA
Description:
ISA Server was unable to write content to the cache file.
Event Source: Microsoft Firewall
Event ID: 14057
Time: 2:52:37 AM
The Firewall service stopped because an application filter module C:\Program Files\Microsoft ISA Server\w3filter.dll generated an exception code C0000005 in address 64754CD5 when function CompleteAsyncConnect was called. To resolve this error, remove recently installed application filters and restart the service.
Event 14057 is clear about one thing: this was an access violation exception (C0000005) in the filter module W3Filter.dll. That is too broad; it can be many things, including issues with the filter itself, so we need to get a crash dump of this guy to better understand what is going on. Following the approach from one of my posts, we can use DebugDiag to attach to wspsrv.exe and get the dump. After getting the dump you can use this other post as an example of how to analyze it. Unfortunately this is one of the cases where the public symbols don’t help that much, as you can see below:
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
2b37fe10 6476e6df 27441f80 647717fe 275a5558 0x3a6169
2b37fe24 64778438 00000001 2bf579a0 64703de0 W3Filter!DllUnregisterServer+0x45ede
2b37fe90 0046d701 275a5558 00000000 00000040 W3Filter!DllUnregisterServer+0x4fc37
2b37fefc 0046e461 00000000 00000000 00000000 wspsrv+0x6d701
2b37ff20 0046e568 2bf57818 0046e3d7 2b37ff50 wspsrv+0x6e461
2b37ff30 0046d4ba 00000000 00000000 00000000 wspsrv+0x6e568
2b37ff50 00455fd7 2bf578bc 00000000 00000000 wspsrv+0x6d4ba
2b37ff7c 00456c8e 2bf578bc 00000000 00000000 wspsrv+0x55fd7
2b37ffb8 77e64829 00000015 00000000 00000000 wspsrv+0x56c8e
2b37ffec 00000000 00456b26 00000015 00000000 kernel32!GetModuleHandleA+0xdf
FAULTING_THREAD: 00001d88
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_BAD_INSTRUCTION_PTR_CODE_RUNNING_ON_STACK
FOLLOWUP_IP:
W3Filter!DllUnregisterServer+45ede
6476e6df 8b4624 mov eax,dword ptr [esi+24h]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: W3Filter!DllUnregisterServer+45ede
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: W3Filter
IMAGE_NAME: W3Filter.dll
STACK_COMMAND: ~50s; .ecxr ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: W3Filter.dll!base_address_c0000005_SOFTWARE_NX_FAULT
The !analyze result shown above will give you the impression that W3Filter.dll is the culprit, but it is exactly the opposite: this guy is only a victim.
3. Conclusion
After deeply analyzing the dump using the private symbols we came to the conclusion that someone was locking the cache file when the Web Filter was trying to write to it. Guess who was locking it? Once upon a time there was a system administrator who was following a plan he received from his management to install backup software on all Windows Servers, so he installed this backup software on ISA and configured a job to run every night…
The backup software was backing up the whole server (all hard drives), including the drive where the ISA cache was located. For this reason the customer was saying that the issue only happened when the ISA Server cache was enabled; if they disabled the cache the issue didn’t happen. Well, that makes sense, and the recommendation to exclude the cache from backup is not new; as a matter of fact the article that recommends this has been out there since October 2004, and it is the following one:
Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server computer
http://support.microsoft.com/kb/887311
Now the answer to: why availability? Because the ISA Server service in this case was crashing due to the addition of a new product on the ISA box without testing it in a lab environment (where is the change control procedure?). The Windows OS maintenance was the responsibility of the system administrator, who with all the good intentions configured the backup software to back up the whole hard drive. However, the firewall admin wasn’t aware of this addition since it was out of the scope of his duty (where is the process awareness?), and he swore since the beginning that nothing had changed in the environment and ISA was crashing for no reason :(. But this story had a happy ending at least, so let’s finish this post with a smiling face :).
The February 2009 issue of Microsoft TechNet Magazine is online now, and the Security Watch column brings an article about Malware Inspection on TMG MBE written by myself, Mohit Saxena and Jim Harrison:
For more information check:
http://technet.microsoft.com/en-us/magazine/2009.02.securitywatch.aspx
If you read the article you will see at the end that we are writing the forthcoming MSPress TMG book, and we are glad to have Tom Shinder on board as tech reviewer, bringing with him all the experience of all these years working in the ISA community and leading isaserver.org.
Yuri Diogenes, Mohit Saxena, Jim Harrison and Tom Shinder
This picture was taken last year in Seattle when we were at the TMG CTP3 event for the TAP program. We are enjoying working on this project and I hope you like the book when it comes out.
Happy New Year everybody!
I hope you enjoyed your New Year’s Eve, because now you might want to take a look at this worm that is causing lots of headaches for IT admins. MMPC (Microsoft Malware Protection Center) has a report about this malware and how to proceed to avoid infestation:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B
The good news is that ISA Server and TMG can block outbound requests from this worm, and last night (before midnight) our IR (Incident Response) team, in partnership with the ISA Server team, put together an action plan to allow ISA/TMG to block them. Jim Harrison automated this process by creating a script that you can use to create policies to block Conficker; you can download it from here:
http://jim.isatools.org/tools/block_conficker.vbs
Enjoy your day off, and be sure to implement those actions ASAP.
We just published a new article on the Tales from the Edge community site that describes how to troubleshoot LDAPS authentication through ISA Server 2006. Check it out at:
http://technet.microsoft.com/en-us/library/dd316279.aspx
One last Christmas present for IAG administrators!! The IAG TechNet Library was launched this month and will be the main source of documentation for IAG. This means that the old PDFs for IAG will no longer be updated; those PDFs are still valid for reading and understanding the core concepts of IAG and for building a foundation in the product, but from now on make sure to add the link below to your favorites:
http://technet.microsoft.com/en-us/library/cc303240.aspx
This post is about an interesting case where a customer was publishing a web site through ISA Server 2006 and wanted to receive an authentication prompt when users access the web site rather than showing the Forms Based Authentication page. No problem with that, but the issue was that when external users tried to access the web site by typing the URL, one authentication prompt showed up (which was expected), and after typing the credentials and clicking OK another authentication prompt showed up again (which was not expected). Here is the authentication window that appeared when trying to log on:
Figure 1 – First authentication window.
After authenticating in this window, the same prompt comes up again and again. If the user keeps trying to authenticate it will end up with the error message below:
Figure 2 – Second authentication window.
If you read this error message carefully you will see that it shows the 401.2 Unauthorized from IIS. This should already raise a flag that the issue might not be on ISA. However, to be on the safe side, let’s move on to the data gathering.
2. Gathering Information
In scenarios like this, where the error message is flagged by IIS, the first thing you should do is review the IIS logs and see if the traffic is indeed reaching the back end web server. By default IIS logs are located at %systemroot%\system32\LogFiles\W3SVC1, however it is always good to double check where the Web Admin stored this file. Open IIS Manager, go to the Web Site’s properties and click the Properties button under the Web Site tab / Enable Logging section, as shown in Figure 3.
Figure 3 – IIS Log Location
After opening this folder, check the log file that corresponds to the latest access from the test that you did from outside and check whether you see the error code (401) in there. See where you should look in Figure 4:
Figure 4 – IIS log with detailed information.
That’s nice to see (at least for the ISA admin :)); now we know for sure that ISA is not the one sending the 401 to the client. But then comes the question from the Web Admin: why does it work just fine from the internal network?
To be able to answer that you need to review the IIS configuration and check whether it matches the ISA publishing rule. Let’s see the relevant parts for ISA Server first:
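The log review above can be scripted. The following is an added example, not a tool from the original post: it parses an IIS 6.0 W3C log by its #Fields directive and pulls the 401 entries (with their sc-substatus, so 401.2 is distinguishable from 401.1) for one client address. The log text, the site port 82, the user names and the addresses are constructed for the example.

```python
"""Find IIS W3C log entries where IIS itself answered HTTP 401.

Added example for this post; the log below is constructed, not the
customer's log. It reproduces the check from Figure 4: did the external
request reach IIS, and did IIS answer 401.2 (sc-substatus 2)?
"""
from collections import Counter

# Constructed sample. IIS writes '-' for an empty field and '+' for a
# space inside a field; the #Fields line names the columns. 10.0.0.7 is
# assumed to be the ISA Server internal address, 10.0.0.20 an internal
# client. sc-win32-status 5 is ERROR_ACCESS_DENIED.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-12-15 14:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-12-15 14:02:11 10.0.0.5 GET /default.htm - 82 CONTOSO\alice 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2008-12-15 14:02:30 10.0.0.5 GET /default.htm - 82 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-12-15 14:02:33 10.0.0.5 GET /default.htm - 82 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-12-15 14:02:36 10.0.0.5 GET /default.htm - 82 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+7.0) 401 2 5
2008-12-15 14:10:02 10.0.0.5 GET /default.htm - 82 CONTOSO\bob 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the #Fields names."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        entry = {}
        for name, value in zip(fields, values):
            if value == "-":
                value = None
            elif name.startswith("cs("):
                value = value.replace("+", " ")  # header fields encode spaces as '+'
            entry[name] = value
        entries.append(entry)
    return entries


def auth_failures(entries, client_ip=None):
    """Entries where IIS answered 401, optionally restricted to one c-ip.

    The code is reported as '401.<substatus>' because 401.2 (server
    configuration / authentication method) and 401.1 (logon failed)
    point at different causes."""
    out = []
    for e in entries:
        if e["sc-status"] != "401":
            continue
        if client_ip and e["c-ip"] != client_ip:
            continue
        out.append({
            "time": e["date"] + " " + e["time"],
            "uri": e["cs-uri-stem"],
            "client": e["c-ip"],
            "code": "401." + (e["sc-substatus"] or "0"),
            "win32": e["sc-win32-status"],
        })
    return out


def status_histogram(entries):
    """Count sc-status.sc-substatus pairs: a quick view of what IIS returned."""
    return Counter(
        e["sc-status"] + "." + (e["sc-substatus"] or "0") for e in entries)


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(status_histogram(rows))
    for failure in auth_failures(rows, client_ip="10.0.0.7"):
        print(failure)
```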
Figure 5 – Listener used in this scenario.
As you can see, in this case we are using HTTP Basic and Windows Authentication as the validation method.
Figure 6 – Delegation Tab in the Publishing Rule.
ISA is not delegating credentials; it is passing the traffic through to the web server and letting the web server authenticate the request.
Figure 7 – Users Tab in the Publishing rule.
Since the listener is requesting authentication, we have All Authenticated Users here by default. Now let’s see the only part that really matters in this case for the IIS configuration, which is Directory Security:
Figure 8 – Authentication on IIS.
3. Wrapping Up
As you could see in Figure 8, IIS is using Integrated and Basic authentication; this means (per KB258063):
Windows Integrated authentication, also known as Windows NT Challenge/Response, must be enabled in the Web site properties in IIS. Anonymous authentication is attempted first, followed by Windows Integrated authentication, Digest authentication (if applicable), and finally Basic (clear text) authentication.
This pretty much explains why it works internally: the internal client, which is already logged on to the domain, will use Windows Integrated first and will authenticate. When we try to connect from outside, ISA requests the first authentication (based on the listener configuration, which is using Basic); since ISA Server is not delegating, it sends the authentication request to IIS, which prompts again for authentication. IIS fails to negotiate the authentication method with the client (IE) and prompts again; at that point the attempts to authenticate are logged in the IIS logs, as we saw. ISA Server externalizes that the user could not be authorized by logging the event below:
Figure 9 – ISA Logging.
There are two ways to resolve that: changing the directory security on IIS or changing the delegation on ISA Server. Most of the time administrators prefer to make changes on ISA Server, which is understandable. The options on ISA could be:
· Change the Users tab to All Users: not good, since we want to pre-authenticate and allow only authorized users.
· Change the Authentication Delegation to Basic: not good, since internally the traffic is not encrypted (he is using HTTP on port 82).
· Change the Authentication Delegation to NTLM: the best option for this scenario. It will resolve the issue and keep the traffic secure.
After agreeing on this option, we just need to open the publishing rule properties and change the delegation to NTLM, as shown below:
Figure 10 – New Delegation Tab.
After making this change and applying it, the traffic flowed perfectly and we could see the HTTP 200 in the IIS logs, as shown below:
Figure 11 – Successful authentication.
4. Additional References
Here are some great resources for troubleshooting IIS authentication issues:
Troubleshooting HTTP 401 errors in IIS
401.1 and 401.2-Authentication Problems (IIS 6.0)
HTTP Status Codes in IIS 6.0 (IIS 6.0)
This post could easily be called “Slow Internet through ISA Server”, but I decided to change the title and the focus. I’m doing that for a simple reason: people still think that only Windows systems need to be patched. What an untrue statement this is, and I’m more and more convinced that if you don’t think secure at all layers you will sooner or later be owned.
This post is about a phone call with a friend of mine that was supposed to take just 10 minutes but took one hour to finish. He was having a problem on his network and, as usual, “nothing changed” but “Internet access stopped working”. Believe it or not, this is one of the rare scenarios where this was true. Nothing really changed on his network or on his ISA Server, but suddenly his ISA was timing out for all Internet access requests.
His topology was like this:
ISA Server was only in use for proxy/cache purposes; all the web proxy clients were pointing to this ISA box to have Internet access. According to some tests that were done, if we pointed directly to his edge firewall as the gateway he was able to access the Internet.
The Problem
After capturing a simple Netmon trace while a client was trying to access the Internet, I could see a very interesting behavior:
16:56:53.121 192.168.1.1 192.168.1.10 ICMP ICMP:Redirect Message
16:56:53.136 192.168.1.1 192.168.1.10 ICMP ICMP:Redirect Message
16:56:53.152 192.168.1.1 192.168.1.10 ICMP ICMP:Redirect Message
16:56:53.168 192.168.1.1 192.168.1.10 ICMP ICMP:Redirect Message
There were tons of those ICMP Redirect packets from the router to the ISA Server while the communication was happening. This was a déjà vu for me; those ICMP packets flowing in the network reminded me of the old times when Windows NT was vulnerable to ICMP attacks and we had lots of server hanging issues. Anyway, by opening the ICMP packet it was possible to see an even more interesting detail:
+ Ipv4: Src = 192.168.1.1, Dest = 172.16.4.80, Next Protocol = ICMP, Packet ID = 43969, Total IP Length = 56
- Icmp: Redirect Message
Type: Redirect Message, 5(0x5)
Code: Redirec datagrams for the host 1(0x1)
Checksum: 43532 (0xAA0C)
GatewayIPAddress: 192.168.1.111
The gateway address (the GatewayIPAddress field, shown in red above) is explained in RFC 792 as “Address of the gateway to which traffic for the network specified in the internet destination network field of the original datagram's data should be sent.”
Looking at the diagram you might be thinking: who is 192.168.1.111? Well, that was exactly my question. To my surprise, it was a workstation!! We unplugged this workstation from the network, disabled ICMP redirects on the router (#no ip icmp redirect), restarted the router, and everything started to work just fine. Hmm, not ISA Server again, right? Exactly!!
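The ICMP redirect decode above can be checked automatically from a capture. The following is an added example, not a tool from the original post: it parses an IPv4/ICMP type 5 message as RFC 792 lays it out (gateway address, then the original datagram's header), verifies the ICMP checksum, and flags any redirect whose gateway is not one of the routers you know about. The packet bytes are constructed here to mirror the trace (router 192.168.1.1, ISA at 172.16.4.80, gateway 192.168.1.111, code 1 = host redirect); the Internet destination 203.0.113.10 is an assumption.

```python
"""Parse ICMP Redirect (type 5) messages and flag unexpected gateways.

Added example for this post, not a tool from the original. The packets
are constructed below; this is not the author's Netmon capture.
"""
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=43969):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_redirect(code, gateway, original_datagram):
    """ICMP type 5: type, code, checksum, gateway, then the original IP
    header plus 8 bytes of its data (RFC 792)."""
    body = socket.inet_aton(gateway) + original_datagram[:28]
    csum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, code, csum) + body


def parse_redirect(packet):
    """Return a dict describing an IPv4/ICMP redirect, or None otherwise."""
    if len(packet) < 28:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    if inet_checksum(icmp) != 0:
        return None  # corrupt frame: do not act on its gateway field
    code = icmp[1]
    inner = icmp[8:]  # original datagram: its dst tells what is being steered
    inner_dst = socket.inet_ntoa(inner[16:20]) if len(inner) >= 20 else None
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "code": code, "scope": REDIRECT_CODES.get(code, "unknown"),
            "gateway": socket.inet_ntoa(icmp[4:8]), "original_dst": inner_dst}


def audit_redirects(packets, known_routers):
    """Flag redirects that steer traffic to a gateway we do not recognise,
    which is exactly the symptom in this post (a workstation as gateway)."""
    known = {ipaddress.ip_address(r) for r in known_routers}
    alerts = []
    for pkt in packets:
        info = parse_redirect(pkt)
        if info and ipaddress.ip_address(info["gateway"]) not in known:
            alerts.append(info)
    return alerts


# Constructed traffic: the datagram ISA sent (TCP 2050 -> 80 to an Internet
# host), then the router's redirect pointing ISA at the workstation.
_original = build_ipv4("172.16.4.80", "203.0.113.10", 6,
                       struct.pack("!HH", 2050, 80) + b"\x00" * 4)
SAMPLE_REDIRECT = build_ipv4("192.168.1.1", "172.16.4.80", 1,
                             build_icmp_redirect(1, "192.168.1.111", _original))
SAMPLE_ECHO = build_ipv4("192.168.1.1", "172.16.4.80", 1,
                         struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for a in audit_redirects([SAMPLE_REDIRECT, SAMPLE_ECHO], {"192.168.1.1"}):
        print("suspicious redirect: %(src)s says reach %(original_dst)s "
              "via %(gateway)s (%(scope)s)" % a)
```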
Conclusion
His old Cisco router was completely out of date and vulnerable to Cisco IOS route manipulation via ICMP redirects. That’s an old vulnerability that was already fixed, but as I said at the beginning of the post: people sometimes think that only Windows systems need to be patched. Although this is a buddy of mine, I told him that he forgot to do his homework in this case and that it was pretty much his fault. The next course of action for him was to scan that network to see whether there was any kind of malware on it, and also to update the router and switches.
Do you want to know how TMG plays in the EBS solution? If you do, then next week is your chance to get a full clarification from Amy Babinchak and Tom Shinder in a live presentation. For more information check out Tom’s blog:
http://blogs.isaserver.org/shinder/2008/12/09/amy-babinchak-and-tom-shinder-present-on-the-ebs-tmg-firewall/
I would like to share with you this article that I wrote for the Microsoft Security Tip of the Month (November 2008). This article was reviewed by Yury Berezansky, Senior Developer on the TMG team in Haifa and responsible for the Malware Inspection feature in TMG.
Check out the complete article here:
http://technet.microsoft.com/en-us/library/dd253247.aspx
1. Another error 64?
After posting one of the reasons why ISA Server 2006 can come up with the generic error 64 in one of my posts, some readers asked me whether this is the ultimate reason for this error. The answer is: it is not! Since error 64 is generic, it needs to be carefully interpreted; my previous post about this error mentions “error 64” with the message “host not available”.
This post will explain in more detail why the error message below, shown in the ISA Server 2006 logging, could occur while you are browsing the Internet.
Figure 1 – Another error 64.
The error above was caught while the user was trying to browse www.fabrikam.com and download the Windows XP SP2 file. To simulate this problem I used the following lab:
Figure 2 – Lab used to simulate this problem.
2. Understanding the nature of this error
Error 64, "The specified network name is no longer available", is a Win32 error originally called ERROR_NETNAME_DELETED; this error is mapped in winerror.h as:
//
// MessageId: ERROR_NETNAME_DELETED
// MessageText:
// The specified network name is no longer available.
At the network level, this problem could be caused by:
Network connectivity problems have various causes, but they typically occur because of incorrect network adapters, incorrect switch settings, faulty hardware, or driver issues. Some connectivity symptoms are intermittent and do not clearly point to any one of these causes.
Per KB325487.
Which means that this is more at the TCP/IP level, which is controlled by the Windows OS rather than by ISA Server itself.
3. Simulating the Problem
To simulate this problem I used a tool called Network Emulator for Windows and added high latency and random packet loss. Besides that, I also used the Web Application Stress Tool to add more load to my web server and really simulate a situation where the server is busy. Now let’s take a look at the Netmon trace taken from the external interface of the ISA Server:
ISA Server sends the HTTP GET to the destination server:
12:39:13.355 192.168.1.113 192.168.1.95 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Via: 1.1 ISACONTN1
If-None-Match: "304054985f13c91:4b2"
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: www.fabrikam.com
If-Modified-Since: Wed, 10 Sep 2008 16:09:25 GMT
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF
Destination server sends the answer:
12:39:13.745 192.168.1.95 192.168.1.113 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /
An HTTP GET is sent to get the XP SP2 file:
12:39:31.751 192.168.1.113 192.168.1.95 HTTP HTTP:Request, GET /XPSP2.zip
Destination server answers:
12:39:32.142 192.168.1.95 192.168.1.113 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /XPSP2.zip
The file starts to be transferred:
12:39:32.242 192.168.1.95 192.168.1.113 TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=2050
12:39:32.242 192.168.1.113 192.168.1.95 TCP TCP:Flags=...A...., SrcPort=2050, DstPort=HTTP(80)
Suddenly the destination server resets the connection:
12:39:32.424 192.168.1.95 192.168.1.113 TCP TCP:Flags=.....R.., SrcPort=HTTP(80), DstPort=2050
12:39:32.584 192.168.1.95 192.168.1.113 TCP TCP:Flags=.....R.., SrcPort=HTTP(80), DstPort=2050
At this point the session was lost and the error shown in Figure 1 appeared in the log.
What is important for you after reading this post is to really understand that, for scenarios like this, ISA Server only externalizes the problem. You need to focus on the real problem, and start by verifying:
· Which device is between ISA and the Internet?
o Don’t think that just because you have only a router in front of ISA Server you will be “free of errors”. Routers do have updates and potential problems as well.
· Can you sniff the outside traffic to get the real picture of what comes into your network before it hits the external interface of ISA Server?
o If you get the Netmon trace only on the external interface of ISA and you have more devices in front of it, you could be masking the real issue since you can’t see the clear traffic.
· If ISA really is the edge device, make sure that the network interface card is updated, the switch where ISA is connected is working properly, etc.
o Many administrators are only concerned with updates at the OS level and forget to address key updates to the drivers and active network devices.
Most of the time the investigation of those errors takes place around ISA Server rather than in ISA Server itself. Keep your mind open to a broader set of possibilities instead of focusing all your time and effort on troubleshooting only ISA Server.
Last week we (the ISA Server team in Texas) faced an interesting issue where remote Outlook clients using RPC over HTTPS were not able to communicate with the internal Exchange Server. Pretty challenging case, since on the ISA Server side there was nothing really obvious missing, and Netmon also didn’t help that much, but the old netstat tool was “The MAN” in alerting us about the issue. The problem ended up being caused by port exhaustion on ISA Server 2006, and netstat helped us identify that. The approach used was the same as explained in this great post from the DS team about port exhaustion.
It is important to bring up here the scalability problem when ISA is not correctly sized, mainly when you are publishing Outlook Anywhere. To really know the impact that Outlook Anywhere (AKA RPC over HTTPS) can cause, read the article Outlook Anywhere Scalability with Outlook 2007, Outlook 2003, and Exchange 2007. After reading this article, make sure to correctly size your ISA Server 2006 using the ISA Server 2006 Capacity Planning Simulator.
For tuning purposes you can also use the TcpTimedWaitDelay registry key to release TCP socket connections faster; read the article Avoiding TCP/IP Port Exhaustion for more details. Although this article is for BizTalk, the context of the problem is the same, since it is related to the Windows OS level, where the application (in this case ISA) is affected.
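The netstat check described above can be turned into a quick script. The following is an added example, not the DS team's tool or anything from the original post: it reads saved `netstat -ano` output, counts how much of the Windows Server 2003 dynamic port range (1025 to 5000 by default) is in use on the ISA box, breaks it down by TCP state and peer, and says whether the pressure comes from TIME_WAIT sockets (where TcpTimedWaitDelay helps) or from live connections (where sizing is the answer). The netstat text is generated inline as a constructed sample; the addresses and the Exchange RPC proxy ports 6001/6002/6004 it uses are assumptions.

```python
"""Estimate ephemeral-port exhaustion from 'netstat -ano' output.

Added example for this post. The netstat lines are constructed to look
like an ISA Server 2006 box proxying Outlook Anywhere to an Exchange
back end; nothing here is a real capture.
"""
import re
from collections import Counter

# Windows Server 2003 default dynamic range (MaxUserPort not changed).
DEFAULT_EPHEMERAL = (1025, 5000)

# One TCP row of 'netstat -ano'; UDP rows and the header are skipped.
LINE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({"laddr": laddr, "lport": int(lport), "faddr": faddr,
                     "fport": fport, "state": state, "pid": int(pid)})
    return rows


def port_usage(rows, ephemeral=DEFAULT_EPHEMERAL):
    """Summarise what the dynamic port range is being spent on."""
    lo, hi = ephemeral
    dyn = [r for r in rows if lo <= r["lport"] <= hi]
    by_state = Counter(r["state"] for r in dyn)
    by_peer = Counter("%s:%s" % (r["faddr"], r["fport"]) for r in dyn)
    return {"range_size": hi - lo + 1,
            "in_use": len({r["lport"] for r in dyn}),
            "by_state": dict(by_state),
            "top_peers": by_peer.most_common(3)}


def exhaustion_verdict(usage, warn_ratio=0.8):
    """(verdict, ratio, hint): TIME_WAIT-dominated usage points at
    TcpTimedWaitDelay; live-socket-dominated usage points at capacity."""
    ratio = usage["in_use"] / usage["range_size"]
    if ratio < warn_ratio:
        return ("OK", ratio, "")
    time_wait = usage["by_state"].get("TIME_WAIT", 0)
    if time_wait > usage["in_use"] / 2:
        hint = "mostly TIME_WAIT: consider lowering TcpTimedWaitDelay"
    else:
        hint = "mostly live sockets: size the box (Capacity Planning Simulator)"
    return ("EXHAUSTION_RISK", ratio, hint)


def sample_netstat(time_wait=3400, established=250):
    """Constructed 'netstat -ano' text, not a real capture: ISA (10.0.0.5)
    talking to the Exchange RPC proxy ports on 10.0.0.9."""
    head = ["Active Connections", "",
            "  Proto  Local Address          Foreign Address        State           PID"]
    rows = ["  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1892",
            "  UDP    0.0.0.0:500            *:*                                    1560"]
    port = DEFAULT_EPHEMERAL[0]
    for _ in range(established):
        rows.append("  TCP    10.0.0.5:%d        10.0.0.9:6001          ESTABLISHED     1892" % port)
        port += 1
    for i in range(time_wait):
        peer = (6001, 6002, 6004)[i % 3]
        rows.append("  TCP    10.0.0.5:%d        10.0.0.9:%d          TIME_WAIT       0" % (port, peer))
        port += 1
    return "\n".join(head + rows) + "\n"


if __name__ == "__main__":
    usage = port_usage(parse_netstat(sample_netstat()))
    print(usage["in_use"], "of", usage["range_size"], "dynamic ports in use")
    print(usage["by_state"], usage["top_peers"])
    print(exhaustion_verdict(usage))
```

To use it on a real box, redirect `netstat -ano` to a file and pass its contents to parse_netstat; adjust DEFAULT_EPHEMERAL if MaxUserPort was changed.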
My fellow friend Tom Shinder wrote this week about the articles that we were migrating from ISA to TMG, and he was surprised by TMG in Hork Mode (as he said); later he posted about the difference between TMG MBE and TMG EBS in another post. I understand the confusion, since it was not 100% clear, and this is what we are also trying to address when we review the articles. If you look at the “applies to” section it will have TMG MBE or EBS (or both).
However today we have all the remaining answers for you in the following new site:
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/threat-management-gateway-mbe.aspx
What about system requirements?
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-mbe-system-requirements.aspx
Wondering about licensing? Check more info here:
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-mbe-pricing-licensing.aspx
Enjoy TMG (with or without EBS) :)
We just released an update for ISA (2000, 2004 and 2006) and TMG MBE for the behavior that Jim Harrison explained in a post about MS08-037 on the ISA Team Blog.
They are available at:
957298
Forefront Threat Management Gateway, MBE
http://www.microsoft.com/downloads/details.aspx?FamilyId=E974422F-42B0-426C-8852-FF8E67264909
956570
ISA Server 2006 update
http://www.microsoft.com/downloads/details.aspx?FamilyId=E96A6E20-0C04-4C7D-9F3E-207B02AE29CC
956637
ISA Server 2000 update
http://www.microsoft.com/downloads/details.aspx?FamilyId=1455D4E6-A0B5-4583-82F1-EE8239FCA207
958024
ISA Server 2004 Standard Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0AB83F12-653B-4BE1-BEFE-594C4EF62BAA
ISA Server 2004 Enterprise Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=55CE3623-2F7B-4900-9A2F-7E2AA2FE9C50
Yesterday I was playing a little bit with IE8 when I received the following warning message in the IE window:
Internet Explorer has modified this page to prevent a potential cross-site-scripting attack.
Yep, that’s right: IE8 now mitigates XSS attacks by using the built-in XSS Filter. Do you want to know more about this? Check this great explanation/demo below:
http://msdn.microsoft.com/en-us/library/cc994337(VS.85).aspx
Also, you can review why the IE team adopted this new approach to prevent XSS attacks:
http://blogs.msdn.com/ie/archive/2008/09/29/statistical-validation-of-the-ie8-xss-filter.aspx
Have you ever received one of the errors below while browsing a web site?
The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.
Technical Information (for support personnel) Error Code: 502 Proxy Error. The HTTP message includes an unsupported header or an unsupported combination of headers. (12156)
This could be caused by a response from a web server that begins with a space or tab character in the HTTP header. If you have ISA Server 2006 SP1 the fix for that is already built in; however, you still need to create the registry key described in KB935693. This KB has an example of the HTTP header that was captured using Netmon and what it looks like.
Note: This KB was also reviewed for TMG MBE and also applies to it.
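If you suspect a back end server of sending such a response, the header block from a Netmon capture can be checked offline. The following is an added example, not code from ISA Server or the KB: it inspects a raw HTTP response, reports a first header line that begins with a space or tab (the layout described above) as an error, and reports any later folded continuation line as a warning, since RFC 2616 tolerated that form but proxies may not. The three responses are constructed samples; the Server header value is made up.

```python
"""Check an HTTP response for header lines that begin with a space or tab,
the malformed layout that makes ISA Server 2006 answer 502 (12156).

Added example for this post, not Microsoft's or ISA's own code. The
sample responses below are constructed; they stand in for the Netmon
capture that KB935693 shows.
"""
import re

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d [1-5]\d\d[^\r\n]*$")
# RFC 2616 token characters, allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def audit_response_headers(raw):
    """Return (line_no, severity, reason) findings for the header block.

    line_no 0 is the status line; header lines count from 1. An empty
    list means the header block is well formed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    findings = []
    if not sep:
        findings.append((0, "error", "no CRLF CRLF terminating the header block"))
    lines = head.split(b"\r\n")
    if not STATUS_LINE.match(lines[0]):
        findings.append((0, "error", "status line is not 'HTTP/x.y NNN reason'"))
    for n, line in enumerate(lines[1:], start=1):
        if line[:1] in (b" ", b"\t"):
            if n == 1:
                # Nothing precedes this line that it could be a continuation
                # of: this is the leading-whitespace case the KB describes.
                findings.append((n, "error",
                                 "first header line starts with whitespace: %r"
                                 % line[:24]))
            else:
                findings.append((n, "warning",
                                 "folded header continuation (obsolete LWS): %r"
                                 % line[:24]))
            continue
        name, colon, _value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            findings.append((n, "error", "malformed header line: %r" % line[:24]))
    return findings


# Constructed samples (not from the KB). BAD is the shape that triggers the
# 12156 error: the header block starts with a space.
BAD = (b"HTTP/1.1 200 OK\r\n Server: CustomApp/1.0\r\n"
       b"Content-Type: text/html\r\nContent-Length: 5\r\n\r\nhello")
GOOD = (b"HTTP/1.1 200 OK\r\nServer: CustomApp/1.0\r\n"
        b"Content-Type: text/html\r\nContent-Length: 5\r\n\r\nhello")
FOLDED = (b"HTTP/1.1 200 OK\r\nX-Long: part one\r\n\tpart two\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD), ("FOLDED", FOLDED)):
        print(label, audit_response_headers(sample))
```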
The global Forefront Edge Security team worked hard for the last 45 days to review and validate the old ISA articles and see whether they are applicable to TMG. As a result, we have the first wave of articles already live on the Microsoft KB web site. You can review them here.
One question that comes up sometimes is how to get a fully updated ISA Server 2004 SP3 (plus post-SP3 updates) system upgraded in place to ISA Server 2006 with SP1 on it. This question comes at a really good moment, because I can raise two recent situations that can drive you to decide not to use the RTM version when upgrading to ISA Server 2006:
· If you have ISA Server 2004 with SP3 you are already used to the logging improvements. By upgrading to ISA Server 2006 RTM you will lose that functionality, since the RTM version of ISA Server 2006 doesn’t have it.
· Some previous experiences showed me that after making an in-place upgrade from ISA Server 2004 SP3 to ISA Server 2006 RTM we can potentially get a blue screen (STOP 0x0000007f - UNEXPECTED_KERNEL_MODE_TRAP) due to an issue that was fixed by KB944824. This issue was fixed almost one year ago (prior to SP1), but guess what: the RTM version still has this issue.
So if you are planning this in-place upgrade, take the following steps to make sure that you are upgrading to ISA Server 2006 with SP1 built in:
1. Copy ISA Server 2006 CD to the C:\ISA Server 2006 Standard\ folder
2. Copy ISA Server 2006 SP1 to the C:\ISA Server 2006 Standard\FPC folder
3. Apply SP1 in the ISA 2006 Installation file by running:
C:\ISA Server 2006 Standard\FPC>Msiexec /a MS_FPC_Server.msi /p ISA2006-KB943462-X86-ENU.msp
4. Follow the Wizard to Apply the SP1.
5. After it finishes, launch Autorun.exe from the C:\ISA Server 2006 Standard folder.
6. Follow the wizard to upgrade your ISA Server 2004 Standard to ISA Server 2006 SP1.
For more information about in-place upgrades from ISA Server 2004 to ISA Server 2006, use the official Microsoft article for each version, as shown below:
Upgrade Guide for ISA Server 2006 Enterprise Edition
Upgrade Guide for ISA Server 2006 Standard Edition
This week at TechEd EMEA in Barcelona there will be lots of news about TMG and IAG/UAG. One piece of that upcoming news was already announced yesterday: the new IAG SP2. For more information, see the IAG Team blog:
http://blogs.technet.com/edgeaccessblog/archive/2008/11/02/iag-sp2-it-is-all-about-the-application.aspx
Yesterday we published a new article on the Tales from the Edge community page. This article describes in detail how the new logging feature in TMG works. To give you a better perspective on what this means in practice, I created this video demo that shows what the article explains.
I decided to do that because recently I was answering a question on the ISA Server 2006 forum where an ISA admin said that every time he shut down or restarted his SQL Server for maintenance, his ISA Server stopped. Well, while this is expected on ISA Server, we can show that this won't happen in TMG.
You can watch online here:
But if you prefer, you also can download the WMV file from here:
Enjoy it.
How many times have you wondered what the difference between HKEY_LOCAL_MACHINE\IsaStg_Eff1 and \IsaStg_Eff1Policy is? Well, yesterday we posted an article on the ISA Server Team Blog that demystifies that and much more. Check it out here:
http://blogs.technet.com/isablog/archive/2008/10/29/isa-policy-storage-101.aspx
The Microsoft Windows Server 2008 Event Viewer is a whole new program inside the operating system; the changes made to it are significant, and it is rich in new features. There are so many things you can now do with Event Viewer that it is worth taking some time off to play with it. The new Event Viewer in Windows Server 2008 also brings new security capabilities for auditing and more in-depth explanations of the events. In this area my recommendation is that you read the article Auditing and Compliance in Windows Server 2008 from TechNet Magazine.
I'm also pointing this out because recently I worked again on an ISA case where the infamous 5783 event was happening, and again the challenge was to capture the data while the issue was occurring. During the call I was explaining that the new Event Viewer can help a lot with that, since we can attach an action to the event, as you can see below:
Obviously the "wow" came out because of this feature that we had asked for over so many years, and the "what" was followed by the statement: so are you saying that TMG still has this problem?
Let me clarify this once more: it is not a bug when ISA Server loses the secure channel with the DC, and there is no option to turn this error on or off. This problem can happen under many circumstances, as I explained and demonstrated on my blog. The fact is that if those circumstances are still in place, the 5783 can potentially happen in TMG as well. The old MaxConcurrentAPI registry key is still there in Windows Server 2008 and can be used to tune authentication performance, as you can see in the "Increase the Number of NPS Concurrent Authentications" article.
So what is our hope to stop dealing with this problem once and for all? Well, the main hope is that companies start using a web browser that supports Kerberos authentication, such as Internet Explorer 7 or higher. This can dramatically decrease the authentication pressure on ISA and on the DC, making this problem go away.