Yuri Diogenes and I have worked together on a number of projects over the years – last year we published three new books on TMG, UAG and Forefront Security for Exchange. You can find more information on these books on Yuri’s blog at http://blogs.technet.com/b/yuridiogenes/archive/2010/07/08/new-forefront-books-by-microsoft-press.aspx

We also worked together on the TMG Firewall Administrator’s Companion which you can find at http://blogs.msdn.com/b/microsoft_press/archive/2009/12/09/forefront-tmg-2010-administrator-s-companion-a-unique-reading-experience-is-coming.aspx

So with four books in the can, where do we go from there? Well, Yuri recently moved from CSS Security to Windows Server iX so we thought “how about we do a security talk show?” Sounded like a good idea to me, and thus Security Talk with Yuri Diogenes and Tom Shinder was born.

Unlike Talk TechNet (http://technet.microsoft.com/en-us/gg558001), Security Talk with Yuri Diogenes and Tom Shinder is like a television talk show – we plan on recording two shows a month and if the thing takes off, we’ll consider doing four shows a month so that you can enjoy the fun once a week.

While the official launch won’t be until after TechEd, we took advantage of the fact that Jim Harrison was in town from Redmond (Yuri and I live in the Dallas/Ft. Worth area in Texas) and did a “practice” session.

Head on over to the Security Talk with Yuri Diogenes and Tom Shinder blog for more information and to view the v0.5 of the program!

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

Ben Ari posted an answer to the Forwarding on the 6to4 Interface cannot be enabled error that you might see when you try to activate the DirectAccess configuration on the UAG DirectAccess server.

When you activate the configuration, it will look something like this:

Check Ben’s blog post at http://blogs.technet.com/b/ben/archive/2011/01/27/forwarding-on-the-6to4-network-interface-cannot-be-enabled.aspx for the reason and a fix.

Thanks Ben!

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

The question on how to handle DirectAccess clients and Internet security for those clients is always a popular topic. As I’ve mentioned many times in this blog, the overall threat and management profile of the DirectAccess client should be little different than a client that is on the intranet.

However, there is one major difference between the intranet client and the DirectAccess client – and that’s an Internet gateway that protects the client from Internet threats with URL filtering and web antimalware.

With this in mind, the following question is topical and I’ll use it to drive the discussion.

====================================================================

“UAG providing direct access over HTTPS to a large set of demo computers in retail stores. They are a wireless ISP so all the computers in the offices are connected directly to the Internet, rather than a corporate network.  We are using DA to manage group policy on the demo boxes to ensure they are tightly locked down.

We have a need to also provide some sort of content filtering/web site blocking on these boxes.  One thought is to leverage UAG to act as a filtering proxy server for these boxes.  The customer is concerned about using UAG “normally” because traffic would then flow across the DA/HTTPs link which would be the slowest option and may impact the performance of these demo boxes.  Thus they would like to configure their UAG box to act as a proxy server out on the Internet with some authentication for clients to connect.

So my questions to the group are:

• Is this totally crazy?
• Can this be done in a supported way?
• Is there a better way for them to do this”

====================================================================

First we have to get clear on the scenario. It sounds like these machines are configured as DirectAccess clients and are configured to use IP-HTTPS to connect to the UAG DirectAccess servers. It’s not clear why this is being used instead of 6to4 – maybe there is a device in the path between these DirectAccess clients that blocks IPv4 Protocol 41. What it appears they want to do is provide some gateway based security for these clients. The proposed idea is to use the UAG DirectAccess server as an outbound proxy for the DirectAccess clients. There are two problems with this possible solution:

• It’s not supported
• It won’t work

Given those two facts, we need to think of some other way to enable Internet gateway security for these clients. This is what I’d propose:

• Enable force tunneling on the clients – this will force all traffic, including Internet bound traffic, through the DirectAccess tunnels
• Consider configuring the browsers on the DirectAccess clients to use a web proxy. You can configure the proxy address in the UAG DirectAccess wizard
• Consider configuring the DirectAccess clients to “bounce” off the UAG DirectAccess server to reach the Internet
• If the second option is chosen, then configure the UAG DirectAccess servers with a gateway address that will force the outbound connections through a URL filtering and antivirus gateway

The figure below shows what the request path would look like when you configure the DirectAccess clients to use a Web proxy. Note in this scenario that you can have the outbound connection use a different gateway to the Internet than the one used by the DirectAccess server itself.

The figure below shows what it looks like when you configure the DirectAccess clients to “bounce off” the UAG DirectAccess server. The difference in this case is that the web filtering gateway is most likely going to be in a DMZ. You will need to be careful here, because the DirectAccess server can only have a single default gateway, which means that the web filtering gateway is going to need to be in the DirectAccess request/response path between the DirectAccess client and server. In the figure below, you can see that the outbound connections are leaving through the same firewall that they DirectAccess tunnel connections came in through.

If you want to see how this configuration works in a test lab, then check the Force Tunneling Test Lab Guide. You can find a complete list of Test Lab guides at http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

If you choose to deploy ISATAP to support your DirectAccess deployment, one of the things you need to do is remove the name ISATAP from the DNS block list if you’re using a Windows DNS server running Windows Server 2003 SP2 or above. By default, these DNS servers will not resolve queries for the names WPAD and ISATAP. Even if there is a resource record for WPAD or ISATAP in DNS, the DNS server will not return a response for those names if they are on the DNS query block list.

The reason for this is that it’s possible for a rogue device to dynamically register these names in DNS. If that happens, there is the possibility that client systems will auto-configure themselves to use the rogue device as their web proxy, or configure their ISATAP adapters to use the rogue device as their ISATAP gateway. Both of these scenarios are enabled by the fact that Internet Explorer uses auto-discovery by default to configure the web proxy, and the ISATAP adapter is enabled by default if the name ISATAP can be resolved and the client can contact an ISATAP router.

If you check this link you will find a document that contains the following statement:

“By default, the DNS Server service in Windows Server 2008 and later blocks name resolution for the name ISATAP through the DNS Global Query Block List. To use ISATAP on your intranet, you must remove the ISATAP name from the list for all DNS servers running Windows Server 2008 and later. For more information, see Remove ISATAP from the DNS Global Query Block List in the DirectAccess Deployment Guide..”

The question then is “if ISATAP responses from the DNS server is considered unsecure, then isn’t deploying ISATAP on the network considered unsecure?”

The answer is “no”. The reason for this is that when you deploy ISATAP on your network and enable the DNS server to answer queries for ISATAP, you will enter a static Host (A) record for ISATAP. When you configure the static DNS resource record, it will not be overwritten by dynamic registrations by potential rogue hosts. Therefore, the security implications of removing ISATAP from the DNS block list are mitigated since no one can dynamically overwrite the static ISATAP record you created.

However, if you decide that you don’t want to use ISATAP, or at least don’t want to use DNS to inform ISATAP hosts of the ISATAP router, then you should put ISATAP back into the DNS block list and remove the ISATAP resource record from your DNS server.

You can find out more about the DNS query block list HERE.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder

What would you be willing to pay for a really cool IPv6 and DirectAccess troubleshooting cheat sheet?

$5? $10? $100? ONE HUNDRED BILLION DOLLARS?

Since these cheat sheets are priceless we’re going to give them away. Thanks to DirectAccess guru and all around good guy Pat Telford, we’re making the .vsd file for these cheat sheets available for download.

You haven’t seen these cheat sheets? Here’s what they look like:

You can download the .vsd for these sheets HERE.

HTH,

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management/ICG
Anywhere Access Group (AAG)
The “Edge Man” blog : http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder