
How many times have you wondered whether the Microsoft application you are running is supported in a virtual environment? That's a very common question, and until now the answer was not very clear in some cases. The virtualization support team published this month the Virtualization Support Wizard, which had been in development and testing internally for months. There you can easily identify whether the Microsoft product you are looking for (including ISA Server) is supported in a virtual environment. Check it out at http://www.windowsservercatalog.com/svvp.aspx?svvppage=svvpwizard.htm

I'm really happy about the invitation I received from the FGF (Faculdade Grande Fortaleza) Academic Director to deliver a presentation to the professors and students about information security, emphasizing TMG's role in network protection. FGF is the university where I graduated and also where I was a professor back in 2003; there I taught two subjects: Computer Networks and Operating Systems. It was an amazing time and I hope to see former students, coworkers and professors.

The presentation will be next Tuesday, June 30th, at 6:40 PM on the university's campus, and on the same day I will also be participating in a TV show (FGF TV Channel) to discuss information security with other professors and students. For more information check FGF's web site at www.fgf.edu.br. A former student of mine also posted about the event on his web site: http://www.jorgebarata.eti.br/269.

 

Lately we have received some calls where ISA Server was not running the latest updates, which is fine although not recommended. However, when the subject is a Service Pack, it can be a supportability blocker if ISA Server is not running at a supported Service Pack level. ISABPA does a great job of warning an ISA administrator that his ISA Server 2004 is not running SP3, as shown below:

But today the issue is not only about having the system on the latest update; it is really a supportability matter. ISA Server 2004 SP2 has not been supported since January 13th 2009, as shown in the table below:

| Products Released | General Availability Date | Mainstream Support Retired | Extended Support Retired | Service Pack Retired | Notes |
|---|---|---|---|---|---|
| Internet Security and Acceleration Server 2004 Enterprise Edition | 3/1/2005 | 4/13/2010 | 4/14/2015 | 3/11/2006 | |
| Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 2 | 1/31/2006 | Not Applicable | Not Applicable | 1/13/2009 | |
| Internet Security and Acceleration Server 2004 Service Pack 1 | 3/11/2005 | Not Applicable | Not Applicable | 4/10/2007 | |
| Internet Security and Acceleration Server 2004 Service Pack 3 | 10/29/2007 | Review Note | Review Note | | Support ends 12 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. For more information, please see the service pack policy at http://support.microsoft.com/lifecycle/#ServicePackSupport |
| Internet Security and Acceleration Server 2004 Standard Edition | 9/8/2004 | 10/13/2009 | 10/14/2014 | 3/11/2006 | |
| Internet Security and Acceleration Server 2004 Standard Edition Service Pack 2 | 1/31/2006 | Not Applicable | Not Applicable | 1/13/2009 | |

From: http://support.microsoft.com/lifecycle/?p1=2108

The same applies to ISA Server 2006 RTM (without SP1), for which support will end on July 14th 2009, as shown in the table below:

| Products Released | General Availability Date | Mainstream Support Retired | Extended Support Retired | Service Pack Retired | Notes |
|---|---|---|---|---|---|
| Internet Security and Acceleration Server 2006 Enterprise Edition | 10/17/2006 | 1/10/2012 | 1/10/2017 | 7/14/2009 | |
| Internet Security and Acceleration Server 2006 Service Pack 1 | 7/2/2008 | Review Note | Review Note | | Support ends 12 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. For more information, please see the service pack policy at http://support.microsoft.com/lifecycle/#ServicePackSupport |
| Internet Security and Acceleration Server 2006 Standard Edition | 10/17/2006 | 1/10/2012 | 1/10/2017 | 7/14/2009 | |

From: http://support.microsoft.com/lifecycle/?p1=11928

So if you are in an unsupported scenario (or about to get into this stage) make sure to plan your update as soon as possible to avoid supportability concerns when opening an incident with Microsoft CSS.

 

A friend of mine from Brazil (Paulo Oliveira), who already contributes a lot to the ISA community by answering questions at www.isaserver.org, now has his own blog. Paulo has a lot of skill with ISA Server, and his contributions throughout the years demonstrate that. Take a look at Paulo's blog at:

http://paulooliveirasilva.spaces.live.com/blog/

For all of you who were at SEBRAE - CE last Friday I would like to say THANK YOU VERY MUCH (MUITO OBRIGADO). Without your participation this event could not have happened. See you again next time.

1. Introduction

I was a Proxy 2 administrator back in 1997 in a technology school; in 2000 I took my Proxy 2.0 exam, and when ISA 2000 was released I was really like: WOW, that's a huge change. It was indeed a great move from a simple proxy to a more robust proxy with firewall capabilities. But when I see the TMG changes and compare them to ISA 2006, I have a great feeling that this is also a huge step towards an even better firewall with tremendous capabilities. There are so many good things in TMG that sometimes we overlook the hard work the Product Team put in to make administration and management easier.

In this post I really want to emphasize some new features that are not related to security, but to how the firewall administrator's experience was improved in this release.

2. More than a Getting Started Wizard

Do you know how many times I received a call where the firewall administrator was unable to do the basics? What basics? Allow secure web access, for example. I had many situations in the past where creating a rule in the right manner was a nightmare for a less experienced administrator. The idea behind the Getting Started Wizard is really to improve the administrator's experience with the product and allow him to perform the essential configuration right after installing the product.

3. Just Search and Find it

I have to admit that for an ISA firewall administrator with one hundred rules to manage, looking for the rule that he wants to change was not that easy. When you are administering a firewall that you installed from scratch and you know all the rules by heart, things are easier. But what about someone who just got a new job as Security Admin and needs to manage ISA with hundreds of rules? Well, that's complicated.

The new search feature in TMG is perfect for this scenario, and it is pretty accurate in its results. Don't have enough rules to try it out? Just do this:

1. Right-click Firewall Policy

2. Click View and then click Show System Policy Rules

3. In the Search field type SSTP and hit ENTER

4. Check out the result :)

 

4. NLB – Making Multicast Easier

Who hasn't thought: why do we need so many steps to enable Multicast on ISA Server 2006? I heard this question from administrators many times. Although it was a great step to make ISA Server 2006 capable of supporting NLB Multicast, the administrator's experience in enabling it was not as smooth as they wanted. TMG makes things easier here as well, with an option that allows you to change the NLB mode in the UI:

 

5. Single Place to Administer your Network Adapter

Why go to Windows to change an IP address? Why go to Windows to add a static route? TMG makes the administration of those simple tasks even easier. You can change your IP address directly from the TMG console, and also view, delete or add routes from the same TMG console.

 

6. What Else?

Since I know there are many more tasks that can be accomplished through TMG and that are great improvements to the administrator's experience, I will leave this question open. What do you like most about TMG? Write your comment and share it with everyone.

A buddy of mine (Daniel Mauser) from PFE (Premier Field Engineer) read my previous post about SSTP and sent me a note with his thoughts on the PKI side of the house (since that is his specialty). His notes about the troubleshooting and planning phases from my previous post are:

- For troubleshooting purposes we can disable the CRL check on the client side (not recommended in production; as he said, only for troubleshooting purposes). To do that, follow http://technet.microsoft.com/en-us/library/dd458982.aspx

- The certificate that I created had URLs for both LDAP and HTTP for the CRL. Since the client workstation reviews those links in that order (top down), LDAP will be checked first; since the client can't access the LDAP path, it will then try the HTTP path. This can cause a performance issue on the client side. Make sure to change the search order in the CA prior to issuing the certificate; this way the CA will issue certificates with HTTP first.
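To make the second tip concrete, here is an added example (not code from the original post or from Daniel) that models how a client walks the CRL Distribution Points top down: an LDAP URL listed ahead of the HTTP URL costs an external client a full LDAP timeout before the HTTP path is ever tried. The CA name contoso-DC01-CA is taken from the netmon trace later on this page; the URLs, reachability and timings are constructed.

```python
"""Added example (not from the original post): simulate a client reading the
CRL Distribution Points of a certificate in the order the CA listed them.
The CA name contoso-DC01-CA is from the page's netmon trace; URLs, reachability
and timing values are constructed for the simulation."""
from urllib.parse import urlsplit

# Constructed: the order as the CA wrote it into the certificate (LDAP first).
ISSUED_CDP_ORDER = [
    "ldap:///CN=contoso-DC01-CA,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList",
    "http://crl.contoso.com/CertEnroll/contoso-DC01-CA.crl",
]

LDAP_TIMEOUT_S = 15.0  # constructed: time burned before the LDAP attempt gives up
HTTP_FETCH_S = 0.2     # constructed: a published HTTP CRL answers quickly


def scheme_of(url):
    return urlsplit(url).scheme.lower()


def reorder_http_first(urls):
    """The planning fix from the post: HTTP distribution points ahead of LDAP ones."""
    http = [u for u in urls if scheme_of(u) in ("http", "https")]
    other = [u for u in urls if scheme_of(u) not in ("http", "https")]
    return http + other


def lint_cdp_order(urls):
    """Return a warning when an LDAP URL is listed before the first HTTP URL."""
    warnings = []
    seen_ldap = False
    for u in urls:
        s = scheme_of(u)
        if s == "ldap":
            seen_ldap = True
        elif s in ("http", "https") and seen_ldap:
            warnings.append("LDAP distribution point listed before HTTP: "
                            "external clients wait for the LDAP timeout first")
            break
    return warnings


def external_client_fetch(url):
    """Constructed fetcher for a client outside the domain: LDAP to the DC is
    unreachable (times out), HTTP to the published CRL works."""
    s = scheme_of(url)
    if s == "ldap":
        raise TimeoutError(LDAP_TIMEOUT_S)
    if s in ("http", "https"):
        return HTTP_FETCH_S
    raise ValueError("unsupported scheme " + s)


def simulate_crl_retrieval(urls, fetch=external_client_fetch):
    """Walk the distribution points top down and stop at the first that answers.
    Returns (url_that_served_the_crl_or_None, seconds_elapsed, urls_tried)."""
    elapsed, tried = 0.0, 0
    for u in urls:
        tried += 1
        try:
            elapsed += fetch(u)
            return u, elapsed, tried
        except TimeoutError as t:
            elapsed += float(t.args[0])
    return None, elapsed, tried


if __name__ == "__main__":
    print(lint_cdp_order(ISSUED_CDP_ORDER))
    print(simulate_crl_retrieval(ISSUED_CDP_ORDER))
    print(simulate_crl_retrieval(reorder_http_first(ISSUED_CDP_ORDER)))
```

With the issued order the simulated client spends the whole LDAP timeout plus the HTTP fetch; with HTTP listed first it never touches LDAP. The same lint can be run against the URLs shown in the CRL Distribution Points extension of an issued certificate before the listener goes live.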

 

Thanks Daniel for those tips.

My friend Tom Shinder is inspired this month; he has already posted some great info on his blog in the last two weeks. From his recent posts I personally recommend reviewing the following ones:

http://blogs.isaserver.org/shinder/2009/06/14/the-directaccess-challenge-nat-traversal/

http://blogs.isaserver.org/shinder/2009/06/14/direct-access-versus-directaccess-know-the-difference/

Another friend of mine who is also helping out the community is Richard Hicks; last month he posted a great article about SQL logging. Check it out here:

http://tmgblog.richardhicks.com/2009/05/29/remote-sql-logging-with-microsoft-isa-server-2006/

Last but not least, you have to read this post from Jason Jones about ADAM, a very valuable piece of information:

http://blog.msfirewall.org.uk/2009/05/using-adam-sites-tool-with-isa-server.html

 

Now that TMG Beta 3 is released you can enjoy the best of both worlds for VPN access. In the past I was asked about SSTP on ISA Server 2006, since Windows Server 2008 was capable of doing it. The sad answer was that ISA Server 2006 didn't have this feature built in. But now you can use TMG and select SSTP the same way as any other protocol, as shown in Figure 1:

 

Figure 1 – SSTP available in TMG Console.

When configuring SSTP on TMG you will need to carefully plan:

- The Web Listener that will be used by SSTP.

- The certificate that is going to be bound to the Web Listener.

Besides that you will need Windows Vista with SP1 on the client workstation to test this new feature.

Troubleshooting Client Access

Since I'm working remotely some of these days, I was able to reproduce some of the nice errors that I didn't get when I was in my home lab. Today, for example, I got the following error when I was trying to connect from my laptop:

 

Figure 2 – First error, due to the cert name.

That was pretty self-explanatory, but just to confirm the name I used to issue the certificate, I took a netmon trace and got the subject name:

SSL:  Server Hello. Certificate. Server Hello Done.
Seq=1878717387 - 1878718743, Ack=2650000305, Win=256 (scale factor 0x8) = 65536
- Ssl:   Server Hello. Certificate. Server Hello Done.
  - TlsRecordLayer:
     ContentType: HandShake
   + Version: TLS 1.0
     Length: 1351 (0x547)
   - SSLHandshake: SSL HandShake TLS 1.0 Server Hello Done(0x0E)
      HandShakeType: ServerHello(0x02)
      Length: 70 (0x46)
    + ServerHello: 0x1
      HandShakeType: Certificate(0x0B)
      Length: 1269 (0x4F5)
    - Cert: 0x1
       CertOffset: 1266 (0x4F2)
     - Certificates:
        CertificateLength: 1263 (0x4EF)
      - X509Cert: Issuer: contoso-DC01-CA,contoso,com, Subject: vpn.contoso.com,IT,Contoso,Dallas,Texas
       + SequenceHeader:
       - TbsCertificate: Issuer: contoso-DC01-CA,contoso,com, Subject: vpn.contoso.com,IT,Contoso,Dallas,Texas
        + SequenceHeader:
        + Tag0:
        + Version: v3 (2)
        + SerialNumber: 0x6168a464000000000002
        + Signature: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
        + Issuer: contoso-DC01-CA,contoso,com
        + Validity: From: 06/15/09 21:03:46 UTC To: 06/15/10 21:13:46 UTC
        + Subject: vpn.contoso.com,IT,Contoso,Dallas,Texas
        + SubjectPublicKeyInfo: RsaEncryption (1.2.840.113549.1.1.1)
        + Tag3:
        + Extensions:
       + SignatureAlgorithm: Sha1WithRSAEncryption (1.2.840.113549.1.1.5)
       + Signature:
      HandShakeType: Server Hello Done(0x0E)
      Length: 0 (0x0)
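The error in Figure 2 comes from the client comparing the name it connected to against the names in the certificate. As an added example (not code from the original post and not the SSTP client's own logic), the check below applies the usual name-matching rules: DNS subject alternative names take precedence over the subject CN, comparison is case-insensitive, and a wildcard is accepted only as the whole left-most label and never matches across a dot. The subject CN vpn.contoso.com is taken from the netmon trace above; every other host name and address is constructed.

```python
"""Added example (not from the original post): does the host name a VPN client
used match the server certificate it received? Subject CN vpn.contoso.com is
from the page's netmon trace; other names and addresses are constructed."""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name (possibly *.example.com) with a host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only '*' as the entire left-most label with at least two more labels,
    # so '*.com' and 'v*.contoso.com' are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def hostname_matches(hostname, subject_cn, san_dns=(), san_ip=()):
    """True when the name the client connected to is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # an IP literal is only ever matched against IP SANs
        return any(ipaddress.ip_address(s) == ip for s in san_ip)
    if san_dns:  # once DNS SANs exist the subject CN is ignored
        return any(dns_name_matches(p, hostname) for p in san_dns)
    return dns_name_matches(subject_cn, hostname)


def diagnose(hostname, subject_cn, san_dns=(), san_ip=()):
    """Short verdict in the spirit of Figure 2: which name the client should use."""
    if hostname_matches(hostname, subject_cn, san_dns, san_ip):
        return "ok: %s is covered by the certificate" % hostname
    names = list(san_dns) or [subject_cn]
    return ("name mismatch: connect using one of %s or reissue the certificate"
            % ", ".join(names))


if __name__ == "__main__":
    # Constructed scenario: the client typed tmg.contoso.com but the cert says vpn.contoso.com
    print(diagnose("tmg.contoso.com", "vpn.contoso.com"))
    print(diagnose("vpn.contoso.com", "vpn.contoso.com"))
```

The hosts-file workaround that follows in the post is exactly this check passing: the client is made to resolve the certificate's own name, so the connected-to name and the subject CN agree.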

To quickly fix this I edited my hosts file and created a manual entry there. But right after that I got:

 

Figure 3 – Now it is the CRL.

Looking at the properties of the certificate, it was possible to see that the CRL was pointing to my internal CA:

 

Figure 4 – The CRL for my internal CA.

To resolve this I created a web publishing rule to publish my CRL and after that all worked fine.

Additional Resources

While testing those settings I got some great links from the RRAS team (RRAS is the component that TMG uses for its VPN capability). Check out the links below:

http://blogs.technet.com/rrasblog/archive/2007/09/26/how-to-debug-sstp-specific-connection-failures.aspx

http://blogs.technet.com/rrasblog/archive/2007/01/17/sstp-faq-part-2-client-specific.aspx

http://blogs.technet.com/rrasblog/archive/2007/01/25/sstp-faq-part-3-server-specific.aspx

You might be wondering: how did you get access to those things if you were unable to establish the VPN connection? The answer is: through my backup PPTP connection :)

When I first planned this presentation I was thinking of talking about Forefront TMG Beta 2 features, but now that TMG Beta 3 is available I'm also going to cover some of the cool features available in this release. We already have 150 people enrolled, so if you haven't enrolled yet, better do it quickly because the venue is almost full. Enroll at:

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032416163&Culture=pt-BR

Michael Hawker (Network Monitor PM) just released a video about the first Network Monitor Experts Day. Watch it at:

http://channel9.msdn.com/posts/MichaelHawker/Network-Monitor-Experts-Day-Part-1-The-Experts-Story/

 

Also, talking about Netmon, check out the news about the new capability to analyze Firewall Client traffic using the Firewall Client Parser for Netmon:

http://blogs.technet.com/isablog/archive/2009/06/04/fwc-parser-for-netmon-3-3-on-codeplex.aspx

 

1. Introduction

 

Just when we think we have covered all the scenarios to mitigate possible issues with the change password feature through ISA Server 2006, something new happens. This quick post is about a scenario where only users that belong to a specific OU were unable to change their password through ISA Server 2006. The users affected in this scenario were located in the OU called Adm/Fin, as shown in Figure 1:

 

Figure 1 – ISA Server 2006 web publishing rule with a deny action.

 

2. Troubleshooting

 

The articles below were used to initially troubleshoot this issue:

 

1. The "change password" feature does not work as expected after you install ISA Server 2006 Service Pack 1
   http://support.microsoft.com/kb/957859

2. Configuring and Troubleshooting the Password Change Feature in ISA Server 2006
   http://technet.microsoft.com/en-us/library/cc514301.aspx

3. Troubleshooting Forms Base Authentication using Secure LDAP Authentication on ISA Server 2006
   http://technet.microsoft.com/en-us/library/dd316279.aspx

4. Unable to Change Password through ISA Server 2006
   http://blogs.technet.com/isablog/archive/2009/04/28/unable-to-change-password-through-isa-server-2006.aspx

 

After all the efforts to fix the issue using the articles above, one little piece of information was gathered from the isalog.bin (which is part of the ISA Data Packager, as explained in one of my articles). The information found in the log says that ISA failed to change the password because of error 80005000, which means E_ADS_BAD_PATHNAME.

 

It was interesting to get this error, because the user could log on just fine, which means that the path was correct; besides, the same user was able to change the password from a Windows workstation logged on internally to the domain.

 

3. Solution

 

After collaborating with the DS Team, we found the following statement in an article about LDAP:

 

If the name of an organizational unit contains a forward slash character (/), the system requires an escape character in the form of a backslash (\) to distinguish between forward slashes that separate elements of the canonical name and the forward slash that is part of the organizational unit name.

Source: http://technet.microsoft.com/en-us/library/cc977992.aspx

 

The problem was that the name of the OU contained a slash character: LDAP parses the slash as a separator, which makes the query fail. After renaming the OU to remove the slash, the user was able to change the password.
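The TechNet statement quoted above describes the escape an OU name with a slash needs. As an added example (not code from the original post or from ISA Server), the block below builds the canonical name and the LDAP ADsPath for an account inside such an OU, escaping the slash with a backslash, and shows what a path parser makes of the name when it is not escaped: the OU Adm/Fin splits into two elements, which is the kind of bad pathname that E_ADS_BAD_PATHNAME reports. The OU name Adm/Fin is from the post, the domain contoso.com is taken from the netmon trace earlier on this page, and the user name is constructed.

```python
"""Added example (not from the original post): escape an OU name containing '/'
in a canonical name and in an LDAP ADsPath, and show how an unescaped slash
changes the parsed path. OU name Adm/Fin is from the post; contoso.com is from
the page's trace; the user name is constructed."""

RDN_SPECIAL = set(',+"\\<>;')  # characters RFC 4514 requires to be backslash-escaped


def escape_rdn_value(value: str) -> str:
    """Escape one RDN value for a distinguished name. Besides the RFC 4514 set,
    '/' is escaped because it is the separator in an ADsPath."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL or ch == "/":
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_canonical_element(element: str) -> str:
    """Escape one element of a canonical name (domain/OU/.../object)."""
    return element.replace("\\", "\\\\").replace("/", "\\/")


def canonical_name(domain_dns: str, ou_path, cn: str) -> str:
    """Canonical name: domain, then OUs top down, then the object, joined by '/'."""
    elements = [escape_canonical_element(e) for e in list(ou_path) + [cn]]
    return domain_dns + "/" + "/".join(elements)


def ads_path(domain_dns: str, ou_path, cn: str) -> str:
    """LDAP ADsPath with the DN written leaf first, every RDN value escaped."""
    rdns = ["CN=" + escape_rdn_value(cn)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in reversed(list(ou_path))]
    rdns += ["DC=" + escape_rdn_value(part) for part in domain_dns.split(".")]
    return "LDAP://" + ",".join(rdns)


def split_canonical(canon: str):
    """Split a canonical name on unescaped '/' only. This is the parse that an
    unescaped 'Adm/Fin' breaks: it yields two OU elements instead of one."""
    elements, current, i = [], [], 0
    while i < len(canon):
        ch = canon[i]
        if ch == "\\" and i + 1 < len(canon):
            current.append(canon[i + 1])
            i += 2
            continue
        if ch == "/":
            elements.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    elements.append("".join(current))
    return elements


def ou_names_needing_escape(ou_names):
    """Report OU names that contain '/' so they can be escaped or renamed."""
    return [name for name in ou_names if "/" in name]


if __name__ == "__main__":
    print(canonical_name("contoso.com", ["Adm/Fin"], "John Doe"))
    print(ads_path("contoso.com", ["Adm/Fin"], "John Doe"))
    print(split_canonical("contoso.com/Adm/Fin/John Doe"))  # unescaped: 4 elements
    print(split_canonical("contoso.com/Adm\\/Fin/John Doe"))  # escaped: 3 elements
```

Running `ou_names_needing_escape` over the OU names in a domain is a cheap way to find other containers that would hit the same problem before a user reports it; renaming the OU, as the post did, is the alternative when the consuming application cannot be made to escape the path.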

I'm really pleased to announce that my friend Ben Ben Ari from the IAG Team is going to be the moderator of the new IAG/UAG public forum available on Microsoft TechNet: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag

Make sure to post your questions about IAG/UAG there, and our IAG Team will be happy to help you out. Let's build this new community and make it strong and rich with great information.

One thing that most firewall administrators struggle with is how to provide secure outbound control without hurting the user's experience. Users don't want to receive an error saying "unable to access the page" or a straightforward "access denied". Users want better feedback about what is going on and why they can't access the web site that they thought was okay to access.

 

TMG enhances this experience by allowing you to customize the error message from one single place... yeah, that's pretty cool. Now when you create a Deny rule, instead of redirecting to another URL (which you are still able to do), you can type in the error message you want the user to receive, as shown in Figure 1:

 

Figure 1 – Simple, easy and effective way to give a feedback to the end user.

 

On the user’s side what he will receive is a window similar to Figure 2:

 

 

Figure 2 – User’s experience is improved with a friendly error message.

 

Haven't played with TMG Beta 2 yet? Time to start playing, since Beta 3 is on the way for this summer. Go get Beta 2 at:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd

 

Introduction

 

Sysinternals tools are just amazing for troubleshooting a huge range of issues: networking, AD, core OS, etc. But one thing that many security administrators don't realize yet is that those tools are also great for troubleshooting ISA Server issues in different scenarios. Before moving on to the tool I want to talk about, here are some other articles I wrote where Sysinternals tools were used:

 

 

Now, let's play with a cool tool called ADInsight.

 

Using ADInsight to Track ADAM Calls

 

ADInsight is a tool that allows you to view LDAP calls on the fly from a nice GUI. For the purpose of this example I'm going to follow the steps below to generate some data:

1. Launch ADInsight

2. Launch ISA Server 2006 Management Console

3. Review the data created by this operation

 

As soon as we execute step two, ADInsight starts to collect information. Notice in the sample below that the process is still MMC.exe, but it is already accessing the local ADAM instance on port 2171:

 

Figure 1 – Initial information when launching the ISA Management Console.

 

After the ISA Server Management console finishes loading, the process changes; if you click one of the lines in the upper pane, the lower pane will show in more detail the parameters that were used during that operation:

 

 

Figure 2 – LDAP information with more details in the lower pane.

 

Now you can dig in and see more of what's going on behind the scenes. Enjoy!

 

Note: If you want to learn more about Sysinternals tools, read Windows® Sysinternals Administrator's Reference (Inside Out) by Mark Russinovich.

 
