Yuri Diogenes's Blog

My fellow friend Tom Shinder wrote this week about the articles that we were migrating from ISA to TMG and he was surprise with the TMG in Hork Mode (as he said), later he posted about the difference between TMG MBE and TMG EBS in another post. I understand the confusion since it was not 100% clear and this is what we also trying to do when we are reviewing the articles. If you observe the session “applies to” it will have TMG MBE or EBS (or both).

However today we have all the remaining answers for you in the following new site:

http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/threat-management-gateway-mbe.aspx

What about system requirements?

http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-mbe-system-requirements.aspx

Wonder about license? Check more info here:

http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-mbe-pricing-licensing.aspx

Enjoy TMG (with or without EBS) J

Yesterday I was playing a little bit with IE8 when I received the following warning message in IE window:

Internet Explorer has modified this page to prevent a potential cross-site-scripting attack.

Yep, that’s right: IE8 now mitigates XSS attack by using the built in XSS Filter. Do you want to know more about this? Check this great explanation/demo below:

http://msdn.microsoft.com/en-us/library/cc994337(VS.85).aspx

Also, you can review why IE Team adopted this new approach to prevent XSS attack:

http://blogs.msdn.com/ie/archive/2008/09/29/statistical-validation-of-the-ie8-xss-filter.aspx

Have you ever received one of the errors below while browsing a web site?

This could be caused due a response from a web server that begins with a space or tab character in the HTTP Header. If you have ISA Server 2006 SP1 the fix for that is already built in, however you still need to create the registry key described in KB935693. This KB has an example of the HTTP header that was captured using Netmon and how it looks like.

Note: This KB was also reviewed for TMG MBE and also applies to it.

The global Forefront Edge Security Team worked hard for the last 45 days to review and validate the old ISA articles and see if they were applicable for TMG. As result we have the first wave of articles already live at Microsoft KB Web Site. You can review it here.

This week at TechEd EMEA in Barcelona there will be lots of news about TMG and IAG/UAG. But one of that upcoming news was already announced yesterday, which is the new IAG SP2. For more information about that access the IAG Team blog at web site:

http://blogs.technet.com/edgeaccessblog/archive/2008/11/02/iag-sp2-it-is-all-about-the-application.aspx

Yesterday we published a new article in the Tales from the Edge Community Page. This article describes in details how it works the new logging feature in TMG. To give you a better perspective about what this means at the end I created this video demo that shows what the article explains.

I decided to do that because recently I was answering a question on ISA Server 2006 Forum where the ISA Admin was saying that every time that he shutdown or restarts his SQL Server for maintenance his ISA Server stopped. Well, while this is expected on ISA Server we can always show that this won’t happen in TMG.

You can watch online here:

But if you prefer, you also can download the WMV file from here:

Enjoy it.

How many times were you wonder what the difference between HKEY_LOCAL_MACHINE\IsaStg_Eff1 and \IsaStg_Eff1Policy is? Well, yesterday we posted an article on ISA Server Team Blog that will demystify that and much more. Check it out here:

http://blogs.technet.com/isablog/archive/2008/10/29/isa-policy-storage-101.aspx

The Microsoft Windows Server 2008 Event Viewer is a whole new program inside the Operating System, the changes made to it were completely significant and rich in new features. There are so many things that you can now do with Event Viewer that it is worth to take some time off and play with it. The new Event Viewer in Windows Server 2008 bring also new security capabilities for auditing and more in depth explanation of the events. In this area my recommendation is that you read the following article Auditing and Compliance in Windows Server 2008 from TechNet Magazine.

I’m also pointing out about this because recently I worked again in an ISA case where the infamous 5783 was happening and again the challenge was to get the data while the issue was happening. During the call I was explaining that the new eventmon can assist a lot on that since we can attach an action to the event, as you can see below:

Obviously the "wow" came out due this feature that we asked so much for many years and the “what” was followed by the statement: so are you saying that TMG still have this problem?

Let me clarify this once more: there is no bug when ISA Server lose the secure channel with the DC, there is no option to turn on or turn off this error. This problem can happen due many circumstances as I explained and demo on my blog about that. The fact is that if the circumstances are still in place, the 5783 can potentially happen in TMG. The old MaxConcurrentAPI registry key is still there in Windows Server 2008 and can be used to tuning authentication performance as you can see in the “Increase the Number of NPS Concurrent Authentications” article.

So what it is our hope to once for all stop dealing with this problem? Well, the main hope is that the companies start to use a Web Browser that supports Kerberos authentication, such as Internet Explorer 7 or higher. This can dramatically decrease the authentication pressure in ISA and in the DC, making this problem go away.

Last post I explained how Netmon 3.2 can be used to identify an expected traffic and this week I received an email that says: “…is nice that Netmon 3.2 can be used to that but sometimes this happen while we are out of the office and it is hard to track it more information about that traffic. How I can trigger an action when this event happens in the ISA Server?”.

Very interesting question and thanks for asking that! We actually do have a way to take an action based on this ISA Server 2006 Alert.  The ISA Server 2006 Alerts can be customizable in such was that you can trigger an action when it happens. So for example, let’s say that you want to trigger an action when the following alert occurs:

1. Understanding the Problem

I already worked in many cases where customer wants to know why ISA is alerting that it might be under attack by logging events such as:

Who went to TechEd Brazil last week will be able to access the content through the website www.teched.com.br. All the sessions will be available for download, but it will take a couple of weeks to do that happen. My friend Danilo Bordini from Microsoft Brazil already published on his Blog the slides for his presentations and you can download it here. While the content is not available in the web site, you can also download my two presentations here. Enjoy it !!

Last Tuesday at TechEd Brazil I was pleased to have around 200 people in the audience with a high expectation about what comes with TMG. This was the first official Microsoft presentation about TMG in Brazil and you can imagine how people were watching closely. While my presentation was about TMG MBE, there were many questions that were not applicable for this release, but we know that the future is coming and Beta 2 is closer than you can imagine. Although the felling of “I want to know more” was a reality during this 1 hour and 15 minutes of presentation, the audience was also amazed by some of the new features that come with TMG, such as Malware Inspection, new Logging architecture (LLQ), Policy Enforcement and NAP Integration.