Addressing TMG Update

Dear Readers,

I’ve received an overwhelming number of emails and LinkedIn messages from peers who expressed interest in TMG’s end. By now everyone knows the news, but the question is: what do I do now?

I see this in a few different ways.  TMG is still one of the best Threat Gateways on the marketplace today.  Microsoft is still supporting it for a few more years so if you’re an existing TMG customer, don’t worry – there is no immediate threat.

New potential customers? Migrating from ISA to TMG? See the comment above. TMG is one of the best gateways, but one of a few. As a security professional, whether it’s your firewall, AV or the locks to the server room, always know your options! Please keep in mind that Microsoft is no longer selling TMG licenses as of Dec 2012.

Now to address the most common question…  Can I move from TMG to UAG?  The answer is, it depends.   What are you using TMG for?   If you’re using it as a true edge firewall (port blocking, site-2-site VPN, outbound content control, ISP redundancy, etc…) then UAG isn’t the right product for you.

UAG is a remote access product, so definitely keep researching. However, if you were using TMG to perform web/socket publishing, then UAG might be the right option for you. The common scenarios are publishing SharePoint, OWA, ActiveSync or even your corporate website. UAG also supports smartcards, which are very common for government entities.

Thank you!
Dennis Lee


UAG SP2 is finally released!

Dear Reader,

I’m happy to report that UAG 2010 SP2 is finally released. SP2 adds increased functionality for ADFS v2. For those of you who have been following cloud adoption and the increasing demand for claims-based authentication, UAG SP2 really shows the commitment Microsoft is bringing to drive this technology.

I also want to add that UAG SP2 fixes many issues that are not highlighted in the main patch notes but are listed in a separate sub-section:

  • External ActiveSync client sessions may be able to view other user mailboxes in Forefront UAG 2010 SP1.
  • Passwords that contain special characters may not be recognized for Nokia Mail for Exchange users in Forefront UAG 2010 SP1.
  • Configuration activation time may increase significantly after you apply Forefront UAG 2010 SP1.
  • Errors may occur when a user cannot connect to the Remote Desktop Virtualization Host after you publish Remote Desktop Services or RemoteApp programs in Forefront UAG 2010.
  • A client who tries to use Forefront UAG to open an Office document that is stored on a Microsoft SharePoint site may receive multiple authentication prompts.
  • A client who uses Forefront UAG to browse to an Outlook Web Apps (OWA) site may find that error 500 is randomly displayed to the OWA user instead of a Forefront UAG error page.
  • When Forefront UAG tries to authenticate users against an Active Directory schema, Forefront UAG tries to query the domain controller instead of the global catalog.
  • Users who are logging on to a Forefront UAG portal are not prompted to change their expired password when Forefront UAG is not joined to the user’s domain.
  • The digital signature of the Forefront UAG Java client components expired on March 24, 2012.
  • The Forefront UAG Web Monitor does not show events correctly after event 18 is generated in a Forefront UAG array deployment.
  • Forefront UAG does not correctly enforce the authorization settings for the Exchange ActiveSync application.
  • When you try to add a new Microsoft Outlook profile on a client computer that connects to the client access license (CAL) server through Forefront UAG, the profile creation fails.
  • You use Forefront UAG to browse to an Exchange OWA 2010 site. However, some OWA functionality is blocked, and you receive an Invalid URL error page from Forefront UAG.
  • Forefront UAG does not enforce the configured authorization settings for application access when the authorized users are members of an Active Directory primary group and Forefront UAG is not domain joined.
  • When you browse to an application (such as Exchange OWA 2003) that is published through Forefront UAG, users experience intermittent error 500 messages.
  • This service pack includes fixes for some stability issues.

It’s time to back up your UAG server and start testing. UAG SP2 includes all previous patches and can be installed on top of the base install of UAG.

Download Here:
http://blogs.technet.com/b/edgeaccessblog/archive/2012/08/06/forefront-unified-access-gateway-2010-service-pack-2-is-available-for-download.aspx

Thank you!
Dennis Lee
ForeFront MVP


How to host a website on your UAG server

Introduction

The UAG veterans know to never create a website on your UAG server.  Why? Because it will get deleted upon activation!   However, many times it comes in handy to have a test website that runs on your server.   You may need to demonstrate publishing a website but have limited access or no backend resources.   You might have a spectacular idea for a value-add that belongs on the UAG server but it keeps getting deleted.

My blog post will discuss how to create a website on your UAG server that doesn’t get deleted by UAG upon activation.

Why is my website getting deleted?

UAG has a security and troubleshooting mechanism built in that deletes ALL websites that run on your UAG server during the activation process. The reason for this feature goes back to the origins of the product. Back then it was very common for an activation to fail, leaving you with a partially functional UAG website. I still see this problem often today, so I’m glad this feature is still around: you can just re-activate your UAG configuration and be back in business, because UAG deleted and then recreated the website that’s associated with your trunk.

The website delete offers some security benefits: What if someone unintentionally changed one of the settings for your UAG trunk in IIS?  This could cause your UAG portal to expose something unintentionally, or the portal may become unavailable.

The screenshot below shows the UAG Configuration Message that alerts you about deleting a non-UAG trunk – a website that you just created.

How to create a website on your UAG server?

UAG runs on IIS (Internet Information Services), so you can leverage IIS to host your website.

1) Start >> Run >> “iismgr”.

2) Start the “Add Web Site” wizard and fill in the details:

Remember! Don’t use ports 80 or 443, because your UAG server already uses them.
I like to use 8181, but you can choose something unique. Also, remember the Site name you assigned; you’ll need it later when you tell UAG not to delete this site.

How do I stop UAG from deleting my site?

There is a registry key setting that is undocumented by Microsoft which allows you to tell UAG not to delete your site!  Always back up your registry before making changes.

1) Start >> Run >> “regedit”.

2) Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Configuration

3) Right-click on “Configuration” >> New >> Key >> enter “RWS”.

4) Create another key within RWS: right-click on “RWS” >> New >> Key >> enter the name of your website exactly as it is shown in IIS.

Many times modifying the registry requires a reboot but this change doesn’t.
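The same procedure scripted in PowerShell, as an added example that is not part of the original post: it creates the demo site in IIS, registers it under the RWS key described above, and checks that the two names match. The site name, port and folder are placeholder assumptions; the WebAdministration module assumes the IIS role on Server 2008 R2 or later.

```powershell
# Added example (not from the original post). Creates a test site on the UAG
# server and registers it so UAG activation leaves it alone.
# Assumptions: site name, port and content folder are placeholders.
param(
    [string]$SiteName = 'UAGDemoSite',          # must match the name shown in IIS Manager
    [int]   $Port     = 8181,                   # anything except 80/443, which UAG trunks use
    [string]$Root     = 'C:\inetpub\UAGDemoSite'
)

Import-Module WebAdministration                  # IIS cmdlets (New-Website, Get-Website)

# Refuse to collide with the ports the UAG trunks listen on.
if (80, 443 -contains $Port) { throw "Port $Port is used by UAG trunks; pick another port." }

# The post says to back up the registry first; export the e-Gap Configuration hive.
$backup = Join-Path $env:TEMP 'egap-configuration-backup.reg'
reg.exe export 'HKLM\SOFTWARE\WhaleCom\e-Gap\Configuration' $backup /y | Out-Null

# Content folder with a placeholder page so the site answers requests.
if (-not (Test-Path $Root)) {
    New-Item -Path $Root -ItemType Directory | Out-Null
    Set-Content -Path (Join-Path $Root 'default.htm') -Value '<html><body>UAG demo site</body></html>'
}

# Create the IIS website bound to the chosen port on all addresses (the "Add Web Site" wizard).
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -Port $Port -PhysicalPath $Root | Out-Null
}

# Tell UAG not to delete this site: a key named exactly like the IIS site
# under HKLM\SOFTWARE\WhaleCom\e-Gap\Configuration\RWS (steps 2 to 4 above).
$rws = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Configuration\RWS'
if (-not (Test-Path $rws)) { New-Item -Path $rws -Force | Out-Null }
$siteKey = Join-Path $rws $SiteName
if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey | Out-Null }

# Verification: the site name in IIS and the registry key name must match,
# otherwise the next activation will still remove the site.
$iisName = (Get-Website -Name $SiteName).Name
$regName = (Get-Item $siteKey).PSChildName
if ($iisName -eq $regName) {
    Write-Host "Site '$SiteName' on port $Port is protected from UAG activation. Backup: $backup"
} else {
    Write-Warning "Name mismatch: IIS='$iisName' registry='$regName'; UAG will delete the site."
}
```

Run it once per UAG server in an array, as the post says, since the registry key is local to each node.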

Below is a screenshot of a website I’m publishing through UAG.  This website is actually hosted on the UAG server itself.

Rinse and repeat the steps above if you have multiple UAG servers.

You are all set!!!  Remember this blog post when you need a reference on how to prevent UAG from deleting your website that’s being hosted on the UAG server.  This is how I typically setup a demo that runs on VMware workstation on my laptop.

Thank you for reading my post!

Dennis Lee
UAG Expert

Posted in UAG 2010

Cloud security, how can you protect yourself and your community?

Dear Reader:

I wanted to take a break from my usual blog posts about Microsoft Forefront security to bring some attention to cloud security, personal information protection and corporate responsibility. What is the cloud, first of all? A marketing genius took the iconic cloud symbol used by IT professionals around the world to represent the Internet and leveraged it as a concept that now has global recognition. Cloud computing or Software as a Service (SaaS) isn’t anything new; I’ve had my Y! Mail account for over 13 years now. What is new is that more and more people now use cloud services not only for entertainment but also for personal and professional business applications. Your company or school may be using products like Microsoft Office 365, Google Apps and SalesForce, so you have no choice but to go to the cloud. Cloud service usage has increased in general due to recent marketing ads on TV, billboards, etc.; you may need to use it for online banking and to pay your bills. But it doesn’t matter if you are an IT security guru, or live next door to one; you have to put your trust in, and thus stake your security on, that company when you use their cloud space.

Now I know I don’t need to lecture anyone reading my blog about personal security because you are either in this field or have interest in it. But I do want to stress that as IT professionals, it’s our job, really our duty to protect our workplace and our community. Your community is extremely vulnerable, so you should teach your friends, people at your church or clubs, those folks you can, about how to better protect themselves and their families. Below are some basic suggestions for personal data security. Make sure you know how to protect yourself and what to pass on. Also, I would appreciate any suggestions that you can offer to help improve and increase the list:

• Use a personal firewall and updated antivirus as well. Platforms that have been considered safe travelling are now getting criminal attention; keep informed and reevaluate risk. (No need to send any flames, I respect that your evaluation may rightfully indicate you don’t need to exchange privacy/performance for monitoring/security).

• Use a complex password and change it often.

• Use a different password for your email account. Why? Because your email may be a vector for hackers to break into other resources; for example, that online group you used to participate in, or the music stream you paid for. While email providers generally put a lot of money into their systems and monitor them constantly, they can’t protect you if a hacker gets your password from somewhere else.

• Don’t sign up for online/cloud services that you don’t need or won’t use often enough to monitor. Close accounts you no longer use.

• No one is really giving you a million dollars (or anything else) from Africa (or anywhere else); be skeptical and avoid emails from people you don’t know. If you get a suspicious or vague email from one of your contacts, check with them to make sure their email or messenger service isn’t compromised. If it wasn’t compromised and they really want to give you 1,000,000 dollars, then, people – do share their contact information with me.

Why shouldn’t you trust your online bank, social networking sites, or other software-as-a-service companies? It doesn’t matter if they are a multibillion-dollar company: there is such a thing as bad PR, and getting hacked is it. Going a step further, companies get hacked all the time and don’t even know about it! Your home address, phone number, credit card number, email address, and password could be, as you read this, getting traded by criminals.

A company bears the responsibility to use encryption technologies, hire independent security auditors, maintain software updates, employ qualified security personnel, and most importantly, it should encourage HR/IT departments to perform end user online security training. If your company isn’t doing all of this, consider speaking up. There are many great products like Microsoft UAG, TMG and SunFive’s Boole Server that can protect company resources with firewall security, SQL injection protection, DoS mitigation, data protection, and general communication encryption.

Also consider: what could the response be when a company you trust does get hacked? Recent events aren’t necessarily reassuring. I saw coverage on CNN.COM before I heard anything from a company that had just had a well-known breach in which usernames and passwords were compromised. I saw another company post a very small notice on its website telling users it had been hacked. Interestingly enough, that notice was removed after 5 days. So, did you see the notice I am talking about? Are you one of the folks who could now be compromised?

http://www.slate.com/id/2277768/
http://www.computerworld.com/s/article/9217273/Sony_Pictures_falls_victim_to_major_data_breach

Come on! Free service or not, People who signed up for a service expect diligence to protect their information and a heads up if the protection fails. If it’s not possible, or practical, it should be stated up front what the risks are and what the response will, or won’t be. I encourage companies to take corporate responsibility seriously and inform users about security breaches that affect them. On the user end of things, people need to start speaking up when they find out about security breaches through third parties instead of service providers; they should contact both the company and elected representatives to ask why details haven’t been disclosed or why they weren’t contacted directly as a victim. http://www.usa.gov/Contact/Elected.shtml

My plan is to speak at community events to teach people how to protect themselves and I challenge you to do the same.

Thank you, and remember: the cloud isn’t going anywhere; it’s our job to spread knowledge to help protect ourselves, our workplace and our community.

Dennis Lee
Security Professional


Publishing MOSS 2010 with KCD

Introduction

This blog post will show you how to configure Kerberos & KCD (Kerberos Constrained Delegation) from start to finish for MOSS 2010 and UAG 2010.

A powerful feature of UAG is its ability to support KCD internally between UAG and the SharePoint 2010 server.  This feature helps reduce traffic between the servers because NTLM is considered very network chatty.  Also, KCD allows for a truly seamless SSO experience for smartcard users.

Configuring Kerberos Authentication Internally – SharePoint Side

You can’t have KCD support if you don’t have Kerberos working internally!  I will show you an easy way to setup Kerberos authentication for SharePoint 2010.

1) Go to SharePoint Central Administration >> Manage Web Application >> click on your SharePoint site >> Authentication Providers.

2) A MOSS 2010 configuration window will appear displaying a link labeled “default”. Click it and scroll down until you find “IIS Authentication Settings”.

3) Under “IIS Authentication Settings” check the box that says “Negotiate (Kerberos)” and click “Save”.

The term negotiate means that if Kerberos doesn’t work, the client falls back to NTLM.

4) Restart IIS!!! Start >> Run >> “CMD” >> type in “iisreset”

Configuring Kerberos Authentication Internally – Active Directory

Forget the SetSPN application; many administrators find it difficult to use. I will show you the manual way to configure SPNs, which is pretty much foolproof. If you are using Server 2003, you may need to download the ADSI Editor MMC; the ADSI editor comes built in with Server 2008. Do NOT enter multiple SPNs.

1) Open the ADSI editor >> find the Service Account used to run the IIS services/application pool for your SharePoint server or SharePoint farm. In the case of a farm, it should still be the same account across all servers.

2) Click Properties and scroll down until you find “ServicePrincipalName”. Click Add and enter your SharePoint site name, such as: http/sharepoint.domain.com

3) Run “Active Directory Users and Computers” >> find the account we just added the SPN to >> click “Delegation”.

A nice thing to note is that the “Delegation” tab is not available until you configure the SPN.

4) Check the box that says “Trust this user for delegation to any service (Kerberos Only)”. Click OK and allow enough time for your changes to replicate.

Verifying that Kerberos works

It is very important to verify that KCD is working internally before proceeding to configure UAG.

1) Open the Event Viewer on your SharePoint server and click “Security”.

2) Filter by event ID “4624” to make sure you only see logon and logoff logs.

3) Look for a user logging in, scroll down, and make sure the logon process was verified using Kerberos.

Publishing SharePoint 2010 – UAG 2010 Side

There are many ways to publish SharePoint 2010 through UAG, and the method used should reflect how you want SharePoint and UAG configured. Below are the steps for a typical deployment where your internal and external SharePoint URLs are different.

1) Click “Add” and select “Web Application” >> enter an Application Name >> Single server.

2) Under Addresses, make sure to enter the server name used for the SPN.

3) Select the proper authentication server, which should be AD-based. At this time you cannot select KCD.

Keep clicking Next and configure SharePoint the way you want it. Typically, I will check the boxes that allow you to bypass trunk authentication.

4) Go into the application properties for the application created above >> Authentication >> check the box that says “Use Kerberos constrained delegation for single sign-on”.

5) Enter the SPN name accordingly, as shown below:

Configuring Delegation in AD

In the official Microsoft documentation, the articles teach you how to use the LDIF file.  In doing so, you get a nasty warning saying existing data will get deleted.  Don’t worry!  You won’t replace all your AD data; however you will replace existing delegation data inside your UAG computer object.   Let me explain: let’s say you configured delegation in UAG before for MOSS 2007;  well, MOSS 2007 is gone now and you have MOSS 2010. If you didn’t clean up AD, then a delegation rule under UAG for MOSS 2007 should still be there.   Your LDIF import will clean up that rule.

Next, I will show you how to manually configure delegation in AD.

1) Run “Active Directory Users and Computers” and search for your UAG server computer object.

2) Click the “Delegation” tab >> check the box that says “Trust this computer for delegation to specified services only” and click “Add”.

3) Type in the name of your SharePoint server as its name in AD. Scroll down in the list until you find HTTP and select it.

4) Click Apply and you are done!!! Rinse and repeat the above steps if you have multiple UAG servers or Celestix WSA Appliances.
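The SPN, delegation and verification steps from the Active Directory sections above, plus the UAG computer-object delegation just described, done with the ActiveDirectory module instead of ADSI Edit and the GUI. This is an added example, not the post's or Microsoft's own code; the account, host and computer names are placeholder assumptions, and it assumes a domain-joined machine with RSAT installed.

```powershell
# Added example (not from the original post). Assumptions: account, host and
# computer names are placeholders; run from a domain-joined host with RSAT.
Import-Module ActiveDirectory

$SpServiceAccount = 'svc-sharepoint'          # app-pool service account for the SharePoint web app
$SpHost           = 'sharepoint.domain.com'   # internal SharePoint URL host, as in the post
$UagComputer      = 'UAG01'                   # UAG server computer object
$SpServer         = 'SP01'                    # SharePoint server whose Security log we check

# --- SharePoint side: exactly one SPN on the app-pool account ----------------
$spn  = "HTTP/$SpHost"
$acct = Get-ADUser -Identity $SpServiceAccount -Properties ServicePrincipalNames, TrustedForDelegation
if ($acct.ServicePrincipalNames -notcontains $spn) {
    Set-ADUser -Identity $acct -ServicePrincipalNames @{Add = $spn}
}
# "Trust this user for delegation to any service (Kerberos only)" from step 4.
if (-not $acct.TrustedForDelegation) {
    Set-ADUser -Identity $acct -TrustedForDelegation $true
}

# A duplicate SPN breaks Kerberos silently: the KDC cannot choose a key and the
# client falls back to NTLM. This is why the post says "Do NOT enter multiple SPNs".
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
if ($owners.Count -ne 1) {
    throw "SPN $spn is registered on $($owners.Count) objects: $($owners.DistinguishedName -join '; ')"
}

# --- UAG side: constrained delegation to the SharePoint HTTP service only ----
# Same as "Trust this computer for delegation to specified services only" + HTTP.
Set-ADComputer -Identity $UagComputer -Add @{'msDS-AllowedToDelegateTo' = $spn}
# UAG authenticates the user itself (forms, smartcard) and then requests a
# Kerberos ticket on the user's behalf, which needs protocol transition
# ("Use any authentication protocol" in the GUI).
Set-ADComputer -Identity $UagComputer -TrustedToAuthForDelegation $true

# --- Verify: did network logons on the SharePoint server really use Kerberos?
function Get-RecentLogonAuthPackages {
    param([string]$Computer, [int]$Last = 200)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents $Last |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                AuthPackage = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            }
        } | Where-Object { $_.LogonType -eq '3' }            # type 3 = network logon, i.e. IIS
}

# Any 'NTLM' rows here mean Negotiate fell back, so KCD through UAG will not work yet.
Get-RecentLogonAuthPackages -Computer $SpServer | Group-Object AuthPackage | Select-Object Name, Count
```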

If you would like to import the LDIF file, that’s OK too. After you are finished with the SharePoint wizard and have changed authentication to KCD, do the following.

1) Admin >> Export KCD Settings to Active Directory >> click “Export Settings to an LDIF file”.

2) Copy the LDIF file from your UAG server to your Domain Controller.

3) Open a command prompt and type in the following:

LDIFDE -i -f c:\pathhere\filenamehere.ldif

You are all set!!! Remember to log into UAG and then check your SharePoint logs to make sure you are truly using KCD. You will need to configure AAM in SharePoint.

Note that setting up Kerberos on the inside doesn’t mean you will get a truly SSO experience internally. You may need to add the SharePoint URL to your Trusted Zone.

If you are publishing SharePoint 2010 without Kerberos, then go through my article and set it up. Trust me, in an environment of 500+ users the savings in bandwidth are well worth it.

Thank you for reading my post!

Dennis Lee
Celestix Networks

Posted in UAG 2010

Microsoft Forefront UAG Configuration Manager Not Starting!

Introduction

The UAG Configuration Manager Service needs to run in order for the administrator to manage their UAG configuration.  When you are installing UAG SP1, the first thing the installer does is rename the executable that’s associated to that service.  If you ran the installer and hit cancel, that .exe which was renamed is not changed back!   Microsoft documents this problem in a TechNet article on how to deploy SP1 but left it out in their troubleshooting paper.  Recently however, I came across successful SP1 installs that never renamed the file back and this is why I am posting this article.

Identifying the Issue

The first thing you will notice is that you will get the dreaded “Configuration cannot be retrieved from TMG storage. An unrecoverable error has occurred. The application will close.”.  Come on, I know everyone has seen this error message at least once.   Usually restarting your TMG Storage, Firewall and related dependencies will fix this issue.    But when the service is disabled and the executable is renamed—restarting services will not help.

Go into Services and you will see that the UAG Configuration Manager Service is disabled.

You will encounter the following error if you enable and start the service.

Fixing the Issue

The fix is quick to make and you can continue using UAG SP1.

a) Go to the following folder:
C:\Program Files\Microsoft Forefront Unified Access Gateway\common\bin

b) Look for “ConfigMgrCom.exe.bak” and rename it to “ConfigMgrCom.exe”.

c) Go ahead and start the service again.

You are back in business!  It’s my recommendation that you uninstall SP1 and install it again because you never know what else might have failed during the installation process. 

References

How to install SP1:
http://technet.microsoft.com/en-us/library/gg281604.aspx

SP1 Troubleshooting Tips:
http://technet.microsoft.com/en-us/library/ff806834.aspx

Blog post I made about upgrading to SP1 and getting a “corrupted” install error:

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/9cada5eb-c9c8-4573-a674-6316c0ddb0ec

Thank you!
Dennis Lee
Celestix Networks


The Forgotten Contact Us Button

Introduction

The bigger and more colorful Email icon stands out on the UAG Portal Home Page and quickly catches the eye of the UAG administrator. The less noticeable ‘Contact Us’ link is thus often untouched and forgotten. My blog post today defends the lonely Contact Us link and brings it forth to its rightful place on the UAG Portal Home Page. An advanced section is also included that will challenge your thinking on how to use the links.

Before we begin our quest, let’s first take a look at the Email icon link and see how it’s configured.

Configuring the UAG Portal Home Page – Email Icon

The Email Icon is a 32×32 graphic that lives in the following directory:

C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\images\Toolbar\mailAdmin.gif

It can be changed if you want to add more flair to its current appearance. Configure the mailto: link (left blank by default) as follows:

1)       Copy the “web.sitemap” file from “C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\ToolBar\” to “C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\ToolBar\CustomUpdate”

2)      Open the copied file  using a text editor such as notepad.

3)      Look for the following code toward the end of the file and append an email address after mailto: as shown below:

<siteMapNode url="mailto:email@domain.com"
    title="$Resources:Resource, 113"
    description="$Resources:Resource, 113"
    imageUrl="~/images/ToolBar/mailAdmin.gif"
    DisplayMode="OnlyImage"
    target="_blank" />

4)       Activate to save your changes.

UAG Portal Home Page – The Forgotten Contact Us Link

The Contact Us link is located on the bottom of the UAG page (in the Footer).  It is a simple text link.  Configuring an email address for the Email Toolbar Icon does not change this link which many UAG administrators find troublesome.  In my post, I will show you how to configure it and describe some advanced techniques.

1)      Copy the “LeftFooter.sitemap” file from “C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\Footer” to “C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\Footer\CustomUpdate”

2)      Open the copied file using a text editor such as notepad.

3)      Look for the following code toward the beginning of the file and append an email address after where it says mailto: as shown below:

<siteMapNode url="mailto:"
    title="$Resources:Resource, 182"
    description="$Resources:Resource, 182"
    imageUrl=""
    displayMode="OnlyText"
    target="_blank" />

4) Activate to save your changes.

Advanced Changes – Adding Flair

Many of my customers note that they found the email links on the portal page unhelpful. Given that the mailto: link assumes you are on a workstation that has an email client installed and configured, it’s a valid point. If you are publishing Outlook Anywhere or have an external email client configured, then it works fine. However, most customers are on home computers set up with their ISP or personal email address. Can you imagine your IT staff being sent an email by CFO John Doe, who’s using a home computer he shares with his daughter? All of a sudden your IT staff gets an email from ILoveJustinBieber@domain.com with a description of his UAG problems.

I hope my post here will help you challenge the default UAG placeholder which many of us accepted to be a Mailto.  Microsoft provided ‘mailto:’, so we just add the email address and we are done configuring our UAG server.  Some of us rarely stop to think on how we can better utilize this link.

Customizing the Mailto Links:

The mailto link is a URL scheme registered with IANA that defines the scheme for SMTP, POP and IMAP email addresses. By knowing the scheme you can do more customization, like adding a predefined subject, additional email addresses, CC and even BCC.

Add additional email addresses:

mailto:helpdesk@domain.edu;itsupport@domain.EDU

Add a predefined subject line:

mailto:ithelpdesk1@domain.edu?Subject=UAG Portal Page Help

You can learn more about mailto schemes and customizations by visiting:
http://www.ianr.unl.edu/internet/mailto.html
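One way to put the two earlier procedures together in a script: build an encoded mailto URI as described in this section and write it into the CustomUpdate copy of the footer sitemap from the Contact Us procedure above. This is an added example, not the post's or Microsoft's code; the addresses and subject are placeholders, the paths are the ones given in the post, and finding the node by a url starting with mailto: is an assumption about the file's layout.

```powershell
# Added example (not from the original post). Assumptions: addresses and
# subject are placeholders; the Footer/CustomUpdate paths are those from the
# post; the Contact Us node is located by its url attribute starting "mailto:".

function New-MailtoUri {
    param(
        [Parameter(Mandatory = $true)][string[]]$To,
        [string[]]$Cc,
        [string]$Subject
    )
    # RFC 2368: recipients are comma separated and header values are %-encoded,
    # so a subject like "UAG Portal Page Help" must not carry raw spaces.
    $uri = 'mailto:' + ($To -join ',')
    $q = @()
    if ($Cc)      { $q += 'cc=' + ($Cc -join ',') }
    if ($Subject) { $q += 'subject=' + [uri]::EscapeDataString($Subject) }
    if ($q.Count -gt 0) { $uri += '?' + ($q -join '&') }
    return $uri
}

function Set-FooterContactLink {
    param([Parameter(Mandatory = $true)][string]$Url)
    $base   = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\Footer'
    $src    = Join-Path $base 'LeftFooter.sitemap'
    $custom = Join-Path $base 'CustomUpdate'
    $dst    = Join-Path $custom 'LeftFooter.sitemap'

    # Step 1 of the Contact Us procedure: work on a copy in CustomUpdate, never on the original.
    if (-not (Test-Path $custom)) { New-Item -ItemType Directory -Path $custom | Out-Null }
    if (-not (Test-Path $dst))    { Copy-Item -Path $src -Destination $dst }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($dst)
    # Step 3: the node whose url is the empty "mailto:" placeholder (assumption: exactly one).
    $nodes = $xml.SelectNodes("//*[local-name()='siteMapNode'][starts-with(@url,'mailto:')]")
    if ($nodes.Count -ne 1) { throw "Expected one mailto: footer node, found $($nodes.Count)" }
    $nodes.Item(0).SetAttribute('url', $Url)
    $xml.Save($dst)
    return $Url
}

# Either a mailto with an encoded subject (spaces become %20)...
$link = New-MailtoUri -To 'helpdesk@domain.edu', 'itsupport@domain.edu' -Subject 'UAG Portal Page Help'
# ...or, as the post suggests, a published OWA or contact-form URL instead:
# $link = 'https://mail.domain.com/owa'
Set-FooterContactLink -Url $link
# Step 4: activate the UAG configuration afterwards so the portal picks up the change.
```

Note that the post's example separates addresses with a semicolon; RFC 2368 specifies a comma, which Outlook and most webmail clients also accept.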

Eliminating the Mailto Format:

I described the issue of using a mailto link through a corporate SSL VPN gateway that is meant to be used by company employees and affiliates. Many of us simply follow the template and don’t think about the consequences. Here is some food for thought: instead of using the mailto link, you can do the following:

Corporate Contact Us Form:

Many companies already have a public website where you can submit your helpdesk information using a form. Instead of using ‘mailto:’, enter the URL of your contact-us form. For example, if I were setting this up for Celestix Networks, I would use the following link instead of mailto:

http://www.celestix.com/index.php?option=com_content&view=article&id=68&Itemid=59&lang=en

Published OWA Link:

You may already have UAG configured to use OWA, so use it!!! Instead of using ‘mailto:’, enter the URL of your UAG OWA link. For example: https://mail.domain.com/owa

If your company uses cloud-based email such as Microsoft Office 365 or Google Email Apps, then you can simply link users there. For example: https://home.microsoftonline.com/

Final Thoughts

I hope you found this posting helpful in configuring the Email icon/Contact Us link, and that you learned other simple techniques for these placeholders.

Thank you again,
Dennis Lee
Celestix Networks

References:
http://www.ianr.unl.edu/internet/mailto.html

RFC 2368
http://tools.ietf.org/html/rfc2368

Posted in UAG 2010