Archive for the 'firewalls' Tag

SSL Client Certificate Authentication allows users to authenticate to TMG using smart cards. This post explains how to configure TMG and Active Directory for certificate authentication.

In my previous article I explained the use of one-time passwords with Forefront Threat Management Gateway (TMG). Today, I will discuss an alternative to this method that leverages smart cards and Public Key Infrastructure (PKI). I will describe how to use certificates that are published on the TMG.

For this to work, you don’t have to deploy an Enterprise Certification Authority. You can use any certificate issued by a public or private CA. Two things are required for this:

  1. The CA that issued the user certificate has to be added to the Certificate trust list (CTL) on the TMG Listener
  2. The user certificate has to be mapped to the user’s Active Directory credentials

First, locate the Listener from our previous articles.


Access to corporate resources from external computers requires secure authentication methods. This article explains how to configure One-Time Password pre-authentication.

In the previous article of this Kerberos Delegation series, you learned how to configure Kerberos Constrained Delegation. Today, I will discuss pre-authentication methods that are not based on Active Directory. Users can pre-authenticate using Windows Active Directory authentication, RADIUS OTP authentication, certificate authentication or LDAP authentication, and even with PKI certificates.

In the example here, we will use a one-time password solution that provides a simple, user-friendly and very secure solution that is ideal for securing access to corporate resources when used with Microsoft Forefront TMG and Kerberos Constrained Delegation. I will describe how Protocol Transition works with TMG, i.e. how you can authenticate users with one method and then pass the credentials to the backend using Kerberos.


This article describes how to configure Active Directory to use Kerberos Constrained Delegation with Forefront TMG.

As Alex already explained in a previous article, TMG secures backend servers as a proxy by reducing the attack surface. Primarily, it reduces the number of ports that are accessible from the Internet, and it allows only authenticated traffic to reach backend servers running Outlook Web Access, SharePoint and other web servers and applications.

Kerberos Constrained Delegation vs. Basic Delegation

TMG contains a mechanism called credential delegation, the simplest form being Basic delegation. Basic authentication is enabled on the TMG listener, and the credentials that the user provides are simply forwarded to the published backend server, which also has to use Basic authentication. If the backend server is configured with Integrated authentication, it will not work. Basic delegation is simple and effective.


This step-by-step guide explains how to install the SSL certificate, create a web listener, a web farm, and an Exchange publishing rule to secure Exchange 2010 with Forefront TMG.

In my last post I introduced Forefront TMG’s functionality to secure Exchange 2010. Today, I will show you how to configure Exchange and Forefront to work together.

Install the SSL Certificate

  1. Open the “Exchange Management Console” and, under “Server Configuration -> Exchange Certificate”, export the Exchange certificate by right-clicking and choosing “Export Exchange certificate”.
  2. Name the certificate, enter a password and save it as a *.pfx file.
  3. Copy the file to your Forefront TMG server.
  4. Open a “Microsoft Management Console” on the Forefront TMG server by typing “mmc” in the command shell.
  5. Add the Certificates snap-in via “File -> Add/Remove Snap-In” and choose “Local Computer” in the “Computer account” dialog.
  6. Open the certificate tree (Local Computer) and select “Personal”.
  7. Right-click the “Personal” folder and select “All Tasks -> Import…”.
  8. Import the *.pfx file. You have to choose *.pfx as the file type instead of the default *.cer. In the following dialogs, keep the default settings.


In this article, you will learn how to use the advanced features of Forefront TMG to improve the security of Exchange 2010.

An essential part of an Exchange 2010 deployment is the availability of e-mail everywhere at any time. For your users, this feature eases work; for you as an administrator, it means more work, because you have to secure the Exchange Server against attacks from outside your corporate network.

I often see Exchange 2010 published directly to the Internet by opening the various ports to the Internet. However, this approach undermines most of the security features of Forefront TMG. Forefront supports pre-authentication, which means that users do not authenticate with the Exchange Server but with Forefront. Forefront then passes the privileges on to the Exchange Server.


Submitted by Edward Lansink – Blog: GFI Tech blog

GFI WebMonitor Freeware is a freeware web filtering and web security solution for ISA Server, ideal for SMBs. It lets administrators monitor in real time which websites users are currently browsing and which files are being downloaded. Through user and site bandwidth monitoring features, the administrator can track download and upload traffic and the number of URL hits over time.

Windows Firewall was introduced with XP, but only the version for Windows Vista was powerful enough to replace third-party desktop firewalls. Actually, Vista’s firewall is better than many of the personal firewalls I have ever seen. Compared to these enhancements, Windows 7 only has a tiny improvement to offer. However, in some environments, it might turn out to be very useful.

You probably know that Windows distinguishes between Public, Home, and Work networks. Whenever you connect to a new network, Windows asks what type of network it is. Each network type has its own firewall profile, which allows you to configure different firewall rules depending on the security requirements of the user’s location. You can use the filter in the Windows Firewall with Advanced Security snap-in to display only the rules for specific locations. The corresponding firewall rule sets are Public (Public), Private (Home / Work), and Domain (when a domain-joined workstation detects a domain controller) (see comment below).


Microsoft acquired Whale Communications in 2006. Its SSL-based VPN appliance became Intelligent Application Gateway (IAG) 2007. Wikipedia gives a good overview of this product. Basically, it is a web application firewall and endpoint security management solution offering more sophisticated features than ISA Server. According to Microsoft, the new features of IAG 2007 SP2 are simplified deployment, interoperability for environments not running Windows, enhanced application support, improved user experience, and improved performance. You can download IAG 2007 SP2 or try it in a virtual machine.

  • How to enable Remote Desktop on remote computers through remote registry. http://snurl.com/2c2w0
  • VMware Workstation 6.0.4 officially supports Vista SP1. I am using 6.0 and never experienced problems with Vista SP1. http://snurl.com/2c2vg
  • My DSL modem is broken, so I was forced to use my Windows Mobile toy as a modem for my laptop. Setup cost me less than a minute. Cool!
  • Lukas Beeler blogs about his first impressions of Windows Small Business Server 2008 RC0. http://snurl.com/2br3d


On Tuesday, Service Pack 2 for Windows Server 2003 will be available through Automatic Update. I recommend waiting some time before deploying it. Recently, we updated a machine running ISA Server 2004 with SP2. This significantly improved the security of Microsoft’s firewall, since all traffic was blocked after the update. Okay, the disadvantage was that the computers behind ISA were no longer able to access the Internet.


Tom Shinder has a detailed article about the new features of Service Pack 3 for ISA Server 2004, Microsoft’s gateway firewall. Some of them are really quite useful.


Today, I played a little with the new features of Windows Firewall. If you are familiar with the desktop firewall in Windows Vista, you already know the most important new features. There are, however, some server-related peculiarities.


Some time ago there was a debate on 4sysops about the use of outbound filtering in personal firewalls. Some argued that once malware is running on the desktop, it is already too late to stop it with a personal firewall. I recently tested the outbound filter of Vista’s firewall. In my view, it makes sense for standard users to use it, but probably not for administrators.


Just saw it at Microsoft’s Download Center: a 180-day trial version of the final ISA Server 2006 is now ready for download. As with former versions, there is a Standard Edition and an Enterprise Edition. I already played with the beta version a while ago. My review is long overdue. I hope I will find some time to have a closer look soon.

Marius Ducea discusses three ways to block brute force attacks under Linux using iptables, PAM and fail2ban. All three posts are quite detailed and well written.
