I finished reading chapter 3 and managed to get my UAG up and running, albeit I hit another unexpected issue, as you will be able to read in just a bit.

- What I loved:

Overall I found this chapter great; it finally started to give me an insight into how UAG works.

- After reading this chapter, trunk, application and group will make sense; they’re explained and associated in such a way that you start to wonder why you didn’t work out earlier what they were in UAG.

- The detailed breakdown of trunks gave a great insight into what types there are and where to position them in web servicing. I also especially liked the fact that even though ADFS trunks will not be explained in detail in the book, a nice link was provided for those of us that might need this information later down the line. I have always found that books like this should reference more official documentation links when parts are not explained in detail. It shows real dedication to getting as much information out as possible.

- It’s all about applications in UAG and this clearly shows in this chapter. A summary of top-level and sublevel applications shows just how versatile UAG is out of the box, and you get a good view on more than just web app publishing, like client/server publishing,…

- I loved the fact that for the first time a book talks about the new way Win2k8 selects its primary IP address. For those of you that haven’t noticed yet (and yes, we TMG guys have run into this a lot), this is totally different from Win2k3. The primary IP in the TCP stack basically doesn’t count for anything more than any other IP does. Don’t know what I’m talking about? Click this link.

- Good first glance of the Authentication dialog. I expect we will be seeing more of this later down the line but it does help in getting that first UAG app up and running.

- At the end of the chapter the writers explain in detail what kicks in and what’s changed when you press apply/activate on a new configuration and create a trunk. Even though there is probably much more behind the scenes, it gives you the confidence that you have control and are not just in a black box situation.

- What I missed:

- There is a little paragraph about URL signing and how it works. As I’m reading this, it first very briefly covers how this is the enabler for multi-server publishing on one IP and port. And then a few lines down it’s all about adding unique strings to published URLs for enhanced security. I had to read this paragraph twice to figure out what it was all about. I believe URL signing is a key security feature for UAG and a concept you need to understand well. The paragraph is just too short and confusing for me and could do with splitting it up more clearly and adding some extra examples / scenarios. I don’t know how to explain it better but I’m guessing the experts will.

- Certificates are key for UAG and almost any other TMG, IIS or other web-based deployment. However, spending 6 pages on certificates to me seems out of scope for a book on UAG, and we could use this page real estate to explain core UAG tech in more detail, like URL signing, and just reference a good MS TechNet post or other MS Press book on this subject. However, my finding is based on the fact that I have extensive knowledge of certificates, so this might be a great requirement for novice users and is essential for any UAG deployment. What I would have liked is a reference / link or explanation towards these novices on how to use MS PKI to quickly generate a home-made cert for you to use on a lab deployment. People with PKI knowledge hardly need these 6 pages and those that do need these 6 pages will not know how to quickly and at no cost get a cert to continue the book. It might be worth even putting some kind of self-generated contoso certificate on the publisher’s website and referencing that URL later in the book for people just playing with the product in a lab.

- My problem:

As always, you can’t expect all to go well for me on my first deploy, can you? After configuring my first trunk by the book and checking everything I was still presented with a nasty IIS page instead of the hoped-for UAG logon page. The page I got was:

[screenshot: the IIS error page]

After doing a quick Bing around the world it turned out I needed to restart IIS and that would fix my issue. Sure enough it did; however, there was nothing in the book about this potential hiccup, but looking at the Bing results I’m surely not the only one that ran into this.

Well that’s all for now, this covers all three published chapters of the RAW book up until now. I’m really looking forward to continuing our journey down UAG lane as soon as the next chapters are published, and I have heard we can expect them sooner rather than later ;-)

Getting swamped by the amount of RDP connections you open every day? Want to keep them manageable and in a clear overview?

Don’t want to buy 3rd party tools like visionapp’s,…

MS has a free tool to do this for you: http://www.microsoft.com/downloads/details.aspx?FamilyID=4603c621-6de7-4ccb-9f51-d53dc7e48047&displaylang=en

Yep, the summer is hot down in Moscow and MS knows we need something here in Belgium to heat things up for us, so they launched wave 3 of the summer campaign yesterday.

Check out what’s hot:

- MSDN: Windows Phone 7:

NL: http://msdn.microsoft.com/nl-be/ff872142.aspx

FR: http://msdn.microsoft.com/fr-be/ff872142.aspx

- TechNet: Deployment:

NL:  http://technet.microsoft.com/nl-be/ff898349.aspx

FR: http://technet.microsoft.com/fr-be/ff898349.aspx

- Architects: Cloud Patterns:

NL: http://msdn.microsoft.com/nl-be/ff877815.aspx

FR: http://msdn.microsoft.com/fr-be/ff877815.aspx

I found some spare time this week to work my way through chapter two and get my UAG up and running in the lab. Even though most of UAG’s install is a next > next > next > finish type install, it’s important to understand what the screens say and know what you are doing, so don’t skip it.

Despite the simple and straightforward install I still ran into an issue during install not really covered by the book, so read on, you might end up needing this info.

- What I loved:

In a chapter like this visual referencing is important as an image often says more than 100 words and they really come through on this. The whole install is neatly screenshot in the book and each setting explained.

- The install checklist and post install verify list are great to know what you need to do before and can check after the install.

- A very clear overview is given of all the different components that will be installed by the setup, indicating an install ETA for each component.

- Very well illustrated overview of the second phase of the install, the Getting Started wizard, and again each setting is explained to the level you expect, which gives you confidence that you know what you are clicking.

- What I missed:

- We know what’s being installed like the SQL, Ajax,.. and even how long each component on average takes, but a wee bit more insight into the different components and what UAG uses them for will help when things go wrong so you know what to check. Just knowing a bit of what the ISATGCTRL does could point you in the right direction of checking this service is running if X or Y is not doing what you expect. I don’t know if it’s possible but an addition to the verify overview indicating what breaks if X is not working would be nice.

- Surprising for me to see was the ever old debate of domain vs workgroup where clearly the WG edition is being promoted as more secure. This does conflict a bit with what I read many years ago in the ISA books and what we have been promoting for so long => domain join is better. Of course this will always be a tricky thing to answer and I guess the real answer is choose what best works for you, but I definitely don’t believe domain joining is in any way less secure than WG.

- In the troubleshooting section there are some common known issues mentioned and that’s great; the only thing I was missing here (apart from the below error I had) was a reference to the install log. TMG during install does some very extensive logging through the Windows Installer interface and outputs it all to %windir%\temp (click for more info). Of course I don’t know if UAG has this type of log location, but if it does I would expect it in this chapter, and as TMG is a core UAG component some mention of these files would have been nice. When things go wrong you need somewhere to find out why, and most of what is done is logged somewhere; we just don’t generally know where.

- My install error:

To my surprise however the install did not go as expected despite following the book to the letter. I ended up with an error during the very first step of the install and the book had given no info on this situation or where to look, so I ended up using Bing to find the answer.

After inserting the ISO into my virtual system and hitting “install UAG” on the splash screen I got the following nasty message on the screen:

[screenshot: the setup error message]

After reading on the internet it seems this is a known issue and can have a number of different reasons: NIC mis-config, RDP issues,…

I was installing the server through RDP as this method is mentioned throughout the book and should work fine. I had followed all the checklists to the letter so had no idea why this was happening. In any case I logged off the RDP session and went in through the remote console, and sure enough the error was gone and the install ran exactly as in the book.

After the install however I was faced with a second challenge, but luckily this hit my trusted TMG field and I knew exactly what was going on: “When you install TMG using RDP an allow RDP system policy is automatically activated; however, if you go through the console this rule is not created.” The end result was a UAG box I could not reach to configure through RDP :-(

As I was told by the book not to change config straight in the TMG interface, I explored the UAG interface to find how I could enable RDP, without success. To be quite honest I didn’t really expect to find it but had a quick poke just for the sake of it. In the end I went down to the TMG interface and reconfigured the system policy and sure enough, problem solved. And my system was ready for chapter 3 ;-)

Stay tuned for a quick wrap-up of the third and currently final published chapter.

Tom

After contacting Packt Publishing they provided me with a new download for my RAW copy of the UAG book.

I’ll be reading the book chapter by chapter when I get some time and I’m deploying in a test lab to see how I get along. As this is somewhat my first serious contact with UAG and I’m using the book as my lead, I thought I would start the concept of RATW (Review as they write).

I’ll start off today and review each chapter as I read them and as they are published. I will not go into detail about the content as you should buy the book for the content, but I do want to give you some insight as to what I thought of each chapter, why I liked it or what I think it’s lacking. If you too are reading the book feel free to add your comments on each post. I can then bundle all the feedback and provide it to the writers.

Well let’s get started on Chapter 1 “Planning your deployment”

- What I loved:

On a whole I really did like this chapter and found it filled in exactly what I should have done. It answered my questions on

- What UAG is and what it does and clearly explains the difference with TMG.

- Clearly explains how and where you can position your UAG on the network and what you need to think about during the deploy.

- In chapter one you will already get a nice insight into the Core of UAG being the ISAPI filter.

- Finally the words Trunk and Application make sense in UAG :-)

- Good first glance into what really happens when you head out to a UAG site, what clients are supported and the fact that in the background an ActiveX/Java component is installed.

- Explains the fact that you can install UAG yourself or get a ready-made appliance, and tells you what you will need as hardware and what you need to think about when doing it yourself.

As to the reading I found this chapter light and enjoyable. It gives good technical and design background and adds a pinch of humor to keep you going.

- What I missed:

- I would have loved it if they had taken a bit of page space to illustrate UAG being part of MS’s Forefront technologies and positioning it within these products, something like this. It would be great as it can help you know if you are choosing the right product for what you need and open new horizons for follow-up projects.

[diagram: UAG positioned within the Forefront product family]

- The chapter explains why UAG is better than a standard firewall but I would have loved to see more on what makes UAG so unique towards competing devices. It’s nice to know that UAG adds value compared to a standard L4 firewall but most of us will know this already. However, as you all know, when you are in the field you need some key things to get UAG to sell against competing software, just a few facts that explain why it’s so unique or what makes it really good.

- ISAPI is very important for UAG and you get some background, but it would be nice to get a link to extra reading on what ISAPI is and does as it’s so important for UAG, and I think the more background you have on that technology the better you will understand how it really works.

- In the explanation of why and if you should domain-join your UAG, it’s illustrated that 5 functionalities require domain membership. KCD is mentioned and as far as I can think I’m guessing this is Key Distribution Center, but I was unfamiliar with this term, so I’m guessing if I’m not sure a lot of readers might need some help to know what it is, and mentioning the full name might be handy.

Have fun reading the book yourself and let me know what your thoughts are.

Stay tuned for a quick wrap-up of the other chapters.

Tom

For those of you that have been following the MS forefront products you will know a lot of emphasis has been placed on UAG lately as THE publishing software and publishing internal systems to the internet has been DE-emphasized for TMG.

The only problem I have heard from everybody is there is no book,… on UAG, just the standard MS documentation.

Well, fear no more: Ben Ben Ari and Ran Dolev are writing a book on UAG, to be published by PACKT Publishing (planned for early 2011). And the great news is you don’t need to wait until then as it’s a RAW book (Read as we Write).

You can order the book at: https://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook/book

I have ordered my copy but the download link was not working at the time. I’ll let you all know when they get it fixed and what I think of the book once I have the first few chapters.

But at least now we have something to work and wait for!

Microsoft Belgium is running a really nice summer campaign at the moment focusing on some key technologies you can spend your precious free moments on.

The topics being covered this summer are: Visual Studio 2010, Silverlight 4, Windows Phone 7, the Windows Azure Platform, Cloud Computing Strategy, SharePoint 2010, Desktop Deployment and Virtualisation. The Visual Studio 2010, Silverlight 4, Cloud Computing Strategy & SharePoint 2010 summer pages are already live, and the others will be coming in August.

Check out the great content at:

MSDN:

Dutch: http://msdn.microsoft.com/nl-be/ff718229.aspx

French: http://msdn.microsoft.com/fr-be/ff718229.aspx

TechNet :

Dutch: http://technet.microsoft.com/nl-be/default.aspx

French: http://technet.microsoft.com/fr-be/default.aspx

Hi everyone, for those of you that are not following TMG’s evolution to the minute, SP1 was released last week Wednesday! One great new feature is custom blocking pages that we will be looking at in detail during one of my upcoming Live meetings together with all the rest SP1 has brought us.

For those of you that can’t wait that long, check out these two posts for a quick overview.

http://blogs.technet.com/b/forefront/archive/2010/06/23/available-now-forefront-threat-management-gateway-2010-service-pack-1.aspx

http://blogs.technet.com/b/isablog/archive/2010/06/24/forefront-tmg-service-pack-1-now-available.aspx

Tom

NIC binding order is an important setting to optimize your TMG setup. This has been the case since the ISA days and there is a great post on this subject by fellow MVP Jason Jones: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Update: Jason informed me there is a more up-to-date blog post covering UAG and TMG on Win2k8; you can find it here: http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html

The only problem is that the option has been hidden in Win 2008.

The correct binding order is as follows:

[screenshot: the recommended NIC binding order]

It can be set by heading to the advanced network configuration screen and pressing Alt + N to call up the Advanced menu option.

[screenshot: the Advanced menu in the Network Connections window]
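Once you have set the order through that hidden menu, it helps to read it back from a shell rather than trusting the dialog. The PowerShell below is an added example, not from the original post; it assumes the standard Tcpip\Linkage\Bind registry value and the Win32_NetworkAdapter GUID property that Windows Server 2008 exposes, and it only reads.

```powershell
# Added example (not from the original post): print the current NIC binding order
# on Windows Server 2008 so the Alt+N change can be verified. Read-only.
# Assumption: the TCP/IP "Bind" value lists \Device\{GUID} entries in binding
# order, and Win32_NetworkAdapter.GUID carries the same {GUID} for each adapter.
$linkage   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
$bindOrder = (Get-ItemProperty -Path $linkage -Name Bind).Bind

# Map adapter GUID -> connection name (e.g. "Internal", "External")
$names = @{}
foreach ($nic in Get-WmiObject -Class Win32_NetworkAdapter) {
    if ($nic.GUID) { $names[$nic.GUID.ToUpper()] = $nic.NetConnectionID }
}

# Walk the Bind value top to bottom; position 1 is the highest-priority binding
$position = 1
foreach ($entry in $bindOrder) {
    $guid = ($entry -replace '^\\Device\\', '').ToUpper()
    $name = if ($names.ContainsKey($guid)) { $names[$guid] } else { '(no WMI adapter with this GUID)' }
    '{0}. {1}  {2}' -f $position, $name, $guid
    $position++
}
```

Compare the printed order with the screenshot above after every NIC change or driver update, since those can silently reorder the bindings.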

I’m giving a live meeting next week on TMG and Network connectivity.

During this session we’ll deep dive into the existing ISA and new TMG network features of this great firewall product.

If you have ISA/TMG in your network or are planning to deploy, be sure to attend this live meeting:

https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032443242&EventCategory=2&culture=nl-BE&CountryCode=BE

We are back and better than ever! After a few months of silence from our side due to some major changes in life, it’s time to dust off your laptops, recharge those batteries and note down some key dates in your busy schedules. You will also see we are changing locations: after spending more than two years in Kuurne and Gent we have found a new location offering a better and more comfortable environment both for us as an organization and especially for you as attendee.

The past few months have not only spawned great changes but also great new challenges. Exchange 2010 deployments are popping up everywhere and the big question CTOs, CIOs, IT managers and IT administrators have been facing is “do we upgrade our messaging infrastructure to the latest and greatest or do we outsource to the cloud”.

The good thing is nothing is decided yet, but if the above question has not sparked your organization yet, it’s high time to get up to speed.

The great news is IT-Talks is here to share the knowledge with you and we have no-one less than industry specialist Ilse Van Criekinge from Microsoft to lead the way.

The sessions we have lined up:

1) IT-ShortTalk: Thursday 10 June 2010 - 19u00 – 21u30

Title: Messaging on-premise – in the cloud

Abstract: During this session Ilse will shed some light on the pros and cons of on-premise or in-the-cloud messaging. She will highlight all that Exchange 2010 can bring you and what the BPOS suite has to offer. It will be a great opportunity to ask your questions on this very hot subject and network with people facing the same questions.

Speaker: Ilse Van Criekinge

Registration required: http://ittalksshorttalk.eventbrite.com

Where: conxion.be (The offices are next to the Sportcentrum) - Hoogstraat 134 – 136, 8540 Deerlijk

2) IT-FullTalk: Saturday 19 June 2010 - 10u00 – 17u30

Title: Migrating Exchange 2003/2007 to Exchange 2010

Abstract: During this session Ilse will guide us through the on-premises upgrade of an existing Exchange infrastructure to the latest and greatest Exchange 2010. As always this session will be all practical, do-it-yourself.

Speaker: Ilse Van Criekinge

Registration required: http://ittalksfulltalk.eventbrite.com

Entry fee: 15€ for food and drinks all day

What you need: As with all our sessions you will need to bring:

  • your own laptop, 64-bit and virtualization capable.
  • Hyper-V or VMware Workstation / Server / Player (pre-installed and operational)
  • A power socket cable with multiple outlets
  • A network cable of 5m or more

Where: conxion.be (The offices are next to the Sportcentrum) - Hoogstraat 134 – 136, 8540 Deerlijk

Events are sponsored by:

[sponsor logos: RIS, ConXion]

When working on a Windows 2008 R2 server with Outlook installed I was trying to configure Outlook locally with multiple mail profiles. However, when I headed down to the Control Panel I couldn’t find the Mail icon. After doing a quick Bing I found the answer. The CPL files for 32-bit apps are not shown by default in the 64-bit Control Panel on Win2k8. But you can view the 32-bit CPLs separately.

[screenshots: viewing the 32-bit Control Panel items, where the Mail icon appears]

Today I got a question regarding why it takes X time between hitting apply in TMG and the policy actually being applied. Without having a full background and insight into the TMG setup this person was using, I did take the opportunity to shed some light on what happens behind the scenes when you hit apply in TMG.

With TMG the process is the same in both Standard and Enterprise edition. With ISA there used to be a difference in where the config was written: Standard edition used to commit to the registry, while TMG now always commits the config to the CSS (central storage).

After the config is written to the CSS it needs to be converted into a TMG engine friendly format and then loaded into memory. Only after this last step is completed can the TMG box begin to react to your new setup.

This whole process cycle is clearly visible when you fire up Resource Monitor on your TMG box. After hitting apply you will see two spikes in the graph illustrating the two phases of the config deploy. If you are in a multi-node deployment you need to wait for all the nodes to load the config before we can speak of total convergence and policy activation.

The speed of this process is mainly influenced by the speed of your server system.

- The first of the two spikes is illustrated in this view. The green line illustrates all CPU activity while the orange line illustrates the CPU cycles generated by the selected process. In this spike we are writing the config to the CSS.

[screenshot: Resource Monitor, first CPU spike (config written to the CSS)]

- The second spike is illustrated below. Again you can see the total CPU load and a selection of the processes that make up the majority of that spike. Here you can see the engine loading the config.

[screenshot: Resource Monitor, second CPU spike (engine loading the config)]

- After the policy is applied there is one last thing you need to take into account before new policies affect clients, and that’s the session time. A session is only evaluated once, during session setup, and then never again for the total remainder of the session. A great example of this is opening an FTP session from a client and leaving it open > create a deny FTP rule > try to download a file. This will work just fine until you hit quit in the FTP client and then try to reconnect. Only then will the new rule apply and will you be denied FTP access. If you want to force one or all clients to adhere to your new policy you should head down to the Sessions tab in Monitoring and reset the sessions.

[screenshot: the Sessions tab in TMG monitoring]

Yesterday Microsoft released two new NIS signatures aimed at combating commonly used exploit techniques of Cross-site scripting and SQL injection.

http://blogs.technet.com/isablog/archive/2010/05/02/network-inspection-system-nis-adds-signatures-to-help-in-sql-injection-and-cross-site-scripting-prevention.aspx

It’s great to see how GAPA is being used not only to defend against explicit exploit code, but also how MS is crafting powerful new signatures and fighting general attack techniques using a single signature.

These two new common signatures should go a great way in keeping the internet more secure.

For those of you that are new to NIS in TMG and want to know more about this great new feature, check out my TechDays recording: http://edge.technet.com/Media/TechDays-2010-Deep-dive-into-Forefront-Threat-Management-Gateway-Network-Inspection-System/

Well, MS Techdays are coming close and I’m very happy to announce a number of IT-Pro community groups are joining forces this year to bring you two highly interactive Chalk Talk sessions.

The concept is very simple: if you have that one question you have been dying to ask a leading technology expert, this is your chance.

Bring your question and join our panel of MVPs and tech experts during the lunch breaks, 31-03 in Room 2 and 1-04 in the Expo area. Pose your question live and see how the panel thinks and analyses your problem from their expertise and, where possible, formulates answers or research options to help you solve your real world issues.