Archive

Archive for November, 2010

SCM wiki wiki, wiki wiki

November 30th, 2010 No comments

Whenever I hear the word wiki I always hear a sound like a DJ scratching a record – wiki wiki. 🙂

I’m happy to announce the SCM team has started an SCM Wiki on TechNet . This is the part of the blog post where I invite you to contribute to…(read more)

Categories: SCM, Security Compliance Manager Tags:

Windows Update fails for some workstations behind TMG when using WPAD

November 30th, 2010 Comments off

Introduction
This post is about a recent case in which a TMG administrator was receiving complaints that some workstations using TMG as their proxy were failing to run Windows Update. The interesting part was that only some workstations had the problem, and only when they were using the “Automatic Detection” setting (which uses WPAD); other workstations with the same setting were working just fine.

Data Gathering
To troubleshoot this I started the TMG Data Packager in repro mode with the Web Proxy and Web Publishing template and performed the following steps on the client workstation that was having the issue:

  1. Clear the WPAD cache by running the following command in an elevated command window: del \wpad*.dat /s
  2. Restart the Windows Update service.
  3. Wait for the Windows Update error to occur.

Data Analysis
I started the data review by looking at the TMG logging and noticed that, when the update failed, the following URL was sent back to the client:

http://www.update.microsoft.com/microsoftupdate/v6/errorinformation.aspx?error=-2145107946&ln=en-us&IsMu=true&wgaerrorcode=0&wgaend=http://www.update.microsoft.com/microsoftupdate/v6/default.aspx

Notice that this URL returns the error -2145107946 (in decimal), which corresponds to 0x80244016 (in Hex), which means the following:

WU_E_PT_HTTP_STATUS_BAD_REQUEST wuerror.h
# Same as HTTP status 400 – the server could not process the
# request due to invalid syntax.

With that information, it was time to review the Netmon trace to understand why the request was considered invalid.

Conclusion
Using Netmon it was possible to see the moment the client downloaded the WPAD file and tried to reach the TMG server. It could not reach it (in this case because of a network routing issue) and switched to another TMG server. I wasn’t aware that this environment had a second TMG server, so I opened the WPAD file and found the following BackupRoute entry:

BackupRoute="FFTMGEEN2.contoso.com";
UseDirectForLocal=true;
ConvertUrlToLowerCase=false;

This was a backup TMG server that was supposed to be used only if the main one was down. The problem was:

  1. Both TMG servers were listening for CERN proxy requests on the default port 8080.
  2. They were also listening for WPAD requests on port 80.
  3. The CONNECT requests the client sent to FFTMGEEN2.contoso.com went to port 80 (the WPAD listener); note that the BackupRoute entry above names the host without a port. That caused the failure (error 0x80244016), since the only valid requests to this listener are GET /wpad.dat and GET /array.dll?GetRouting.Script.

Solution
To fix this it was necessary to change the Alternate Forefront TMG entry in the TMG console as shown below:

image

Once this change was done, the WPAD file changed to have the following entry on the backup route:

image
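The check I would script for this diagnosis, as an added example that is not code from the original post or from TMG: it converts the decimal error Windows Update reports into its HRESULT form, and it reads the BackupRoute out of a wpad.dat to tell whether a CONNECT to the backup proxy would land on the CERN proxy port or on the WPAD listener. It assumes the port numbers from this post (8080 and 80), that a PROXY entry with no port is used on port 80 by the client (which is what the trace showed), and that the fix consisted of qualifying the backup route with :8080, which the original shows only as a screenshot.

```powershell
# Added example; not code from the original post or from TMG.
# Assumptions (not on the page): the CERN proxy listener is on 8080, the WPAD
# listener on 80, and a PROXY entry with no port is used on port 80 by the client.

function ConvertTo-HResult {
    # Windows Update reports the error in decimal (-2145107946); wuerror.h lists it
    # as an HRESULT (0x80244016). Re-interpret the signed 32-bit value as unsigned.
    param([Parameter(Mandatory=$true)][long]$Decimal)
    $value = if ($Decimal -lt 0) { $Decimal + 4294967296 } else { $Decimal }
    return ('0x{0:X8}' -f [uint32]$value)
}

function Test-WpadBackupRoute {
    # Reads BackupRoute out of a TMG-generated wpad.dat and reports whether a CONNECT
    # sent to it would reach the CERN proxy listener or only the WPAD listener.
    param(
        [Parameter(Mandatory=$true)][string]$WpadScript,
        [int]$ProxyPort = 8080,
        [int]$WpadPort  = 80
    )
    if ($WpadScript -notmatch 'BackupRoute\s*=\s*"([^"]*)"' -or -not $Matches[1]) {
        return New-Object PSObject -Property @{ BackupRoute = ''; Port = $null; Ok = $true; Reason = 'no backup route configured' }
    }
    $route    = $Matches[1]
    $parts    = $route -split ':', 2
    $hostName = $parts[0]
    # A bare host name carries no port, so the client falls back to port 80.
    $port = if ($parts.Count -eq 2) { [int]$parts[1] } else { $WpadPort }

    if ($port -eq $ProxyPort) {
        $ok     = $true
        $reason = "CONNECT to $hostName will reach the proxy listener on port $port"
    } else {
        $ok  = $false
        $how = if ($parts.Count -eq 2) { "port $port is" } else { "no port was given, so the client uses port $WpadPort, which is" }
        $reason = "$how the WPAD listener; it only answers GET /wpad.dat and " +
                  "GET /array.dll?GetRouting.Script, so Windows Update gets 0x80244016"
    }
    return New-Object PSObject -Property @{ BackupRoute = $route; Port = $port; Ok = $ok; Reason = $reason }
}

# Constructed sample: the entries quoted in the post, then the same file with the
# backup route qualified by the proxy port (the assumed shape of the fix).
$broken = @'
BackupRoute="FFTMGEEN2.contoso.com";
UseDirectForLocal=true;
ConvertUrlToLowerCase=false;
'@
$fixed = $broken -replace 'BackupRoute="([^":]+)"', 'BackupRoute="$1:8080"'

ConvertTo-HResult -Decimal -2145107946      # the value from the errorinformation.aspx URL
Test-WpadBackupRoute -WpadScript $broken    # backup route without a port
Test-WpadBackupRoute -WpadScript $fixed     # backup route qualified with the proxy port
```

Run it against the wpad.dat you pull from the TMG WPAD listener (http://<tmg>/wpad.dat) after clearing the client cache as in the Data Gathering steps; a result with Ok set to False on the backup route is the condition this post describes, and the fix is made on the TMG side (the Alternate Forefront TMG entry), not in the client.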

Have a happy Windows Update process behind TMG !!

Author
Yuri Diogenes
Senior Support Escalation Engineer
Microsoft CSS Forefront (ISA/TMG) Team

Categories: TMG, Troubleshooting, windows update Tags:

Post-Thanksgiving food coma ends – baselines restored

November 30th, 2010 No comments

If you experienced trouble downloading baselines last week , we are very sorry about the trouble! We realized the problem on Tuesday November 23 rd and had a bit of a “snow delay” getting the baselines restored. I am happy to report all is…(read more)

Support for NLB on VLAN Tagged or Teamed Network Adapters

November 30th, 2010 Comments off

One of the most common questions we get is about TMG’s support for NIC Teaming and VLAN tagging with NLB enabled.

We have recently released Software Update 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1. This is a regular rollup of hotfixes which is available through Microsoft Customer Service and Support.

One of the issues fixed in this update is TMG’s support for NLB on VLAN Tagged or Teamed network adapters (See KB article 2449122).

With this update installed, teamed and VLAN-tagged NICs become supported scenarios (see NLB’s support statement for VLAN tagging and teamed adapters for details).

This fix will also be included in future service packs released for TMG.

Author:
Ori Yosefi, Senior Program Manager, Forefront TMG.

Reviewer:
Jonathan Barner, Software Design Engineer, Forefront TMG

Categories: Uncategorized Tags:

NIS Signature Types (or why some signatures are disabled by default)

November 30th, 2010 Comments off

NIS Signature set released last month (8.32) contained 4 signatures that were disabled by default:

We’ve received a number of questions about why these signatures were off by default and thought it may be worthwhile to write about the NIS signature types again.

As explained in the NIS in TMG whitepaper, there are three different NIS signature types:

1. Vulnerability-based: these signatures detect most variants of exploits against a given vulnerability.

2. Exploit-based: these signatures detect a specific exploit of a given vulnerability.

3. Policy-based: these signatures are generally used for auditing purposes and are written when neither a vulnerability-based nor an exploit-based signature can be written.

Whenever possible, we write vulnerability-based or exploit-based signatures. These are accurate signatures with a very low rate of false positives and false negatives.

However, in some cases we aren’t able to write a vulnerability or exploit signature, so we write a policy-based signature. These are less accurate and can cause false alarms, so it is up to the administrator to make a conscious decision to enable them despite the risk of false positives.

This is why we make policy-based signatures available in a “disabled by default” mode.

Author:
Ori Yosefi, Senior Program Manager, Forefront TMG

Reviewer:
Dror Zelber, Senior Program Manager Lead, Forefront TMG

Categories: Uncategorized Tags:

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 for FOREFRONT PROTECTION FOR EXCHANGE

November 29th, 2010 No comments

On behalf of the Security team at Microsoft, I am pleased to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Protection 2010 for Exchange.

On November 30th Microsoft shipped Hotfix Rollup 2 for Forefront Protection 2010 for Exchange to provide a series of product enhancements and new features.

For a complete list of the new features and enhancements included in this rollup, along with download instructions, please see the following Knowledge Base article: http://support.microsoft.com/kb/2420647.

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this Hotfix Rollup.

Regards,

Robert McCarthy
CSS Microsoft Security

When accessing TMG report hosted on IIS, images are not displayed

November 24th, 2010 Comments off

Consider the following scenario:

You have configured reporting with TMG, and you have published the generated reports content on an IIS 7.5 Server (Windows 2008 R2) so that TMG administrators in your organization can access these reports from their workstation using a standard browser like Internet Explorer.

Problem:

The reports are not displayed correctly in the browser. You notice that images are missing, hence the “red cross” placeholder you can see in the screenshot below.

clip_image002

Cause:

TMG uses SQL Server Reporting Services to generate reports based on the TMG activity logs.

The root cause of the problem is that the image files returned as a data stream by Reporting Services have no file extension (such as .png).

In addition, by default IIS 7.5 won’t serve files that are not mapped to a known MIME type. Instead, IIS responds with a 404.3 error (see http://technet.microsoft.com/en-us/library/cc753281(WS.10).aspx).

As a result, when the browser requests the images included in the report, IIS responds with 404.3 for all of them, because they are not mapped to a known MIME type.

This error can easily be seen in the IIS log when the client browser accesses the report.

Workaround:

While this issue is being investigated by the TMG and Reporting Services product groups, there is an easy workaround that can be implemented on IIS.

The workaround consists of adding a “.” file name extension mapped to the application/octet-stream MIME type to the list of MIME types known to IIS. This instructs IIS to serve files that have no extension at all.

The screenshots below summarize the steps to perform in IIS.

clip_image004

clip_image006

As a result, IIS responds to such requests (for files without an extension) with 200 OK and a MIME type of application/octet-stream.

The client browser then decides how to render the response. In this case, IE detects that it is an image and renders it as such.

Note: I recommend hosting the reports inside a dedicated virtual directory and adding the setting above at that virtual directory level, so that extensionless files elsewhere on the site are not served this way.
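The same mapping applied from PowerShell instead of through the IIS Manager screenshots, as an added example that is not part of the original post. It assumes the reports are published in a virtual directory named TMGReports under Default Web Site (a hypothetical name; use your own) and that the IIS 7.5 WebAdministration module is available on the server.

```powershell
# Added example; not code from the original post. The virtual directory name
# TMGReports is hypothetical.
Import-Module WebAdministration

$reports = 'IIS:\Sites\Default Web Site\TMGReports'

# Map the "." extension (files with no extension at all) to application/octet-stream,
# scoped to the reports virtual directory so the rest of the site keeps the default
# 404.3 behaviour for unmapped files.
Add-WebConfigurationProperty -PSPath $reports -Filter 'system.webServer/staticContent' `
    -Name '.' -Value @{ fileExtension = '.'; mimeType = 'application/octet-stream' }

# Confirm the mapping exists at that scope before re-testing in the browser.
Get-WebConfiguration -PSPath $reports `
    -Filter "system.webServer/staticContent/mimeMap[@fileExtension='.']" |
    Select-Object fileExtension, mimeType
```

This writes a `<mimeMap fileExtension="." mimeType="application/octet-stream" />` element into the `<staticContent>` section of the web.config for that virtual directory, which is the same result the IIS Manager steps above produce. After the change, check the IIS log again: the requests for the report images should now return 200 instead of 404.3.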

Author

Eric Detoc

Escalation Engineer – Microsoft CSS Forefront Security Edge Team

Technical Reviewer

Franck Heilmann

Escalation Engineer – Microsoft CSS Forefront Security Edge Team

Categories: Uncategorized Tags:

Whoops, sorry about the baseline troubles!

November 23rd, 2010 No comments

If you haven’t heard, Seattle was hit hard by snow and ice yesterday. It took some people up to 10 hours to get home last night . Holy cow! I was lucky – my boss advised I go home yesterday at about 12 noon and I was sitting in my apartment…(read more)

DirectAccess Policy Management – Have it your way!

November 22nd, 2010 Comments off

Forefront UAG 2010 makes extensive use of group policy objects for client provisioning, corporate servers, and the gateway itself. Customers familiar with this capability asked for more. More flexibility defining objects, and more control over their naming, placement and creation. Here are a couple of enhancements we’ve made in SP1 to meet these requests.

Organizational Units

Prior to SP1, you could define security groups that contained the end users applicable for DirectAccess. With the service pack you are able to choose organizational units (OUs) instead.

clip_image002

Support Multiple Domains

In some scenarios the end-user’s machine is joined to a different domain than the one that user is authenticating against. For example, Bob is authenticating against CORPUSER domain while his machine belongs to domain CONTOSO. This scenario is now possible with UAG SP1, because you can define separate domains for clients’ computers and authentication.

clip_image004

Control Policy Names & Creation

Some customers use their own naming conventions for objects, so with SP1 you can not only change the name of the GPO, but also pre-create it, and let UAG fill in the designated containers. This can be useful when edge and GPO management responsibilities are handled by different administrators.

clip_image006

Categories: DirectAccess, UAG 2010 SP1 Tags:

“No network adapters could be identified” error when choosing a network template in TMG

November 19th, 2010 Comments off

Introduction
Some of our customers have experienced the problem described below when doing the initial network configuration of a fresh TMG installation. I wanted to share here the cause and solution to this issue.

Consider the following scenario
You have installed Forefront TMG 2010, but when running the Getting Started wizard, you get the error “No network adapters could be identified. The wizard cannot continue” when choosing the Network Template, see screenshot below:

image

Cause
We’ve seen this issue on servers where operating system hardening was applied prior to the TMG installation. As a result, some services that TMG requires in order to operate were wrongly disabled, causing the problem described above.

Solution
The solution, and the only supported way to harden a TMG machine, is to run the Security Configuration Wizard (SCW) tool and use the TMG security configuration template (XML file) that matches your deployment to harden the server properly.

Note: By default, the SCW does not include support for the TMG 2010 role nor TMG Enterprise Management Server (EMS) role. To support these roles, download and install TMGRolesForSCW.exe included in the TMG 2010 Tools and Software Development Kit (SDK), available here.

Author
Eric Detoc
Escalation Engineer – Microsoft CSS Forefront Security Edge Team

Technical Reviewer
Franck Heilmann
Escalation Engineer – Microsoft CSS Forefront Security Edge Team

Categories: hardening, SCW, TMG, Troubleshooting Tags:

New version of SCM causes peace on Earth

November 18th, 2010 No comments

Well… I might be exaggerating just a bit about the “peace on Earth”, but it’s a worthy goal isn’t it!? 🙂 I’m writing this post for a couple reasons:

1. Announce an updated version of Microsoft Security Compliance…(read more)