Friday, 16 December 2011

Thinking of Customising Forefront UAG? This Upcoming Book Might Help!

When it comes to customising Forefront UAG (and its predecessor IAG) there is limited information available. There is some good content available over at ForefrontSecurity.org (thanks Idan) and also in various wikis/blogs, but even with code samples you can find dotted around the web, it can still be pretty difficult to put the customisations into place without a better understanding of how UAG customisation really works.

I have done some UAG customisation work to various levels (but no way near as much as some of my fellow Forefront MVPs like Idan Plotnik and Alexandre Giraud) but I am certainly not a web developer and found it pretty hard going at times to be honest.

So, why am I telling you all this? Well, two friends/colleagues from Microsoft named Erez Ben-Ari and Rainier Amara have come to your (and my!) rescue by writing a book all about UAG customisation. It will be called, not surprisingly, Mastering Microsoft Forefront UAG 2010 Customization and can be ordered in various formats from the link below:

Mastering Microsoft Forefront UAG 2010 Customization

The book is available to pre-order now and should be released in February 2012. I have already pre-ordered my eBook copy and I am looking forward to finding out all the secret sauce about UAG customisations that these guys can dish up! Yum yum :)

One of my other good friends and fellow Forefront MVP, Richard Hicks, is also the technical reviewer for the book (you might notice we like to ‘keep it in the family’ here in the Forefront MVP club), for which I am very envious, as he gets to see the book before the rest of us mere mortals!

So, go pre-order (or order if you are reading this blog after the book is released) your copy now!!

If you work with UAG as part of your day, or are looking at implementing the product, I think this book will become a must read guide and a great addition to your technical bookshelf.

Good luck with the book guys and thanks for all your efforts!

P.S. I look forward to celebrating the release with all the other Forefront MVPs and friends when in Seattle for the 2012 MVP Summit in late February…

Tuesday, 6 December 2011

Forefront TMG/UAG: Useful Tools and Scripts

I spend a fair bit of time deploying both Forefront TMG and Forefront UAG for customers and therefore have defined a pretty good build checklist that I follow for every deployment. This makes implementations easier to support as we have a standard build and standard toolset available for every customer. As part of these deployments, I install some core tools and also run several scripts to provide a solid foundation for both products.

I thought it may be useful to share my experience and provide the community with some advice for more polished and supportable TMG/UAG deployments.


Please Note: As Forefront UAG includes an instance of Forefront TMG, it is recommended to install all tools, but only run the scripts defined in the ‘Scripts: General’ section on UAG servers.

Tools

In terms of tools, my standard build would normally include the following tools:

Forefront TMG Best Practice Analyser which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront TMG server to look for common problems and configuration errors. Run this tool at least once when you have completed your Forefront TMG installation and configuration.

Forefront UAG Best Practice Analyser which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront UAG server to look for common problems and configuration errors. Run this tool at least once when you have completed your Forefront UAG installation and configuration.

Network Monitor which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront TMG/UAG server to aid troubleshooting when the time comes. Network Monitor is also a prerequisite for using the Data Packager element of the Forefront TMG Best Practice Analyser.

Please Note: Additional Forefront TMG tools can also be downloaded from here, but I don’t tend to install all of these by default.

Scripts: General (Applicable to TMG and/or UAG)

In terms of general scripts, my standard build would normally include:

SetNetBTNodeType.reg which can be downloaded here.

This script is used to prevent NetBIOS broadcast traffic (and thereby dramatically improve TMG performance) by configuring Windows as a peer-node host using the NetBT NodeType registry value. Props for this particular registry setting goes to the Microsoft Forefront TMG Administrators Companion book, which is highly recommended! ;)

SetServiceDependencies.bat which can be downloaded here.

Since Forefront TMG Service Pack 1 and above, I have had numerous occasions where a Forefront TMG server takes a long time to reboot. These problems are well documented on various forums and blogs and I am still unsure if the issue has been fully fixed, even in the latest service pack level. The root cause lies with the failure to start the Microsoft Forefront TMG Control service (isactrl) in a timely fashion; to combat this, it is possible to change/reset the dependencies of the Forefront TMG Control service, thereby eliminating the problem.

An example blog post detailing the problem can be found here.

RemoveWeakVersions2k8.reg which can be downloaded here.

This script is used to disable SSL version 2 which is enabled by default with Windows Server 2008/R2.

Disabling SSL v2 is a well-established security recommendation, as the protocol suffers from several cryptographic flaws and has been deprecated for several years. You can validate that this change has been completed successfully using the Qualys SSL Labs SSL Server Test available here.
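As an added example (not one of the scripts from the original post), the following read-only audit confirms the two registry settings that the SetNetBTNodeType.reg and RemoveWeakVersions2k8.reg files change, so you can verify them on a built TMG/UAG server before the external SSL Labs check. It assumes an elevated PowerShell 2.0 or later prompt on the server itself.

```powershell
# Added example, not from the original post: audit the NetBT NodeType and the
# Schannel SSL 2.0 settings on the local TMG/UAG server. Assumes an elevated
# PowerShell 2.0+ prompt; nothing is changed, it only reports.

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null (not 0) when the key or value is absent, so comparisons stay strict
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-NetBTNodeType {
    # NodeType 2 = P-node: name resolution via WINS/DNS only, no NetBIOS broadcasts
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $value = Get-RegDword $path 'NodeType'
    New-Object PSObject -Property @{
        Setting   = 'NetBT NodeType'
        Current   = $value
        Expected  = 2
        Compliant = ($value -eq 2)
    }
}

function Test-Ssl2Disabled {
    # Schannel honours Enabled=0 under the Server (and Client) subkeys; an absent
    # key means the OS default applies, which on 2008/R2 leaves SSL 2.0 enabled
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
    foreach ($side in 'Server', 'Client') {
        $enabled   = Get-RegDword "$base\$side" 'Enabled'
        $byDefault = Get-RegDword "$base\$side" 'DisabledByDefault'
        New-Object PSObject -Property @{
            Setting   = "SSL 2.0 $side"
            Current   = "Enabled=$enabled DisabledByDefault=$byDefault"
            Expected  = 'Enabled=0'
            Compliant = ($enabled -eq 0)
        }
    }
}

@(Test-NetBTNodeType) + @(Test-Ssl2Disabled) |
    Select-Object Setting, Current, Expected, Compliant | Format-Table -AutoSize
```

A non-compliant SSL 2.0 row after importing the .reg file usually means the change has not yet taken effect; Schannel reads these keys at service start, so reboot before re-running the audit or the SSL Labs test.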

Scripts: Web Proxy (N/A to UAG)

In terms of web proxy specific scripts, my standard build would normally include:

SetTemporaryStorageSettings.vbs and ShowTemporaryStorageSettings.vbs which can both be downloaded here.

Until quite recently, I was unaware that Forefront TMG Malware Inspection imposed a maximum disk space, in megabytes, that may be allocated for temporary disk storage for a single client during malware inspection. The default maximum disk space is set at 50MB, which sometimes needs adjusting depending on the different customer environments. This script can therefore be used to set (or show) the default temporary storage limits to something more appropriate. It is a shame you cannot modify these parameters from within the Forefront TMG console, but this makes the script all the more useful and valuable.

More information (including other temporary storage limit settings) can be found here.

UseDNSforWPAD.vbs which can be downloaded here.

Based upon information provided in this blog article, and having personally experienced problems with the WPAD.DAT file containing the IP address of the RAS adapter instead of the correct primary internal IP address of the server, I started using this script, which instructs TMG to use the DNS name of array members (or server) instead of IP addresses in the WPAD script.

Please Note: With the advent of Forefront TMG SP2, using Kerberos with an NLB web proxy array is now much improved as discussed here.

Scripts: Web Publishing (N/A to UAG)

In terms of web publishing specific scripts, my standard build would normally include:

EnableSP2FBACookieSharing.vbs which can be downloaded here.

By default, a Forefront TMG forms-based authentication cookie is only valid on the array member that generated the cookie. If a client request that contains an authentication cookie from one array member is sent to a different array member, the client is asked to re-authenticate. This behaviour may occur when a node is taken offline. Or, this behaviour may occur if the client source IP changes between requests that affect which array member handles the incoming request.

Forefront TMG Service Pack 2 added functionality to support cookie sharing across array members. To do this, SP2 enables support for the cookie encryption keys to be shared across array members.

Please Note: To support sharing cookie encryption keys, the array members must be domain-joined. Be aware that this script does not work for workgroup-based array members.

As this is a pretty significant change in functionality, for the better, I now run this script by default when deploying standalone or EMS-managed arrays where array members meet the domain joined prerequisite.

More information on this new SP2 feature is available here.

Other Important Build Configuration

I wasn’t planning on talking about standard build configuration, as this blog post was meant to be dedicated to tools and scripts, but I think it is actually hugely relevant when deploying TMG/UAG servers. Hence I have included two key baseline configuration tasks for any TMG/UAG implementation.

In addition to installing the above tools and scripts, it is also vital to configure TMG and UAG server network adapter settings and bind order appropriately. More information on this particular aspect is provided in the following TechNet Wiki articles:

Recommended Network Adapter Configuration for Forefront TMG Standard Edition Servers

Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

Recommended Network Adapter Configuration for Forefront UAG Servers

And finally, make sure you have applied the latest updates and service packs for TMG and/or UAG; at the time of writing, this is Forefront TMG Service Pack 2 (build version 7.0.9193.500) and Forefront UAG Service Pack 1 Update 1 (build version 4.0.1773.10100).

I hope you find these tools and scripts useful and have learned something new to improve your own TMG/UAG deployments. If you have other tool and scripts recommendations, please drop me a comment below and I will endeavour to add these to the list.

Forefront TMG: Antivirus Exclusions Process Path Correction

I noticed recently that the TechNet documentation titled Considerations when using antivirus software on FF Edge Products available here contains an error within the Forefront TMG section.


The process exclusion for ReportingServicesService.exe is defined with a path of:

%ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe

and this should actually read:

%ProgramFiles%\Microsoft SQL Server\MSRS10.ISARS\Reporting Services\ReportServer\bin\ReportingServicesService.exe

I have provided feedback on the page, but until this gets changed, you may want to update your existing deployments with the correct process exclusion path.

Hope this helps!

Friday, 2 December 2011

Forefront UAG: The DirectAccess NLB Helper Driver Cannot be Activated Error

This is a rare problem, but I have personally experienced it twice now, and as there appear to be no other reported instances on the Internet, I thought it might be useful to share it in case anyone else experiences the same issue.

The customer in question has a three node UAG array and, without warning, the first built node (which is also the Array Manager) failed to activate with a ‘The DirectAccess NLB Helper Driver cannot be activated’ error. This was also accompanied by two related event log entries (screenshots in the original post).

The other two array members appeared to activate just fine, and DirectAccess connections appeared to be working as usual across the array. However, I suspected that DA connections via the problematic array member would actually be failing to operate correctly, or new connections may not establish successfully. Either way, it needed fixing ASAP!

The UAG DirectAccess NLB Helper driver is discussed in more detail here and basically provides bi-directional affinity for DA clients when using NLB for a Forefront UAG DirectAccess array. This helper is also commonly termed ‘daeng’.

The first time I saw this problem, I spent quite a bit of time on it and also contacted some of my Microsoft contacts to see if they had seen this before – I came up blank. Microsoft hadn’t seen the issue before from what I could tell and due to time constraints I had no option but to rebuild the UAG server (I was still in the build/deployment stage of the project and had no server backups at that time).

After seeing the problem occur again whilst looking at another UAG array issue, this time the customer managed to fix it themselves (I hate it when they do that :)) with the following solution:

By issuing the following command:

sc query daeng

they received a response of Driver not running and upon investigation found that the daeng.sys file was actually missing from the %ProgramFiles%\Microsoft Forefront Unified Access Gateway\common\bin\ folder.

They copied the daeng.sys file from one of the other array members and then issued the following command:

sc start daeng

the driver now successfully started (strangely enough!); a reboot later and UAG then successfully activated on that array member – all was calm in a world called UAG :)

I am not 100% sure what caused the problem, but it appeared to be primarily related to missing files on the affected Forefront UAG server. Why the files were missing is something I (or they) haven’t been able to solve (which worries me) but it is still interesting to understand the solution that was required in any case.
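As an added example (not part of the original post), the following PowerShell health check reproduces the diagnosis above in one place: it queries the daeng driver state, confirms daeng.sys is present in the UAG bin folder, and compares its hash with a known-good copy from another array member. The $ReferenceCopy UNC path and host name are assumptions to adjust for your environment; the -Repair switch performs the same copy-and-start steps the customer used.

```powershell
# Added example, not from the original post: health check for the UAG
# DirectAccess NLB Helper driver (daeng). Assumes PowerShell 2.0+ on the
# affected array member; $ReferenceCopy is an assumed UNC path to a
# known-good daeng.sys on another array member (host name is a placeholder).

function Get-FileSha256([string]$Path) {
    # SHA256Managed over a FileStream keeps this working on PowerShell 2.0 (no Get-FileHash)
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Test-DaengDriver {
    param(
        [string]$ReferenceCopy = '\\OTHER-UAG-NODE\C$\Program Files\Microsoft Forefront Unified Access Gateway\common\bin\daeng.sys',
        [switch]$Repair
    )
    $expected = Join-Path $env:ProgramFiles 'Microsoft Forefront Unified Access Gateway\common\bin\daeng.sys'
    # Kernel drivers are not listed by Get-Service; Win32_SystemDriver covers them
    $driver = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='daeng'"
    $state  = 'not registered'
    if ($driver) { $state = $driver.State }
    $filePresent = Test-Path -Path $expected
    $hashMatches = $null
    if ($filePresent -and (Test-Path -Path $ReferenceCopy)) {
        $hashMatches = (Get-FileSha256 $expected) -eq (Get-FileSha256 $ReferenceCopy)
    }
    if (-not $filePresent) {
        Write-Warning "daeng.sys is missing from $expected (the symptom seen in the post)"
        if ($Repair -and (Test-Path -Path $ReferenceCopy)) {
            Copy-Item -Path $ReferenceCopy -Destination $expected
            & sc.exe start daeng | Out-Null   # same command the customer used
            $state = (Get-WmiObject -Class Win32_SystemDriver -Filter "Name='daeng'").State
        }
    }
    New-Object PSObject -Property @{
        DriverState          = $state
        FilePresent          = (Test-Path -Path $expected)
        HashMatchesReference = $hashMatches
        RegisteredPath       = $(if ($driver) { $driver.PathName } else { $null })
    }
}

Test-DaengDriver | Format-List
```

A result of FilePresent=True with HashMatchesReference=False points to a corrupt or mismatched driver rather than a missing one, which is worth capturing before any repair so the root cause the post could not pin down is not lost.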

Hope this helps!