Sunday, 16 December 2012

DirectAccess Hotfix Summary

I thought it might be useful to provide a summary list of DirectAccess related hotfixes from the past and present that may be of use to those embarking on a DirectAccess deployment for the first time, or those experiencing problems that have been solved already!

PLEASE NOTE: Microsoft have now provided an official dynamic knowledgebase article which provides a summary of Windows 7, Windows 8 and Windows Server 2012 hotfixes which can be found here: http://support.microsoft.com/kb/2883952 and consequently supersedes the below information.

Last updated 14/08/13 with KB2849568.

Hotfixes: Windows 8 and Windows Server 2012

KB2859347: IPv6 address of a DirectAccess server binds to the wrong network interface in Windows Server 2012.

KB2855269: Error message when you use an account that contains a special character in its DN to connect to a Windows Server 2012-based Direct Access server.

KB2849568: Vulnerability in the Windows NAT driver could allow denial of service: August 13, 2013.

KB2845152: DirectAccess server cannot ping a DNS server or a domain controller when a DirectAccess client is pinging the same server in Windows Server 2012.

KB2844033: DirectAccess Setup Wizard fails on a Windows Server 2012-based server in a domain that has a disjoint namespace.

KB2836232: Subnet mask changes to an incorrect value and the server goes offline in DirectAccess in Windows Server 2012.

KB2796394: Error when you run the Get-RemoteAccess cmdlet during DirectAccess setup in Windows Server 2012 Essentials.

KB2795944: Windows 8 and Windows Server 2012 cumulative update: February 2013. This update includes fixes for DA that provide stability under heavy load.

KB2788525: You cannot enable external load balancing on a Windows Server 2012-based DirectAccess server.

KB2782560: DNS64 does not resolve computer names when you use DirectAccess and external load balancing in Windows Server 2012.

KB2769240: You cannot connect a DirectAccess client to a corporate network in Windows 8 or Windows Server 2012.

KB2748603: The process may fail when you try to enable Network Load Balancing in DirectAccess in Windows Server 2012.

KB2666914: DirectAccess Connectivity Assistant 2.0 is available.

Hotfixes: Windows 7, Windows Server 2008 R2 and Forefront UAG 2010

KB2797301: A Forefront Unified Access Gateway 2010 DirectAccess client experiences repeated OTP prompts.

KB2758949: You cannot build an IP-HTTPS protocol-based connection on a computer that is running Windows 7 or Windows Server 2008 R2.

KB2718654: You are prompted to enter credentials when you try to access a SharePoint server on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer.

KB2680464: Location detection feature in DirectAccess is disabled intermittently in Windows 7 or in Windows Server 2008 R2.

KB2663354: DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010.

KB2633127: DA client cannot reconnect to the UAG DA server when a Windows 7-based or Windows Server 2008 R2-based client computer is connected to the Internet.

KB2615847: "ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH" error when you try to start an IPsec connection between two computers that are running Windows 7 or Windows Server 2008 R2.

KB2535133: IP-HTTPS clients may disconnect from Windows Server 2008 R2-based web servers intermittently after two minutes of idle time.

KB2444558: You cannot access a host that is hosting the IPv4 file share by using SMB v1 from a Windows 7-based or Windows Server 2008 R2-based DirectAccess client.

KB2288297: You are unexpectedly prompted to enter your credentials when you try to access a WebDAV resource in a corporate network by using a DirectAccess connection in Windows 7 or in Windows Server 2008 R2.

KB979373: The DirectAccess connection is lost on a computer that is running Windows 7 or Windows Server 2008 R2 that has an IPv6 address.

KB978738: You cannot use DirectAccess to connect to a corporate network from a computer that is running Windows 7 or Windows Server 2008 R2.

KB974080: DirectAccess Workaround for reaching IPv4 address checking sites.

KB973982: The certificate for IP-HTTPS does not rebind if the certificate is changed after the configuration is applied one time in Windows Server 2008 R2.

KB972516: A DirectAccess access failure occurs after the DNS servers that are running Windows Server 2008 return empty responses for AAAA queries in a WINS zone.

Security Updates: Windows Server 2008 R2 and Windows Server 2012

KB2765809: Vulnerability in IP-HTTPS component could allow security feature bypass (MS12-083).
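As an added example (not part of the original post), the following PowerShell audits a server against the Windows hotfix KB numbers listed above using Get-HotFix. The grouping by product is my reading of the list: the UAG server hotfixes (KB2797301, KB2663354), the DirectAccess Connectivity Assistant download (KB2666914) and the KB974080 workaround are left out because they are not Windows updates that Get-HotFix can see.

```powershell
# Added example (not part of the original post): audit a server against the
# KB numbers listed above. Get-HotFix reads Win32_QuickFixEngineering, which
# only records Windows updates installed as CBS/.msu packages, so a "missing"
# result is a prompt to check, not proof that a fix is absent.

# KB numbers copied from the list above, grouped by the product they apply to.
$HotfixCatalog = @{
    'Windows Server 2012' = @(
        'KB2859347','KB2855269','KB2849568','KB2845152','KB2844033',
        'KB2836232','KB2796394','KB2795944','KB2788525','KB2782560',
        'KB2769240','KB2748603','KB2765809'
    )
    'Windows Server 2008 R2' = @(
        'KB2758949','KB2718654','KB2680464','KB2633127','KB2615847',
        'KB2535133','KB2444558','KB2288297','KB979373','KB978738',
        'KB973982','KB972516','KB2765809'
    )
}

function Get-DirectAccessHotfixStatus {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Windows Server 2012','Windows Server 2008 R2')]
        [string]$Product,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # One WMI query for every installed update, then a local comparison
    # against the catalogue for the chosen product.
    $installed = Get-HotFix -ComputerName $ComputerName |
        ForEach-Object { $_.HotFixID }
    foreach ($kb in $HotfixCatalog[$Product]) {
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            KB           = $kb
            Installed    = ($installed -contains $kb)
        } | Select-Object ComputerName, KB, Installed
    }
}

# Usage: list the KBs from the catalogue that are not yet installed on the
# local Windows Server 2012 DirectAccess server.
Get-DirectAccessHotfixStatus -Product 'Windows Server 2012' |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

Point -ComputerName at each array member in turn to compare a load-balanced pair; any KB that shows as installed on one member but not the other is the first thing to reconcile before chasing behavioural differences between the nodes.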

Hope the list is useful!

Thursday, 13 December 2012

Forefront TMG/UAG: Useful Tools and Scripts

I spend a fair bit of time deploying both Forefront TMG and Forefront UAG for customers and therefore have defined a pretty good build checklist that I follow for every deployment. This makes implementations easier to support as we have a standard build and standard toolset available for every customer. As part of these deployments, I install some core tools and also run several scripts to provide a solid foundation for both products.

I thought it may be useful to share my experience and provide the community with some advice for more polished and supportable TMG/UAG deployments.


Please Note: As Forefront UAG includes an instance of Forefront TMG, it is recommended to install all tools, but only run the scripts defined in the ‘Scripts: General’ section on UAG servers.

Tools

In terms of tools, my standard build would normally include the following tools:

Forefront TMG Best Practice Analyser which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront TMG server to look for common problems and configuration errors. Run this tool at least once when you have completed your Forefront TMG installation and configuration.

Forefront UAG Best Practice Analyser which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront UAG server to look for common problems and configuration errors. Run this tool at least once when you have completed your Forefront UAG installation and configuration.

Network Monitor which can be downloaded here.

This tool should be pretty self-explanatory and should be installed on every Forefront TMG/UAG server to aid troubleshooting when the time comes. Network Monitor is also a prerequisite for using the Data Packager element of the Forefront TMG Best Practice Analyser.

Please Note: Additional Forefront TMG tools can also be downloaded from here, but I don’t tend to install all of these by default.

Scripts: General (Applicable to TMG and/or UAG)

In terms of general scripts, my standard build would normally include:

SetNetBTNodeType.reg which can be downloaded here.

This script is used to prevent NetBIOS broadcast traffic (and thereby dramatically improve TMG performance) by configuring Windows as a peer-node host using the NetBT NodeType registry value. Props for this particular registry setting go to the Microsoft Forefront TMG Administrators Companion book, which is highly recommended!

SetServiceDependencies.bat which can be downloaded here.

Since Forefront TMG Service Pack 1 and above, I have had numerous occasions where a Forefront TMG server takes a long time to reboot. These problems are well documented on various forums and blogs and I am still unsure if the issue has been fully fixed, even in the latest service pack level. The cause lies with the failure of the Microsoft Forefront TMG Control service (isactrl) to start in a timely fashion; to combat this, it is possible to change/reset the dependencies of the Forefront TMG Control service, thereby eliminating the problem.

RemoveWeakVersions2k8.reg which can be downloaded here.

This script is used to disable SSL version 2 which is enabled by default with Windows Server 2008/R2.

Disabling SSL v2 is a well-established security recommendation as it suffers from several cryptographic flaws and has been deprecated for several years. You can validate this change has been completed successfully using the Qualys SSL Labs SSL Server Test available here.
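The two .reg files above (SetNetBTNodeType.reg and RemoveWeakVersions2k8.reg) are not reproduced on this page, so the following is an added example of mine rather than the author's scripts: it applies the standard registry values for those two changes (NetBT NodeType = 2 for peer-node, and SSL 2.0 disabled under SCHANNEL) and reads each value back so the change is verified in the same run. The helper name Set-RegistryDwordChecked is my own.

```powershell
# Added example (not the post's .reg files): apply the NetBT peer-node and
# SSL 2.0 hardening settings and verify each one by reading it back. Run
# from an elevated prompt. The NodeType change needs a reboot; SCHANNEL
# changes apply to new connections once the listening service restarts.

function Set-RegistryDwordChecked {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Value
    )
    # -Force creates any missing intermediate keys (e.g. "SSL 2.0\Client").
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($before -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    }
    # Read back rather than trusting the write succeeded.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    New-Object PSObject -Property @{
        Setting = "$Path\$Name"
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    } | Select-Object Setting, Before, After, Changed
}

# 1. NetBIOS over TCP/IP node type: 1 = B-node (broadcast), 2 = P-node
#    (point-to-point, no broadcasts), 4 = M-node, 8 = H-node. Peer-node, as
#    the post describes, is 2. With P-node and no WINS server, NetBIOS name
#    resolution stops entirely, so DNS must already be doing the work.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Set-RegistryDwordChecked -Path $netbt -Name 'NodeType' -Value 2

# 2. SSL 2.0 off in SCHANNEL. Enabled = 0 disables the protocol;
#    DisabledByDefault = 1 also stops callers that pass no protocol list
#    from negotiating it. Server covers the TMG/UAG listeners, Client covers
#    outbound TLS the box initiates itself.
$ssl2 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
foreach ($side in 'Server', 'Client') {
    Set-RegistryDwordChecked -Path "$ssl2\$side" -Name 'Enabled' -Value 0
    Set-RegistryDwordChecked -Path "$ssl2\$side" -Name 'DisabledByDefault' -Value 1
}
```

The Before/After columns give you a record of what the baseline actually changed on each server, which is worth keeping with the build checklist; the external Qualys test the post recommends then confirms the result as seen from the Internet side.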

Scripts: Web Proxy (N/A to UAG)

In terms of web proxy specific scripts, my standard build would normally include:

SetTemporaryStorageSettings.vbs and ShowTemporaryStorageSettings.vbs which can both be downloaded here.

Until quite recently, I was unaware that Forefront TMG Malware Inspection imposed a maximum disk space, in megabytes, that may be allocated for temporary disk storage for a single client during malware inspection. The default maximum disk space is set at 50MB, which sometimes needs adjusting depending on the different customer environments. This script can therefore be used to set (or show) the default temporary storage limits to something more appropriate. It is a shame you cannot modify these parameters from within the Forefront TMG console, but this makes the script all the more useful and valuable.

More information (including other temporary storage limit settings) can be found here.

UseDNSforWPAD.vbs which can be downloaded here.

Based upon information provided in this blog article and personally experiencing problems with the WPAD.DAT file containing the IP address of the RAS adapter instead of the correct server primary internal IP address; I started using this script which instructs TMG to use the DNS name of array members (or server) instead of IP addresses in the WPAD script.

Please Note: With the advent of Forefront TMG SP2, using Kerberos with an NLB web proxy array is now much improved as discussed here.

Scripts: Web Publishing (N/A to UAG)

In terms of web publishing specific scripts, my standard build would normally include:

EnableSP2FBACookieSharing.vbs which can be downloaded here.

By default, a Forefront TMG forms-based authentication cookie is only valid on the array member that generated the cookie. If a client request that contains an authentication cookie from one array member is sent to a different array member, the client is asked to re-authenticate. This behaviour may occur when a node is taken offline. Or, this behaviour may occur if the client source IP changes between requests that affect which array member handles the incoming request.

Forefront TMG Service Pack 2 added functionality to support cookie sharing across array members. To do this, SP2 enables support for the cookie encryption keys to be shared across array members.

Please Note: To support sharing cookie encryption keys, the array members must be domain-joined. Be aware that this script does not work for workgroup-based array members.

As this is a pretty significant change in functionality, for the better, I now run this script by default when deploying standalone or EMS-managed arrays where array members meet the domain joined prerequisite.

More information on this new SP2 feature is available here.

Other Important Build Configuration

I wasn’t planning on talking about standard build configuration as this blog post was meant to be dedicated to tools and scripts, but I think it is actually hugely relevant when deploying TMG/UAG servers. Hence I have included two key baseline configuration tasks for any TMG/UAG implementation.

In addition to installing the above tools and scripts, it is also vital to configure TMG and UAG server network adapter settings and bind order appropriately. More information on this particular aspect is provided in the following TechNet Wiki articles:

Recommended Network Adapter Configuration for Forefront TMG Standard Edition Servers

Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers

Recommended Network Adapter Configuration for Forefront UAG Servers

And finally, make sure you have applied the latest updates and service packs for TMG and/or UAG; at the time of writing, this is Forefront TMG Service Pack 2 (build version 7.0.9193.500) and Forefront UAG Service Pack 1 Update 1 (build version 4.0.1773.10100).

I hope you find these tools and scripts useful and have learned something new to improve your own TMG/UAG deployments. If you have other tool and scripts recommendations, please drop me a comment below and I will endeavour to add these to the list.

Thursday, 13 September 2012

Initial Considerations for Migrating from Forefront TMG to Forefront UAG

Given the recent Microsoft announcement notifying customers that Forefront TMG is being discontinued, as discussed in my previous blog post, it is likely that many customers will consider migrating to Forefront UAG in order to provide publishing services that protect Microsoft server workloads like Exchange, SharePoint and Lync.

Therefore, given the recent news, I thought it might be useful to highlight a previous comparison of Forefront TMG and Forefront UAG to help identify some of the benefits of shifting solutions, but more importantly also highlight areas of Forefront TMG that cannot be satisfied by Forefront UAG at this time. The importance of the benefits and limitations are going to be very specific to individual needs, therefore a breakdown will undoubtedly be useful as part of the initial “What next?” thought process.

In my mind, one of the best comparisons was provided by Tom at the following location:

Choosing Between Forefront TMG or Forefront UAG for Publishing Scenarios

Please Note: It should be noted that this article was written in April 2011 and Forefront UAG is now at Service Pack 2 level, which introduced several improvements as discussed here. Therefore, these should also be considered.

I really wish I had written that article (but I didn't!) so the best I can do is highlight its existence and potential value as people consider their options in light of the recent announcement. It is factual, concise, easy to consume and therefore a great reference at this time.

UPDATE: If you are considering using Forefront UAG as a replacement for Forefront TMG, you should review in detail the supported scenarios discussed here and also specific considerations for Lync as highlighted here.

Unfortunately, for customers using Forefront TMG for caching, secure web gateway, and firewall scenarios, there is no Microsoft equivalent that can be migrated to at the end of this support period. No doubt it would be very useful if a similar comparison table could be created to compare Forefront TMG against other vendor solutions like Bluecoat, Cisco, Juniper, Fortinet and Websense; at this time, I’m not sure if that exists unfortunately, so the “What next?” question is a little harder to answer at this time if you use Forefront TMG in one of the above outbound scenarios. The original Microsoft mantra of Forefront TMG for outbound and Forefront UAG for inbound is sadly no longer viable.

Additional notable references for TMG vs. UAG include:

http://blogs.technet.com/b/ben/archive/2012/01/09/uag-vs-tmg.aspx

http://tmgblog.richardhicks.com/2010/10/10/what-are-the-differences-between-tmg-and-uag/

http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-UAG-feature-comparison.html

http://blogs.technet.com/b/ucedsg/archive/2010/08/16/do-i-use-forefront-tmg-or-forefront-uag-for-reverse-proxy-publishing-for-exchange-2010.aspx

Wednesday, 12 September 2012

Important Changes to the Microsoft Forefront Product Roadmap

Microsoft has recently announced publicly the future roadmap for various Forefront products which can be found here: Important Changes to Forefront Roadmaps

So, with a focus on Forefront TMG and Forefront UAG for this post, we can summarise the public announcement as follows:

Forefront TMG

  • There will be no further releases of the Forefront TMG product (or service packs).
  • Forefront TMG mainstream support will end on April 14, 2015 and extended support will end April 14, 2020.
  • Forefront TMG Web Protection Services (WPS) subscriptions will continue to be supported until December 31, 2015.
  • As of December 1, 2012, Forefront TMG will be removed from the price list and will not be available for purchase.
  • For customers using Forefront TMG for caching, secure web gateway, and firewall scenarios, there is no Microsoft equivalent that can be migrated to at the end of the extended support period.
  • Most web publishing scenarios that are supported by TMG can be published by UAG, including SharePoint and Exchange. In addition, UAG provides many additional publishing scenarios with federated authentication and granular authorisation policies.
  • VPN capabilities previously provided by Forefront TMG can be provided by the Unified Remote Access (URA) features of Windows Server 2012 (or UAG for SSL VPN).

Forefront UAG

  • There is no change to the UAG roadmap. UAG continues to be actively developed as seen by the recent release of UAG Service Pack 2 in August 2012.

So finally, we have an answer on the future of Forefront TMG and Forefront UAG products. In many ways it is a great shame to see such a well engineered, community supported and customer admired product like Forefront TMG finally laid to rest, but I guess things move on unfortunately. It will be interesting to see how UAG continues to be actively developed over time. If you haven’t looked at Forefront UAG, it may be worth brushing up your skills (or consultancy relationships) if you currently use Forefront TMG for reverse proxy or remote access scenarios. End of an era…you betcha!

Friday, 7 September 2012

So, Did I Waste My Time Learning UAG DirectAccess???

When I first heard that the feature set provided by UAG DirectAccess was going to be provided natively in Windows Server 2012 (as discussed in my recent blog post here) I wondered how much of my UAG DirectAccess knowledge would still be applicable to the Windows Server 2012 DirectAccess server role and how much ‘new stuff’ I would have to learn. Over the years, I have spent quite a lot of time and effort learning new technologies only to find a few years later that technology moves on and those skills become side-lined by something newer. Hence I have got quite used to assessing reusable skills and resetting skill priorities. A good example here is the years I spent as a Novell Master CNE; I certainly haven’t used those skills for quite some time now!

Given that many larger Enterprises are only just rolling out Windows 7, let alone Windows 8, and/or require advanced security features like two-factor authentication/multi-site/NAP it will not be possible for them to take advantage of the new single IPsec tunnel model with the Kerberos proxy. Hence, the traditional two IPsec tunnel solution used by UAG DirectAccess will still be used even with Windows Server 2012 deployments.

Understanding these IPsec tunnels, how they are established, how they are authenticated, and how to troubleshoot why they fail to establish, are all going to be pretty familiar ground for those that have been in the trenches with UAG DirectAccess at some point. So, is this knowledge still relevant? You betcha!

Then there’s IPv6; yes, you don't need to understand it with UAG DirectAccess, but it sure makes things a lot easier if you understand the basics. Even though Windows Server 2012 now natively supports NAT64/DNS64, first seen in UAG DirectAccess, all communication between the DirectAccess client and the DirectAccess server still occurs over IPv6. Management of DirectAccess clients from the intranet (historically termed ‘manage out’) still requires intranet IPv6 capability (via ISATAP or native IPv6) in order to function. So, is this knowledge still relevant? You betcha!

Then there’s PKI; yes, PKI may no longer be mandatory with Windows Server 2012 DirectAccess, but in order to achieve this simplification you need to have Windows 8 clients and/or have no interest in the advanced security features like two-factor authentication/multi-site/NAP which rely upon IPsec tunnels that utilise certificate-based authentication. In reality, a PKI solution is still required for a large proportion of enterprise deployments; it’s just the smaller organisations whose life is made a little easier. To be honest, I think this was the exact design goal as most smaller organisations may not already have PKI solutions in-place or don’t have IT staff with the appropriate PKI skills to implement/manage one. So, is this knowledge still relevant? You betcha!

Please Note: Given the increasing dependency on certificates and PKI in many areas of IT nowadays, I would strongly advise this is a skill you add to your knowledge utility belt anyhow; not just as part of learning DirectAccess.

Then there’s all those lovely netsh commands you have memorised off by heart when troubleshooting the client-side of UAG DirectAccess; So, is this knowledge still relevant? You betcha!

Having spent some time with Windows Server 2012 DirectAccess now, I am pleased to report that a lot of the skills learnt from deploying and troubleshooting UAG DirectAccess are still very much relevant and applicable to the evolutionary new kid on the block. As UAG DirectAccess was never really a product per se, but more a collection of complementary technologies working together to produce a great user experience, there is a fair chance that some of these technologies are not just applicable to DirectAccess, but also more generic in nature (e.g. good to know anyhow). I was in a pretty good place as I already had skills in many of the components, like PKI and IPsec, I just needed to align my knowledge with an understanding of how UAG DirectAccess was engineered to use them. However, more familiarity with IPv6 and a better netsh vocabulary will no doubt be beneficial to me in future times.

If you learned UAG DirectAccess from the ground up and had never really used PKI, IPsec tunnels, Group Policy, IPv6 etc. then all of those skills are still very relevant, even if you learned them with a specific UAG DirectAccess bias.

So, depending upon your Windows client version and your desire for advanced DirectAccess security features there is a very strong likelihood that skills learnt from UAG DirectAccess will still be very much relevant to Windows Server 2012 DirectAccess. Sure, there are new things to learn with Windows Server 2012, coupled with a few prerequisites you may be able to worry less about. However, even if you only ever deploy Windows Server 2012 DirectAccess for smaller organisations with Windows 8 clients, and never get asked about managing DirectAccess clients from intranet management clients/servers, I think you will be glad that you learnt a little bit about PKI and IPv6 whilst learning UAG DirectAccess. If anything, these skills are going to become increasingly useful in your day job, especially if you work with other Microsoft products or get involved in security-related projects. 

So, to conclude my original question, did I waste my time learning UAG DirectAccess? No, not at all; I’m actually kind of glad I did. Given the potential of Windows Server 2012 DirectAccess I see this becoming an increasingly popular remote access solution for Microsoft-based customers and environments; it’s easily one of the highlights of the Windows Server 2012 release along with other security headliners like Dynamic Access Control and Server Core flexibility. Interesting times…  

Friday, 10 August 2012

Windows Server 2012 Remote Access: The New Microsoft Edge Server


Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management. So, we can welcome a new Microsoft Edge server to the party, alongside the likes of Forefront TMG and Forefront UAG. Given the name of my blog, this continues the ‘Edge’ theme nicely!

It appears the term Unified Remote Access (URA) has also been defined to describe this new offering. Microsoft obviously appear to like three letter acronyms beginning with ‘U’.

More information on the changes can be found in the pre-release documentation available here. Given the recent announcement of the RTM status for Windows Server 2012, I would expect TechNet to be updated shortly with updated documentation to replace the pre-release version currently available. I’ve got a suspicion it will have also been written by a few friends I have made along the Forefront journey over the last few years…

With the advent of this new role, I plan to spend some time talking about the new features, changes and benefits it will bring for both DirectAccess and more traditional VPN services. Given my background with Forefront UAG DirectAccess and previous blog posts, this will be an area of particular focus. For example, I have already provided a blog post comparing the new DirectAccess feature-set to existing versions of the DirectAccess technology timeline, which can be found here.

I think Windows Server 2012 will be a great release, especially when looking for a feature-rich Remote Access solution…

Windows Server 2012 DirectAccess: Microsoft DirectAccess Comparison Table


With the impending release of Windows Server 2012 we will have our third iteration of the Microsoft DirectAccess solution. Life began with the DirectAccess feature coming to Windows in the first release of Windows Server 2008 R2 a few years ago now; it was then supercharged using Forefront UAG to offer a truly more achievable solution which was much easier to implement for many organisations given the improvements offered by the Forefront UAG platform. Now with the release of Windows Server 2012, we have the third generation of the solution which is fully featured and delivered as part of the native operating system. Given the impending third generation release, I thought it might be useful to prepare a DirectAccess comparison table to compare the different technology versions available, as shown below:

Feature | Windows Server 2008 R2 DA | Forefront UAG 2010 SP1 DA | Windows Server 2012 DA
--- | --- | --- | ---
Simplified DirectAccess management for small and medium organisations | No | No | Yes
Automated DirectAccess server configuration | No | Yes | Yes
Mandatory PKI deployment as a DirectAccess prerequisite | Yes | Yes | No [1]
Built-in NAT64 and DNS64 support for accessing IPv4-only resources | No | Yes | Yes
Support for a DirectAccess server with a single network card | No | No | Yes
Support for a DirectAccess server behind a NAT device | No | No | Yes
Requires at least one Windows Server 2008/R2 Domain Controller | Yes | No | No
Requires at least one Windows Server 2008/R2 DNS Server | Yes | No | No
Load balancing support | No | Yes | Yes
Server fault tolerance | Limited [2] | Yes | Yes
Support for multiple AD domains | No | Yes | Yes
NAP integration | Yes | Yes | Yes
Support for OTP (token based authentication) | No [3] | Yes | Yes
IP-HTTPS interoperability and performance improvements | No [4] | No [4] | Yes
Manage-out only support | No | Yes | Yes
Multi-site support | Limited [5] | Limited [6] | Yes [7]
Support for Server Core | No | No | Yes
Support for Windows 7 clients | Yes | Yes | Yes
Support for Windows 8 clients | Unknown | Limited [8] | Yes
Windows PowerShell support | No | Limited [9] | Yes
User and server health monitoring | No | Yes | Yes
Diagnostics | No | No | Yes
Accounting and reporting | No | Limited [10] | Yes

Notes and small print:

Items in red represent significant improvement or changes.

[1] PKI is still mandatory for force tunnelling, Network Access Protection (NAP) integration or two-factor authentication deployment scenarios. A PKI-based solution is therefore still required for some enterprise-class deployments, dependent on the required features.

[2] Hyper-V failover cluster is required.

[3] Smartcard only.

[4] IP-HTTPS is supported, but there is a performance overhead due to combined/double SSL and IPsec encryption. IP-HTTPS in Windows Server 2012 now supports null SSL encryption and additional optimisations but requires Windows 8 clients.

[5] Complicated setup due to IPv6 requirements.

[6] Global Server Load Balancer (GSLB) is required.

[7] Automatic DirectAccess entry-point detection or user selected entry-point requires Windows 8 clients.

[8] Technically works, but the supportability status is currently unknown (full support provided in UAG SP3).

[9] Read-only PowerShell.

[10] Command line via PowerShell only.

As highlighted above, Windows Server 2012 offers the most feature-rich platform when compared to previous versions and can be considered as a superset of the functionality provided by the Forefront UAG SP1 offering. Many of the enhancements included in Windows Server 2012 DirectAccess are based upon direct feedback from customers and changes to facilitate easier adoption and deployment of the technology within both smaller organisations and enterprise environments alike. I am planning on creating two upcoming blog posts which will highlight the changes and benefits in Windows Server 2012 DirectAccess from the perspective of the smaller organisation and then also for the enterprise space. Given the improvements and changes, I think DirectAccess will be even more popular than ever…what do you think?