Thursday, March 29, 2012

UAG endpoint detection and access policies

Endpoint detection and access policies are among the most important security features of the Unified Access Gateway (UAG). Naturally, the ability to evaluate the health of endpoint devices and to enforce certain requirements goes a long way towards enhancing the overall security profile of any remote access solution and can play an essential role in implementing an organization's defense-in-depth strategy. UAG endpoint detection and access policies allow for an extremely detailed level of control. The policies can be applied at three different levels:

  • Trunk – policies applied at this level will be enforced before a user logs on, and if the computer does not meet them, the user will not even reach the log-on page.
  • Portal – policies applied at this level may prevent a user from accessing the portal application after the log-on.
  • Application – policies applied at this level may block access to some or all published applications.

When the user tries to access the UAG portal, client components are initialized and perform a system scan. The data collected (about 300 parameters) is sent back to the UAG server, which evaluates it against the endpoint policies set for the trunk, portal, and applications to determine the appropriate level of access.
It is important to note that the client components are required for endpoint detection to work. Also, for security purposes the client detection components will not trust just any website that tries to launch them: unless the user has chosen to trust the site, the components will not run.
Enforcing 'Any Antivirus' and 'Any Personal Firewall' settings:
The following seems to be a popular initial configuration: create a custom policy that enforces the anti-virus and personal firewall requirements on endpoint devices and apply it at the trunk level. So, I will use it to showcase the creation of a custom policy:
  • Select the trunk you will be applying the custom policy to, navigate to the “Endpoint Access Settings” tab, and click on “Edit Endpoint Policies”:
  • Click on “Add Policy”:
  • Create a new policy that defines the “Any Antivirus” and “Any Personal Firewall” requirements:
  • Apply the newly created policy to the trunk instead of the “Default Session Access” one:
  • Make sure to click on “Activate configuration” for the changes to take effect:
  • Test the new configuration – first, by trying to connect to the trunk from a device running anti-virus and personal firewall software (upon endpoint detection and evaluation you should get the standard log-on screen); then, by turning your personal firewall off and trying again (you should get a message notifying you that your device does not meet the security policy requirements).

Thursday, March 22, 2012

International Cloud

Just a couple of interesting cloud-technology facts and points. Please see the original source for more information and the complete infographic.


Wednesday, March 14, 2012

UAG Customization

One of the strong selling points of UAG 2010 is its extensibility. One thing to keep in mind, though, is that while UAG customization can be very flexible, implementing complex scenarios will almost certainly take you beyond the out-of-the-box functionality. And that's where some guidance would be much appreciated.

The TechNet resource "Customizing Forefront UAG" is a good starting point, and there's a book that was just published that covers this very topic – “Mastering Microsoft Forefront UAG 2010 Customization” by Erez Ben-Ari. I have already picked up a Kindle version for $9.99, but haven't had a chance to read it yet. If Ben-Ari's previous book "Microsoft Forefront UAG 2010 Administrator's Handbook" is any indication, this is going to be an excellent resource.

Tuesday, March 13, 2012

Symbolic Linking

Symbolic links allow for the transparent sharing of data across volumes as well as network shares (i.e. data located on the same computer or on remote computers). The technology makes accessing data across various shared network resources easier and more transparent, in a similar way to what Distributed File System (DFS) does, but without the need to set up a DFS infrastructure (of course, DFS functionality goes well beyond what symbolic links can do, so you have to understand the requirements and use the right tool for the job).

If the notion of symbolic links sounds familiar, that's because it has existed in the UNIX/Linux world pretty much forever. The functionality has now been made available in the Windows Server 2008 operating system to add some oomph to migration from, and application compatibility with, UNIX/Linux operating systems.


Well, regardless of where the functionality came from or what the intended goals might have been, it can still be quite handy in many other applications; simply consider it another tool in your belt.


For more information refer to the following links:
And to keep this post somewhat technical, here's a quick command that will enable all kinds of symbolic link evaluation (local and remote) on a particular Windows client (Vista, 7, 2008):
fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1
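As an added example (not from the original post), here is a PowerShell helper that audits the same four SymlinkEvaluation modes by parsing the output of fsutil behavior query SymlinkEvaluation and flags any remote-to-* mode that is enabled without being on an allowed list. The function names are my own and the sample fsutil output embedded in the script is constructed.

```powershell
# Added example, not part of the original post: audit the four SymlinkEvaluation
# modes and flag remote-to-* modes that are enabled but not explicitly allowed.
# Function names are my own; fsutil.exe is assumed to be on the PATH.

function ConvertFrom-SymlinkEvaluationOutput {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # fsutil prints one line per mode, e.g. "Remote to local symbolic links are disabled."
        if ($line -match '^(Local|Remote) to (local|remote) symbolic links are (enabled|disabled)') {
            # Build the short key fsutil itself uses on the command line: L2L, L2R, R2L, R2R
            $key = ($Matches[1].Substring(0, 1) + '2' + $Matches[2].Substring(0, 1)).ToUpper()
            $result[$key] = ($Matches[3] -eq 'enabled')
        }
    }
    return $result
}

function Get-SymlinkEvaluation {
    # Live query of the local machine
    $lines = & fsutil.exe behavior query SymlinkEvaluation
    return ConvertFrom-SymlinkEvaluationOutput -Lines $lines
}

function Test-SymlinkEvaluationBaseline {
    param([hashtable]$State, [string[]]$AllowedRemote = @())
    # R2L and R2R let a link stored on a network share be followed from this host,
    # so they are the modes worth reviewing before enabling everything.
    $findings = @()
    foreach ($mode in 'R2L', 'R2R') {
        if ($State[$mode] -and ($AllowedRemote -notcontains $mode)) {
            $findings += "$mode symbolic link evaluation is enabled but not in the allowed list"
        }
    }
    return $findings
}

# Constructed sample output, so the parser can be exercised offline
$sample = @(
    'Local to local symbolic links are enabled.',
    'Local to remote symbolic links are enabled.',
    'Remote to local symbolic links are enabled.',
    'Remote to remote symbolic links are disabled.'
)
$state = ConvertFrom-SymlinkEvaluationOutput -Lines $sample
Test-SymlinkEvaluationBaseline -State $state

# On a real host:  Test-SymlinkEvaluationBaseline -State (Get-SymlinkEvaluation) -AllowedRemote 'R2R'
# To keep only local-to-local (elevated):  fsutil behavior set SymlinkEvaluation L2L:1 L2R:0 R2L:0 R2R:0
```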
That's it, folks. Enjoy.

Monday, March 5, 2012

UAG Pre-installation Checklist

Here's a quick pre-installation checklist I have developed for the UAG deployments. Of course, it may not cover all possible deployment scenarios. So, feel free to expand upon it as necessary.

Network:
  • Networking has been configured correctly
  • Static IPs assigned to all network interfaces
  • Static IPs to be assigned to each trunk (in load-balanced array this will be assigned to the VIP associated with the trunk) have been reserved
  • Connectivity to the Internet works
  • Connectivity to the internal network works
  • All internal networks (network ranges that UAG will be fronting/protecting) have been explicitly identified


Server(s):
  • All servers meet system requirements 
  • All available Windows updates have been installed
  • All servers are clean, with no additional (unnecessary) software installed
  • All servers have been properly named
  • If applicable (required for UAG array), all servers have been joined to the domain 
  • No previous versions of UAG, TMG, or SQL are installed on any of the servers
  • Windows firewall service is started, and set to start automatically on all servers

Accounts:
  • User account (domain account if the UAG server is joined to the domain) and password to perform the UAG installation have been identified (must have administrative permissions on the server)
  • User account and password that will be impersonated by UAG to retrieve data from Active Directory have been identified (must have permissions to traverse AD and read objects and their attributes). Similar provisions will apply to other authentication repositories.
  • If SharePoint resources are to be published, the user account and password to access SharePoint Central Administration (for AAM modification) have been identified.

Media and Licenses:
  • UAG installation media (latest version with applicable service packs and updates) has been obtained and made available
  • UAG product key / license has been obtained and made available


Miscellaneous:
  • All required URLs (for trunks and applications to be published) have been identified
  • Means of creating/editing DNS records (for the URLs mentioned above) have been established
  • Valid digital certificates for each trunk and each application that will require the use of HTTPS (SSL/TLS) have been obtained and made available

NOTE: The certificates should match the FQDNs used in the access URLs (for example: if https://xxx.yyy.com is used to access the UAG portal, then the certificate should be issued to xxx.yyy.com). To simplify operations, the use of a wildcard (*.yyy.com) certificate is recommended.

UAG 2010

Forefront Unified Access Gateway 2010 delivers comprehensive, secure remote access to corporate resources for employees, partners, and vendors from a diverse range of endpoints and locations, including managed and unmanaged PCs and mobile devices.



Background:
Forefront Unified Access Gateway (UAG) and Threat Management Gateway (TMG) trace their lineage back to other well-known Microsoft products (Intelligent Application Gateway (IAG), Internet Security and Acceleration (ISA) Server, and Proxy Server) and incorporate technologies from Microsoft acquisitions (Whale Communications). The following outlines the latest steps in the evolution of the UAG and TMG products:

and a brief feature comparison:

Business Ready Security:
Microsoft's Business Ready Security strategy is designed to help organizations of all sizes manage risk while enabling collaboration and information sharing. At the time of this writing there are five comprehensive solutions aligned with this strategy:
  • Identity and Access Management
  • Secure Collaboration
  • Secure Endpoint
  • Information Protection
  • Secure Messaging
And Unified Access Gateway plays a prominent role within those solutions: 

Value Proposition:
Three pillars of UAG's value proposition are - 

Solutions Architecture:
UAG's solution architecture exemplifies the value propositions of Anywhere Access, Integrated Security, and Simplified Management:

Internal Architecture:
UAG's internal architecture builds upon, extends, or integrates with a number of Windows Server components:

Key Concepts:

  • Trunks – primary organizational units (could be HTTP or HTTPS; Portal, Redirect or ADFS); each requires an IP address and an FQDN. Contain one or more published applications.
  • Applications – built-in services (portal, file access, web monitor), web, client/server and legacy, browser-enabled, terminal/remote desktop services.
  • Advanced Services – SSL application tunneling, Network Connector, Secure Socket Tunneling Protocol (SSTP), DirectAccess.
  • Sessions – various session parameters (timeout, logon/logoff URL, maximum logon attempts, session cleanup).
  • Authentication – trunk and application level. Supports: Active Directory, LDAP, RADIUS, RSA SecurID, WinHTTP, Smart Card/Client Certificate, Other; ADFS 2.0. Enables Single Sign-On (SSO).
  • Clients – endpoint detection, endpoint policies, NAP integration.

Limitations:

  • Only web protocols (HTTP, HTTPS) are supported.
  • Two-part names (such as http://xyz.com) are not supported.
  • URLs with different domain names (such as www.yyy.com and www.zzz.com) can’t be published on the same trunk.
For more information refer to the following link.

Common Criteria:
Both Unified Access Gateway and Threat Management Gateway (included with every UAG distribution for firewall protection and support of features such as array management) are Common Criteria certified:


Saturday, March 3, 2012

Office 365 Information and Resources


Office 365 Getting Started
Overview:
  • General Overview | video 
  • Part 1: Connecting with people and information in new ways | video  
  • Part 2: Scheduling and running meetings with ease | video  
  • Part 3: Collaborating on documents and sharing business information | video
Tour for Users:
  • Chapter 1: Welcome to Office 365 | video 
  • Chapter 2: Email and more | video 
  • Chapter 3: Collaborate with Team Sites | video 
  • Chapter 4: Microsoft Office and Office Web Apps | video 
  • Chapter 5: Communicate now with Lync | video
Tour for Administrators:
  • Office 365 for Enterprises: The Admin Experience | video


Office 365 Information and Resources
Portal:
Provides a “one-stop-shop” access to the Office 365 features (manage your profile, change your password, download and install required components, navigate to OWA via Outlook link, navigate to SharePoint via Team Site link).

Exchange Online:
Exchange Online offers cloud-based email, calendar, and contacts. With Exchange Online, you run your email on our globally-redundant servers, protected by built-in antivirus and anti-spam filters and backed by unlimited, IT-level phone support 24 hours a day, seven days a week in your local language.

SharePoint Online:
Keep teams in sync. SharePoint Online gives you a central place to share documents and information. Designed to work with familiar Office applications, SharePoint lets you work together on proposals and projects in real-time because you have access to the documents and information you need from virtually anywhere.
  • SharePoint Online URL | (https://[something].sharepoint.com - depends on your domain) 
  • Getting started with SharePoint Online | Online Help
  • Basic tasks in SharePoint Online | Online Help

Lync Online:
Lync Online is a next-generation cloud communications service that connects people in new ways from anywhere by using presence, instant messaging, PC-to-PC calling, and rich online meetings with audio, video, and web conferencing.