15 December 2010

Exchange 2007 ActiveSync intermittent credential prompts with TMG

This is a real world issue I had.  Publishing Exchange through ISA 2006 was fairly easy.  I had a single rule that I used to publish Outlook Web Access and ActiveSync.  After moving over to TMG 2010 we started getting a rather annoying problem.

Windows Mobile phones would intermittently request the user's credentials when attempting to sync.  This despite "save password" being checked.  Also, if you just "left it" the phone would sync perfectly a few minutes later.

It took a while to figure out, but what happens is that the authentication cookie on the phone does not expire when the IP changes.  When this happens the authentication cookie is no longer valid and the user is prompted again.

So to fix this Microsoft recommended publishing ActiveSync with a separate rule, using the same listener, same settings etc.  The only difference is the path.  This then solved the issue.

According to MS this is why:


Our guidelines would be to create a separate rule because there are some internal TMG settings which allow a Client Agent like MSFT-SPhone/5.2.5080, which doesn't support HTML Form authentication, to fall back to basic auth.  This should be transparent for the user and they shouldn't be prompted to authenticate.

10 December 2010

Change the default certificate used by RDS

When building an RDS environment you will at some point add more RD Session host servers.  At this point you will start running into certificate issues because the requested name does not match the certificate anymore.

You might also be prompted that the certificate is from an untrusted source.  This is because by default the RDS server will use a self signed certificate.


In a proper RDS environment you will most probably be using a SAN certificate that is exported and installed on all the RDSH servers.

To change the certificate being used you need to do the following:


  • Get the certificate thumbprint.
  • Copy the thumbprint into Notepad and remove all the spaces.


Copy the following script and save it as rdconfig.js


// rdconfig.js - sets the certificate that the RDP-Tcp listener presents.
// Run with: cscript rdconfig.js <thumbprint>   (no argument = back to self-signed)
var strComputer = ".";
var strNamespace = "\\root\\CIMV2\\TerminalServices";
var wbemChangeFlagUpdateOnly = 1;
var wbemAuthenticationLevelPktPrivacy = 6;

// Connect to the Terminal Services WMI namespace with packet privacy,
// which this namespace requires.
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
Locator.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);

// The general settings of the RDP-Tcp listener hold the certificate hash.
var TSSettings = Service.Get("Win32_TSGeneralSetting.TerminalName=\"RDP-Tcp\"");

if (WScript.Arguments.length >= 1)
{
    // Thumbprint from the certificate MMC with the spaces removed (40 hex characters).
    var hash = WScript.Arguments(0);
    if (!/^[0-9A-Fa-f]{40}$/.test(hash))
    {
        WScript.Echo("Thumbprint must be 40 hex characters without spaces: " + hash);
        WScript.Quit(1);
    }
    TSSettings.SSLCertificateSHA1Hash = hash;
}
else
{
    // All zeros reverts the listener to its self-signed certificate.
    TSSettings.SSLCertificateSHA1Hash = "0000000000000000000000000000000000000000";
}

// Write the change back; UpdateOnly fails rather than creating a new instance.
TSSettings.Put_(wbemChangeFlagUpdateOnly);
WScript.Echo("SSLCertificateSHA1Hash set to " + TSSettings.SSLCertificateSHA1Hash);

Open a command prompt and execute the script, specifying the edited thumbprint as the parameter:

cscript rdconfig.js 0e2a9eb75f1afc321790407fa4b130e0e4e223e2

This will now set the default certificate to be used by RDS.

If at any point you want to revert back to using the self signed certificate just execute the script without specifying a parameter.
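As an added example (not part of the original post and not the Microsoft script above), here is the same change done from PowerShell with the checks a practitioner wants before touching the listener: the thumbprint is cleaned and validated, the certificate is confirmed to be in the machine's Personal store with a private key and not expired, and the old hash is shown before it is replaced. It assumes Windows Server 2008 R2 and the same WMI class as the script; the thumbprint is whatever you pass in.

```powershell
# Added example, not from the original post: set or reset the certificate that
# the RDP-Tcp listener presents, with validation before the WMI write.
param(
    # SHA1 thumbprint as copied from the certificate MMC (spaces allowed);
    # omit it to revert to the self-signed certificate.
    [string]$Thumbprint = ''
)

$ns = 'root\CIMV2\TerminalServices'

# Same object the JScript version edits: the RDP-Tcp listener's general settings.
# PacketPrivacy matches wbemAuthenticationLevelPktPrivacy (6) in the script.
$ts = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
if (-not $ts) { throw 'Win32_TSGeneralSetting for RDP-Tcp not found; is the RDS role installed?' }

if ($Thumbprint -eq '') {
    # All zeros tells the listener to go back to its self-signed certificate.
    $newHash = '0' * 40
} else {
    # Drop spaces (and any other non-hex characters the MMC copy brings along),
    # then insist on exactly 40 hex characters before touching WMI.
    $newHash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($newHash.Length -ne 40) { throw "Thumbprint must be 40 hex characters, got '$newHash'" }

    # The certificate must be in the machine's Personal store with its private
    # key, otherwise the listener cannot complete the TLS handshake with it.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$newHash" -ErrorAction SilentlyContinue
    if (-not $cert)                     { throw "No certificate with thumbprint $newHash in LocalMachine\My" }
    if (-not $cert.HasPrivateKey)       { throw "Certificate $newHash has no private key on this machine" }
    if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate $newHash expired on $($cert.NotAfter)" }
    Write-Host "Using certificate: $($cert.Subject) (expires $($cert.NotAfter))"
}

Write-Host "Current SSLCertificateSHA1Hash: $($ts.SSLCertificateSHA1Hash)"
$ts.SSLCertificateSHA1Hash = $newHash
$null = $ts.Put()     # same as Put_(wbemChangeFlagUpdateOnly) in the script
Write-Host "New SSLCertificateSHA1Hash:     $newHash"
```

Run it elevated on each RDSH server; with no parameter it writes the all-zero hash, exactly as the script does. In practice the Remote Desktop Services service also needs read access to the certificate's private key, so if the listener keeps presenting the self-signed certificate after the change, check the private key permissions in the certificate MMC.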

 

08 December 2010

Customise RDS Web access login pages

I again went through the process of publishing RDS.  This time I thought I would "skin it" in my corporate colors.

The files that need to be edited are located in the following directory of the Web Access Server:

C:\Windows\Web\RDWeb\

The images are located in C:\Windows\Web\RDWeb\Pages\images
This is how they correspond to the page layout.

The style sheet is in C:\Windows\Web\RDWeb\Pages\en-US

Annoyingly not all the page elements' colors are catered for in the style sheets, so you will also have to edit:

login.aspx
desktop.aspx
default.aspx
config.aspx

While you are going through these files you will also see a section called // Localizable Text.
This section contains all the string values used throughout the page.  So if you want to change the text of any of the fields, this is the place to do it.



To change the title of the page you need to go to the connection broker machine, open up Remote Desktop Connection Manager.  Under the Properties section change the "Display name"

So with just a few edits we now have a corporate look and feel as well as some branding in there too.

02 December 2010

Sophos Software Update Manager reading the log

The Sophos SUM has got many improvements over the old EM Library.  One of the only problems I still have with it is that it is hard to figure out what it is doing and what is going on.

This is especially true when you have a new installation and you are doing the initial software download: the Enterprise Console tells you "Downloading Binaries", but how do you know if it is actually "going"?



There is a log viewer.  For some reason it is not easily accessible.  The logviewer.exe is located in the following directory:

C:\Program Files (x86)\Sophos\Enterprise Console\SUM\Logviewer.exe



At the top of the log viewer there are two filters.  The first one "in red" is the severity filter.  This is handy to only display errors.
The filter options are:

  • All
  • Success
  • Information
  • Warning
  • Error


The second filter sets the logging level, or level of detail.  Importantly this does not change the log itself, just the display of the log.  The filter options are:

  • Verbose
  • Normal
  • Important

To check that your download is actually happening all you have to do is change the logging level from normal to verbose.  This will then give you far more detail, and by hitting the refresh button you can see the activity (auto refresh would be nice, Sophos).



This is currently displaying all the individual files being downloaded to the Warehouse.

If you want to know more about the size of the individual files you can browse to the folder directly and see how they are coming in and how big they are.  The folder is:

C:\ProgramData\Sophos\Update Manager\Update Manager\Warehouse


You can now correlate the items for the log viewer to actual files on the machine.

Once the warehouse is updated with all the files it needs, depending on the Software Subscription, the files will then be compiled into the CID.  This is what can then be used to protect the client machines.

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs

By the time everything has finished the status in the Enterprise Console will change from "Downloading Binaries" to "Last checked at:".

01 December 2010

Troubleshooting Sophos Message Relay issues

In a previous article I described how to set up Message Relay machines to improve the scalability of a single Sophos Management server.  See http://fixmyitsystem.blogspot.com/2010/11/configure-sophos-message-relay-for.html

I was quite happy that I got everything working properly, so I figured let me build my production environment. This is where things got a little ugly.  I got stuck not being able to get my clients to use the message router.

What to look for in the communications report:

The Sophos Management server should look like this.
A client machine communicating directly with the management server looks like this.  Note the parent address refers to the Management server.
The message router should look like this.  Note the RMS router type has to say message router.

A client machine using the message relay looks like this. Note the name of the parent address refers to the message relay

When a machine updates and changes message relay you should see the following during the update.
Only this one file is retrieved and then it is followed by the reinstall of the RMS component.  If you do not see this file coming in and there is no install then nothing has changed.


Remember to check and refresh the Communications report


While checking these on the various machines I noticed the following issues.

Message relay machine remains as an endpoint RMS

After step 3 of http://fixmyitsystem.blogspot.com/2010/11/configure-sophos-message-relay-for.html your message relay should show up as a message relay in the Connection report.  Mine failed to do this even though it worked during the lab.  I found the problem... eventually.

You also need to copy your edited mrinit.conf file into the SAVSCFXP root.  If you reinstall the message relay from here it will now correctly configure the machine as the message relay.

Client machines do not start using the message relay even though they are updating from the MR machine

In theory, and according to Sophos documentation, if you point a client machine to a CID that has been configured to act as an MR the machine should update itself and start using the MR.  You can confirm this by checking the connection report.

 
There is one big catch here though.  The edited mrinit.conf file's "created on" date needs to be different to the one it was installed with.  It appears that the only way the client knows to get the new mrinit.conf file is by the date.  If they are different it will happily detect the alternate file, download and install it.  If the dates are the same it won’t download or install. 

24 November 2010

Malware Infected Website protection with TMG, IE and Sophos

More and more we are seeing a trend where malware authors compromise legitimate sites for the purpose of spreading malware.

A few years ago URL filtering or site blocking was a very effective way of preventing users from inadvertently being lured to a malicious site.  An updated list of malicious sites was distributed and the corporate web filtering product would prevent users from accessing these sites.  There are two big problems with this approach in today's world.
1. There are far too many sites being turned malicious to keep up, so a real time lookup is required.
2. If a site is not blocked, any malware on it is allowed to make it onto the client machine, where the local malware scanner is required to clean it up.  If the definitions on the client machine do not detect the malware you are cooked.  It is therefore much better to scan content at proxy level for malware and either block or clean up the content.  This should also have a live malicious code lookup to reduce the missed detection window.

Microsoft Forefront Threat Management Gateway (TMG)
One of the most exciting features added to this is the ability to not only do URL filtering but also inline malware scanning and cleanup.  By enabling URL filtering you can greatly reduce the threat from known malicious sites.  By enabling malware scanning you can catch infection attempts from legitimate sites.  Most of this happens without anyone knowing that it is going on.  I set up a custom report using Webspy to highlight malware action on my TMG environment.

Turning on the protection in the web access policy

Configure the malware detection behavior

My custom Webspy Malware report so that I can check what is happening




One of the increasing problems is that more users are working outside the corporate network on open public internet connections, so all the protection offered by TMG effectively falls away if the user is connected to his home ADSL / 3G / Public Wifi etc.

Internet Explorer
IE has had many improvements over the years to protect users from malicious sites.  The latest incarnation of this is called SmartScreen filtering.  Sites are checked against the Microsoft reputation services database.  If a site is flagged as being malicious the site is blocked and you would have to manually override this.

Malicious site is detected and blocked

Determined user turns off SmartScreen
The user can now browse his redirected infected site in relative peace


If the user switches to another browser that does not offer a "SmartScreen" feature you have a problem.

Sophos Live Protection and Web protection
In the past malware products would only be able to prevent malware infection when it was already "knocking on the door."  Sophos Live Protection allows a live lookup for any suspicious code; as another feature they also allow you to block access to malicious web sites.  Unlike Internet Explorer, the Sophos block cannot be turned off or bypassed by the user.  Another advantage I found is that a compromised legitimate site can still be accessed while only the malware redirects are blocked.  In my testing IE would block the whole site.

Configure the Antivirus and HIPS policy on the Sophos management server


The legitimate site opens up but Sophos prevents access to the redirected site.  Notifications are displayed and recorded in the machine's log.


If I then manually attempt to access the malicious site I get the Sophos blocked screen.


The advantage here is that unlike browser protection that is application specific, using a malware product makes it a system protection solution.

Conclusion
The constantly evolving malware landscape requires administrators to implement the new protection technologies as they become available.  Using a combination of security products, native operating system features and a full featured malware package helps you cover the bases whether the users are in or out of your corporate environment.

TMG, IE and Sophos are not the only products that offer these features, but this is the combination I use. :)

22 November 2010

Configure Sophos message relay for improved scalability on Windows Server 2008 R2

One of the recommendations from Sophos is that message relays should be used when one console manages more than 10 000 devices.  In my experience this is an optimistic number.  In reality you start running into server response issues from about 5000 devices and up.

Client machines update the Sophos management server by sending status messages all the time.  These messages, or envelopes as they are called, are handled by the Remote Management Service (RMS).  Normally these messages are sent directly from the client to the management server.  When using a relay, the messages are sent to the relay, combined and then forwarded on to the management server.  It is possible to nest relays up to 6 levels, but unless you have a network that has a similar relay layout I would avoid nested relays altogether; I would rather use a flat structure and multiple relays at "the same 1 hop level".

Configuring a message relay involves a few steps.  (The steps and paths are based on Windows 2008 R2; since this is an x64 OS the paths might differ slightly if you are using an x86 OS.)

Step 1 Identify an existing or create a new CID and configure. 
This is the same as setting up and configuring any normal CID

Step 2 Edit the mrinit.conf file
The mrinit.conf file is used by the RMS to route messages.  By editing the file you can configure clients to point to a new server that will then become a relay by virtue of handling messages other than its own.

On the machine that will be hosting the CID

  • Browse to C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP
  • Find the mrinit.conf file 
  • Open the file for editing in notepad.

[Config] 

"NotifyRouterUpdate"="EM"
"ClientIIOPPort"=dword:00002001
"ClientSSLPort"=dword:00002002
"ClientIORPort"=dword:00002000
"IORSenderPort"=dword:00002000
"DelegatedManagerCertIdentityKey"="mUp+mEjFkUGEbP7xvEW2jfr4Hw8="
"ManagedAppCertIdentityKey"="ENBISBzWJwUjPqc5ZwoLZbLEx+M="
"RouterCertIdentityKey"="26kKHV8C8JacysnOmEsxVTbLxfY="
"ServiceArgs"=""
"MRParentAddress"="10.36.145.61,SOPHOS04.thecompany.co.za,SOPHOS04"
"ParentRouterAddress"="10.36.145.61,SOPHOS04.thecompany.co.za,SOPHOS04"


  • Now edit the variable string for ParentRouterAddress.
  • The message relay must be Windows Server 2000, 2003 or 2008.
  • Specify the IP, FQDN and hostname of the machine that will be the message relay (it does not have to be the CID machine).
  • Create a new text file, copy the content of the  edited file into it, save as mrinit.conf
  • Save the changes.
  • Copy the file to the RMS folder


NOTE: the file is quite sensitive to formatting:

  • Do not edit the MRParentAddress this should be pointing to your management server.
  • There needs to be an empty line at the bottom of the file (do not delete the final carriage return while editing).
  • The created on date MUST be different to the original mrinit.conf file.  You can't copy the file, edit it and paste it into the RMS folder.
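The formatting rules in the NOTE above and the "created on" date catch from the troubleshooting post (http://fixmyitsystem.blogspot.com/2010/12/troubleshooting-sophos-message-relay.html) are easy to get wrong by hand, so here is Step 2 as a script. This is an added example, not Sophos' tooling and not part of the original post: it reads the CID's mrinit.conf, rewrites only ParentRouterAddress, writes a brand new file with a trailing line break into the rms folder, and makes sure the creation time really differs. The CID path is the one from the post; the relay address is a constructed value, and the file is assumed to be plain ASCII like the sample above.

```powershell
# Added example, not from the original post: build the relay mrinit.conf from
# the CID's original one, following the Step 2 rules and the creation date catch.
$cid   = 'C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP'
$relay = '10.36.145.70,RELAY01.thecompany.co.za,RELAY01'   # constructed: IP,FQDN,hostname of the relay

$source = Join-Path $cid 'mrinit.conf'
$rmsDir = Join-Path $cid 'rms'
$target = Join-Path $rmsDir 'mrinit.conf'
if (-not (Test-Path $source)) { throw "$source not found; is this the CID's SAVSCFXP folder?" }
if (-not (Test-Path $rmsDir)) { throw "$rmsDir not found" }

$lines   = Get-Content -Path $source
$changed = $false
$out = foreach ($line in $lines) {
    if ($line -match '^"ParentRouterAddress"=') {
        $changed = $true
        "`"ParentRouterAddress`"=`"$relay`""   # the only key that changes
    } else {
        $line                                  # MRParentAddress and the rest stay as they are
    }
}
if (-not $changed) { throw "ParentRouterAddress not found in $source" }
if (-not ($out -match '^"MRParentAddress"=')) { throw "MRParentAddress missing from $source" }

# Write a NEW file instead of copying and editing the old one. Deleting first
# means the target does not keep the creation time of a previous copy.
if (Test-Path $target) { Remove-Item -Path $target -Force }
# CRLF line endings and one trailing CRLF: that is the empty last line the file needs.
$text = ($out -join "`r`n") + "`r`n"
[System.IO.File]::WriteAllText($target, $text, [System.Text.Encoding]::ASCII)

# NTFS reuses the creation time of a file deleted and recreated under the same
# name within a few seconds (file system tunneling), so set it explicitly.
$new = Get-Item -Path $target
$new.CreationTime = Get-Date
$orig = Get-Item -Path $source
if ($new.CreationTime -eq $orig.CreationTime) { throw 'Creation times are identical; clients would ignore the new file' }

Write-Host "Wrote $target (created $($new.CreationTime), original created $($orig.CreationTime))"
Get-Content -Path $target | Where-Object { $_ -match '^"(MRParentAddress|ParentRouterAddress)"=' }
```

Run it on the CID machine before Step 3; the last line prints the two address keys so you can eyeball that only ParentRouterAddress moved. The explicit creation time is there because without it a deleted-and-recreated mrinit.conf can silently inherit the old timestamp, which defeats exactly the check the troubleshooting post describes.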


Step 3 Register the changes using ConfigCID.exe
On the machine that will be hosting the CID

  • Open a command prompt and browse to the following folder: C:\Program Files (x86)\Sophos\Update Manager
  • Use the following command line: configCID.exe "C:\programdata\Sophos\Update Manager\Update Manager\CIDs\S000\SAVSCFXP"
  • Check for the following lines in the result:
    - Adding entry for \rms\mrinit.conf
    - Adding entry for \mrinit.conf

One more really important step

  • Reinstall the message relay machine from the updated CID.

If you check the communication report on the message relay machine you should see that the RMS router type has changed from Endpoint to message relay.



See Update 2 below

Step 4 Configure machines to use the message router
Use an updating policy to point your client machines to the CID.  Any machine updating from the updated CID will now reinstall the RMS component and start using the message relay.  Since the RMS component is reinstalled and not simply updated this needs to be considered if you are changing really resource constrained machines.

Step 5 Check the Client
You can check the client machine in two ways
  • Click on start -> All programs -> Sophos -> View Sophos Network Communications Report
  • There should be no errors listed and the Parent Address should be the Message Relay's details.
Check the registry
  • HKLM\Software\WOW6432Node\Sophos\Messaging System\Router\Parent Address
If you check the Sophos Management console the machine should still be updating and communicating.

Step 6 Check The Message Relay
When a machine acts as a relay it has to collect messages and send them on, and of course back again.  For this to work the message relay needs to build up a "Routing Table".

On the Message relay machine
  • Browse to C:\programdata\Sophos\Remote Management System\3\Router
  • If you open the table_router.txt file you should see the routes to all the message relay "clients":
Agent.0..
Router$NLBTEST01:18005.1..

Router$NLBTEST02:18005.1..
Router$NLBTEST03:18005.1..

  • Open the Envelopes folder.  
  • If you watch this folder carefully you should see files come in and disappear right away.  
  • If you have a large number of connecting machines files can build up for a few seconds before being sent off.  
This envelope queue should be monitored and checked out if machines are not communicating with the management console.  It is sometimes necessary to stop the message router service, delete the table_router.txt file and restart the service to fix a corrupted routing table.  This normally takes about 5 minutes before the queue starts decreasing.
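Steps 5 and 6 are the checks you end up repeating on every client and relay, so here they are as PowerShell functions. This is an added example, not part of the original post and not a Sophos tool: the registry key and the Router folder are the ones the post names; the relay name you expect, the location of the Envelopes folder under the Router folder, and the router service's display name are assumptions to adjust.

```powershell
# Added example, not from the original post: the Step 5 and Step 6 checks.

# Step 5: run on a CLIENT. Reads the RMS parent address and compares it with the relay.
function Test-SophosClientParent {
    param([Parameter(Mandatory=$true)][string]$ExpectedRelay)   # hostname, FQDN or IP of the relay
    $keys = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Messaging System\Router',   # x64 OS (the post's case)
            'HKLM:\SOFTWARE\Sophos\Messaging System\Router'                # x86 OS
    $key = $keys | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { throw 'RMS router key not found; is RMS installed on this machine?' }
    $parent = (Get-ItemProperty -Path $key).'Parent Address'
    New-Object PSObject -Property @{
        Key           = $key
        ParentAddress = $parent
        UsesRelay     = [bool]($parent -match [regex]::Escape($ExpectedRelay))
    }
}

# Step 6: run on the RELAY. Lists who is routed through it and how many envelopes
# are waiting; a backlog that keeps growing is the sign to reset the routing table.
function Test-SophosRelay {
    param([string]$RouterDir = 'C:\ProgramData\Sophos\Remote Management System\3\Router')
    $table = Join-Path $RouterDir 'table_router.txt'
    if (-not (Test-Path $table)) { throw "$table is missing; the relay has not built a routing table yet" }
    # Lines look like  Router$NLBTEST01:18005.1..  ; keep the router name before the colon.
    $clients = @(Get-Content -Path $table | ForEach-Object { if ($_ -match '^Router\$([^:]+):') { $matches[1] } })
    $envelopes = Join-Path $RouterDir 'Envelopes'    # assumed to sit under the Router folder
    $waiting = @(Get-ChildItem -Path $envelopes -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
    $oldestAge = $null
    if ($waiting.Count -gt 0) {
        $oldest = $waiting | Sort-Object LastWriteTime | Select-Object -First 1
        $oldestAge = (Get-Date) - $oldest.LastWriteTime
    }
    New-Object PSObject -Property @{
        RoutedClients     = $clients
        ClientCount       = $clients.Count
        EnvelopesWaiting  = $waiting.Count
        OldestEnvelopeAge = $oldestAge
    }
}

# The fix from the post for a corrupted routing table: stop the router, drop the
# table, start it again and give it about five minutes to rebuild.
function Reset-SophosRouterTable {
    param([string]$RouterDir = 'C:\ProgramData\Sophos\Remote Management System\3\Router')
    $svc = Get-Service -DisplayName 'Sophos Message Router*' | Select-Object -First 1   # display name assumed
    if (-not $svc) { throw 'Sophos Message Router service not found; check Get-Service for its name' }
    Stop-Service -Name $svc.Name -Force
    Remove-Item -Path (Join-Path $RouterDir 'table_router.txt') -ErrorAction SilentlyContinue
    Start-Service -Name $svc.Name
}

# Typical use: Test-SophosClientParent -ExpectedRelay 'RELAY01' on a client,
# Test-SophosRelay on the relay, and Reset-SophosRouterTable only when the
# envelope count keeps climbing.
```

Run Test-SophosRelay a couple of times a minute apart: a handful of envelopes with a young OldestEnvelopeAge is normal traffic passing through, while a count that only grows with an age in minutes is the corrupted routing table case the post describes.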

Conclusion
In small deployments the Management server is often used "for everything."  As the deployment grows in size you should use CIDs that are not hosted on the management server, and the same goes for using message relays.
By using relays you can greatly increase the number of machines being managed from a single management server.


UPDATE

Check out http://fixmyitsystem.blogspot.com/2010/12/troubleshooting-sophos-message-relay.html if you have issues... and you probably will

UPDATE 2

We recently deployed another message relay, and ran into some more issues.  If in step 3 you check the network communications report and the RMS router type remains showing Endpoint you need to do the following:

Copy the cac.pem and newly created mrinit.conf files from your CID location - typically this would be:

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP\

These files need to also be placed in:

C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\S0xx\SAVSCFXP\rms\program files\Sophos\Remote Management System\

In the same directory you need to run the ClientMRinit.exe - You must Run As Administrator


Once complete the network communications report should correctly state that the machine is now indeed a Message Relay

Thanks to Jacques De Villiers from Woolworths and Monique Burger from Netactix for figuring this one out.





19 November 2010

Windows Activation error code 0x80072EE2 and activation URLs

When trying to activate Windows you might encounter the following error: 0x80072EE2


This error code refers to the activation servers not being reachable.  This normally happens because Internet connectivity is not available.  By default in Windows 2008 onwards the Auto Detect proxy setting is not enabled.

To resolve this issue open Internet Explorer and enable auto detect proxy setting, or manually specify your proxy settings.

For my deployment I have also allowed anonymous access through my TMG proxy to the activation servers.
(This is not required if the logged on user has access to these sites.)

activation.sls.microsoft.com:443
activation.sls.microsoft.com:433/slspc/SLActivate.asmx
test.update.microsoft.com/*
crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl/*
crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl/*
go.microsoft.com/*
sls.microsoft.com/*
sls.microsoft.com:443/*

That should be it.  Try again and it should succeed

18 November 2010

Using Sophos Update Managers and IIS sites for better WAN performance

By far the worst thing about Sophos 8 was the EM Library.  It was niggly and tricky and if it did not work properly it would freeze all the data on your console.

Ever since Sophos 9 they have been using the new and improved version of the EM Library, now called Software Update Managers (SUM).  There are a few advantages but the one we are concerned with is that it is far more robust.  See 10 reasons to use SUM

For anyone having to update a distributed environment without having a SUM at each location there is one BIG problem.  By default SUM only offers up a UNC share for the clients to update from.  This is fine for clients updating from a local SUM, but clients located at the other end of a slow link are a problem.  Using a UNC share means that the clients will use Server Message Block (SMB), aka Common Internet File System (CIFS).  The big problem with CIFS is that it is very chatty and does not like latency, both of which are a problem on a slow WAN link.  For more info check out http://en.wikipedia.org/wiki/Server_Message_Block

Fortunately the Sophos clients support updating from an HTTP source.  This means we can supplement the normal UNC share with an IIS web site.  This will then use HTTP which is a far better option for a slow WAN link.  Also built into IIS we have limit control where we can throttle down the bandwidth and the allowed open sessions.

1. Set up a SUM

  • Decide which machine you would like to use as a SUM / HTTP update server
  • Configure the SUM to be subscribed to the relevant packages
  • Update your SUM and check that the relevant CID's are populated
  • (C:\programdata\Sophos\Update Manager\Update Manager\CIDs)
2. Install the IIS server role

  • Using server manager install the IIS role.  
  • Most role features can be left out as this will be a very basic IIS site

3. Configure your IIS Site

  • From the Actions menu select Basic Settings.
  • Change the Physical path to be C:\programdata\Sophos\Update Manager\Update Manager



  • From the Middle pane open MIME Types
  • This controls what kind of data can be served through your site.  Since we are sending malware updates we need to add a wildcard MIME type.
  • From the Actions pane Click Add
  • For File name extension enter .*
  • For MIME Type enter */*


  • You can now also specify IIS limits if you want. From the Actions Pane select Limits
  • Specify the relevant limits you want to apply, they can be done individually or you can apply all

4. Configure an Update Policy

  • From the Sophos Enterprise Console
  • Create a new update policy
  • In the address specify the name or IP of your IIS server
  • Check that the right subscription is selected
  • You will be reminded that "The primary update location may not contain the selected software subscription - Do you want to continue anyway"
  • Apply the policy to your machines

5. Test a client and confirm that the updates succeed

  • From a client machine open the Sophos Endpoint Security and Control
  • By Clicking on Configure Updating you can verify that the update location is what you specified in the policy  (You will see that it has automatically appended the down level directories)

  • Right click the Sophos shield in the system tray and click Update now
  • To determine that everything worked the way we want it to, open the View Updating Log
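Steps 2 and 3 are pure IIS configuration, so here they are as a script, with the Step 5 check done from the server side instead of a client. This is an added example, not part of the original post and not a Sophos or Microsoft tool: it assumes Windows Server 2008 R2 with the ServerManager and WebAdministration modules, the physical path is the one the post uses, and the site name, port and limit values are assumptions you replace. Step 4 stays in the Enterprise Console.

```powershell
# Added example, not from the original post: IIS role, site, wildcard MIME type
# and limits for a SUM HTTP update source, then a fetch to prove it serves a CID.
Import-Module ServerManager

$siteName = 'SophosUpdate'   # assumed name
$port     = 8080             # assumed port; pick one the Default Web Site is not using
$physPath = 'C:\ProgramData\Sophos\Update Manager\Update Manager'   # path from the post

# Step 2: the bare IIS role with static content only; nothing dynamic is needed
# to serve update files, so nothing dynamic gets installed.
Add-WindowsFeature Web-Server, Web-Static-Content | Out-Null
Import-Module WebAdministration

# Step 3: the site. Everything under $physPath becomes anonymously downloadable
# through this site, so keep that folder to the SUM data and nothing else.
$sitePath = "IIS:\Sites\$siteName"
if (-not (Test-Path $sitePath)) {
    New-Website -Name $siteName -Port $port -PhysicalPath $physPath | Out-Null
}

# Wildcard MIME type (.* -> */*) so IIS serves every file in the CID, not just
# the extensions it already knows about. Skipped if the entry already exists.
$mimeFilter = 'system.webServer/staticContent'
$haveWild = Get-WebConfiguration -PSPath $sitePath -Filter "$mimeFilter/mimeMap[@fileExtension='.*']"
if (-not $haveWild) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $mimeFilter -Name '.' `
        -Value @{ fileExtension = '.*'; mimeType = '*/*' }
}

# Limits: bandwidth in bytes per second and concurrent connections, so one
# update window cannot flatten the WAN link. Values are assumptions.
$limits = "/system.applicationHost/sites/site[@name='$siteName']/limits"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $limits -Name maxBandwidth   -Value 262144
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $limits -Name maxConnections -Value 200

# Step 5 from the server side: fetch a file the clients will ask for. mrinit.conf
# sits in SAVSCFXP on every CID (see the message relay post), so it is a safe probe.
function Test-SophosHttpCid {
    param([string]$BaseUrl, [string]$Cid = 'S000')
    $url = "$BaseUrl/CIDs/$Cid/SAVSCFXP/mrinit.conf"
    $wc  = New-Object System.Net.WebClient
    try { $body = $wc.DownloadString($url) }
    catch { Write-Warning "$url : $($_.Exception.Message)"; return $false }
    return ($body -match 'ParentRouterAddress')   # true only if the CID is really being served
}
Test-SophosHttpCid -BaseUrl "http://localhost:$port"
```

If the probe returns False, the usual causes are the MIME entry missing (IIS answers 404 for unknown extensions) or the physical path pointing one level too deep, which is why the client-side update location "automatically appends the down level directories" as the post notes.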


Conclusion
Using SUM will be a big improvement over using the EM Library.  By using IIS you can overcome the limitations and service your distributed environment with fewer SUMs, and that means fewer policies.  By using multiple IIS sites from one server you can also gain very granular control as to what is enabled or disabled.

15 November 2010

Outlook Web with mobile devices and custom forms

In http://fixmyitsystem.blogspot.com/2010/11/customise-tmg-exchange-forms.html I cover how to change the Exchange login form.  Something to note is that when using the Exchange forms the mobile templates are not available unless you explicitly put them on each TMG server.

Using the default paths you need to copy the cHTML and xHTML folders from

C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ISA
to
C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange

Now you will have forms that will allow web enabled mobile devices to authenticate.

The default look of the forms is really bland.  Basically no text and a black and white Microsoft logo at the top.  This really does not inspire any confidence for a user that they have reached the site they are looking for.

Same as with the HTML form you can specify different string values to populate existing fields in the various pages.  But here you are going to have to check on the pages to see what string values are used.

To change the graphic at the top of the form you need to edit the mslogo.gif file.  Once you are done copy the changed files to all the array nodes and restart.

Here is my before and after graphic.  Just to show what a difference it can make.



I know, I know again with that pesky fruit logo.

12 November 2010

Customise TMG Exchange forms authentication page

When publishing Exchange web access through TMG or ISA the supported method for authentication is forms based authentication.


By default you have two choices.  You can go for the standard TMG template (still called ISA) or you can use the Exchange template.

These templates are located in C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\


  • HTML—Intended for standard browsers. 
  • cHTML—Intended for browsers that support cHTML, such as i-mode mobile devices.
  • xHTML—Intended for browsers that support xhtml-mp, such as Microsoft Windows Mobile® and other mobile devices.

We are going to be looking at the HTML version.  There are many different pages that can be changed if you really want to, but all you need to do to change the look and feel of the page is to edit a few images and change a few text strings.

The key images you will probably want to change are the following:

  • lngtopl.gif
  • lngtopr.gif
  • lngbotl.gif
  • lngbotr.gif
In my case I would like to keep the general Office 2010 theme going.  I would just like to insert my company logo and change some of the text.  I also want to change the color to something more in line with my corporate image.

All the text on the pages is dynamically retrieved from the strings.txt file.  Here is a small part of it so you can get the idea.

[strings]
;Strings used in login page

L_LoginButton_Text="Log On"
L_WindowTitle_Text="Microsoft Forefront TMG"
L_ShowUITitle_Text="Client"
L_ShowDetail_Text="show explanation"
L_HideDetail_Text="hide explanation"
L_ShowSimpleUI_Text="I have a slow Internet connection. If you select this option, the Web applications you use may offer fewer features, but will provide a better experience in some situations."
L_ShowComplexUI_Text="Premium"
L_UIBasicDescription_Text="The basic client provides fewer features than the full-featured client but offers faster performance. Use the basic client if you are on a slow connection."
L_ShowTrustTitle_Text="Security"

You can open the individual html pages and look for the variable string values or you can look at the rendered page and search the file for the text string you want to change.

There are also two style sheets, one for the fonts (owafont.css) and another for styles (logon_styles.css).  I use SharePoint Designer to edit these so that the colours are in line with my corporate ones.

Editing logon_styles.css I change the following styles that contain yellow / orange definitions:
  • select,text
  • input.btn
  • .btnOnFcs
  • .btnonmseover
  • .btnonmsedwn
  • a
  • .wrng
Last but not least, I also want to change the favicon (the little icon in the address bar).  I created an .ico file of the corporate logo and replaced the original one.

Now to put this all together.  Copy your edited files to all the nodes in the array. And restart.

If it was not for writing this blog while I was doing the changes you are looking at about 15mins worth of effort, not bad considering the corporate gratitude and salary increase you will be receiving...

The official guide is here; http://technet.microsoft.com/en-us/library/ee914625.aspx But they don't have pictures :)

Okay, you got me - I don't work for apple - Just trying to get an I-Pad to work so it was top of mind when looking for an alternative logo...

05 November 2010

TMG rule organising enhancements

One of the nice new features in TMG 2010 is that it is a lot easier to manage your rules, especially if you have a lot of them.

 
Search
 
The first feature I want to explore is the search.   If you have ever had an ISA deployment where you publish multiple web applications you will know that the list can get quite long and tedious to look through to find that one rule you want to look at.  Sure, a really good naming convention will take you a long way, but there comes a time when it just does not cut it anymore.

 

 
The search allows you to find the rule you are looking for based on:

 
Free Text
Any free text. If you use free text, the search result contains all the matches in text-based properties, as well as matches in non-text properties defined as “searchable”.

"default rule" finds the rules containing this string.
Default rule finds the rules containing the word default and the word rule. For example, a rule containing a listener with the following description: Many rules, all defaulted to this listener

Name:Value
The Name is a column name or a distinct UI property (e.g. Content Type) in the Firewall Policy node of the Forefront TMG Management console. The Value is one of the allowed values for this Name.
The result of the search contains all the matches within the available values of Name, including values of implied sub-properties.

From:Internal To:External Protocol:HTTP finds the rules that provide Web access.
Action:Allow Condition:"All Users" Listener:MyListener finds the rules allowing access to all users via a Web listener named MyListener.

Property:Value
The Property is a COM property name as defined in the Forefront TMG SDK. The Value is one of the allowed values for this Property.
The result of the search contains all the matches within the available values of Property, including values of implied sub-properties.


Type:fpcPolicyRuleAccess finds the access rules.
SourceSelectionIPs:Internal DestinationSelectionIPs:External SpecifiedProtocols:HTTP finds the same rules that From:Internal To:External Protocol:HTTP finds.

All in all, pretty impressive really, considering it was not in ISA at all!

Rule Groups
Groups allow you to group together rules that belong together. As an example, you may publish an application that requires a few rules to handle the various allows, blocks and redirects. You can now create the separate rules and put them in a group. This does not affect how the rules work; it just displays or hides them as a pack.

Limitations
  • You cannot create sub groups.
  • Rules must be in sequential number order to be able to group them.
  • Rules cannot be added to an existing group. You have to ungroup the rules, then select the old and new rules and group them again.

Conclusion
Following a good naming convention is always a good idea and allows you to visually and logically organise your rules in a way that makes sense to you, the administrator, even if it does not make sense to DD. The new features have been added to handle increasing numbers of rules. Take the time to plan how you want to use them and they can make finding the right rule a breeze.

04 November 2010

Generating a self signed certificate for HTTPS and FTP-ES

From time to time you will need a certificate for testing. You can go the route of requesting one from your local PKI / CA, but you can also generate a self-signed certificate from the IIS management console.

  • Open the IIS Management console
  • At the server level select Server Certificates
  • From the Actions Pane click on "Create self-signed certificate"
  • Specify a friendly name
  • Click OK
  • The cert will now be listed
  • To check it out, double click the friendly name and the cert will open up
  • You will note that Issued To and Issued By are the same, which is what makes it a self-signed certificate

The limitation of self-signed certs is that they are not trusted by anyone.
But they can be handy from time to time, and in cases like FTP-ES it does not really matter which cert you use, as long as you use one to enable the encryption.

01 November 2010

Sophos client not communicating with Enterprise Console

While testing the new version of Sophos I ran into this error.

I have existing client machines currently running Sophos Endpoint 8. To test, I installed a separate server with Enterprise Console 9. I then manually installed the client on a few machines.

I would install the client from the Enterprise Console's own CID. The install would complete successfully but there would be no comms from the client to the server. Running the Sophos Communications report showed that there was an error, but it was listed as the rather generic:

Sophos Anti-Virus cannot report to Sophos Enterprise Console (SEC) or receive new security policies. 
This is because it is using an SSL certificate that is incompatible with the SEC server. 
Sophos Anti-Virus should be reinstalled by the system administrator.

This indicates that there is an issue with the server certificate, and the listed solution is to reinstall the client from the CID.... This is exactly what got me to this point in the first place.

I finally found the problem. The message router is specified by the mrinit.conf file, which is retrieved from the CID. My client machines however had a file that remained after the Sophos client was uninstalled. This file was called mrinit.conf.orig and it contained the original Sophos server's address. If I manually removed this file then the install would succeed without any issues. This is however not practical for a large deployment. The fix for this was to copy the mrinit.conf file from the CID and rename it to mrinit.conf.orig, then copy these two files into the RMF folder of the CID. Running configcid then includes these files in the CID.

Now when you install, the problem-causing mrinit.conf.orig file is overwritten and all things work nicely again.

29 October 2010

Webspy Vantage FTMG W3C import reverse or switch bytes in and out

When setting FTMG, or even ISA 2006, to export the logs to W3C text files something strange happens... The bytes in and bytes out values get switched around. The result of this is that you will see what looks like a large amount of data going out towards a website, as opposed to it coming in.

You can either edit the MSDEtoText.vbs file to switch the values for you (you can ask me for a copy of this script if you want one), or you can import your logs directly from the MSDE database.

I raised this issue with the Webspy developers as a feature request and they confirmed that they now include an easy way for you to switch these values around. You may want to change from the default if you are importing directly from the MSDE or if you have a script that already fixes the issue. Note that this option is only for FTMG, not for ISA 2006.

When creating a storage you have to select the loader you will be using.

  • When you get to the loader section select Microsoft FTMG.
  • Click on properties.
  • Change the format from Automatic detection to Forefront TMG (W3C).
  • A new check box option will appear. Either check or uncheck "Reverse bytes sent and received to compensate for a bug in TMG's logging" depending on your scenario.
If you do this per input location after the storage has been created and already contains data, you will have to clear the storage and re-import all the logs.
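For anyone who would rather fix the export before it reaches the analyser, here is an added example (not the MSDEtoText.vbs script mentioned above) that swaps the two byte columns of a TMG W3C text log. It assumes TMG's tab-delimited W3C layout with the counters named cs-bytes and sc-bytes, reads the column positions from the #Fields: line, and the sample log rows are constructed.

```python
"""Swap the bytes-in / bytes-out columns of a TMG W3C text log export.
Added example (not the post's MSDEtoText.vbs). Assumes TMG's tab-delimited
W3C layout with counters named cs-bytes and sc-bytes; check your #Fields: line."""

def swap_byte_columns(lines, sent_field="cs-bytes", recv_field="sc-bytes"):
    """Yield the log with the two byte columns exchanged on every data row.
    Directive lines (#Software:, #Fields:, ...) pass through; the #Fields:
    line gives the column positions. Rows before any #Fields: line, or with
    a column count that differs from the header, are left unchanged."""
    sent_idx = recv_idx = None
    width = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            width = len(fields)
            sent_idx = fields.index(sent_field) if sent_field in fields else None
            recv_idx = fields.index(recv_field) if recv_field in fields else None
            yield line
        elif line.startswith("#") or not line:
            yield line
        else:
            cols = line.split("\t")
            if sent_idx is None or recv_idx is None or len(cols) != width:
                yield line  # cannot map the columns safely; leave the row alone
            else:
                cols[sent_idx], cols[recv_idx] = cols[recv_idx], cols[sent_idx]
                yield "\t".join(cols)


# Constructed sample rows showing the bug: a 1 MB download appears under
# cs-bytes, i.e. as if the client had sent 1 MB out to the web site.
SAMPLE_LOG = [
    "#Software: Microsoft(R) Forefront(TM) Threat Management Gateway",
    "#Fields: c-ip\tcs-username\tdate\ttime\tcs-bytes\tsc-bytes\tcs-uri\tsc-status",
    "10.0.0.5\tDOMAIN\\alice\t2010-10-29\t08:15:01\t1048576\t845\thttp://example.com/big.zip\t200",
    "10.0.0.7\tDOMAIN\\bob\t2010-10-29\t08:15:02\t2048\t512\thttp://example.com/\t200",
]


def swapped_sample():
    """Return the constructed sample after the swap, as a list of lines."""
    return list(swap_byte_columns(SAMPLE_LOG))


if __name__ == "__main__":
    print("\n".join(swapped_sample()))
```

Run it over a real export with `swap_byte_columns(open(path))` and write the lines back out; if your #Fields: line uses different counter names, pass them as sent_field and recv_field.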