5 Critical Settings Not Available in the Forefront TMG 2010 Management Console

Microsoft Forefront TMG 2010I’ve been working with Microsoft Forefront TMG 2010 and its predecessors (dating back to Microsoft Proxy Server 2.0) for many years. One of the hallmarks of this great product was its intuitive management console (ISA 2000 not withstanding of course!). As great as the TMG 2010 GUI is though, there are still a number of important configuration settings that can only be viewed or changed using the command line. In my latest (and last!) 5 Critical Settings Not Available in the Forefront Threat Management Gateway (TMG) 2010 Management ConsoleI share a few of these setting and demonstrate how to configure them using the command line commands or scripts.

Troubleshooting Name Resolution Issues on DirectAccess Clients

Often network connectivity issues can be traced directly to issues involving name resolution. The most common tool used to troubleshoot name resolution issues is NSlookup. If you’re a systems administrator there’s no doubt you’ve used this tool. However, NSlookup does not always work as expected on DirectAccess clients when they are away from the corporate network. Read my latest blog post at directaccess.richardhicks.com to find out how to use NSlookup and Resolve-DnsName on DirectAccess clients in the field.

Hacked via RDP

Hacked via Remote Desktop Protocol (RDP)? It can happen! Brian Krebs’ post shows that there is an underground market for valid remote desktop connections that can be purchased for use by cybercriminals for a wide variety of nefarious purposes. Out of necessity I once published RDP to a Windows server using Forefront TMG 2010 for a short time. I was amazed at how many connection attempts were made! Obviously there are bots that scan the Internet incessantly looking for open RDP ports and when they are found, they try common username and password combinations in an attempt to successfully authenticate. No doubt my IP addresses was recorded in a database in spite of the fact that a login was not successful. It is possible that a vulnerability in RDP with remote execution might be found in the future, at which point I’m certain they would return in attempt to leverage the vulnerability to gain access to my system. In this case the connection was only required temporarily, and I don’t make it a practice to expose RDP directly to the public Internet.

Protecting yourself from these types of attack is simple using established security best practices. DO NOT expose RDP directly to an untrusted network. Access to remote desktop solutions (Microsoft RDP, VNC, etc.) should be performed only via a secure channel such as VPN or Remote Desktop Gateway. Authentication best practices should be followed closely, including the enforcement of long, complex passwords and ideally multi-factor authentication like Windows Azure Multi-Factor Authentication (MFA). Windows Azure MFA is cloud-based, but can also work with on-premises security solutions. Read my article on ISAserver.org to see how I configured Forefront TMG 2010 to work with Windows Azure MFA.

Follow these rules and don’t be a victim!


Working with Windows Azure Virtual Networks

Great news! I recently accepted a new writing assignment for TechGenix latest web property, CloudComputingAdmin.com. Here I’ll be writing about cloud technologies, including public, private, and hybrid cloud solutions. You can expect that my focus will be primarily with Microsoft cloud solutions, including Windows Azure, Windows Server 2012/R2, Hyper-V, and System Center. In addition, because of my expertise and extensive experience in the fields of networking and security, you can expect many articles closely related to those topics as well.

My first article is Working with Windows Azure Virtual Networks. Read it today!


Windows Azure Multi-Factor Authentication and Forefront TMG 2010

When Microsoft first announced Windows Azure Multi-Factor Authentication, a cloud-based strong authentication solution, my first thought was “I wonder if it works with Forefront TMG 2010?” Being cloud-based, my first thought was perhaps not. However, once I started digging in to it I quickly learned that it includes a software component that can be installed on-premises and will even integrate with on-premises security solutions via a number of interfaces, including RADIUS. Forefront TMG 2010 has supported RADIUS authentication for many years, so I put together a test lab and in no time at all I had Windows Azure multi-factor authentication working with Forefront TMG 2010 remote access VPN. Forefront TMG 2010 integrated with Windows Azure multi-factor authentication provides the highest level of protection for remote access users. Leveraging Windows Azure cloud-based strong authentication is extremely cost effective, with very low per user or per authentication costs and no on-premises hardware to purchase. The Windows Azure public cloud, which is ISO/IEC27001:2005 certified, provides the most secure and reliable strong authentication service available today. To learn how to configure Forefront TMG 2010 to work with Windows Azure multi-factor authentication, click here.

Microsoft Forefront TMG 2010