ISA/TMG: Domain and Workgroup Considerations

It has always been a topic of debate whether to keep ISA/TMG servers in a domain or in a workgroup. Some time back I wrote a blog entry http://isingh.spaces.live.com/blog/cns!D4B487C69B1A780!159.entry covering the domain member vs. workgroup model.

To update the context, I would like to add the URLs below, which describe the supported and unsupported scenarios when configuring ISA/TMG servers in a domain or in a workgroup.

http://technet.microsoft.com/en-us/library/dd897048.aspx
http://technet.microsoft.com/en-us/library/ee796231.aspx#kjdfg947jfht

Hope these URLs will help you understand the key features you lose when you implement a workgroup model.

Cheers !!

Microsoft DirectAccess Considerations when implementing it using Windows 2008 R2 based DirectAccess or using the Forefront Unified Access Gateway 2010 based DirectAccess (UAG DA)

I have often been asked what the key considerations are when implementing DirectAccess connectivity. Seriously, there are quite a few. I am trying to put together some of them here and will keep updating the list as I come across more.

  1. When using ISATAP connectivity internally, DirectAccess clients can only communicate using applications that support IPv6 and can only connect to intranet resources that are reachable over IPv6.
  2. IPv4-only client applications will fail to connect over DirectAccess, even when using NAT64 through the UAG DirectAccess server.
  3. Native IPv6 on the intranet is required for bi-directional connectivity. NAT64 does not support bi-directional connectivity.
  4. Windows Vista and above support native IPv6; however, only Windows 7 machines can initiate DirectAccess connectivity.
  5. Windows XP and Server 2003 have an IPv6 stack, but their built-in system services are not IPv6-capable, which means Windows XP/2003/2000 machines cannot be accessed over DirectAccess when using ISATAP internally. They can only be accessed when using NAT64 or a NAT-PT device (non-Microsoft devices).
  6. Windows 7 machines connecting over DirectAccess must be domain joined, logged in with domain credentials, and running either the Ultimate or Enterprise edition.
  7. Optionally, conventional VPN connectivity may still be required for the first-time GPO update.
  8. End-to-end IPsec authentication is not supported when using NAT64.
  9. In some scenarios the internal infrastructure may need an upgrade, depending on the type of configuration. For example, routers that do not forward IPsec traffic should be upgraded when using end-to-end connectivity.
  10. In a client/server application, the server side does not need to be IPv6-capable when implementing NAT64, but the client-side application must be IPv6-aware when communicating. It will fail to connect otherwise.
  11. Some client-side applications are written to use the server's internal IPv4 address to connect. During or after installation, these client applications use the IP address to locate the server. When this kind of application tries to connect over DirectAccess, it will FAIL: IPv4 traffic cannot be passed through the DirectAccess tunnel, so any such application will not work over DirectAccess. It requires either a client version that supports IPv6, or the SSTP connector in UAG to create a VPN tunnel when using that application.
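To make items 1, 2, 5, 10 and 11 concrete, here is an added example (not code from the original post, and not Microsoft's implementation) that builds the IPv6 addresses involved in the two transition technologies named above and then applies the DNS64 rule a DirectAccess client relies on: real AAAA records are used as-is, an A-only name is reachable only when NAT64 can synthesize an address for it, and an IPv4 literal baked into an application never reaches DNS at all and so cannot enter the IPv6-only tunnel. The ISATAP prefix, the host addresses, and the use of the RFC 6052 well-known prefix 64:ff9b::/96 as the NAT64 prefix are all constructed assumptions; a UAG deployment derives its NAT64 prefix from its own IPv6 address space.

```python
import ipaddress
from typing import List, Optional

# Constructed sample values (not from the original post): the /64 prefix an
# ISATAP router advertises on the intranet, and the RFC 6052 well-known NAT64
# prefix used here purely as an example NAT64 prefix.
ISATAP_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def isatap_address(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """Form the ISATAP address an intranet host derives from its IPv4 address (RFC 5214).

    The interface identifier is 0:5efe:w.x.y.z for private IPv4 addresses and
    200:5efe:w.x.y.z (the 'u' bit set) for globally unique ones.
    """
    if prefix.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    u_bit = 0 if v4.is_private else 0x0200
    iid = (u_bit << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def nat64_synthesize(prefix: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052 layout for /96)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def dns64_answer(aaaa: List[str], a: List[str],
                 nat64_prefix: Optional[ipaddress.IPv6Network]) -> List[ipaddress.IPv6Address]:
    """Mimic DNS64 (RFC 6147): pass real AAAA records through, otherwise synthesize
    AAAA records from the A records when a NAT64 prefix is deployed."""
    if aaaa:
        return [ipaddress.IPv6Address(x) for x in aaaa]
    if nat64_prefix is None:
        # A-only target and no NAT64: nothing an IPv6-only tunnel can carry (items 1, 2).
        return []
    return [nat64_synthesize(nat64_prefix, x) for x in a]


def directaccess_target(name_or_ip: str, aaaa: List[str], a: List[str],
                        nat64_prefix: Optional[ipaddress.IPv6Network]) -> List[ipaddress.IPv6Address]:
    """Return the IPv6 addresses a DirectAccess client could actually connect to.

    An application that uses a hard-coded IPv4 literal (item 11) bypasses DNS,
    so DNS64 never sees it and the address cannot be sent through the tunnel.
    """
    try:
        literal = ipaddress.ip_address(name_or_ip)
    except ValueError:
        literal = None  # not a literal, so it is a DNS name
    if literal is not None:
        return [literal] if literal.version == 6 else []
    return dns64_answer(aaaa, a, nat64_prefix)


if __name__ == "__main__":
    # Constructed intranet host 10.0.0.5 reachable via ISATAP...
    print("ISATAP:", isatap_address(ISATAP_PREFIX, "10.0.0.5"))
    # ...and an IPv4-only server the client can only reach through NAT64.
    print("NAT64 :", directaccess_target("legacy.corp.example", [], ["10.0.0.9"], NAT64_PREFIX))
    # An application that connects to the literal 10.0.0.9 gets nothing usable.
    print("literal:", directaccess_target("10.0.0.9", [], [], NAT64_PREFIX))
```

Run it as a script to see the three cases; the last one is the failure mode item 11 describes, and it stays a failure no matter how NAT64 is configured because the fix has to come from the client application (an IPv6-aware version or the UAG SSTP connector).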

Cheers !!!

Windows Server 2008 R2 DirectAccess Error: Registration of ISATAP in DNS Failed

I recently came across this error while configuring the Windows Server 2008 R2 based DirectAccess server. Below is the configuration we had:

1. Windows Server 2003 based Active Directory with a Windows Server 2003 domain controller and DNS
2. Additional Windows Server 2008 R2 domain controller with DNS to push DirectAccess policies
3. Windows Server 2008 R2 DirectAccess server

When we applied the DirectAccess script from within the DirectAccess MMC console, it gave us the following error.

We later discovered that the default domain Administrator account had been renamed to "Adminuser" and the proper permissions were not being assigned to this user. We are still investigating the cause, but the workaround is to assign this user permissions on the following:

1. Windows Server 2008 R2 DNS Server
2. ISATAP A host record in the DNS if it has been manually created

Re-run the script; it should then complete without errors.

Cheers !!!

Blog Post Resources For Forefront TMG/ISA and UAG/IAG


Forefront TMG and ISA Server

Forefront Edge Security TechCenter http://technet.microsoft.com/en-gb/forefront/edgesecurity/default.aspx
Forefront Edge Security Community http://technet.microsoft.com/en-gb/forefront/edgesecurity/bb687298.aspx
Using Mail Protection with Exchange EdgeSync on Forefront TMG http://technet.microsoft.com/en-gb/library/ee513174.aspx
Forefront TMG (ISA Server) Product Team Blog http://blogs.technet.com/isablog/
Using Windows Server Update Service for the TMG Update Center http://blogs.technet.com/isablog/archive/2009/11/28/using-windows-server-update-service-for-the-tmg-update-center.aspx
The Whitepaper for Configuring and Troubleshooting NIS in Forefront TMG 2010 is Now Available http://blogs.technet.com/isablog/archive/2009/12/08/the-whitepaper-for-configuring-and-troubleshooting-nis-in-forefront-tmg-2010-is-now-available.aspx
RRAS Ports are not created after enabling VPN on ISA Server 2006 http://blogs.technet.com/isablog/archive/2009/12/08/rras-ports-are-not-created-after-enabling-vpn-on-isa-server-2006.aspx

Forefront TMG 2010 Tools and SDK Update http://blogs.technet.com/isablog/archive/2009/12/10/forefront-tmg-2010-tools-and-sdk-update.aspx

Reducing Kerberos requests when using KCD for web publishing http://blogs.technet.com/isablog/archive/2009/12/11/reducing-kerberos-requests-when-using-kcd-for-web-publishing.aspx
Hyper-V Update to Improve Network Stability http://blogs.technet.com/isablog/archive/2009/12/12/hyper-v-update-to-improve-network-stability.aspx
Manually creating the SecurID Node Secret fails on Forefront TMG http://blogs.technet.com/isablog/archive/2009/12/15/manually-creating-the-securid-node-secret-fails-on-forefront-tmg.aspx
Closing the Forefront codename Stirling – Forefront TMG forum http://blogs.technet.com/isablog/archive/2009/12/15/closing-the-forefront-codename-stirling-forefront-tmg-forum.aspx
Troubleshooting NIS was never made easier http://blogs.technet.com/isablog/archive/2009/12/15/troubleshooting-nis-was-never-made-easier.aspx
How to get NLB to work with Forefront TMG when running in Hyper-V http://blogs.technet.com/isablog/archive/2009/12/22/How-to-get-NLB-to-work-with-Forefront-TMG-when-running-in-Hyper_2D00_V.aspx
RRAS Service fails to start on ISA Server 2006 when enabling RADIUS Authentication for VPN Users http://blogs.technet.com/isablog/archive/2009/12/23/rras-service-fails-to-start-on-isa-server-2006-when-enabling-radius-authentication-for-vpn-users.aspx
Using Forefront TMG/ISA Server BPA for documenting your deployment http://blogs.technet.com/isablog/archive/2009/12/24/using-forefront-tmg-isa-server-bpa-for-documenting-your-deployment.aspx
Forefront TMG 2010 documentation now available on TechNet http://blogs.technet.com/isablog/archive/2009/12/29/forefront-tmg-2010-documentation-now-available-on-technet.aspx
Categories for URL Filtering http://blogs.technet.com/isablog/archive/2010/01/03/categories-for-url-filtering.aspx
Localized versions of Forefront TMG 2010 documentation released to TechNet http://blogs.technet.com/isablog/archive/2010/01/04/localized-versions-of-forefront-tmg-2010-documentation-released-to-technet.aspx
Scripting URL overrides in Forefront TMG http://blogs.technet.com/isablog/archive/2010/01/07/scripting-url-overrides-in-forefront-tmg.aspx
Hardware recommendations for Forefront TMG 2010 http://blogs.technet.com/isablog/archive/2010/01/12/hardware-recommendations-for-forefront-tmg-2010.aspx
SCOM pack for Forefront Threat Management Gateway 2010 has been released http://blogs.technet.com/isablog/archive/2010/01/14/scom-pack-for-forefront-threat-management-gateway-2010-has-been-released.aspx
Forefront TMG Administrator’s Companion Goes to the Printers http://blogs.technet.com/isablog/archive/2010/01/15/forefront-tmg-administrator-s-companion-goes-to-the-printers.aspx
Tips and Tricks – ISA Data Packager Fails to Start http://blogs.technet.com/isablog/archive/2010/01/18/tips-and-tricks-isa-data-packager-fails-to-start.aspx
Announcing the availability of TMG Best Practices Analyzer Version 8 http://blogs.technet.com/isablog/archive/2010/01/22/announcing-the-availability-of-tmg-best-practices-analyzer-version-8.aspx


Forefront Unified Access Gateway & Intelligent Application Gateway 2007

Intelligent Application Gateway 2007 Technical Resources http://technet.microsoft.com/en-gb/forefront/edgesecurity/bb687299.aspx
Forefront Edge Security Community http://technet.microsoft.com/en-gb/forefront/edgesecurity/bb687298.aspx
Forefront Unified Access Gateway Product Team Blog http://blogs.technet.com/edgeaccessblog
Forefront Unified Access Gateway (UAG) 2010 is released! http://blogs.technet.com/edgeaccessblog/archive/2009/12/24/forefront-unified-access-gateway-uag-2010-is-released.aspx
An improved way of managing the Access Enabling Servers or "Managing DirectAccess Management with UAG" http://blogs.technet.com/edgeaccessblog/archive/2010/01/10/an-improved-way-of-managing-the-access-enabling-servers-or-managing-directaccess-management-with-uag.aspx
UAG DirectAccess and F5 BigIP – Better Together http://blogs.technet.com/edgeaccessblog/archive/2010/01/12/uag-directaccess-and-f5-bigip-better-together.aspx
UAG 2010 is now on MSDN http://blogs.technet.com/edgeaccessblog/archive/2010/01/13/uag-2010-is-now-on-msdn.aspx
Forefront UAG RTM documentation now live on TechNet http://blogs.technet.com/edgeaccessblog/archive/2010/01/13/forefront-uag-rtm-documentation-now-live-on-technet.aspx
Forefront UAG in Common Criteria Evaluation http://blogs.technet.com/edgeaccessblog/archive/2010/01/14/forefront-uag-in-common-criteria-evaluation.aspx
What happened to Basic and Webmail trunks? http://blogs.technet.com/edgeaccessblog/archive/2010/01/15/what-happened-to-basic-and-webmail-trunks.aspx
How to configure Forefront TMG to block AD users from accessing internal resources http://blogs.technet.com/edgeaccessblog/archive/2010/01/19/how-to-configure-forefront-tmg-to-block-ad-users-from-accessing-internal-resources.aspx

Cheers !!!