TMG SP1 Technical Preview Now Available

The Technical Preview of the Service Pack 1 for Threat Management Gateway is now available on Connect website from Microsoft.
Download link: https://connect.microsoft.com/forefrontsecurity/content/content.aspx?ContentID=16930&wa=wsignin1.0

One thing which I always wanted and ISA never provided successfully was the user activity report. What is the user doing? What is he/she surfing on the net? etc. etc. Now, with TMG 2010 SP1 you can have the user activity report for the last hour, 24 hours, 7 days or 30 days. You can pull a report for an individual user or for multiple users at the same time.

Now, it will be interesting to see what other vendors bring to the table. Well, my guess is that TMG is strongly making its presence felt in the market now and is emerging as a strong competitor in web proxy and content management solutions. TMG provides URL filtering out of the box; although it is a subscription-based service, it is simple and easy to use.

Overall I am very pleased with the efforts put in by the TMG development team in building a market ready product.


Cheers !!

Why use Microsoft Unified Access Gateway (UAG) for DirectAccess?

Microsoft introduced the DirectAccess technology in Windows Server 2008 R2, with which we can connect directly to our corporate resources without the need for any VPN software. The DirectAccess configuration is pushed to the client machines through a set of group policies. Once these group policies have been applied on all Windows 7 domain-joined machines, those machines can connect remotely to the corporate network without dialling in to any VPN server.

Although it sounds like a great solution from the description, it is not easy to deploy. The major requirement for DirectAccess is IPv6 connectivity within the internal network: the internal machines need IPv6 addresses before DirectAccess-enabled clients can successfully connect to them. This can be achieved in two ways:

  1. Native IPv6 connectivity, in which you assign an IPv6 address to the internal servers/machines directly through the TCP/IP properties.
  2. ISATAP, which assigns IPv6 addresses to those client machines and servers that are capable of IPv6.

Note: Windows XP and 2003 are both not capable of communicating on IPv6.

Once you have decided how you want to assign IPv6 addresses to the client machines, you can bring in the DirectAccess server to provide seamless remote connectivity.

Now, the question is: what do we do if the machines sitting inside the internal network are not IPv6 capable?

Well, the answer is Microsoft Unified Access Gateway (UAG) 2010. IPv6 is still required on the DirectAccess client machines connecting from the internet, irrespective of whether DirectAccess is based on UAG or on Windows Server 2008 R2, but with UAG you can keep the internal machines on IPv4. How? Let’s see.

Microsoft UAG 2010 has built-in functionality called NAT64 and DNS64, which provides the capability to translate IPv4 addresses to IPv6 and vice versa.

When a client machine requests a connection to a resource on the internal network, it sends an AAAA (quad-A) DNS query to the internal DNS server through the DirectAccess server (in this case UAG). The UAG server intercepts the request and proxies it as a host “A” record query to the internal DNS. The same process is reversed when the server replies: the UAG server receives the internal IPv4 address of the machine and then hashes the IP address to create an IPv6 address. This IPv6 address is sent to the client machine, which then creates another request using this IPv6 address as the destination.

When the UAG server gets this request, it converts the IPv6 address back into the IPv4 address by reversing the hash process and then forwards the request to the internal server which has that IPv4 address.
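The two-way translation described above, modelled as an added example (this is illustration code, not UAG’s implementation). Standard DNS64/NAT64 (RFC 6052) does the "hashing" the text refers to by embedding the 32-bit IPv4 address in the low bits of a /96 IPv6 prefix, so the reverse step is a simple extraction. The prefix used here is the well-known 64:ff9b::/96 and the internal zone is constructed sample data; UAG’s own prefix is not on the page and is assumed to be different. The last function also shows the check a gateway must make before "reversing": only destinations inside the NAT64 prefix are eligible for translation, anything else must not be forwarded into the internal network.

```python
import ipaddress
from typing import Optional

# Assumed NAT64/DNS64 prefix (RFC 6052 well-known prefix). Constructed for the
# example; UAG's real prefix is not taken from the product.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample internal zone: IPv4-only hosts with A records only.
INTERNAL_A_RECORDS = {
    "fileserver.corp.example": "10.1.2.3",
    "rds.corp.example": "10.1.2.40",
}


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the last 32 bits of the /96 prefix (RFC 6052)."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6_int = int(prefix.network_address) | int(v4)
    return str(ipaddress.IPv6Address(v6_int))


def resolve_aaaa_via_dns64(name: str, zone=INTERNAL_A_RECORDS) -> Optional[str]:
    """Gateway side of the DNS exchange: the client asked for AAAA, the gateway
    asks the internal DNS for A and synthesizes the AAAA answer from it."""
    a_record = zone.get(name)
    if a_record is None:
        return None  # NXDOMAIN stays NXDOMAIN; nothing to synthesize
    return dns64_synthesize(a_record)


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """Reverse step on the data path: recover the internal IPv4 destination.
    Returns None for addresses outside the NAT64 prefix, which a gateway must
    refuse to translate rather than forward to an arbitrary internal address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


if __name__ == "__main__":
    synthesized = resolve_aaaa_via_dns64("fileserver.corp.example")
    print("AAAA answer sent to DirectAccess client:", synthesized)
    print("IPv4 destination used inside the network:", nat64_extract(synthesized))
    print("Non-NAT64 destination is not translated:", nat64_extract("2001:db8::1"))
```

Running the block prints the synthesized AAAA answer 64:ff9b::a01:203 for the 10.1.2.3 host and shows that the extraction returns the original IPv4 address, while an address outside the prefix yields None.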

By using the Microsoft UAG server and enabling DirectAccess through it, we can provide remote access to our IPv4-only internal resources.


Cheers !!

Microsoft UAG Error: URL /Filesharing/ contains an illegal path

This seems to be a bug in UAG that shows up when you publish File Access and Remote Desktop Services on the same server. When you add the applications in UAG and add RDS before File Access, you will see the following warning in the UAG Web Logs. Also, when you try to open File Access in the portal from a client machine, you will see the error “URL /Filesharing/ contains an illegal path”.

[screenshot of the warning in the UAG Web Logs]

Cause
=====

Unknown at this time. It has not been fixed in Update 1 (UP1).

Resolution
============

Change the order of the applications in UAG so that the File Access application is listed before Remote Desktop Services.

Cheers !!