WindowsNetworking.com Newsletter of April 2008

WindowsNetworking.com Monthly Newsletter of May 2009 Sponsored by: SpamTitan

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@windowsnetworking.com

Experience the benefits of a VMware Ready Virtual Appliance?

SpamTitan is a complete software solution to email security offering protection from Spam, Viruses, Trojans, Phishing and unwanted content. With the SpamTitan Cluster solution you can set up a multi node cluster of SpamTitan appliances providing load balancing and failover across the various nodes. Benefit from the flexibility offered by virtualisation to build scalability, redundancy and back up into your email gateway. Available from $550.

For more information on SpamTitan click here.

1. Do You Need an SSL VPN?

Last month we spoke about cloud computing. Cloud computing is the hot topic, the Big Thing, and it seems like you can not get away from the subject if you are in the computer industry. Like all hot topics, cloud computing will cool off and the next hot topic will take over. That is the nature of “Big Things”, they become the same size as everything else after a while.

This made me think about a “Big Thing” from the past - SSL VPN. If you were paying attention to what is hot and what is not between 2002-2007, you surely noticed that SSL VPNs were the hot topic, the “Big Thing”. You do not hear too much about SSL VPNs anymore, mostly because they’re now accepted as just another essential part of the network.

If you do not have an SSL VPN, and do not know what they are about, let me tell you. An SSL VPN is essentially an inbound SSL based firewall. There are different types of SSL VPNs, but the three main types are:

  • Reverse Web proxy
  • SSL socket and port forwarder
  • SSL over PPP network level VPN

Some SSL VPNs are all three types, such as Microsoft Intelligent Application Gateway 2007. In fact, IAG 2007 is probably one of the most flexible and secure SSL VPNs available today. Why would you deploy an SSL VPN when there are other ways to enable remote access? Most companies enable remote access by allowing network level VPN connections to their networks. The problem with this is that it gives users way too much access to the corporate network. The fact is that users really do not care about being able to connect to the corporate network, what they care about mostly is having access to applications and information that is contained on the corpnet.

An SSL VPN can help you here. Let us look at how IAG 2007 works to show you the value of an SSL VPN. When users connect to an SSL VPN, they are first presented with a portal page. On this portal page users are presented with a list of applications they can use, such as remote desktop, OWA, SharePoint, Microsoft CRM, or PeopleSoft. The users click on the applications they want to use, and the SSL VPN takes them to the server and presents a browser window with the application and information the user requested. Nice!

So, enabling least privilege access to the network is a major advantage of SSL VPN. Some SSL VPNs enable advanced security, such as the IAG 2007 SSL VPN. IAG 2007 does positive and negative logic filtering, so that it checks for both known and unknown exploits by blocking known bad connections and allowing only known good ones. And then, even after the user connects to the applications they need, IAG 2007 can enforce policy based security by restricting access to components of applications based on whether the user is connecting from a trusted machine or not.
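The sketch below is an added example, not IAG 2007 code or configuration, showing how negative logic, positive logic and a trusted-endpoint policy combine into a single decision for each request. The application name, URL patterns and the `decide` function are assumptions made up for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Hypothetical rule set for one published application. The names and patterns
# are constructed for illustration and are not IAG 2007's actual rules.
ALLOW = {"owa": [("GET", r"/owa/(?:inbox|calendar)?"),      # positive logic:
                 ("GET", r"/owa/attachment/\d+"),           # the only known-good
                 ("POST", r"/owa/send")]}                   # request shapes
DENY = [r"\.\./", r"<script", r"\x00"]                      # negative logic: known bad
TRUSTED_ONLY = {"owa": [r"/owa/attachment/\d+"]}            # trusted machines only


def decide(app, method, url, endpoint_trusted):
    """Return (allowed, reason) for one request arriving at the gateway."""
    decoded = unquote(url).lower()
    path = unquote(urlsplit(url).path)
    # 1. Negative logic: reject anything matching a known-bad signature.
    if any(re.search(pat, decoded) for pat in DENY):
        return False, "known-bad pattern"
    # 2. Positive logic: reject anything that is not explicitly known good,
    #    which also stops requests no signature exists for yet.
    rules = ALLOW.get(app, [])
    if not any(m == method and re.fullmatch(p, path) for m, p in rules):
        return False, "not on allow list"
    # 3. Endpoint policy: some components are withheld from untrusted machines.
    limited = TRUSTED_ONLY.get(app, [])
    if not endpoint_trusted and any(re.fullmatch(p, path) for p in limited):
        return False, "requires trusted endpoint"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: (app, method, url, endpoint_trusted)
    samples = [("owa", "GET", "/owa/inbox", False),
               ("owa", "GET", "/owa/..%2f..%2fconfig", True),
               ("owa", "GET", "/owa/admin/export", True),
               ("owa", "GET", "/owa/attachment/42", False),
               ("owa", "GET", "/owa/attachment/42", True)]
    for s in samples:
        print(s, "->", decide(*s))
```

The third sample matches no deny signature and is still refused, which is the case the allow list exists for.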

SSL VPNs are a great way to make your network more secure, while at the same time making your users more productive. For more information on the IAG 2007 SSL VPN, check out this link.

Thanks and see you next month!
Tom
tshinder@windowsnetworking.com

Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Edition. Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you into the secret tweaks that we use to get an edge over the bad guys.

For ISA or TMG firewall, as well as other Forefront Consulting Services and Microsoft virtualization technology consulting in the USA, call me at 206-443-1117 or visit Prowess Consulting web site.

Got a networking question that you can't find the answer to? Send a note to Dr. Tom at tshinder@windowsnetworking.com and he'll answer your question in next month's newsletter.

=======================
Quote of the Month - “The right to be let alone is indeed the beginning of all freedom”. - Supreme Court Justice William Orville Douglas
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally 1000's of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no holds barred coverage of Microsoft's state of the art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.



3. WindowsNetworking.com Articles of Interest

4. KB Article of the Month

"SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this feature allows for a VPN connection to be established through an HTTP proxy device.

The information in this article is specific to troubleshooting connection failures that relate to an SSTP-based VPN connection. You may receive other error codes on a remote access client computer. However, these error codes may be common for other kinds of VPN tunnels, such as PPTP, L2TP, and SSTP. For example, this article does not discuss error codes that you may receive if a remote access policy fails, if client authentication fails, or if a server does not support the ports that are required for the particular kind of connection"

Check out this great article that will help speed up your SSTP troubleshooting efforts.

5. Windows Networking Tip of the Month

One of my favorite commands is the nslookup command. You have probably used it yourself many times. For example, when trying to figure out if you had a name resolution problem, you opened a command prompt and typed:
nslookup www.windowsnetworking.com
and then you got back the IP address, or you didn’t get back the IP address and had to figure out why.

But did you know that nslookup has a lot of other useful commands you can take advantage of? Just type ? in the nslookup window and you’ll see help like that in the figure below.


 
For example, if you type the command
server 192.150.87.2
it will change the DNS server used by nslookup to a new DNS server.

And if you want to really get a good understanding of what is going on, try using the d2 option, like this:
set d2

That will give you exhaustive debugging information. Have fun!


6. WindowsNetworking Links of the Month

7. Ask Dr. Tom

QUESTION:

Hi Dr. Tom,

I got a question for you. I’m building a new house and am wondering if I should put in Cat 6 cabling. I ask this because I’ve seen some major advancements in wireless network, with wireless N and all. What do you think? Is it worth the effort and money to put in a wired network while the walls are open during the build process?

Thanks! Jon Richard

ANSWER:

Hey Jon,

Great question! The answer is that you definitely should put the Cat 6 cables into each room while the house is being built. The walls will be open and the hassle and expense will be minimal compared to having to do it after the house is built. While it’s true that wireless network has come a long way in terms of speed and coverage over the last few years, it still pales in comparison to what wired network can do, and the speed and reliability advantages of wired over wireless should continue for the foreseeable future. Why lock yourself into a solution that can barely make 100Mbps when cheap gigabit NICs and switches are available now, and 10Gbps NICs and switches are likely to become commodity in the coming years?

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com.
