WindowsNetworking.com Monthly Newsletter of May 2009 Sponsored by: SpamTitan
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all of *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
Last month we spoke about cloud computing. Cloud computing is the hot topic, the Big Thing, and it seems like you cannot get away from the subject if you are in the computer industry. Like all hot topics, cloud computing will cool off and the next hot topic will take over. That is the nature of “Big Things”: they become the same size as everything else after a while.
This made me think about a “Big Thing” from the past - SSL VPN. If you were paying attention to what is hot and what is not between 2002-2007, you surely noticed that SSL VPNs were the hot topic, the “Big Thing”. You do not hear too much about SSL VPNs anymore, mostly because they’re now accepted as just another essential part of the network.
If you do not have an SSL VPN, and do not know what they are about, let me tell you. An SSL VPN is essentially an inbound SSL based firewall. There are different types of SSL VPNs, but the three main types are:
Some SSL VPNs are all three types, such as Microsoft Intelligent Application Gateway 2007. In fact, IAG 2007 is probably one of the most flexible and secure SSL VPNs available today. Why would you deploy an SSL VPN when there are other ways to enable remote access? Most companies enable remote access by allowing network level VPN connections to their networks. The problem with this is that it gives users way too much access to the corporate network. The fact is that users really do not care about being able to connect to the corporate network; what they care about mostly is having access to applications and information that is contained on the corpnet.
An SSL VPN can help you here. Let us look at how IAG 2007 works to show you the value of an SSL VPN. When users connect to an SSL VPN, they are first presented with a portal page. On this portal page users are presented with a list of applications they can use, such as remote desktop, OWA, SharePoint, Microsoft CRM, or PeopleSoft. The users click on the applications they want to use, and the SSL VPN takes them to the server and presents a browser window with the application and information the user requested. Nice!
So, enabling least privilege access to the network is a major advantage of SSL VPN. Some SSL VPNs enable advanced security, such as the IAG 2007 SSL VPN. IAG 2007 does positive and negative logic filtering, so that it checks for both known and unknown exploits by blocking known bad connections and allowing only known good ones. And then, even after the user connects to the applications they need, IAG 2007 can enforce policy based security by restricting access to components of applications based on whether the user is connecting from a trusted machine or not.
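The filtering order described above, as an added example that is not code from this newsletter or from IAG 2007: negative logic rejects known-bad patterns, positive logic rejects everything not explicitly known good, and endpoint trust then limits application components. The rule format, the webmail URL paths and the function names are hypothetical, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class AppPolicy:
    # Hypothetical rule format; IAG 2007's real rule syntax is not shown on the page.
    denied: list        # negative logic: known-bad signatures
    allowed: list       # positive logic: the only URLs considered known good
    trusted_only: list  # application components reserved for trusted machines

# Constructed policy for an imaginary webmail application published on the portal.
MAIL = AppPolicy(
    denied=[r"\.\./", r"%2e%2e", r"%00", r"<script"],
    allowed=[r"/mail/inbox", r"/mail/message\?id=\d+", r"/mail/attachment\?id=\d+"],
    trusted_only=[r"/mail/attachment"],
)

def decide(policy, method, url, endpoint_trusted):
    """Return (verdict, reason) for one inbound request."""
    lowered = url.lower()
    # 1. Negative logic: reject anything matching a known-bad signature.
    for sig in policy.denied:
        if re.search(sig, lowered):
            return ("block", "known bad")
    # 2. Positive logic: reject anything that is not explicitly known good,
    #    which also stops requests no signature exists for yet.
    if method not in ("GET", "POST") or not any(
            re.fullmatch(p, url) for p in policy.allowed):
        return ("block", "not known good")
    # 3. Endpoint policy: some components are only for trusted machines.
    if not endpoint_trusted and any(re.match(p, url) for p in policy.trusted_only):
        return ("block", "untrusted endpoint")
    return ("allow", "known good")

# Constructed sample requests: (method, url, endpoint_trusted).
SAMPLES = [
    ("GET", "/mail/inbox", False),
    ("GET", "/mail/attachment?id=42", True),
    ("GET", "/mail/attachment?id=42", False),
    ("GET", "/mail/%2E%2E/admin", True),
    ("GET", "/mail/export?format=all", True),
]

def evaluate(samples=SAMPLES, policy=MAIL):
    return [decide(policy, m, u, t) for m, u, t in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, evaluate()):
        print(sample, "->", result)
```

The last sample matches no signature at all; it is stopped only because it is absent from the allow-list, which is the "unknown exploit" case the paragraph refers to.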
SSL VPNs are a great way to make your network more secure, while at the same time making your users more productive. For more information on the IAG 2007 SSL VPN, check out this link.
Thanks and see you next month!
Want to learn about network security from the experts? Want to get the inside information about Windows Network Security and the inner workings of the TMG firewall? Then join us at Black Hat Las Vegas for Microsoft Ninjitsu: Black Belt Edition. Tim, Jim and I provide helpful and cogent insights into squeezing the highest level of security from your Microsoft infrastructure and let you into the secret tweaks that we use to get an edge over the bad guys.
For ISA or TMG firewall, as well as other Forefront Consulting Services and Microsoft virtualization technology consulting in the USA, call me at 206-443-1117 or visit the Prowess Consulting web site.
Got a networking question that you can't find the answer to? Send a note to Dr. Tom at email@example.com and he'll answer your question in next month's newsletter.
3. WindowsNetworking.com Articles of Interest
"SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this feature allows for a VPN connection to be established through an HTTP proxy device.
The information in this article is specific to troubleshooting connection failures that relate to an SSTP-based VPN connection. You may receive other error codes on a remote access client computer. However, these error codes may be common for other kinds of VPN tunnels, such as PPTP, L2TP, and SSTP. For example, this article does not discuss error codes that you may receive if a remote access policy fails, if client authentication fails, or if a server does not support the ports that are required for the particular kind of connection"
Check out this great article that will help speed up your SSTP troubleshooting efforts.
One of my favorite commands is the nslookup command. You have probably used it yourself many times. For example, when trying to figure out if you had a name resolution problem, you opened a command prompt and typed:
But did you know that nslookup has a lot of other useful commands you can take advantage of? Just type ? in the nslookup window and you’ll see help like that in the figure below.
And if you want to really get a good understanding of what is going on, try using the d2 option, like this:
That will give you exhaustive debugging information. Have fun!
Hi Dr. Tom,
I got a question for you. I’m building a new house and am wondering if I should put in Cat 6 cabling. I ask this because I’ve seen some major advancements in wireless network, with wireless N and all. What do you think? Is it worth the effort and money to put in a wired network while the walls are open during the build process?
Thanks! Jon Richard
Great question! The answer is that you definitely should put the Cat 6 cables into each room while the house is being built. The walls will be open and the hassle and expense will be minimal compared to having to do it after the house is built. While it’s true that wireless networking has come a long way in terms of speed and coverage over the last few years, it still pales in comparison to what wired networking can do, and the speed and reliability advantages of wired over wireless should continue for the foreseeable future. Why lock yourself into a solution that can barely make 100Mbps when cheap gigabit NICs and switches are available now, and 10Gbps NICs and switches are likely to become commodity in the coming years?
Got a question for Dr. Tom? Send it to firstname.lastname@example.org.