Aug 14, 2013

How to Install Forefront Threat Management Gateway 2010


Forefront Threat Management Gateway 2010, commonly referred to as TMG 2010, is the long-awaited latest release of Microsoft’s Internet Security and Acceleration (ISA) Server, which we have all come to love or hate over the years. TMG builds on ISA’s ability to deliver a comprehensive application-layer reverse proxy firewall and is usually deployed on the edge of your network or behind an existing edge, such as a firewall provided by Cisco or Check Point. Today I will begin a series of articles on installing and configuring Forefront TMG 2010 and discuss some of the new features that have been integrated into this release, before providing a step-by-step guide to securely publishing web sites such as Outlook Web App (OWA) or internal SharePoint web sites.
Let’s begin by outlining some of the key new features that TMG introduces over ISA.
  • URL Filtering: TMG now includes a comprehensive web filtering subscription service that is tightly integrated into the TMG management console. Organizations can create rules to block or allow web sites based on category, such as pornography, violence, shopping etc. This was usually only possible by using 3rd party services such as Websense/Surfcontrol or Symantec, and usually required additional hardware and extra servers on top of your ISA implementation.
  • Web anti-malware: Another subscription-based service that provides protection against web sites/pages that may contain malware and viruses.
  • Email protection: Yup, you guessed it. Another protection subscription service, which utilises Forefront Protection for your Exchange servers and scans emails for viruses and spam content before they are delivered to your Exchange mailboxes.
  • Network Inspection System: Commonly referred to as NIS, this out-of-the-box feature scans traffic for exploits that target outstanding Microsoft vulnerabilities.
  • Other features: These include the long-awaited 64-bit and Windows 2008 support for greater scalability, Enhanced NAT for 1-1 publishing, and enhanced VoIP capabilities that should make for simpler voice deployments.
Now that we have been introduced to some of the notable features within TMG, let’s begin the installation and initial configuration. Before doing so, ensure that you have met the minimum system requirements, which are listed in the following TechNet article:
http://technet.microsoft.com/en-au/library/dd896981.aspx
After ensuring the minimum requirements are met, launch autorun.hta and, on the main setup splash page, begin by running the preparation tool. Because my machine is joined to the network and is running WSUS, I have purposely skipped the Run Windows Update step; however, please run it if you are not running WSUS in your environment.



Select Forefront TMG services and Management.  Click Next.




The Installation proceeds and begins configuring the necessary Windows Roles and Features that are required by TMG.


The installation begins and the wizard outlines the 3 core stages and estimated times.


Once the welcome screen appears, click Next.




Specify your installation path.  Click Next.


Add your Internal Network Address Ranges. Click Next.


You will receive the below warning message advising of services that will be restarted during the installation.  Click Next. Then click Install.


Upon launching Forefront TMG for the first time you will be presented with a Getting Started Wizard, which will assist in getting you up and running in 3 easy steps. Please note that if you are looking at importing your existing ISA 2006 Server configuration settings to the new TMG server, then you must close the wizard and accomplish this task first.


Let’s begin by going through the 3 stages of the Getting Started Wizard.  The first stage is Configuring your network settings.


Click Next
As in ISA 2006, the screen below allows you to select a network template; the wizard detects which types of network setup are configurable based on the number of adapters installed on your TMG server. In my instance, I only have a single adapter, and this is reflected in the screen capture below. This TMG setup is purely acting as a second-layer application firewall publishing our web applications such as SharePoint and Outlook Web App.


Click Next
Specify your IP address settings. It is best practice to assign a static IP address to your TMG server as opposed to utilising DHCP.


Click Next and Finish.
You will then be presented with Stage 2 of the Getting Started Wizard, Configure system settings.
The system will attempt to determine Host identification details such as Computer name, Windows domain and DNS suffix.


Click Next and Finish.
The third and final stage of the Getting Started Wizard is defining your deployment options.

Click Next
Specify whether Forefront TMG will use the Microsoft Update Service to check for updates. Please note that if your TMG server is configured to use WSUS, it will utilise this method first and use the Microsoft Update service as a fallback method.

The next screen allows us to configure TMG’s protection features such as Network Inspection System (NIS) and Web Protection. As mentioned earlier in the post, these are paid subscription-based services; however, Microsoft does provide you with a 120-day complimentary evaluation of these 2 product offerings.


Click Next
Specify your NIS signature update settings and how often it will check for new updates.


Click Next.
In the next screen, specify whether you want to participate in the Customer Feedback Improvement Program.
Click Next
In the next screen you will be given the opportunity to participate in the Microsoft Telemetry Reporting Service, where details of malware attacks etc. are sent to Microsoft, assisting them with improving TMG and its signatures.
Click Next and then Finish.



Upon clicking close, TMG will provide you with the ability to Run the Web Access Wizard to create your first rule.  We will be discussing Access Rules and Publishing Rules in upcoming articles in this TMG series.
I’d be interested to know how many TMG deployments are out there and how many are considering replacing their existing ISA boxes with TMG 2010.

How to Lock your PC – but not your screen – with KeyFreeze



If you’re leaving your PC unattended for a while then locking it (pressing Win+L) can be a sensible precaution, as it prevents others from viewing your files or interfering with running programs.
The Windows Lock function also hides the current contents of the screen, though, which is annoying if you want to leave a movie playing, or perhaps monitor the progress of some lengthy task you’re running. And that’s why you might sometimes prefer KeyFreeze, which locks your PC but leaves the screen active, just as before.
The program is tiny – a single 341KB executable – and portable. There are no unwanted extras here, just unzip it and you’re ready to go.
When you need to lock your system, just launch it. You’ll see a five second countdown, just long enough to rearrange any application windows to suit your needs. Once the countdown hits zero, your mouse and keyboard will effectively be disabled, with a single exception: pressing Ctrl+Alt+Del unlocks your system and you’ll be able to carry on as normal.
Just launch KeyFreeze and your PC will be automatically locked within seconds
If you’re thinking this doesn’t sound too secure, then you’re right. Leaving the screen visible in the first place means you’ll be giving away lots of information to anyone passing, and Ctrl+Alt+Del is perhaps the first hotkey anyone will guess.
Then again, KeyFreeze isn’t pretending to be a security tool. It’s not about protecting your system from attack, rather just reducing the chance of small children, or perhaps wandering pets, knocking the mouse or keyboard and causing problems. And it does this very well.
There are small improvements which could be made here. It’s good that the program has a countdown before locking, for instance, so that you can prepare the system for whatever you want it to do – but 5 seconds may not always be long enough. It would be better if the user could choose an appropriate delay.
For the most part, though, KeyFreeze is very effective, and if you need to protect your PC from curious kids then we’d give it a try.

Firefox 23 FINAL enables mixed content blocking, consolidates search settings



Mozilla has released Firefox 23.0 FINAL, the latest version of its open-source, cross-platform browser for Windows, Mac and Linux. The new build’s main highlight is the implementation of mixed-content blocking for improved security, but it also comes with a host of minor changes, including one that has already provoked a negative response from power users.
The controversial change is the consolidation of search default preferences so both Address bar and Search bar use the same default search engine. Previously Address bar searches defaulted to Google regardless of the default provider set in the Search bar.
The major consequence of this move is that the keyword.url configuration option has been removed, which previously allowed users to set their own choice of default search engine for the Address bar. Note that existing keyword searches are not affected.
Firefox 23 now blocks potentially dangerous insecure content on a secure website by default.
Frustrated users willing to risk breaking some other search features can restore the keyword.url functionality with the experimental keyword.URL Hack! add-on.
The new Mixed Content Blocker feature is switched on by default. It blocks certain insecure content, such as scripts, on secure websites to prevent eavesdropping and “man-in-the-middle” attacks.
On visiting such a site, all active insecure content is disabled and a small shield icon in the address bar will alert the user to the presence of insecure content. To view this content, click the shield icon followed by the Keep Blocking drop-down menu and choose Disable Protection on This Page. All content will subsequently load and the usual yellow warning sign indicating mixed content will be displayed in its place.
While passive content isn’t blocked, the site will not display a lock icon because it’s not fully encrypted.
Other improvements in Firefox 23 include a revamped program icon, plus the addition of a “click-to-start” option for disabled plugins. Instead of disabling or enabling plugins under about:addons, users can set plugins to “Always Activate” or “Never Activate”. By selecting the latter option, plugins won’t run unless a website specifically requests them, in which case the user can click to confirm the use of the plugin on that website only.
The new SocialAPI gains a number of updates in this release: support for a new Share Panel, full-screen video chats, a SocialMark recommend button and initial support for Web Install, which is designed to facilitate the finding and installation of new social providers.
Developers gain a new global browser console, plus a new Network Monitor toolbox, which provides a timeline view of network activity on a website – the data has been available since Firefox 4.0, but is now presented in a more accessible form. Similarly, the about:memory configuration screen provides a more functional user interface.
Three options have also been removed from the Preferences dialog: Load images automatically, Enable JavaScript and Always show the tab bar. There are also a number of developer updates, including partial support for Web Audio, enabled for testing purposes. Mac users should also see Firefox adopt the new scrollbar style implemented in Lion (OS X 10.7) and later.
Firefox 23.0 FINAL is available now as a free, open-source download for Windows, Mac and Linux.

Connectify Lite 6.0 sports new look, adds random password generator


Virtual router Connectify Lite 6.0 has been released, boasting a redesigned look, more flexible user interface and new menu bar alongside a random password generator.
Connectify makes it possible for users to turn their computer’s network connection – wired or wireless – into a personal Wi-Fi hotspot through their PC’s wireless network adapter. There is also a Pro version with enhanced and exclusive features not found in the free build.
Connectify Lite 6.0’s most visible change is its new look. The user interface, which is accessed via the program’s Notification area icon, can now be resized and dragged anywhere on the desktop for ease of access. It’s also no longer always on top of other windows, so can be hidden when not required.
Users can now resize and move the Connectify 6 dialog box.
The program also replaces its single menu with a menu bar splitting its options into three separate sections – Settings, Tools and Help – as well as a button for upgrading to the Pro version.
The new build also offers a Generate Password button that will allow users to quickly choose a more secure password for their hotspot. However, it has dropped support for WPS thumbdrives – this feature was removed in Windows 8 – while the Pro-only “Clone Wi-Fi” feature has been renamed “Wi-Fi Extender” to make its functionality more obvious.
Users should also find an increased number of companies and icons in the client vendor database, making it easier to identify which devices have connected to the virtual hotspot.
Connectify Lite 6.0 is available now as a free download for PCs running Windows 7 or later (older builds for earlier versions of Windows are available). A Pro version is available with extra features, such as support for 3G/4G adapters, custom SSID name, Wi-Fi extender functionality, drag-and-drop file transfers and firewall controls. It’s currently available for $25 (annual license) or $40 (lifetime) at the Connectify website.

Quickly search and explore thousands of plain text files with Depeche View Lite


Searching one or two plain text files is easy. Windows Search and Notepad will probably be enough. But when you need to browse ten files, a hundred, maybe even thousands, then you’re likely to need a little specialist assistance. And that’s where the free-for-personal-use Depeche View Lite comes in.
Point this tiny portable program at a location and it will open every plain text file in that folder tree (up to a maximum of 10,000 in this build, anyway – the $40 commercial version is unrestricted). These are all displayed in a flat view, one above the other, and that alone can be useful as it’s easy to scroll down and browse them all.
When you do have a lot of files then you’ll soon want to start searching, of course, and this is extremely easy. There’s no need to open a dialog box, just start typing and the screen immediately updates, displaying only matching files and highlighting every occurrence of your keyword.
Should you need more searching power, your text can also include operators like AND, OR and NOT, as well as the * wildcard. And you’re able to define a path mask which restricts your searches to particular files (main*.html NOT .html.old, say).



Just start typing and your search text will be found and highlighted immediately
If you prefer to keep typing to a minimum, you’ll appreciate the program’s many mouse options. For example, just clicking a word highlights it, and displays floating icons with more options (search, copy to clipboard, highlight phrase, and so on). Or right-clicking a word leaves your current window alone, and instead opens a pane on the right hand side with the results of your search.
And if you need to keep track of the various items you’ve found, that’s not a problem. Locations within any file can be bookmarked for speedy recall later.
At some point you may want to edit a file, and life isn’t quite so convenient here: unlike its commercial big brother, Depeche View Lite doesn’t have an integrated text editor. Just pressing Ctrl+E at any point will open the current file in Notepad, though, and you can customise this to have the program use whatever editor you like (Settings > Options > Search, Edit).
There are some issues with the program, and most of them relate to the, well, quirky interface. Features don’t always work as you expect, and it takes a while to find your way around.
Once you’ve learned the basics, though, Depeche View Lite proves an interesting and very capable search tool. And if you regularly work with large numbers of plain text files then it could save you a lot of time and hassle.

Aug 10, 2013

How to connect TP-Link wireless IP camera to router wireless

Before you can configure the wireless camera to connect to your router wirelessly, you need to get the following information first. Usually you can find it on your wireless router. If you don’t know how to get it, please contact the representative of your wireless router.
  1. The SSID, or the network name of your wireless router
  2. Wireless security settings on your wireless router.
After gathering the information above, you can follow the steps below to configure the camera.
 
Step 1 Use an Ethernet cable to connect the camera to the LAN port of the wireless router first. A wired connection is needed for the initial configuration.
 
Step 2 On a desktop or laptop which is connected to the same wireless router, open Intelligent IP Installer (you can find it on the disk) and then highlight your camera.
Click the Link to IE button; IE will start automatically and the login window will appear. Type in the username and password, and you will be able to see the web configuration interface.
 
 
Or, as you now know the IP address of the camera, you can manually type the IP address into the address bar of another web browser such as Chrome.
 
Step 3 Go to SETTING->BASIC->Network->Wireless page. To enable wireless function, check the option on.
 
Step 4 Click the Refresh button; all the available wireless APs will be listed in the wireless network box. Highlight your wireless router’s network name. Then fill in the following content:
1. Select the corresponding Authentication and Encryption, and type in the correct Passphrase or password, which should match the wireless settings on your wireless router.
If you are not sure about the information, please contact the representative of your wireless router.
 
2. Select Obtain an IP address automatically (DHCP) and Obtain DNS server addresses automatically. Click OK and the camera will start to connect to the router wirelessly.
 
 
Step 5 After connecting successfully, you can check the IP address assigned by the wireless router. There are three main methods you can use to check it.
Method 1: The IP address is shown on the wireless setting page of the IP camera.
 
Method 2: Use Intelligent IP Installer. A new IP address appears in the list after the IP camera has connected to the wireless router successfully.
Method 3: Check the DHCP clients list in the web management page of your wireless router.
In Step 4, you can also assign a fixed IP address to the camera. Just choose Use the following IP address and enter the IP address, subnet mask, gateway and DNS information accordingly. Keep in mind that the IP address you assign to the camera must not already be in use by another device on your home network.
 
Step 6 Unplug the Ethernet cable; the camera is now connected to the wireless router wirelessly. You can now use any desktop or laptop on the network to monitor the camera.

How to Create Users and User Templates in Windows Server 2008 Active Directory

You probably already know that a User Account in Active Directory is an Active Directory Object, or simply said, a record in an AD database. Most of the time we create user accounts for people, however user accounts can also be created for applications or processes.

User accounts allow a person to access resources on a network. But we can just as easily deny access to certain resources on the network through the user account. That’s why, User Account Objects are quite important and very useful.

Today I’ll show you how easy it is to create a new user account, create a user template and how to use a template in Server 2008 Active Directory. Next week we’ll discuss User Groups and Organizational Units. Now, let’s get started with creating a user account.

How To Create a New User Account in Active Directory

1. To start let’s go ahead and open up Server Manager

2. Next we will open up the Roles section, then the Active Directory Users and Computers section, and finally Active Directory Users and Computers. You should now see your domain name.

 3. We are going to click on our Users section where we are going to create a new User Account. To do so, right-click on the blank section, point to New and select User.

4. In this window you need to type in the user’s first name, middle initial and last name. Next you will need to create a user’s logon name.
In our example we are going to create a user account for Billy Miles and his logon name will be bmiles. When done, click on the Next button.

5. In the next window you will need to create a password for your new user and select appropriate options.
In our example we are going to have the user change his password at his next logon. You can also prevent a user from changing his password, set the password so that it will never expire or completely disable the account.
When you are done making your selections, click the Next button.
 6. And finally, click on the Finish button to complete the creation of new User Account.

How To Create a User Template in Active Directory

A user template in Active Directory will make your life a little easier, especially if you are creating users for a specific department, with exactly the same properties, and membership to the same user groups. A user template is nothing more than a disabled user account that has all these settings already in place. The only thing you are doing is copying this account, adding a new name and a password.
You may have multiple user templates for multiple purposes with different settings and properties. There is no limit on the number of user templates, but they are there to help you, not to confuse you, so keep in mind that less is better.
To create a user template, we are going to create a regular user account just like we did above. A little note here, you may want to add an * as the first character of the name so it floats at the top in AD and is much easier to find.
1. To start out, right-click on the empty space, point to new, and select User.
 2. Type in the user’s name (with asterisks if so desired) and click Next.
 3. Create the template’s password and do not forget to check the box next to the Account is disabled option. When ready, click Next.

 4. Once the account is created, you can go ahead and add all the properties you need for that template. To do so, double-click on that account and navigate to a specific tab. Once done click OK.

How To Use a User Template in Active Directory

1. Now in order to use that user template, we are going to select it, copy it and add the unique information such as user name, password, etc.
We can do that for as many users as needed. Let’s start by right-clicking on the template and selecting Copy.
 2. Next we are going to enter the user’s name, login and password information while making sure the checkbox next to Account is disabled is unchecked.

 3. Once we finish, our new user account is created with all the properties of the template account. Now wasn’t that easy!
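
The copy-from-template procedure above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes the ActiveDirectory module is available (it ships with Windows Server 2008 R2 and later), and the template logon name `tmpl-sales` is hypothetical.

```powershell
# Added example: create a user from a disabled template account.
# Assumptions: the ActiveDirectory module is installed; 'tmpl-sales' is a
# hypothetical template logon name. Billy Miles / bmiles is the sample user
# from the article.
Import-Module ActiveDirectory

$templateSam = 'tmpl-sales'
$newUser = @{
    Name           = 'Billy Miles'
    GivenName      = 'Billy'
    Surname        = 'Miles'
    SamAccountName = 'bmiles'
}

# Load the template with only the attributes that should carry over.
$template = Get-ADUser -Identity $templateSam `
    -Properties Department, Title, Company, Office

# A template is only safe to keep around while it stays disabled.
if ($template.Enabled) {
    throw "Template '$templateSam' is enabled. Disable it before using it as a template."
}

# Group memberships are not carried by -Instance, so read them separately.
# The primary group (Domain Users, RID 513) is assigned automatically.
$groups = Get-ADPrincipalGroupMembership -Identity $templateSam |
    Where-Object { $_.SID.Value -notlike '*-513' }

# Prompt for the password so it never appears in the script or its history.
$password = Read-Host -AsSecureString `
    -Prompt "Initial password for $($newUser.SamAccountName)"
$upn = '{0}@{1}' -f $newUser.SamAccountName, (Get-ADDomain).DNSRoot

# -Instance supplies the template's property values; the explicit
# parameters provide the details that are unique to the new user.
New-ADUser @newUser -Instance $template -UserPrincipalName $upn `
    -AccountPassword $password -ChangePasswordAtLogon $true

foreach ($group in $groups) {
    Add-ADGroupMember -Identity $group -Members $newUser.SamAccountName
}

# Equivalent of clearing the "Account is disabled" checkbox in the wizard.
Enable-ADAccount -Identity $newUser.SamAccountName

# Show the result so the copied settings can be reviewed.
Get-ADUser -Identity $newUser.SamAccountName -Properties Department, MemberOf |
    Select-Object SamAccountName, Enabled, Department, MemberOf
```

The script stops if the template account is found enabled, since a template with group memberships already in place should never be usable for logon.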

Aug 9, 2013

How to Configure Active Directory (AD DS) in Windows Server 2012


Windows Server 2012 introduces a plethora of new features with a key emphasis on Cloud integration being the buzz word in the industry over the last 24 months.  Windows continues to grow and mature as an operating system with the latest iteration being more secure, reliable and robust and more importantly making it easily interoperable with other systems.
This post will focus on installing a Windows 2012 Server and then promoting it as the first domain controller in a new forest. Even though the logical steps haven’t really changed dramatically since the introduction of Windows 2008, the interface has, especially with the new Metro look. So let’s begin our journey with Windows Server 2012, as this will be the first of many articles on configuring the different components that Windows Server 2012 has to offer.
Installing Windows Server 2012
The first step is to boot up from the CD or ISO image and select your language settings.

 Select your Language and input options and then click on Next.



Click Install Now
Select the operating system you want to install.  I have selected Windows Server 2012 Release Candidate Server with a GUI.  The other option is server core which was first introduced in Windows 2008 and is a minimal install with no GUI but provides remote management through Windows PowerShell and other tools.


Click Next
Accept the License terms


 Click Next

 We are performing a new installation of Windows Server, so click on Custom.
Partition your drives and then click Next.
The Installation of Windows then proceeds.

 The installation will eventually re-start your Windows Server where it will go through the final stages of preparing the environment for first time use.


 You will eventually be prompted to enter a password for the built-in Administrator account.


 
Click Finish
You will now be presented with the new Windows Login Screen, which is a fair change to what we have been accustomed to with previous releases of Windows Server.


Hit Ctrl+Alt+Delete to sign in, and enter your password.
You will be presented with the new Server Manager Screen which really simplifies the administration and configuration of your new server.  Our main goal for this article is to configure Active Directory and its related services such as DNS.



First thing I want to do is change the computer name.  Windows goes ahead and provides a default unique name in the form of WIN-<random characters>
To do so, from the Server Manager > Dashboard screen, click on Local Server and then click on the computer name hyperlink.

 This will take you to the all familiar System Properties


Click Change, enter a more desirable Computer Name and then click OK.
You will then be prompted to restart your computer to apply the changes.  Click Ok and then Click on restart now.
After your computer has restarted, we will be presented with the Server Manager Screen.  Now we are ready to configure this server as an Active Directory Controller.
Adding the Active Directory Domain Services Role
From the Dashboard click on “Add roles and features”. You will be presented with the “Before you begin” screen. Click Next. In the “Installation Type” screen click on “Role-based or feature-based installation”.


Click Next
You will be presented with the following screen asking you to select a destination server.  This is a new feature of Windows 2012 where you have the ability to deploy roles and features to remote servers and even offline virtual hard disks.
In our case, we are selecting the current server from the server pool.


Click Next
We are now back in familiar territory (if you have worked with Windows 2008 Server) and we will select the “Active Directory Domain Services” and DNS Server if it hasn’t already been provisioned.

 You will then be prompted to add features that are required for Active Directory Domain Services.

Click on Add Features
Click Next
If you want to add additional features, you can do so from the next screen, otherwise click Next


You will now be presented with the Active Directory Domain Services (AD DS) screen outlining some information about AD DS and its requirements. You will notice that DNS is a must, as has always been the case.


Click next
You are now provided with a summary of your installation selections.

 The installation will now begin

 Upon completion you will be presented with an installation succeeded message.


Click Close.
Back in Server Manager, you will notice that AD DS has been added to the left navigation tree.  Click on it and then click on More on the right navigation pane where it states that Configuration is required for Active Directory Domain Services.


You will now be presented with the All Servers Task Details, in which you will click on Promote this server to a domain controller under Action.
The Deployment Configuration screen appears and we will select “Add a new forest” as this is the first domain controller.


Enter your Root domain name and then click Next.
The following screen will then appear in which you will enter and select your Domain Controller Options.

You will then get the below warning, which you can ignore for now.


Click Next
The NetBIOS domain name will then be inputted automatically.  In the event of a conflict, it will suggest an alternative by appending the original name with a 0.


Click Next
Confirm or change the locations of your database folder, log folder and SYSVOL folder.


Click Next
Review your selections and then Click Next.
If all of the prerequisites checks have passed successfully, you will be able to click on Install to proceed.


Click Install
The installation will now proceed and you will see the progress being displayed.


The computer will most likely restart on its own to complete the installation so don’t be alarmed if it does.  You will receive a brief warning advising so.
Upon restart, you should be able to login using your domain credentials for the user administrator.
So let’s add our first user! We can do so via the new Active Directory Administrative Center or via the well-known Active Directory Users and Computers. For something different, let’s try the former.
Once Server Manager has launched, click on Tools > Active Directory Administrative Center
You will be greeted with the below Welcome screen.

Click on your domain on the left navigation pane; in my instance it is corp (local).


Let’s begin by creating our first Organizational Unit, which will house our corporate users (I am not a fan of using the default Users). On the right navigation pane under Tasks > <domain name>, click on New and then select “Organizational Unit”.
Enter the mandatory details.


Click OK
This will immediately create the Organizational Unit in the designated location.  Double click on your newly created Organizational Unit and on the left navigation pane, select New User.  The below screen appears in which you will fill in the necessary details.


Make sure you scroll down to the bottom and fill in all the necessary sections such as Groups, Profile Settings and Organization settings.
Once completed, Click OK.
Your newly created user will now be listed in the middle navigation pane.

As you can see, it is relatively straightforward to configure your first domain controller in a new forest using Windows Server 2012, particularly if you have had experience with Windows Server 2008.
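
The wizard steps above (rename, add the AD DS role, promote to the first domain controller of a new forest, create an OU) have PowerShell equivalents on Windows Server 2012. The script below is an added example, not part of the original article; `corp.local` follows the article's domain, while the NetBIOS name `CORP`, the computer name `DC01` and the OU name are assumptions. It is run once per stage because the server restarts after the rename and after the promotion.

```powershell
# Added example: scripted equivalent of the wizard, run once per stage.
# Assumptions: 'DC01', 'CORP' and 'Corporate Users' are illustrative names;
# corp.local is the domain shown in the article.
param(
    [ValidateSet('Rename', 'Promote', 'CreateOU')]
    [string]$Stage = 'Rename'
)

$computerName = 'DC01'
$domainName   = 'corp.local'
$netbiosName  = 'CORP'
$ouName       = 'Corporate Users'

switch ($Stage) {
    'Rename' {
        # Replace the default WIN-<random characters> name, then reboot.
        Rename-Computer -NewName $computerName -Restart
    }

    'Promote' {
        # Add the AD DS role and its management tools.
        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
        Import-Module ADDSDeployment

        # Same choices as the wizard pages: new forest, DNS on this server,
        # default database, log and SYSVOL locations.
        $forest = @{
            DomainName                    = $domainName
            DomainNetbiosName             = $netbiosName
            InstallDns                    = $true
            DatabasePath                  = Join-Path $env:SystemRoot 'NTDS'
            LogPath                       = Join-Path $env:SystemRoot 'NTDS'
            SysvolPath                    = Join-Path $env:SystemRoot 'SYSVOL'
            SafeModeAdministratorPassword = Read-Host -AsSecureString `
                -Prompt 'Directory Services Restore Mode password'
        }

        # Run the prerequisite checks first and stop on any error.
        $checks = Test-ADDSForestInstallation @forest
        $checks | Format-List Status, Message
        if ($checks | Where-Object { $_.Status -eq 'Error' }) {
            throw 'Prerequisite checks failed; fix the errors above before promoting.'
        }

        # Promotes the server and restarts it when finished.
        Install-ADDSForest @forest
    }

    'CreateOU' {
        # After the reboot: create an OU for corporate users instead of
        # relying on the default Users container.
        Import-Module ActiveDirectory
        $domainDn = (Get-ADDomain).DistinguishedName
        New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
            -ProtectedFromAccidentalDeletion $true
        Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" |
            Select-Object Name, DistinguishedName
    }
}
```

Prompting for the Directory Services Restore Mode password keeps it out of the script file, and the explicit prerequisite check mirrors the wizard's final validation page.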
