Monthly Archives: July 2012

Office 2013 Web App Server + SharePoint 2013 Integration

With the release of the Office 2013 Preview, Microsoft also launched a beta of Office Web Apps Server. The product is already familiar from Office 365 and SharePoint 2010; it lets you host the browser versions of Word, Excel, PowerPoint and OneNote in your own infrastructure and use them together with Exchange, SharePoint or Lync 2013. You can also manage the deployment via PowerShell, which is pretty nifty (more on that later).
This release adds some features over the previous version and removes some restrictions.
As the name Web Apps suggests, users work with the apps in a browser, even from a tablet (though not all tablets support the editing function yet, only viewing).
(Image from Microsoft.com)

To install the product you need either:
Windows Server 2008 R2 with SP1 + .NET 4.5 + PowerShell 3.0 + KB2592525
Download .NET 4.5 RC: http://go.microsoft.com/fwlink/p/?LinkId=256560
Download KB2592525: http://go.microsoft.com/fwlink/p/?LinkId=236954
Download PowerShell 3.0: http://go.microsoft.com/fwlink/p/?LinkId=256560
or Windows Server 2012 (which has all the prerequisites built in).
The server also has to be joined to an Active Directory domain, and you need another product such as SharePoint to integrate it with; on its own the server does nothing useful.
IIS must also be installed with the following features.

For Windows Server 2008 R2

Import-Module ServerManager

And then run:

Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

For Windows Server 2012

Import-Module ServerManager

And then run:

Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices

Now we can start installing Office Web Apps Server.
After the installation, open PowerShell and import the Office Web Apps module:

Import-Module OfficeWebApps
You might need to open PowerShell from the admin module folder within Office Web Apps if the module is not found on the path.
We can list all the cmdlets available in the module.
Now we can create a Web Apps server farm (which here consists of this single server) by running this command:

New-OfficeWebAppsFarm -InternalURL http://servername -AllowHttp -EditingEnabled

(This creates a farm with the internal URL http://servername that only communicates over HTTP, and enables the editing function for use with SharePoint 2013. -AllowHttp is fine in a lab, but it means documents travel between SharePoint and the Web Apps farm in clear text; for anything real, give the farm a certificate with the -CertificateName parameter instead. Since I don't have SharePoint installed at this moment I'm going to run the command without the Editing parameter.)

Now verify that the farm was created successfully by opening http://servername/hosting/discovery in a browser.
If it works as expected you should see the WOPI discovery XML in the browser.
<?xml version="1.0" encoding="utf-8" ?>

- <wopi-discovery>

- <net-zone name="internal-http">

- <app name="Excel" favIconUrl="http://servername/x/_layouts/images/FavIcon_Excel.ico" checkLicense="true">

Something like that.
After that is complete, head over to the SharePoint 2013 server and open a PowerShell window.
Remember that Office Web Apps can only be used with SharePoint web applications that use claims-based authentication.
If you are unfamiliar with configuring claims-based authentication in SharePoint, see http://technet.microsoft.com/en-us/library/ee806885(v=office.15)

Import the SharePoint module

Add-PsSnapin Microsoft.SharePoint.PowerShell

Now you have to create a binding between the SharePoint server and the Office Web App server.

New-SPWOPIBinding -ServerName <WacServerName> -AllowHTTP


In my case: New-SPWOPIBinding -ServerName SCCM -AllowHTTP
Next we have to set the WOPI zone to internal-http:

Set-SPWOPIZone -Zone internal-http
After that, open a SharePoint library and open a document.

Just clicking the document triggers Office Web Apps, which opens the document in the browser.
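The whole procedure above, farm creation, discovery check and SharePoint binding, as one script. This is an added example and not code from the original post; it assumes the Web Apps server is named WAC01, that the farm is HTTP-only for a lab, and that the first half runs on the Web Apps server and the second half on the SharePoint 2013 server. The Test-WopiDiscovery function is my own helper for checking the discovery XML instead of eyeballing it in a browser.

```powershell
# Added example (not from the original post). Assumed server name: WAC01.

# --- Run on the Office Web Apps server ---
Import-Module OfficeWebApps

# Lab only: -AllowHttp lets SharePoint and the farm talk in clear text.
# Production: replace -AllowHttp with a certificate installed in the machine store, e.g.
#   New-OfficeWebAppsFarm -InternalUrl 'https://wac01.corp.example' -CertificateName 'WAC Cert' -EditingEnabled
New-OfficeWebAppsFarm -InternalUrl 'http://WAC01' -AllowHttp -EditingEnabled

function Test-WopiDiscovery {
    # Fetches /hosting/discovery and lists the apps and actions the farm advertises.
    param([string]$BaseUrl = 'http://WAC01')
    $response = Invoke-WebRequest -Uri "$BaseUrl/hosting/discovery" -UseBasicParsing
    [xml]$discovery = $response.Content
    if ($discovery.DocumentElement.Name -ne 'wopi-discovery') {
        throw "Unexpected discovery document from $BaseUrl"
    }
    foreach ($zone in $discovery.'wopi-discovery'.'net-zone') {
        foreach ($app in $zone.app) {
            [pscustomobject]@{
                Zone    = $zone.name                       # e.g. internal-http
                App     = $app.name                        # Word, Excel, PowerPoint, OneNote...
                Actions = ($app.action | ForEach-Object { $_.name }) -join ','
            }
        }
    }
}
Test-WopiDiscovery | Format-Table -AutoSize

# --- Run on the SharePoint 2013 server ---
Add-PSSnapin Microsoft.SharePoint.PowerShell

# -AllowHTTP must match the farm: drop it (and use internal-https) once the farm has a certificate.
New-SPWOPIBinding -ServerName 'WAC01' -AllowHTTP
Set-SPWOPIZone -Zone 'internal-http'

# Check that no binding points somewhere other than the farm we just built,
# and confirm the zone SharePoint will use.
Get-SPWOPIBinding | Where-Object { $_.ServerName -ne 'WAC01' } | ForEach-Object {
    Write-Warning "Stray binding: $($_.ServerName) $($_.Application) $($_.Action)"
}
Get-SPWOPIZone
```

The discovery check is worth keeping around: if the farm later gets a certificate and you forget to re-run New-SPWOPIBinding without -AllowHTTP, the zone and the bindings no longer match and documents silently fail to open.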



This release is part of Microsoft's Office 365 offering. They have already made the Azure portal available for download; will we see the Office 365 portal as a download soon as well?
If you wish to try the product you can download it from here:
http://www.microsoft.com/en-us/download/details.aspx?id=30358

Hyper-V 2012 and BSOD with WLAN

Lately I have had some strange issues with my Hyper-V server (running Server 2012), which is connected to my intranet using WLAN. Why, you ask? Because WLAN is supported in 2012 and it is the only way I can connect the server to the network without using EoP.
I am using the wireless adapter as the bridge adapter for my virtual interfaces, so all my virtual machines connect to the internet through the wireless adapter.
At random times my server got a BSOD.
With the regular DRIVER_IRQL_NOT_LESS_OR_EQUAL error message (not like the picture shown above).
I started looking in the normal places. Is something wrong with a driver? I hadn't installed anything recently and it had been working fine for a couple of months, so it couldn't be that. Could Windows Update have updated a driver without notifying me? According to the event log for the drivers, that was a no too.
Next I checked my memory modules, which also have a tendency to cause BSODs. No faults there either, and the BSOD was happening at random times. So, troubleshooting 101: what did you change before the first BSOD? I had added my WLAN as the connection for the virtual switch, so I removed the wireless adapter from the server, and no BSOD. Now I was one step closer and had found what was creating the BSOD. I tried updating the drivers for the wireless adapter, but there were no new drivers available.
Therefore I had to resort to debugging the memory dump using WinDbg. (You can find the memory dump at C:\Windows\MEMORY.DMP.)

First I added the Microsoft online symbol path:
SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
(If you do this after you open the memory dump, run .reload afterwards.)

Looks like the culprit here is bridge.sys, but what is that?
Hyper-V creates a bridge between your virtual interface (the virtual switch) and your physical interface when you choose "Allow management operating system to share this network adapter", and this bridge (visible under Network Adapters) is the source of the problem.
By choosing this option the parent host can stay online using the same physical interface that the virtual machines use.
I know there are a lot of features that are not supported over a wireless connection, but since Microsoft says WLAN is supported in 2012, it had better work in time for the RTM.
FYI: the only fix I have found so far is to uncheck "Allow management operating system to share this network adapter". This removes the bridge, and I haven't had a BSOD since.
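To find the configuration described above on a host without clicking through the switch manager, here is an added example (not from the original post) that looks for external virtual switches bound to a Wi-Fi adapter while still sharing it with the management OS, and applies the same workaround through Set-VMSwitch. It assumes the Hyper-V and NetAdapter modules that ship with Windows Server 2012; the function name Get-WirelessSharedSwitch is my own.

```powershell
# Added example, not part of the original post. Requires Windows Server 2012 Hyper-V.
Import-Module Hyper-V
Import-Module NetAdapter

function Get-WirelessSharedSwitch {
    # Wi-Fi adapters report 'Native 802.11' as their physical media type; wired ones report '802.3'.
    $wifi = Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
    if (-not $wifi) { return }
    $wifiDescriptions = $wifi | ForEach-Object { $_.InterfaceDescription }

    # An external switch records the physical adapter it is bound to; match it against the Wi-Fi list.
    Get-VMSwitch -SwitchType External | Where-Object {
        $wifiDescriptions -contains $_.NetAdapterInterfaceDescription
    } | Select-Object Name, NetAdapterInterfaceDescription, AllowManagementOS
}

$risky = Get-WirelessSharedSwitch | Where-Object { $_.AllowManagementOS }
if ($risky) {
    $risky | Format-Table -AutoSize
    # Workaround from the post: stop sharing the adapter with the parent partition.
    # The host loses its own connectivity over that NIC, so do this from the console
    # or with a second adapter in place. -Confirm prompts before each change.
    $risky | ForEach-Object { Set-VMSwitch -Name $_.Name -AllowManagementOS $false -Confirm }
} else {
    'No external switch is sharing a wireless adapter with the management OS.'
}
```

Run it before and after the change; the second run should report no shared wireless switch, which is the state the post ended up in.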

Windows Server 2012 Essentials (formerly known as Small Business Server)

Windows Server 2012 Essentials is now available in public beta!
Essentials (formerly known as SBS) was made available for download last week. For those not so familiar with SBS, it is a product aimed at the SMB market, with up to 25 users. It doesn't come with all the features that a full Server 2012 has; it focuses on what a small business needs:

* Network folders
* Email ( Not including exchange anymore, you can integrate it with Office365)
* Backup
* Security settings (via Group Policy)

SBS 2012 is built on the regular Server 2012, but it is made a lot easier for the IT guy or power user to manage via the Dashboard.
Let's take a walk through it.

The setup looks like a regular Server 2012 install, but after it finishes you get a wizard.

In my case this is a stand-alone server without an existing domain, so I choose "Clean install".

Here you get a wizard to enter the company name, the internal domain name and the computer name.

Now we have to create an admin account (note: NEVER use the username administrator2 in a real environment).

Next we create a regular user account to be used for my day-to-day work.

After that, setup finishes the configuration (this might take some time).

After it finishes and reboots, the familiar Start menu appears.

From here, start the Dashboard. This is the tool the admin will use in Essentials.


From here you get a nice, clean view of how you can configure everything.

From the Users pane we can create new users, define which computers a user can connect to remotely, activate an account as an Office 365 user (once the integration is in place), define which folders a user can access, etc.

Devices is the list of devices connected to the domain. For each it shows:
* Update status
* Security status
* Backup status
and any active alerts.
For my primary server I can also activate Online Backup using the Windows online backup service, and I can remotely start a backup on any other computer.

Storage just lists the shared folders on the server, so nothing interesting there.
In the Applications tab I can find available "Add-ins" from the Microsoft Pinpoint store, but by default no add-ins are included.

If I open the Alert viewer (the red cross in the upper right corner), I get all the active alerts for the server.

From here I can set up e-mail notifications and run some actions; for this alert, for instance, I can click "Activate your Server".

In the Settings menu I can alter the server configuration, such as Windows Update, the Media Server and Anywhere Access.

But back to a very useful menu: e-mail!
In previous versions of SBS, Exchange was included in the product. In this release Microsoft has removed Exchange and is focusing on moving customers to Office 365. Since I have an active account there, let's set up the integration.

It is pretty straightforward.
Just click Next, enter your Office 365 account and choose "Apply strong password policy".

After that is done, the Dashboard reopens and Office 365 appears as a menu tab.

If I go to the Users pane now, I can assign an Office 365 account to a user.

So let's connect a computer to this domain. Open a browser on a Windows 7 or Windows 8 computer (this is required for the SBS 2012 beta) and go to http://servername/connect

Download the software and run the wizard. Note that the wizard asks for a username and password: enter your regular user account, not the admin account!

Once it is finished the machine appears in the Devices tab.
As I said before, from here I can enable and start backup, and I can also push some basic settings for Defender, Windows Update and Windows Firewall via Group Policy (those are the only settings you can set from the Dashboard).

Many are going to miss the Exchange integrated in this server product. I believe it is the right call for Microsoft to move users to their Office 365 solution: why be dependent on a single server running every service you have? What happens if your SBS server suddenly dies? Of course some people wish to have more control over where their data is, and I agree to a certain point, but note that this release is still in beta; I'm guessing an Exchange 2013 option might appear in a later release, you never know.

Office 365 preview

A couple of days ago, Microsoft released a new preview of the Office 365 family:
http://www.microsoft.com/office/preview/en/try-more-products

This release includes the new (2013) versions of SharePoint, Exchange and Lync (all of which were also released a few days ago) as well as the Office 2013 Preview.
The Office 2013 Home edition includes new versions of Word, Excel, PowerPoint, Outlook, OneNote, Publisher and Access.
Business and Pro Plus also include Lync.

NOTE: Office 2013 requires either Windows 7 or Windows 8.
With this release Microsoft wants to move users towards the cloud with Office as well, since you need to sign up for Office 365 in order to download Office 2013.
Office 2013 Preview users can sign in with either of two types of credentials: Personal (Microsoft account) or Organization (the Office 365 user ID assigned by the organization).

Here are the features as stated on Microsoft.com (for the Home Premium version):

  • A personalized Office experience on up to 5 PCs or tablets.
  • Powerful new versions of Word, Excel, PowerPoint, Outlook, OneNote, Publisher, and Access.
  • Streaming full versions of Office applications with Office on Demand (PC running Windows 7 or 8 and Internet connection required).
  • If you’re also trying Windows 8 Release Preview, be sure to check out the OneNote Preview in the Windows Store. Keep your notes, pictures, voice memos, and web pages in one easy to access place so you have them when you need them.
  • Coming soon, with the full release of Office 365 Home Premium:
    • Talk to anyone using Skype, including 60 minutes of free international calls every month to landlines in over 40 countries and to cell phones in 7 countries. (Skype account required. Excludes special, premium and non-geographic numbers.)
    • Get an additional 20 GB of SkyDrive online storage for easy access and sharing of your documents.
    • Office for Mac

When you install Office 2013, every application has the option to save files directly to a SkyDrive folder. By default the install uses the "Click-to-Run" method, a virtualized and streamed installation, so a cached copy of Office lives on your computer. (Notice that right after installation you can use the applications but not yet offline; Windows is still caching them for offline use. Think of it as App-V.)

If you need to customize the Click-to-Run setup, you can download a customization tool here (run its setup.exe with the parameter /download to download the source files):
http://www.microsoft.com/en-us/download/details.aspx?id=30344

And also you can download the regular installation files here –> http://www.windowsvalley.com/office-2013-customer-preview/


This preview release has been launched in four different "packs":

Home Premium Preview (For the common household for up to 5 PCs or tablets)
Small Business Premium Preview (For SMB’s includes Lync, and Exchange online)
Pro Plus Preview (Same here)
Enterprise Preview (Pro Plus + some more)

Let's take a quick look at the new pages.

Here is the new Admin center preview. Like the previous release, I have all my other stuff like Outlook, SharePoint etc. in the top menu.
But I like the new look and feel.

Here is the new Office 365 Exchange (powered by Exchange 2013). This also includes the Calendar and People panes.

The new EAC (Exchange Admin Center):

SkyDrive Pro (the web part powered by SharePoint 2013):
When you install Office 2013, you also get a SkyDrive app which you can connect to SkyDrive Pro.

The regular "Team site":

And of course you have the admin modules. (I still can't see any new PowerShell functions that I can download.)

Lync Administration Center: in this release you can now use Enterprise Voice with Office 365; so far the only available service provider is Jajah.

You can also download software that sets up your Office apps to work directly with Office 365.
All users have to do is enter their username and password and everything gets set up accordingly.

Microsoft has also released a version of Office Web Apps Server, which provides browser-based versions of Word, Excel, PowerPoint and OneNote.
This server has the same requirements as a SharePoint server.
http://www.microsoft.com/en-us/download/details.aspx?id=30358

They have also released new versions of Project Server 2013 and Visio, which you can get here:
http://technet.microsoft.com/en-US/evalcenter/hh973403.aspx?wt.mc_id=TEC_120_1_33 (Project Server)
http://technet.microsoft.com/en-us/evalcenter/hh973399.aspx (Visio 2013)

Word 2013

Here I can also add sharing services like LinkedIn, and storage services like another SkyDrive account or a SharePoint site. Pretty nifty.
I don't know what Microsoft's fascination with the color blue is, but I like it.

I also adore the new Lync client (new one and the old one).

With this new release of Office 365, Microsoft is making its cloud product even better. Now fueled by the 2013 versions of Exchange, Office, Lync and SharePoint, we end users have a lot of new functionality coming our way.
I am particularly looking forward to how Office 2013 works on Windows RT (Surface), since it is supposedly going to be touch friendly. But something I'm still missing in this release of Office 365 is the possibility to connect O365 with Intune so we can manage mobile devices connected to O365 via Intune; hopefully this feature will appear in the future.
Since Microsoft released the web portal for Azure last week, maybe they will release the portal for Office 365 in the future?
I'm also guessing this means new certifications for Office 365.

Windows Azure in your own datacenter

Wow, a lot is happening around Microsoft these days.
Just recently Microsoft released the Service Management Portal and API for Windows Azure as a free download for hosting providers.
http://www.microsoft.com/hosting/en/us/services.aspx

Quick start guide –> http://go.microsoft.com/?linkid=9813519
Detailed step-by-step –> http://go.microsoft.com/?linkid=9813518

I have taken a quick walkthrough of the web part.

Requirements:
Hyper-V host server for the Service Management Portal and Web Sites VMs:
* Dual processor, quad core
* Operating system: Windows Server 2008 R2 SP1 Datacenter Edition with Hyper-V (64-bit) / Windows Server 2012 with Hyper-V (64-bit)
* RAM: 48 GB
* 2 volumes:
  * First volume: 40 GB or greater (host OS)
  * Second volume: 100 GB or greater (VHDs)
Separate SQL server(s) for the Web Sites configuration databases and the users'/web sites' databases, running Microsoft SQL Server 2008 R2.
Separate MySQL server version 5.1 for users'/web sites' databases.
Either a Windows UNC share or a NAS device acting as a file server to host web site content.

As you can see, the download consists of the multiple services that make up Azure, and the installation might require multiple restarts.

Once it is finished, click Finish and Internet Explorer will open a connection to localhost:30101.
This is the Service Management Console; it uses a self-signed certificate, so you will get a certificate warning.

Here you enter the setup configuration for the SQL server.
You also get a bunch of new PowerShell cmdlets.

If you open the IIS admin console you see that you have a bunch of new web sites.
For instance https://localhost:30081/ is the Service Management website and https://localhost:30091/ is the admin site.

Since I'm blogging this while on vacation I don't have access to my home lab environment... sad but true. More will come on this subject.

Citrix Receiver on Linux (Ubuntu)

A quick post on how to get Citrix Receiver up and running on Ubuntu 11.04; the installation is the same for 12.04.
First go to the Citrix Receiver download site and choose Linux under "For desktops":
http://www.citrix.com/English/ss/downloads/details.asp?downloadId=2323812&productId=1689163

From here choose the .deb file (the Debian software package format).

Choose to open it via Ubuntu Software Center and press OK.

From here just click the Install button.
You will get a pop-up asking if you accept the EULA; click Yes and press Forward.
After it is done installing, you can find it via the search function.

But before we can start it we have to make a change. By default the ICA client has its own certificate store, and it ships with only 4 or 5 root certificates, so most likely when you set up a connection to an SSL-encrypted site you will get a certificate error.
We therefore copy the CA certificates from the Mozilla CA store into the ICA client's store. This makes the ICA client trust the same public CAs as Firefox; if your Web Interface or gateway uses a certificate from an internal CA, that CA's certificate (PEM format, .crt) has to be copied into the same directory as well.
From a terminal run:
sudo cp /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/

After you have run the command you can start the client.

The GUI is... well, terrible.
Click the View button and choose XenApp.

Enter the URL of your Web Interface (WI).

Enter your username and password

Now the client lists all my available apps just like the regular Citrix client does.

And I can start connections like a regular client.

AND! Just ignore the fact that I have 405 updates available in my update manager.
Bad, bad IT admin.

Comptia CASP (Advanced Security Practitioner)

I have always had a huge interest in computer security, and I believe that the best way to defend yourself from computer attacks is to be up to speed.
Computer attacks are becoming more and more sophisticated, and therefore you need to know all the aspects of your infrastructure in order to be prepared.
If you are like me and like to pursue certifications and have an interest in security, I would suggest the following!

1: If you want to move towards Microsoft, start with MTA Security Fundamentals (http://www.microsoft.com/learning/en/us/exam.aspx?ID=98-367&locale=en-us), then continue with either client, server, SQL etc.
2: If you want to move towards networking, Cisco has an excellent security track. You start with CCNA and then continue with CCNA Security (http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html).
3: If you want a little of both and a bit more of the administrative part, pursue CompTIA Security+ (http://certification.comptia.org/getCertified/certifications/security.aspx).

When you have all of these, you can for instance start on the EC-Council exams (CEH, Certified Ethical Hacker, covers a lot about how hackers think and how they gather information; great stuff!).

The next certification I plan to take is the CompTIA CASP (and I intend to spend my holiday reading for it).

A little bit about the certification:
The CASP certification is an international, vendor-neutral exam that proves competency in enterprise security; risk management; research and analysis; and integration of computing, communications, and business disciplines.
The exam covers the technical knowledge and skills required to conceptualize, design, and engineer secure solutions across complex enterprise environments. It involves applying critical thinking and judgment across a broad spectrum of security disciplines to propose and implement solutions that map to enterprise drivers.

Number of questions
80 (maximum)

Length of Test
150 minutes

Passing Score
Pass/Fail only. No scaled score.

Recommended experience
10 years experience in IT administration, including at least 5 years of hands-on technical security experience

You can download the exam objectives here: http://certification.comptia.org/Training/testingcenters/examobjectives.aspx
But I can give you the headlines:

* Enterprise Security (the technical part of the exam): 40%
* Risk Management, Policy/Procedure and Legal (risk implications associated with business decisions, etc.): 24%
* Research and Analysis (analyze industry trends and outline potential impact to the enterprise): 14%
* Integration of Computing, Communications and Business Disciplines (the administrative part): 22%

If you wish to study for this exam, I suggest buying a book from Amazon: http://www.amazon.co.uk/CompTIA-Advanced-Security-Practitioner-Study/dp/1118083199/ref=sr_1_1?ie=UTF8&qid=1341916018&sr=8-1
But remember that CompTIA recommends 10 years of experience in IT administration and at least 5 years of technical security experience, and so does the book. Not all terms in the book are explained as well as they should be, so if there is something you are unsure about, Google it or look it up on Wikipedia.
And of course this is not that technical an exam; it is split roughly 50/50 between technical and administrative content (much like the CISSP).

Forefront TMG

I wrote previously about Lync 2010 and stated there that you need Forefront TMG as a reverse proxy for the Lync components. (You can also use other HLB products such as BIG-IP or NetScaler, but remember that they don't have the security capabilities that TMG has; then again, NetScaler and BIG-IP are hardware appliances, so I'm guessing they have a lot better throughput than TMG does.)
Therefore I thought everyone could use a quick introduction to what Forefront TMG actually is.
NOTE: UAG Service Pack 1 Update 1 (?) now fully supports Lync, so you can use UAG as a reverse proxy as well.

So what is Forefront TMG (Threat Management Gateway), previously known as ISA (Internet Security and Acceleration) Server?
It is a multi-feature product that includes:
* Router, VPN server, NAT server and proxy server roles.
* Web caching.
* Application-layer and stateful firewall with anti-malware protection.
* ISP redundancy (you can for instance have 2 connections to the internet and use them for load balancing and failover).

And as many others before me have asked, what is the difference between UAG and TMG?
TMG is mostly a product to secure your network from outside intrusion, while you would use UAG to publish internal resources in the most secure manner. UAG is mostly a reverse proxy and SSL VPN product, but it can act as a firewall as well (it includes TMG for the firewall part). So in short:

You would use TMG to block unwanted traffic and to inspect traffic.
You would use UAG to secure corporate access from the outside in.

So this post will be about installing TMG and how to publish the Lync web sites via TMG.

Requirements for TMG 2010:

CPU
64-bit, 1.86 GHz, 2-core (1 CPU x dual core) processor.

Memory
2 GB, 1 GHz RAM.

Hard Disk
2.5 GB available space. This is exclusive of the hard disk space required for caching or for temporarily storing files during malware inspection.

One local hard disk partition that is formatted with the NTFS file system.

Network adapters
One network adapter that is compatible with the computer's operating system, for communication with the internal network.

Operating system
Windows Server 2008

  • Version: SP2 or R2
  • Edition: Standard, Enterprise or Datacenter

Windows Roles and Features

These Roles and Features are installed by the Forefront TMG Preparation Tool:

  • Network Policy Server.
  • Routing and Remote Access Services.
  • Active Directory Lightweight Directory Services Tools.
  • Network Load Balancing Tools.
  • Windows PowerShell.

Note that you need to be connected to the internet in order to install Forefront TMG (it needs to download updates etc.).
NOTE: you can check the setup log under C:\Windows\Temp
You can download a trial of Forefront TMG from here: http://www.microsoft.com/en-us/server-cloud/forefront/threat-management-gateway-trial.aspx

Before we start the setup, run the Preparation Tool. This verifies that the computer has all the prerequisites in place.

Here choose that you wish to install TMG services and Management. Click Next and the tool will install all the required prerequisites.

Now that we are done with the prerequisites we can continue with the TMG installation. Go back to the main setup menu and click Run Installation Wizard.

The setup is pretty simple: just click Next, accept the license terms and choose a default location.

Here you have to add an internal network. Typically you have multiple NICs connected to TMG.

In my case "Local Area Connection 2" is my internal network card. (If you notice, I have an APIPA address; I changed the IP and ran the wizard again, so check that you have the correct IP address set before you continue the installation. Of course you can change this in the Forefront console afterwards if you wish.)

After the installation is complete you can open the TMG console from Start -> All Programs -> Forefront TMG -> TMG Management.

Before we start, Forefront shows a "Getting Started" wizard that is worth a quick walk through before we continue (we could also just close it).

Press Configure network settings. Here we configure how TMG is deployed. In my scenario TMG is the edge firewall, and local connections to the internet are routed through the TMG server.

Here again we configure which NIC is connected to the internal network.

Next we set which NIC is connected to the internet.

Click Next and Finish. Now that Forefront knows which NIC is connected to the internet and which is connected locally, they are labeled "Internal" and "External". This makes it easier to set up ACLs and settings: if you need to change a NIC on the server, you only change which NIC maps to which network, and don't have to change or update all the ACLs.

Now we are back in the Getting Started wizard; click on "Configure system settings".

In my case I have installed the TMG server as part of the domain; you can also install it in a workgroup, and there are pros and cons to each.
If TMG is an edge firewall and domain joined, someone who manages to compromise your AD domain may also be able to shut down the firewall.
Microsoft recommends placing the TMG servers in a separate forest with a one-way trust, so that a compromise at the edge does not spill into the internal forest.
Some features require a domain-joined server, such as the VPN server, and in general a domain-joined TMG makes authentication easier.

Click Next and Finish.
Now we are back in the Getting Started wizard again. Click "Define deployment options".

This just goes through the system settings. Click Use Microsoft Update (this gives you the ability to update malware definitions and such for Forefront).

Here you decide whether to enable the Network Inspection System (NIS) and Web Protection with malware inspection and URL filtering.
NIS is TMG's IPS (Intrusion Prevention System) and it is signature based, so before it can start protecting your network from unwanted traffic you need to download the NIS signatures:
http://technet.microsoft.com/en-us/library/dd441019 (this enables traffic to be inspected for exploits of Microsoft vulnerabilities).
Another thing you can do is use Metasploit to test your network for known exploits and see if Forefront triggers (but more about that in a later post).
URL filtering lets you deny or grant access to web sites based on URL categories (porn, drugs, etc.).

(Customer Feedback) As I have stated before, Microsoft actually uses this data, so it should be enabled.

Click Next and you are finished with the setup. By default the setup checks "Run the Web Access Wizard" after you click Close,
so if you don't want to make any changes there, just uncheck it and click Close.

We can take a quick look at the Web Access Wizard as well.

First, if we wish TMG to set up default rules that block access to malicious URLs, we can enable that here. Click Next and let's add a blocked web destination.
In my case I’m going to add vg.no.
You can add a * as a wildcard after the URL.
For instance http://microsoft.com/*

Add that to a destination category, click OK.


You can also create overrides here (Active Directory users or groups that get unrestricted web access regardless of the blocking rules). Click Next.

Here the malware inspection settings come in. Choose Yes to enable malware inspection.


Here you choose whether users are allowed to make HTTPS connections. In my case I chose "Do not allow", which means users cannot log in to sites that require HTTPS. For most real deployments you would allow HTTPS and decide separately whether to enable HTTPS inspection, since blocking it outright breaks every site with a login. Click Next.

Now we come to the web cache configuration. This lets TMG cache frequently requested web objects in memory and on disk to improve browsing performance and reduce bandwidth utilization: when a user browses to a site, TMG first tries to fulfil the request from the cache, and if the content is not cached it makes the request to the web server as normal. We will go into the different caching options later in the post. What I did here was add a local cache on the server with a total of 2000 MB. After that is done, click Next.


And finish!
We are now back to the main console.

As you can see here, TMG has now applied the rules from the wizard. It has created four rules:
1 Block HTTPS traffic (which we defined in the wizard)
2 Block the web destination VG Nett
3 Allow web access for all users
4 The last rule, the built-in Default rule, which denies everything that nothing above it matched.
Rules are evaluated from the top down, and the first rule that matches a request decides the outcome, so the order matters: HTTPS and vg.no are denied by rules 1 and 2 before the allow rule is ever reached, plain HTTP to any other site is allowed by rule 3, and anything that matches none of the three falls through to the Default rule at the bottom and is denied. (System policy rules, hidden in the console by default, are evaluated before the firewall policy.)
You can move rules up and down to alter the processing order; if the allow rule were moved above the HTTPS block, HTTPS would be allowed. And as you can see at the top of the console, even though the policy is visible it is not active yet. We have to click "Apply" first.
You can also see in which direction the traffic is being blocked.
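To make the evaluation order concrete, here is an added example (mine, not code from the original post or from Microsoft). The first part models TMG's top-down, first-match evaluation over a simplified copy of the four rules the wizard created; the second part reads the real rule order from a TMG server through the Forefront TMG administration COM object (FPC.Root). The rule shapes, the host names used in the sample requests, and the numeric enum-to-name tables are assumptions; real TMG rules also match on source and destination networks, users and schedules.

```powershell
# Added example, not from the original post. The four rules below are a
# simplified model of the ones the Web Access Wizard created above.
$WizardPolicy = @(
    @{ Name = 'Block HTTPS';                    Action = 'Deny';  Protocols = @('HTTPS');         Sites = @('*') }
    @{ Name = 'Blocked Web Destinations';       Action = 'Deny';  Protocols = @('HTTP', 'HTTPS'); Sites = @('vg.no', '*.vg.no') }
    @{ Name = 'Allow Web Access for All Users'; Action = 'Allow'; Protocols = @('HTTP', 'HTTPS'); Sites = @('*') }
    @{ Name = 'Default rule';                   Action = 'Deny';  Protocols = @('*');             Sites = @('*') }
)

function Test-SiteMatch {
    param([string]$Pattern, [string]$HostName)
    # A bare '*' matches every destination; anything else is a wildcard pattern
    if ($Pattern -eq '*') { return $true }
    return ($HostName -like $Pattern)
}

function Resolve-PolicyDecision {
    param([object[]]$Policy, [string]$Protocol, [string]$HostName)
    # Walk the policy top to bottom; the first rule that matches decides.
    # The Default rule matches everything, so no request falls off the end.
    foreach ($rule in $Policy) {
        $protocolMatch = ($rule.Protocols -contains '*') -or ($rule.Protocols -contains $Protocol)
        $siteMatch = @($rule.Sites | Where-Object { Test-SiteMatch -Pattern $_ -HostName $HostName }).Count -gt 0
        if ($protocolMatch -and $siteMatch) {
            return [pscustomobject]@{
                Protocol    = $Protocol
                HostName    = $HostName
                Action      = $rule.Action
                MatchedRule = $rule.Name
            }
        }
    }
}

# Constructed sample requests (host names are placeholders)
$requests = @(
    @{ Protocol = 'HTTP';  HostName = 'www.microsoft.com' }   # only rule 3 fits
    @{ Protocol = 'HTTPS'; HostName = 'www.microsoft.com' }   # rule 1 fits before rule 3 is reached
    @{ Protocol = 'HTTP';  HostName = 'www.vg.no' }           # rule 2 fits before rule 3 is reached
    @{ Protocol = 'FTP';   HostName = 'ftp.example.org' }     # nothing fits, so the Default rule decides
)
$requests |
    ForEach-Object { Resolve-PolicyDecision -Policy $WizardPolicy -Protocol $_.Protocol -HostName $_.HostName } |
    Format-Table -AutoSize

# Moving the allow rule above the HTTPS block changes the decision for HTTPS
$Reordered = @($WizardPolicy[2], $WizardPolicy[0], $WizardPolicy[1], $WizardPolicy[3])
Resolve-PolicyDecision -Policy $Reordered -Protocol 'HTTPS' -HostName 'www.microsoft.com'

# Read the live order from a TMG server (run on the server, elevated).
# FPC.Root is the Forefront TMG administration COM object. The numeric enum
# values in the two tables are taken from the TMG SDK and are an assumption
# to verify against your own SDK copy.
$ActionNames = @{ 0 = 'Allow'; 1 = 'Deny' }
$TypeNames   = @{ 0 = 'Access'; 1 = 'WebPublishing'; 2 = 'ServerPublishing' }

function Get-TmgPolicyOrder {
    $root  = New-Object -ComObject FPC.Root
    $array = $root.GetContainingArray()
    $index = 0
    foreach ($rule in $array.ArrayPolicy.PolicyRules) {
        $index++
        [pscustomobject]@{
            Order   = $index
            Name    = $rule.Name
            Enabled = $rule.Enabled
            Type    = $TypeNames[[int]$rule.Type]
            Action  = $ActionNames[[int]$rule.Action]
        }
    }
}
```

Run `Get-TmgPolicyOrder | Format-Table -AutoSize` on the TMG box after clicking Apply and compare the order with what the console shows; a deny rule that sits below the allow rule it was meant to restrict is the classic mistake this ordering produces.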

Now let's do the Lync part. (This guide is for Lync Server Standard Edition.)
First, we need a reverse proxy to publish the Lync HTTPS content. This is required for:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.
  • Enabling mobile applications to automatically discover mobility URLs from the Internet.


First, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
Give the web publishing rule a good, descriptive name.


Here you set the action to Allow. Click Next.
Choose "Publish a single web site or load balancer", click Next.

On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm.
Click Next –>


Here, type the fully qualified domain name (FQDN) of the internal web farm that hosts your meeting content and Address Book content in the Internal site name box. Note that TMG by default checks that the name on the published server's certificate matches this internal site name, so use the name the Lync certificate was issued for.
If you don't have DNS in the perimeter network, you can use the option below to connect to the server by IP address instead. Click Next.

On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published.

On the Public Name Details page, confirm that "This domain name" is selected under Accept requests for, and type the external Web Services FQDN in the Public name box.

On Select Web Listener page, click New to open the New Web Listener Definition Wizard.

On the Welcome to the New Web Listener Wizard page, type a name for the web listener in the Web listener name box (for example, LyncServerWeb).
On the Client Connection Security page, select Require SSL secured connections with clients.

On the Web Listener IP Address page, select External, and then click Select IP Addresses.


On the External Listener IP selection page, select Specified IP address on the Forefront TMG computer in the selected network, select the appropriate IP address, click Add.


On the Authentication Setting page, select No Authentication.


On the Authentication Delegation page, select No delegation, but client may authenticate directly.


On the User Set page, click Next, and then click Finish.
Then click Apply in the main console.

Now in the Firewall Policy window you will see a new rule, named "Lync" in my case.
Right-click it and select Properties.

Go to the From tab, choose “Anywhere” and click Remove.
Then press the Add button and choose External.

Next, click the Bridging tab, select the "Redirect requests to SSL port" check box and specify port 4443. This is the port the Lync external web site listens on for HTTPS, so TMG accepts the client on 443 and re-establishes its own SSL connection to the front end on 4443.


Click Apply, OK.
Then click Apply in the Firewall console.

Now you have published the Lync HTTPS roles via TMG.
You can read more about publishing Lync sites via a reverse proxy here –> http://technet.microsoft.com/en-us/library/gg398069
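As an added check of the publishing rule above (my script, not part of the original post or of Microsoft's guidance), the following PowerShell connects to both hops the rule creates: the TMG web listener on 443, which must present a certificate carrying the public name, and the bridged connection to the internal web farm on 4443, where TMG refuses to connect if the certificate name does not match the internal site name in the rule. The two FQDNs are placeholders you replace with your own; the script assumes .NET 4.5 or later (which the prerequisites at the top of the post already require) and runs from any machine that can reach the endpoints, typically the TMG server itself for the 4443 hop.

```powershell
# Added verification script, not from the original post. Host names below
# are placeholders; replace them with your external web services FQDN and
# the internal site name you typed into the publishing rule.

function Get-TlsEndpointInfo {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [string]$SniName = $HostName,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ HostName = $HostName; Port = $Port; Reachable = $false
                          Subject = $null; San = $null; NotAfter = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $connect = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = "TCP connect to ${HostName}:${Port} timed out"
            return [pscustomobject]$result
        }
        $client.EndConnect($connect)
        $result.Reachable = $true

        # Accept any certificate in the callback: we want to inspect what the
        # endpoint presents, not to trust it.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($SniName, $null,
            [System.Security.Authentication.SslProtocols]'Tls,Tls11,Tls12', $false)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        if ($sanExt) { $result.San = $sanExt.Format($false) }
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

function Test-CertNameMatches {
    param([string]$Subject, [string]$San, [string]$Expected)
    # Collect the CN plus every SAN value (the label before '=' is locale
    # dependent, so strip whatever it is), then compare exactly or against a
    # single-label *.domain wildcard.
    $names = @()
    if ($Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    if ($San) { $names += ($San -split ',\s*') | ForEach-Object { ($_ -replace '^[^=]*=\s*', '').Trim() } }
    foreach ($n in $names) {
        if ($n -ieq $Expected) { return $true }
        if ($n.StartsWith('*.') -and ($Expected -ilike $n) -and
            (($Expected -split '\.').Count -eq ($n -split '\.').Count)) { return $true }
    }
    return $false
}

function Test-LyncPublishing {
    param(
        [string]$ExternalFqdn = 'lyncweb.example.com',       # placeholder: public name in the rule
        [string]$InternalFqdn = 'lyncweb-int.example.local'  # placeholder: internal site name in the rule
    )
    # Hop 1: clients hit the TMG listener on 443 with the public name.
    # Hop 2: TMG bridges to the Lync external web site on 4443 and checks
    #        the server certificate against the internal site name.
    $hops = @(@($ExternalFqdn, 443), @($InternalFqdn, 4443))
    foreach ($hop in $hops) {
        $expected, $port = $hop
        $info = Get-TlsEndpointInfo -HostName $expected -Port $port
        $nameOk = $info.Reachable -and ($null -eq $info.Error) -and
                  (Test-CertNameMatches -Subject $info.Subject -San $info.San -Expected $expected)
        [pscustomobject]@{
            Endpoint    = "${expected}:${port}"
            Reachable   = $info.Reachable
            NameMatches = $nameOk
            ExpiresOn   = $info.NotAfter
            Error       = $info.Error
        }
    }
}

Test-LyncPublishing | Format-Table -AutoSize
```

A row with Reachable but NameMatches false on the 4443 hop is the usual cause of the "name on the security certificate is invalid or does not match the name of the site" error TMG returns to clients; fix the internal site name in the rule (or re-issue the Lync certificate) rather than disabling the check.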

We have only scratched the surface of what Forefront TMG has to offer. Unlike its hardware firewall buddies, it operates at the highest layers of the OSI model and has application-layer protection that most hardware appliances don't have.
Many companies today run a two-tier solution: a stateful firewall in front and an application-layer firewall behind it. The stateful firewall's purpose is to make sure that only fully established connections are allowed in; it doesn't care whether the traffic being transmitted is malicious, it just knows that a connection is established and the three-way handshake completed (it mostly works at layer 4 of the OSI model and is much faster than TMG, which makes it useful for stopping TCP SYN flood DDoS and general noise). The traffic is then forwarded to TMG, which handles the malware inspection and the higher-level inspection.