If you would like to read the next parts in this article series please go to:
If you missed the news, here it is: TMG Beta 2 was recently released to the public! This is a major advance over Beta 1, which felt more like an ISA 2006 R2. When Beta 1 was released I told you not to be disappointed, because you would see a lot more in the next beta. Microsoft did not disappoint: TMG Beta 2 includes a bevy of new features and functionality that I know you will like.
In this article series I will provide you a high level overview of some of the major new features included with the TMG Beta 2 firewall. To really get the most out of this series, you will need to be relatively well acquainted with ISA 2006. If you are not an expert on ISA 2006, you can still get some value out of this overview, but keep in mind that I am focusing on the improvements, not all the features included in TMG. To get that information, you will need to get our book when it comes out. You can keep tabs on the progress of our book by visiting http://www.mstmgbook.org.
After we finish this high level overview series, I will begin a series of deep-dive articles on each of the new features discussed in the overview. Keep in mind that this series covers the Beta versions of the TMG firewall, to help you with your testing of the beta. We will update the articles after the product is released. Make sure to get the book too, so that you get a broad exposure to the TMG firewall covering all of its features, not just the new ones I focus on here.
Before getting started, be aware of a major new requirement: TMG firewalls must be installed on a 64-bit version of Windows Server 2008. The significance of TMG running on a 64-bit operating system should not be underestimated. A 64-bit OS lets TMG take advantage of much larger hardware configurations. Just imagine the throughput of an 8-way TMG firewall with 16 GB of memory and 10 Gbps NICs, using the networking improvements in the Windows Server 2008 Next Generation TCP/IP stack. The larger non-paged pool alone means that the kernel memory exhaustion seen on busy 32-bit ISA firewalls should become far less likely. Support for 64-bit Windows means that the performance specs of TMG firewalls going forward can far outstrip those of comparable stateful packet and application layer inspection firewalls.
To give you an idea of the power of 64bit Windows computing, just check out the specs in the table below.
The approach I will take in this series (which will probably go three or four parts) will be to look at what is new and improved in each node in the TMG firewall console. You can see each of the nodes included in the left pane of the TMG firewall console in the figure below.
The first thing you will notice is that the left pane of the firewall console has been streamlined. Now there is only a single level of sub-nodes under the server or array node. You will also notice that some node names have changed and that there are new sub-nodes. The Virtual Private Networks node is now named Remote Access Policy (VPN). New nodes include:
- Web Access Policy
- E-mail Policy
- Intrusion Prevention System
- Logs & Reports
- Update Center
In the course of the article series we will look at what is new in all the nodes. Let us get started by looking at the array/server node.
The Array Node
When you click the array node in the left pane of the TMG firewall console, you will see some new entries in the Tasks tab of the Task Pane on the right side of the console. These new options are:
- Launch Getting Started Wizard
- Join Array
- Connect to Forefront codename Stirling
You can see these new options in the figure below.
The Getting Started Wizard is a new feature included in the TMG Beta 2 firewall. The Getting Started Wizard is first exposed during installation. However, you have the option to run it again by clicking the Launch Getting Started Wizard link in the Tasks tab. Here you can configure network settings, system settings and deployment options. The Getting Started Wizard greatly simplifies some of the grunt work required to get the TMG Beta 2 firewall up and running.
A major change in the TMG firewall compared to the ISA firewall is that all installations use ADAM-based storage, now called Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008. ISA 2006 Standard Edition stored its configuration in the Registry, while ISA 2006 Enterprise Edition used ADAM. There will not be separate Standard and Enterprise editions of the TMG firewall. There will be a single edition with the same features and capabilities; the available functionality will differ depending on whether you attach the TMG firewalls to an Enterprise Management Server (EMS). I will talk about EMS later in this article series.
When you click the Join Array link, you see the Join Array Wizard. The Join Array Wizard makes it very easy to join a TMG firewall to an array. You will also see something else: a new type of array called a “standalone” array. A standalone array allows you to quickly set up an array of TMG firewalls without requiring an Enterprise Management Server. This is a nice option to have when you do not need to manage multiple arrays and just want to set up a single array for your organization. Of course, if you want the functionality you had with ISA 2006 Enterprise edition, you can deploy an Enterprise Management Server and manage multiple arrays.
When you click the Connect to Forefront Codename Stirling link, you will expose the Forefront codename Stirling Integration Wizard. Of course, the name of this wizard will change when Stirling gets its actual name. This wizard makes it easy to connect your TMG firewall or firewall array to the Stirling security management system. If you do not know about Stirling, now is a good time to get started. Stirling enables you to connect all your Forefront security products so that they report to it. Stirling then takes the information obtained from each Forefront product and enables proactive response policies based on the critical security information each product reports. Since the TMG firewall is a member of the Forefront security suite, you will be able to configure policies that trigger incident response actions when TMG detects a potential threat.
The Monitoring Node
The Monitoring node has seen some improvements. The first thing you will notice is that the System Performance area works again (it stopped working in ISA 2006). Not only does it work, but it reports new information. Now you will see more useful counters, such as CPU Usage (Percentage) and Available Memory (Mbytes). While a small change, I think it is a good and useful one.
You will also notice some new panes on the Dashboard. The Update Services pane is new, as is the ISP Redundancy pane. In the Update Services pane you will see new alerts related to updates for a number of different services, such as the anti-malware engines for Web and e-mail protection, as well as upcoming updates to the URL filtering database (not available in Beta 2, but planned for future releases). The ISP Redundancy pane reports valuable information such as how long each link has been up, the status of each of your ISP links, and the bytes/sec on each link.
Click on the Alerts tab in the Monitoring node and click on the Configure Alert Definitions link in the Task Pane. There you will see a tremendous increase in the number of alerts available in the TMG firewall compared to those available in ISA 2006. When you look through all of the alerts, you will find something interesting – the nature and comprehensiveness of these alerts are consistent with what I will call a “behavioral IDS”. Just take a look at them yourself and see what you think. You will be impressed at the wide array of firewall status conditions that are covered by the enhanced alert definitions found in the TMG firewall.
Click the Services tab. Here you will see a variety of new services that were not used by the ISA 2006 firewall. Notice the following:
- SQL Server (ISARS)
- SQL Server Reporting Services (ISARS)
- World Wide Web Publishing Service
- SQL Server Express
- Forefront TMG Managed Control Service
Notice that the Remote Access Service is no longer on the list. I am not sure why they removed it. Maybe it appears when you enable VPN, which was not enabled on this machine. SQL Server Express replaces the MSDE database that ISA 2006 used for logging. One thing you might wonder about is why the World Wide Web Publishing Service is installed on the TMG firewall. It is required by SQL Server Reporting Services. But do not worry: the WWW service is there only for the TMG firewall's own use, and it is not accessible to users outside the firewall.
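The following script is an added example, not part of the article and not Microsoft's code. It is a pre-flight check for a TMG Beta 2 host: it confirms the 64-bit OS prerequisite discussed at the start of the article, reports the state of the services named on the Services tab, and shows where the World Wide Web Publishing Service's HTTP listener is actually bound, so you can verify rather than assume that the web listener is not reachable from outside. The service display names are those shown on the Services tab; the short name W3SVC and the use of ports 80 and 443 for the Reporting Services web listener are assumptions. Run it from an elevated PowerShell prompt on the TMG server.

```powershell
# Added example (not from the article): pre-flight check for a TMG Beta 2 host.
# Assumptions: W3SVC is the short name of the World Wide Web Publishing Service,
# and the Reporting Services web listener uses TCP 80 and/or 443.
# Written for PowerShell 2.0 on Windows Server 2008 (no PS3+ syntax).

$expectedServices = @(
    'SQL Server (ISARS)',
    'SQL Server Reporting Services (ISARS)',
    'World Wide Web Publishing Service',
    'Forefront TMG Managed Control Service'
)

# 1. OS architecture. OSArchitecture is exposed by Win32_OperatingSystem on
#    Windows Server 2008 and later.
$os = Get-WmiObject Win32_OperatingSystem
"OS: $($os.Caption) ($($os.OSArchitecture))"
if ($os.OSArchitecture -notlike '64*') {
    Write-Warning 'TMG requires a 64-bit edition of Windows Server 2008.'
}

# 2. Service inventory. SilentlyContinue turns a missing service into a
#    MISSING line instead of a terminating error.
foreach ($displayName in $expectedServices) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if ($svc) { '{0,-45} {1}' -f $displayName, $svc.Status }
    else      { '{0,-45} MISSING' -f $displayName }
}

# 3. Where is the web listener bound? IIS on Server 2008 receives HTTP through
#    the kernel http.sys driver, so its sockets appear in netstat under PID 4
#    (System), not under the W3SVC service host process. A binding on 0.0.0.0
#    or [::] means the port is open on every interface at the socket level;
#    whether an external host can reach it is then decided by TMG's own policy,
#    which is what you should check rather than assume.
$webPorts = @('80', '443')
netstat -ano |
    Select-String 'LISTENING' |
    ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'      # proto, local, remote, state, pid
        $port = ($f[1] -split ':')[-1]
        if ($webPorts -contains $port) { '{0,-22} pid {1}' -f $f[1], $f[4] }
    }

# 4. The URL namespaces http.sys currently has registered (IIS sites and any
#    other http.sys listener). Reserved namespaces: netsh http show urlacl
netsh http show servicestate
```

If step 3 shows the web ports bound to 0.0.0.0 or [::], that is not by itself a problem: on a TMG host the firewall policy, not the socket binding, decides who can reach a local listener. Confirm it by reviewing the system policy rules that apply to the Local Host network and, if you want hard evidence, by attempting a connection to port 80 from a host on the External network.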
Click the Configuration tab. This tab was not available in the ISA 2006 Standard Edition firewall, since Standard Edition stored its configuration in the Registry. As I mentioned earlier, there are no longer separate editions, and the single edition uses AD LDS (ADAM) based storage. On the Configuration tab you will see the synchronization status of each array member with the AD LDS configuration store.
In this, part 1 of a multipart series on what’s new and improved with the TMG Beta 2 firewall, we took a look at new and improved features highlighted in the server/array node and the monitoring node. In the second part of this series we will take a look at a number of improvements and new features exposed in the Firewall Policy, Web Access Policy and E-mail Policy nodes. See you soon! –Tom.