Auditing the Initial Configuration of the EBS TMG Firewall (Part 2)

If you missed the first part in this article series please read Auditing the Initial Configuration of the EBS TMG Firewall (Part 1)


Thanks for coming back for part two of our series on auditing the initial configuration of the EBS TMG firewall. In the first part of the series, I did a short overview of the EBS solution and the TMG, and then described the test network configuration. I also described the Hyper-V configuration I used to create the EBS network.

I want to thank everyone who wrote in to me regarding the differences between a private and Internal network. It turns out that VMware has the same features, but after ten years of using VMware, I never used them and so I didn’t know they existed. The VMware “host only” network is similar to the Hyper-V Private network. Both of these virtual network types enable the virtual machines to communicate with each other and the host machine. The host machine is assigned a virtual interface with an IP address that you should use on the hosts in the host only network. You can use the ipconfig command on the host to find the network ID used by the host only interface.

The figure below shows the interfaces VMware Workstation uses.

Figure 1

VMnet1 is used for the host only network and VMnet8 is used for the NAT network, where the VMs share the host system’s address for network communications.

Figure 2

OK. Enough of the virtual networking lessons. Let’s move on to our audit of the EBS Forefront TMG firewall. Remember, our goal here isn’t to reconfigure the firewall. The assumption is that the EBS team has created a best practices configuration of the EBS Forefront TMG firewall and we’re just documenting that. If there’s anything that we see can be improved or changed, I’ll point it out.

General Firewall Properties

We’ll start with the general firewall properties. You can find this information by opening the TMG firewall console and right clicking the firewall name in the left pane of the console. Then click Properties. You’ll see the firewall Properties dialog box as seen in the figure below.

Click on the Assign Roles tab. You can assign various administrative roles to the firewall, such as:

  • Forefront TMG Array Administrator – this role has full control over the array-level configuration, including permissions to assign array roles. Has read-only access to enterprise policy applied to this array. Note that the TMG firewall can be installed only as a single member array.
  • Forefront TMG Array Auditor – this role has full access to array monitoring and read-only access to the array configuration. This role also has read-only access to the enterprise policy applied to this array. Note that EBS TMG firewalls cannot be configured to be part of an enterprise group and thus enterprise policy does not apply to EBS TMG firewalls
  • Forefront TMG Array Monitoring Auditor – This role has restricted access to array monitoring features. Can view sessions, view and reset alerts, query service status, and verify connectivity

The EBS TMG firewall configures the domain admin, the domain admins group, and members of the firewall’s local admins group as Forefront TMG Array Administrators. This is a secure configuration and I don’t see any reason to change this. Feel free to add other users as array and monitoring auditors as required by your specific deployment.

Figure 3

Click on the Join Microsoft Telemetry Services tab. Here you have the option to help Microsoft protect against malware and improve the IPS features of the EBS TMG firewall. Here you have three options:

  • Join with a basic membership – TMG will report basic information about potential threats, including threat type, where the threat originated, and the action applied
  • Join with an advanced membership – In addition to basic information sent to Microsoft, the EBS TMG firewall will report additional details about threats, including traffic samples and full URL strings. With advanced membership, you provide Microsoft with more help in analyzing and mitigating threats
  • I do not want to join Microsoft Telemetry Service at this time. Do not send any information to Microsoft.

Microsoft doesn’t make a decision for you on this one, which is good from a security point of view. I recommend that you Join with advanced membership. The more help we give Microsoft the better, as they’ll be able to use this information to create a more secure product. However, if you’re in an environment where you don’t want to share what URLs your users visit (e.g., you’re a security or defense agency, or you traffic in pr0n), then you probably don’t want to share that information with Microsoft.

Figure 4

Click the Customer Feedback tab. If I recall correctly, we were offered the option to participate in the Customer Experience Improvement Program during the installation process. This would make sense since I don’t see the reminder to join the program at the top of the middle pane of the EBS TMG firewall console. I highly recommend that you participate in this program. This is the one thing that you and your organization can do to make the EBS TMG firewall better. This information gives the development team the information they need to create a product based on how people actually use the EBS TMG firewall. Opting in has no negative security impact and you’ll be helping other EBS TMG firewall owners when you do.

Figure 5

TMG Firewall Console Monitoring Node

The TMG Firewall console’s Monitoring node provides you with a number of tabs containing information helpful in monitoring many aspects of the EBS TMG firewall. Not all of them contain configurable elements. We will cover the tabs containing configurable elements, which include:

  • Alerts
  • Sessions
  • Reporting
  • Connectivity Verifiers
  • Logging


Alerts

One of the big improvements the EBS TMG firewall has over the ISA firewall is in the area of alerts. The EBS TMG firewall has many more alerts than the ISA firewall. In fact, there are 183 alerts available in the current version of the EBS TMG firewall. These alerts inform you about configuration issues, setup issues, network problems, and security events. The EBS TMG firewall alerts can be considered part of the firewall’s behavioral security monitoring feature set.

To see what alerts are available on the EBS TMG firewall, click on the Monitoring node in the left pane of the EBS TMG firewall console and then click the Alerts tab. Click the Alerts Definitions link on the Tasks tab of the Task Pane. You will see something similar to the figure below.

Figure 6

Almost all of the alerts are enabled by default. Below is a list of all the alerts included with the EBS TMG firewall. I’ve bolded the alerts that are not enabled and included a short comment regarding those alerts.

  • Access to Configuration Storage server is blocked
  • Account Name Resolution Failed
  • Accumulation Folder Access Error
  • Accumulation Folder Created
  • Alert action failure
  • Application Filter Not Registered
  • Array Member Status Verification Failed
  • Array Member Status Verification Succeeded
  • Array-level Policy Rule Was Deleted
  • Broken Reference in Cross-Array Configuration
  • Cache Container Initialization Error
  • Cache Container Recovery Complete
  • Cache File Resize Failure
  • Cache Initialization Failure
  • Cache Permissions Insufficient
  • Cache Restoration Completed
  • Cache Write Error
  • Cached Object Discarded – This alert is disabled by default. I don’t see a reason to enable this alert since it will create a lot of noise and doesn’t provide useful information unless you’re troubleshooting your Web caching configuration. This alert is triggered during cache recovery; an object with conflicting information was detected. The conflicting object was discarded.
  • Certificate on Forefront TMG about to expire
  • Certificate on Forefront TMG invalid
  • Code Page Invalid
  • Component Load Failure
  • Compression by Unsupported Method
  • Compression Failure
  • Compression Failure (Allocated Memory Exhausted)
  • Compression Failure (Decompression Failed)
  • Compression Failure (Filter Misconfiguration)
  • Concurrent TCP Connections from One IP Address Limit Exceeded
  • Configuration Agent Removed Overlapping ranges
  • Configuration change cannot be loaded by Forefront TMG
  • Configuration Changes Overload
  • Configuration error
  • Connection Limit Exceeded
  • Connection Limit for a Rule was Exceeded
  • Credentials Delegation Failure
  • Credentials Delegation Using Kerberos Constrained Delegation Failure
  • Cross-Array Link Translation Configuration Inconsistency
  • Definition Update Process Stopped
  • Definition Updates and Telemetry Unavailable Through Local Host Network
  • Definition Updates Available
  • Definition Updates Available But Could Not Be Installed
  • Definition Updates Checking Failed
  • Definition Updates Installed
  • Definition Updating Failed
  • Denied Connections per Minute from One IP Address Limit Exceeded
  • DHCP Anti-Poisoning Intrusion Detection Disabled
  • Dial-on-demand failure
  • DNS Intrusion
  • DNS Zone Transfer Intrusion
  • Event Log Failure – This alert is disabled by default. I’m not sure why they decided to do this, since an Event Log Failure is a significant security event. I recommend that you enable this alert and configure the alert to send you an e-mail message when it is triggered. This alert is triggered when an attempt to log the event information to the system event log fails.
  • Firewall Communication Failure
  • Forefront TMG Cannot Connect to the Configuration Storage Server
  • Forefront TMG Computer Restart Is Required
  • Forefront TMG Computer Switched Configuration Storage server
  • Forefront TMG VPN tunnel redistribution is recommended
  • Free Disk Space Limit Exceeded
  • FTP Filter Initialization Warning
  • Global denied packets rate limit
  • Host ID assigned to this server is not valid
  • HTTP Requests from One IP Address Limit Exceeded
  • Intra-Array Configuration Error
  • Intrusion Detected
  • Invalid Configuration Settings
  • Invalid CRL Found
  • Invalid DHCP offer
  • Invalid dial-on-demand credentials
  • Invalid network adapter configuration
  • IP spoofing
  • IPsec Configuration Update Failure
  • IPsec Traffic Blocked
  • LDAP Server Recovered
  • LDAP Server Unavailable
  • License Expired
  • License Nearing Expiration
  • Link Translation Configuration Insecure
  • Link Translation Configuration Invalid
  • Link Translation Redirection Unpublished Site Contains Invalid Character
  • Link Translation Redirection Unpublished Site Length Invalid
  • Local NLB configuration change
  • Log Deletion Failure
  • Log Failure
  • Log formatting failure
  • Log Queue Store Usage Ended
  • Log Queue Usage Started
  • Log Storage Limits
  • Logging Resumed
  • Low Non-Paged Pool
  • Low Non-Paged Pool Recovered
  • Malware Inspection Available Disk Space Exceeded
  • Malware Inspection Client Disk Space Limit Exceeded
  • Malware Inspection Content Download Timed Out
  • Malware Inspection Definitions Loaded
  • Malware Inspection Definitions Not Loaded During Update
  • Malware Inspection Definitions Not Loaded When Service Started
  • Malware Inspection Definitions Outdated
  • Malware Inspection Deletion of Outdated Definitions Failed
  • Malware Inspection Detected Attempted Content Theft
  • Malware Inspection Disabled Globally
  • Malware Inspection Filter Detected Malware – This alert is disabled by default. You may or may not want to enable this alert, depending on the volume of malware you expect to see. You might want to enable it early in your deployment just to get a feel for the amount of malware your EBS TMG firewall is detecting. You can then turn it off after you feel that the firewall is doing its job. For more information about malware detected, you can always create reports that will give you that information. This alert is triggered when the Malware Inspection Filter detects malware and either removes it or blocks the message.
  • Malware Inspection Progress Notification Template Not Loaded
  • Malware Inspection Storage Limit Exceeded
  • Microsoft Update Currently not Used
  • Misconfigured Alert
  • Network configuration changed – This alert is disabled by default and there’s no compelling reason to enable it, unless you’re troubleshooting network issues. This alert is triggered when a network configuration change that affects the TMG firewall is detected.
  • NLB configuration Failure
  • NLB Inconsistent Configuration Detected
  • NLB is Draining And Stopping
  • NLB Possible reduced Load Balancing Performance
  • NLB Shutdown – Firewall Service Not Responding
  • NLB Shutdown – Firewall Service Stopped
  • NLB Started
  • NLB Stopped – Configuration Failure
  • NLB Stopped – Network Adapter Problem
  • NLB Stopped – NLB Integration Is Unavailable
  • NLB Stopped – RRAS Service Not Responding
  • NLB Stopped – VPN Static Address Pool Is Empty
  • NLB Stopped Manually
  • No Available Ports
  • No Connectivity
  • Non-TCP Sessions from One IP Address Limit Exceeded
  • OS component conflict
  • Oversized UDP Packet
  • Pending DNS Requests Resource Usage Limit Exceeded
  • Pending DNS Requests Resource Usage Limit within Limits
  • Policy Enforcement Completed
  • POP Intrusion
  • Propagate configuration change failed
  • Published server certificate expiration warning
  • Published Web Server Name Not Resolvable
  • Quarantine Exit Request Discarded
  • Quarantined VPN Clients Network Changes – This alert is triggered when a user is removed from a Quarantined VPN Clients Network. Again, I don’t see any reason to enable this alert unless you’re troubleshooting your VPN Quarantine configuration.
  • RADIUS Server Recovered
  • RADIUS Server Unavailable
  • Report Job Generation Failure
  • Report Server Roles Not Applied
  • Report Server User SID Not Found
  • Report Summary Generation Failure
  • Reporting Services Configuration Failure
  • Resource Allocation Failure
  • Revert to Last Known Configuration Failed
  • Revert to Last Known Configuration Succeeded
  • Routing (chaining) failure
  • Routing (chaining) recovery
  • RPC Filter – Bind failure
  • RPC Filter – connectivity changed
  • Server Publishing Failure
  • Server publishing is not applicable – I don’t see any reason to enable this alert unless you’re troubleshooting Server Publishing Rules. The alert is triggered when a Server Publishing Rule cannot be applied.
  • Server Publishing Recovery
  • Service Initialization failure
  • Service not responding
  • Service Shutdown
  • Service Started
  • Slow Connectivity
  • SMTP filter encountered an invalid bare CR or LF
  • SMTP filter encountered an invalid DATA terminator
  • SMTP Filter event – I don’t know why the EBS team decided not to enable this alert. This alert is triggered when an SMTP command rule was violated. It might be that the alert would generate too much noise depending on your SMTP publishing configuration. I’d recommend that you enable this rule after deployment and check to see how much noise is generated by this alert.
  • SOCKS configuration failure
  • SSL connection failure with published server (name mismatch)
  • SSL connection failure with published server (no trust)
  • SSL connection failure with published server (server certificate not valid)
  • SSL connection failure with published server (unknown reasons)
  • SYN Attack
  • TCP Connections per Minute from One IP Address Limit Exceeded
  • The Configuration Agent Has Restored Its Connection with the Configuration Storage server
  • The configuration was reloaded
  • The response was rejected because a compressed response was not requested
  • Total log size limit exceeded
  • Traffic Blocked
  • Undefined account for intra-array authentication
  • Unregistered event
  • Unresolvable remote gateway address on a VPN Network
  • Unresolvable Server Name
  • Upload New Configuration to Services Failed
  • Upstream chaining credentials
  • VPN connection Failure
  • VPN Connection Request Policy Updated
  • Web Farm Servers Unavailable
  • Web Filter Not Registered
  • WFP Filter Conflict Detected
  • WFP Sub-Layer Includes Unexpected Filters
  • Windows NLB Is Not Installed
  • Windows User-Based Policy in Workgroup
  • WMI Service Connection Was Lost
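Once the default alert state is documented, it can serve as a baseline for later audits. The sketch below is an added example, not part of the original article or of TMG: it assumes the alert definitions have been copied into a two-column CSV (`Name`, `Enabled`, a hypothetical export format) and compares them with the defaults and recommendations listed above.

```python
import csv
import io

# Alerts the article lists as not enabled in the default EBS TMG configuration.
DISABLED_BY_DEFAULT = {
    "Cached Object Discarded",
    "Event Log Failure",
    "Malware Inspection Filter Detected Malware",
    "Network configuration changed",
    "Quarantined VPN Clients Network Changes",
    "Server publishing is not applicable",
    "SMTP Filter event",
}
# The two disabled alerts the article recommends enabling.
RECOMMENDED_ENABLE = {"Event Log Failure", "SMTP Filter event"}

TRUE_VALUES = {"true", "yes", "1"}
FALSE_VALUES = {"false", "no", "0"}


def _norm(name):
    """Collapse whitespace and case so 'SMTP  filter Event' matches the baseline."""
    return " ".join(name.split()).casefold()


def audit_alerts(csv_text):
    """Compare exported alert states (hypothetical CSV) with the article's baseline."""
    default_off = {_norm(n) for n in DISABLED_BY_DEFAULT}
    recommended = {_norm(n): n for n in RECOMMENDED_ENABLE}
    findings = {
        "disabled_but_default_on": [],    # visibility lost compared with the shipped config
        "recommended_still_off": [],      # article says enable, export says disabled
        "enabled_beyond_default": [],     # troubleshooting/optional alerts left switched on
        "recommended_not_in_export": [],  # cannot be verified from this export
    }
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Name"].strip()
        flag = row["Enabled"].strip().casefold()
        if flag not in TRUE_VALUES | FALSE_VALUES:
            raise ValueError(f"unrecognised Enabled value for {name!r}: {flag!r}")
        enabled = flag in TRUE_VALUES
        key = _norm(name)
        seen.add(key)
        if key in recommended:
            if not enabled:
                findings["recommended_still_off"].append(name)
        elif key in default_off:
            if enabled:
                findings["enabled_beyond_default"].append(name)
        elif not enabled:
            # Exact-name match: "Log Failure" is enabled by default,
            # "Event Log Failure" is not, so the two must not be confused.
            findings["disabled_but_default_on"].append(name)
    findings["recommended_not_in_export"] = sorted(
        n for k, n in recommended.items() if k not in seen
    )
    return findings


# Constructed sample export (not taken from a real firewall).
SAMPLE_EXPORT = """\
Name,Enabled
Intrusion Detected,True
IP spoofing,yes
Log Failure,False
Event Log Failure,False
SMTP Filter event,True
Network configuration changed,True
Cached Object Discarded,False
"""

if __name__ == "__main__":
    for category, names in audit_alerts(SAMPLE_EXPORT).items():
        print(f"{category}: {names}")
```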


Sessions

On the Sessions tab you can see information about machines connecting to networks through the EBS TMG firewall. By default, you see the following information:

  • Activation date and time
  • Session Type
  • Client IP
  • Source Network
  • Client Username
  • Client Host Name

There is one more option, which is hidden by default. This is the Application Name. When you have deployed the Firewall client to client systems behind the EBS TMG firewall, the Firewall client will send the name of the application to the firewall and the application name will appear in the Sessions list. This is very valuable information when you’re investigating application use and abuse on your network. Application information also appears in the log files and reports when you deploy the Firewall client.

To enable the Application Name column, right click on one of the column headers and click on the Application Name option, as seen in the figure below.

Figure 7


Reporting

The EBS TMG firewall can create a number of different reports that draw upon data collected in the firewall and Web Proxy filter log files. EBS TMG firewall reports include:

  • Summary reports
  • Web Usage reports
  • Application Usage reports
  • Traffic and Utilization reports
  • Security reports
  • Malware Inspection reports

The default configuration of the EBS TMG firewall does not enable any reports. I think for future iterations of this product, the EBS team should consider creating some default reports, such as a daily summary report. A default summary report would provide a good out of the box experience for the EBS TMG firewall owner and perhaps motivate him to investigate other reports.

Figure 8

Each of the reports can be customized. The figure below shows an example of the interface used to customize the Summary report. The customizations mainly focus on how many entries you want to see in the report for a specific entity. For example, for the summary report, you can configure how many entries there are for protocols, users, and sites. You can also configure the sort order based on either Requests or Bytes.

The default settings for the reports are fine, but if you want the reports to go deeper into the information contained in your log files, you should customize them to give you the level of detail you need.

Figure 9

Another configurable reporting option is the Log Summary Properties. As you can see in the figure below, daily and monthly summaries are enabled by default. Log summary data is used to generate reports. You can configure when the log summaries are created and the number of daily and monthly summaries that are saved. The default options are fine and I don’t see a compelling reason to change them.

Figure 10

Connectivity Verifiers

You can configure the EBS TMG firewall to verify connectivity to infrastructure machines on your network. There are six connectivity verifier groups that you can select from:

  • Active Directory
  • DHCP
  • DNS
  • Others
  • Published Servers
  • Web (Internet)

There are three verification methods you can use to determine connectivity:

  • Send an HTTP “GET” request
  • Send a Ping request
  • Establish a TCP connection to port (a specific TCP port)

In an EBS TMG firewall deployment, you know something about the infrastructure, such as the IP addresses of the Management and Messaging Servers, and their associated Active Directory, DHCP, DNS and published servers. Given that we know this information, it might be worthwhile to create connectivity verifiers for these machines and services. One might argue that other components of the EBS solution can do the same thing, so why bother? That’s a good point, but it’s also a good idea to have multiple levels of monitoring and reporting, just in case one of them becomes unavailable or is inaccessible at any point in time.

I recommend that you create connectivity verifiers for your Active Directory, DNS, DHCP, published server and the Internet.

Figure 11


Logging

There are several configurable options on the Logging tab. Click on the Logging tab and then click on the Configure Firewall Logging link in the Tasks tab of the Task Pane. That will open the Firewall Logging Properties dialog box. The default logging method is SQL Server Express Database (on local server) and I recommend that you do not change this.

Click the Options button and you will see the Options dialog box. Here you can change the location of the ISALogs folder. If you have multiple disks on your server, you should consider moving the log files to another disk, preferably one that is configured to use RAID5 to provide fault tolerance.

You can also configure Log file storage limits. The default limits are well considered and I don’t see a compelling reason to change the settings unless you have an unusually high level of traffic that requires that you maintain larger log files. Note that you have two options regarding how to maintain the log file storage limits. These are:

  • Delete older log files as necessary
  • Discard new log entries

Neither of these options is compelling. For this reason, you should get a baseline of your typical log file sizes and configure the limit based on your baseline values. Keep in mind that there will be times when the firewall is under attack and the log files can grow precipitously. This is the scenario that will trigger the storage limits option. There are arguments for both options, but going with the default, Delete older log files as necessary, may not be the best option, and you should consider changing it to Discard new log entries.

Figure 12
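To make the trade-off between the two storage-limit options concrete, the following added example (not from the original article, and a simplified model rather than TMG’s actual implementation) replays constructed daily log volumes against a limit and reports which days of evidence survive under each option. The daily sizes and the limit are assumed values chosen for illustration.

```python
"""Model of the two log storage limit options, run on constructed daily log sizes."""


def simulate(daily_mb, limit_mb, policy):
    """Replay daily log volumes against a storage limit.

    Returns the day indexes that end up fully retained, partially retained, or lost.
    Simplification: one log file per day; under "delete_oldest" the file currently
    being written is never deleted, even if it alone exceeds the limit.
    """
    if policy not in ("delete_oldest", "discard_new"):
        raise ValueError(f"unknown policy: {policy}")
    on_disk = {}   # day index -> MB stored (dicts keep insertion order, oldest first)
    used = 0.0
    for day, size in enumerate(daily_mb):
        if policy == "delete_oldest":
            on_disk[day] = size
            used += size
            # Free space by removing the oldest files until the total fits again.
            while used > limit_mb and len(on_disk) > 1:
                oldest = next(iter(on_disk))
                used -= on_disk.pop(oldest)
        else:
            # Write only what still fits; everything beyond the limit is dropped.
            written = max(0.0, min(size, limit_mb - used))
            if written > 0:
                on_disk[day] = written
                used += written
    result = {"retained": [], "partial": [], "lost": []}
    for day, size in enumerate(daily_mb):
        stored = on_disk.get(day, 0)
        if stored >= size:
            result["retained"].append(day)
        elif stored > 0:
            result["partial"].append(day)
        else:
            result["lost"].append(day)
    return result


# Constructed data: ten quiet days, a three-day traffic flood (days 10-12), one quiet day.
DAILY_MB = [200] * 10 + [3000, 3500, 3000] + [200]
LIMIT_MB = 8000  # assumed limit, sized from the quiet-day baseline only

if __name__ == "__main__":
    for policy in ("delete_oldest", "discard_new"):
        print(policy, simulate(DAILY_MB, LIMIT_MB, policy))
```

In this run, deleting older files keeps only days 11 to 13 and loses the pre-attack baseline and the first day of the flood, while discarding new entries keeps everything up to part of day 11 and records nothing afterwards until space is freed.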

Click on the Fields tab in the Firewall Logging Properties dialog box. Here you can see what fields are logged, as seen in the figure below.

Figure 13

Not all of the available fields are logged by default. The table below shows you the fields available for logging. The bolded and highlighted fields are those that are disabled by default. You should enable them if you have a specific reason for doing so. Note that the more fields you enable, the greater the size of the log files. If you find that your log files are growing faster than you desire, you can remove fields that you deem to be unimportant to shrink the size of your log files. In addition, you can configure rules to be logged or not. There are other tricks you can employ to reduce the size of your log files, such as creating a rule to deny NetBIOS protocols and then configuring the rule to not log those connections.

  • Server Name
  • Log Date
  • Log Time
  • Transport
  • Client IP and Port
  • Destination IP and Port
  • Original Client IP
  • Source Network
  • Destination Network
  • Action
  • Result Code
  • Rule
  • Protocol
  • Bidirectional
  • Bytes Sent
  • Bytes Sent Delta
  • Bytes Received
  • Bytes Received Delta
  • Processing Time
  • Processing Time Delta
  • Destination Host Name
  • Client Username
  • Client Agent
  • Session ID
  • Connection ID
  • Network Interface
  • Raw IP Header
  • Raw Payload
  • GMT Log Time

When you click the Configure Web Proxy Logging link in the Tasks tab in the Task Pane, you see the same options you have with the Firewall logging. The same observations and recommendations apply here.

Figure 14

When you click the Fields tab in the Web Proxy Logging Properties dialog box, you’ll see what fields are enabled by default. Note that the Web Proxy log fields are not the same as the Firewall service fields, so take a look at these to determine if you need all of these fields. I see no reason to change from the default fields unless you have a specific reason for doing so.

Figure 15

The table below shows the fields available in the Web Proxy log. The bolded fields are those that are not enabled by default.

  • Client IP
  • Client Username
  • Client Agent
  • Authenticated Client
  • Log Date
  • Log Time
  • Service
  • Server Name
  • Referring Server
  • Destination Host Name
  • Destination IP
  • Destination Port
  • Processing Time
  • Bytes Received
  • Bytes Sent
  • Protocol
  • Transport
  • HTTP Method
  • URL
  • MIME Type
  • Object Source
  • HTTP Status Code
  • Cache Information
  • Rule
  • Filter Information
  • Source Network
  • Destination Network
  • Error Information
  • Action
  • GMT Log Time
  • Authentication Server
  • Threat Name
  • Malware Inspection Action
  • Malware Inspection Result
  • Content Delivery Method
  • Malware Inspection Duration (msec)
  • Threat Level

A new feature included with the EBS TMG firewall is the Log Queue. When log entries are generated faster than they can be formatted and placed into the log file, log entries can be stored in the log queue until they can be properly formatted and placed into the log database. ISA firewalls did not have this feature, and when entries came in too fast, the ISA firewall would go into lockdown mode. The new Log Queue feature enables you to keep the firewall running even when logging goes into overdrive.

For nice coverage of this new feature, check out Overview of the Logging Improvements in Forefront Threat Management Gateway (TMG).

Click the Configure Log Queue entry in the Tasks tab of the Task Pane to bring up the Log Queue Storage Folder dialog box. Here you have the option to change the location of the log queue. I recommend that if you have multiple drives in your firewall that you put this on the same drive as the log files and use RAID 5 for fault tolerance.

Figure 16

With the new Log Queue feature comes another new feature, the Log Status dialog box. Click the View Log Status link on the Tasks tab in the Task Pane and you’ll see the Log Status dialog box as seen in the figure below. Here you get information regarding the log status, database updated to (I’m not sure what this is supposed to tell you) and the log queue total in KB.

Figure 17

Update Center

If there’s one thing that defines the changes seen in the EBS TMG firewall compared to the ISA firewall, it is the integrated Web anti-malware. With the ISA firewall, you needed to deploy a 3rd party application to get malware inspection for HTTP connections. With the EBS TMG firewall, this anti-malware inspection is built into the firewall.

Click on the Update Center node in the left pane of the EBS TMG firewall console. Click the Configure Update Settings link on the Tasks tab in the Task Pane. This brings up the Update Center Properties dialog box.

On the Definition Updates tab you can configure the automatic update option. The options are:

  • Check and install
  • Check only
  • Do nothing

The default is to Check and install and I see no reason to change from that default value.

Figure 18

Click the Microsoft Update Setup tab. Here you can choose how the malware definitions are updated. Your choices here are:

  • Use the Microsoft Update service to check for updates (recommended)
  • I do not want to use Microsoft Update service

Note that if the firewall is configured to use WSUS for updates, the settings on this page will be applied. The default setting for the EBS TMG firewall is to use WSUS, as this is part of the EBS overall patch and update solution.

Figure 19

Click the Configure License Details link on the Tasks tab of the Task Pane. Here you get information about your license agreement number and the expiration date for your anti-malware license. I see no reason to change anything here.

Figure 20


In this, part two of our series on auditing post installation configuration of the EBS TMG firewall, we went over the default configuration settings for options available in the Monitoring and Update Center nodes. Overall, the default configuration looks good and there are no major issues requiring a radical overhaul of the configuration. But we’re far from done. In the next article or two, we’ll review the firewall policy. I suspect there we might find some candidates for improvement. We’ll see! –Tom.
