Dec 03 2010

Like Microsoft ISA Server, the Configuration Storage Server (CSS) of TMG uses ADAM to store the configuration, and ADAM replication is what keeps a replica CSS in sync with the primary.

But what if the primary CSS fails and you have to reinstall the server? In that case you can still point the firewalls at the replica CSS. However, when you then install a new CSS as a replica of the remaining (secondary) CSS, you can run into ADAM issues. One of them looks like this:

Event ID: 2091

Ownership of the following FSMO role (Operations Master role) is assigned to a server which is deleted or does not exist.

Operations which require contacting a FSMO role owner will fail until this condition is corrected.

Because of this error the FSMO roles need to be moved to another CSS server. There are two ways to do that: 1) transfer the role, or 2) seize the role. This works exactly like Active Directory: seize a role only when the previous FSMO holder is no longer available; if it is still available but you want to replace it, use the transfer method.

But how do you do this in a Forefront environment?

Let’s say we have two ISA servers and want to add an additional CSS on a separate computer. The computer names are CSS01, ISA01 and ISA02. CSS01 will become the primary CSS, and we want to decommission the current primary CSS running on ISA01.

First the easy part. In the ISA or TMG management console, right-click the array, open its properties and change the configured primary CSS to the secondary (replica) CSS: instead of ISA01.domain.com, enter CSS01.domain.com. Once that is done, the FSMO roles have to be moved to CSS01.

Next, start the ADAM Tools Command Prompt: Start > All Programs > ADAM > ADAM Tools Command Prompt. It is simply a command prompt that opens in the C:\Windows\ADAM folder, where the tools live; they are installed on every computer on which you installed a CSS.

Once you are in that command prompt, follow this procedure:

  1. Open an ADAM Tools Command Prompt on ISA01 or ISA02.
  2. At the command prompt, type: dsmgmt.exe
  3. At the dsmgmt: command prompt, type: roles
  4. At the fsmo maintenance: command prompt, type: connections
  5. At the server connections: command prompt, type: connect to server CSS01.domain.com:2171

The ADAM port used by ISA and TMG is 2171, so make sure to include it. Otherwise dsmgmt tries port 389, the default LDAP port for ADAM and AD, and the connection fails.

Once connected, transfer the roles if at all possible:

  1. At the server connections: command prompt, type: quit
  2. At the fsmo maintenance: command prompt, type: transfer naming master
  3. At the fsmo maintenance: command prompt, type: transfer schema master

And you’re done! If all went well, the roles are transferred; if not, dsmgmt prints error messages in the command window. That covers the clean case. But what if ISA01 has issues with its CSS, for example objects that are tombstoned or otherwise corrupted? Or what if ISA01 crashed and cannot be recovered? Or what if you tried to transfer a role and received a warning like this:

Event ID: 1837

An attempt to transfer the operations master role represented by the following object failed.

In that case seize the FSMO roles instead of transferring them:

  1. At the server connections: command prompt, type: quit
  2. At the fsmo maintenance: command prompt, type: seize naming master
  3. At the fsmo maintenance: command prompt, type: seize schema master

If you later want to add ISA01 as a CSS again, simply install the Configuration Storage Server on it as a replica and you’re done. After a seize, never bring the old CSS instance back online as it was: it still believes it owns the roles, which is exactly the split you just repaired.
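To confirm where the roles actually ended up after the transfer or seize, the following PowerShell reads the fSMORoleOwner attributes straight out of the CSS’s ADAM instance. This is an added example, not part of the original post and not an ISA/TMG tool; it assumes CSS01.domain.com is the new role holder listening on TCP 2171, that the caller has read access to the instance (array administrators do), and that ADAM names the holder’s server object hostname$instance (CSS01$ISASTGCTRL), which is what the host-name match relies on.

```powershell
# Added example (not from the original post): read the FSMO role owners out of
# the CSS's ADAM instance to confirm a transfer or seize actually took effect.
# Assumptions: CSS01.domain.com is the intended new holder, the instance listens
# on TCP 2171 (the ISA/TMG default), the caller has read access, and the holder's
# server object is named hostname$instance (e.g. CSS01$ISASTGCTRL).

function Get-CssFsmoOwners {
    param(
        [string]$Server = 'CSS01.domain.com',
        [int]$Port = 2171
    )
    $base = "LDAP://{0}:{1}" -f $Server, $Port

    # RootDSE tells us the DNs of the schema and configuration partitions, so we
    # do not need to know the instance's CN={GUID} configuration suffix up front.
    $root     = [ADSI]"$base/RootDSE"
    $schemaNC = [string]$root.Properties['schemaNamingContext'].Value
    $configNC = [string]$root.Properties['configurationNamingContext'].Value

    # ADAM has exactly two FSMO roles. The schema master is recorded on the schema
    # container, the naming master on CN=Partitions in the configuration partition.
    $schema     = [ADSI]"$base/$schemaNC"
    $partitions = [ADSI]"$base/CN=Partitions,$configNC"

    New-Object PSObject -Property @{
        SchemaMaster = [string]$schema.Properties['fSMORoleOwner'].Value
        NamingMaster = [string]$partitions.Properties['fSMORoleOwner'].Value
    }
}

function Test-CssFsmoOwner {
    param(
        [string]$ExpectedHost = 'CSS01',
        [string]$Server = 'CSS01.domain.com',
        [int]$Port = 2171
    )
    $owners = Get-CssFsmoOwners -Server $Server -Port $Port

    # fSMORoleOwner holds the DN of the owner's NTDS Settings object, e.g.
    # "CN=NTDS Settings,CN=CSS01$ISASTGCTRL,CN=Servers,...". A holder whose object
    # was deleted (the event 2091 situation) shows up as a DN containing "\0ADEL:".
    $pattern = '^CN=NTDS Settings,CN=' + [regex]::Escape($ExpectedHost) + '\$'
    foreach ($role in 'SchemaMaster', 'NamingMaster') {
        $dn = $owners.$role
        $status = 'held elsewhere'
        if ($dn -match $pattern) { $status = 'OK' }
        if ($dn -match '0ADEL:') { $status = 'owner object deleted - seize required' }
        New-Object PSObject -Property @{ Role = $role; Owner = $dn; Status = $status }
    }
}

# Run after the dsmgmt transfer/seize, from any machine allowed to reach TCP 2171
# on the CSS (the ISA/TMG system policy must permit remote management from it).
Test-CssFsmoOwner | Format-Table Role, Status, Owner -AutoSize
```

Both rows should read OK once the roles sit on CSS01. A DN containing \0ADEL: is the deleted-holder situation behind event 2091; a transfer cannot succeed against it, and seizing is the only way forward.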

Dec 02 2010

Recently I came across something interesting when building a new ISA environment where the Firewall Client will mostly be what is used. Almost all the traffic needs to be authenticated before being sent to its destination. Since the Firewall Client is designed for that (the traffic is not just HTTP(S) and FTP over HTTP), we advised installing the Firewall Client on every Citrix server and on the clients.

However, during some initial testing I noticed something weird. Although some of the traffic is being balanced, I noticed that the Firewall Client traffic isn’t balanced at all. At first I was really stumped and didn’t know where to look to troubleshoot. I checked, checked and triple-checked the configuration to make sure everything was set correctly. I even had a colleague of mine check it again, to stop myself from thinking in circles. Still I couldn’t find any weird configuration issues, and neither could my colleague.

[Screenshot]

Note: the screenshot was taken out of office hours, so SecureNAT is also imbalanced at the moment. That is not important for this article 😉

So what happened here? In the end Jason Jones pointed me to this Microsoft article, where Microsoft states:

Load balancing is not supported with Forefront TMG Clients or ISA Firewall Clients

Issue: Client machines running Forefront TMG Clients or ISA Firewall Clients may have issues connecting to an array of Forefront TMG servers with any type of load balancing configured on the related Forefront TMG network.

Cause: Load balancing (either integrated or using an external load balancer) is not supported together with Forefront TMG Clients or ISA Firewall Clients.

Solution: Instead of using a load balancer, use DNS round robin to point the clients to the Forefront TMG array members’ dedicated IP addresses.

Hmmm. This is not fun. Why should you use DNS round robin? Is this by design? Why is that? After investigating further and talking with Jason Jones, I heard the following:

The FW client uses a control channel to facilitate authentication and communication with the TMG firewall. For proper operation, Firewall Clients must therefore be configured to communicate directly with the TMG firewall’s dedicated IP address (DIP) not the VIP.

Jason Jones has been an MVP for Microsoft Forefront for a pretty long time, and I’ll trust him. Personally I’m not very fond of using DNS round robin to balance this. It might be because of the design of the Firewall Client. In my opinion Microsoft should address this “issue”.

Oh, before I forget, the reason I have a problem with this is that I see an issue coming up when one node fails. Just imagine this:

A FWC client is configured to use a DNS name to connect to the ISA or Forefront TMG array; let’s say you use FWCArray.domain.com.

The client looks up an IP address for that DNS record and receives the IP address of the failed host. The FWC tries to connect to the failed ISA server, and if the host doesn’t respond you will not be connected. I’m not sure what exactly would happen, since this is truly new for me, but I guess you’ll never get connected until you’re lucky enough that the client receives the IP address of the functioning ISA/TMG node.

I’m forced to use this configuration for one of my clients, but trust me, it doesn’t really feel good. 😉
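The following PowerShell, added here and not part of the original post or of Microsoft’s article, shows what a Firewall Client would be handed when it resolves the round-robin name, and which of those addresses actually accept the Firewall Client control channel on TCP 1745. The name FWCArray.domain.com and the assumption that every A record is one array member’s dedicated IP are taken from the scenario above.

```powershell
# Added example (not from the original post): list the dedicated IPs that the
# DNS round-robin record hands out for the array, and check which of them accept
# the Firewall Client control channel on TCP 1745. Assumptions: FWCArray.domain.com
# is the round-robin name and each A record is one array member's DIP.

function Resolve-FwcArray {
    param([string]$ArrayName = 'FWCArray.domain.com')
    # Order matters: a client tries the first address it is handed, and the
    # Windows DNS client caches the answer for the record's TTL.
    [System.Net.Dns]::GetHostAddresses($ArrayName) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.IPAddressToString }
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # A dead node usually does not refuse, it just never answers: bound the wait.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)     # throws if the host refused or is unreachable
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-FwcArrayMembers {
    param([string]$ArrayName = 'FWCArray.domain.com', [int]$Port = 1745)
    $addresses = @(Resolve-FwcArray -ArrayName $ArrayName)
    foreach ($ip in $addresses) {
        New-Object PSObject -Property @{
            Address   = $ip
            Port      = $Port
            Listening = (Test-TcpPort -Address $ip -Port $Port)
        }
    }
}

# Run from a client subnet. A member that resolves but is not listening is
# exactly the failed node a client can be handed: DNS round robin has no health check.
Test-FwcArrayMembers | Format-Table Address, Port, Listening -AutoSize
```

Repeating the call a few times from different machines shows the rotation the DNS server applies; a node that shows Listening = False keeps being handed out until its A record is removed, and a client that already cached that answer keeps it until the TTL expires.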

Nov 03 2010

For me, the information below is something I was really looking forward to. Currently the books are only for sale on the O’Reilly Media website. The estimated page counts for the books bother me though. For TMG it’s estimated at 88 pages. Hopefully this information is incorrect; there is much more to tell about TMG than fits in 88 pages. 🙂

Maybe I’m a bit impatient, since I’m eagerly waiting for the study material to do the exam. Oh well, I don’t know. After my ISA (2004/2006) exams I might be ready for the next version, TMG. UAG is also something that really interests me.

Anyhow, the books below are what I found on the http://blogs.msdn.com/Microsoft_Press webpage. Have fun with them 🙂

The new book “Deploying Microsoft Forefront Protection 2010 for Exchange Server” has been released by Microsoft Press.

A quote from the blog website:

A new eBook from Yuri Diogenes and Dr. Thomas W. Shinder is now available. Deploying Microsoft Forefront Protection 2010 for Exchange Server (ISBN 9780735648913) presents useful best practices for deploying FPE. Yuri and Tom give a nice overview of what you can expect in the book’s introduction, which is reprinted here.

The new book “Deploying Microsoft Forefront Threat Management Gateway 2010” has been released by Microsoft Press.

A quote from the blog website:

A new eBook from Yuri Diogenes and Dr. Thomas W. Shinder is now available. One of three eBooks they have written about deploying Forefront, Deploying Microsoft Forefront Threat Management Gateway 2010 (ISBN 9780735648920) presents useful best practices for deploying TMG. Yuri and Tom give a nice overview of what you can expect in the book’s introduction, which is reprinted here.

The new book “Deploying Microsoft Forefront Unified Access Gateway 2010” has been released by Microsoft Press.


A quote from the blog website:

A new eBook from Yuri Diogenes and Dr. Thomas W. Shinder is now available. One of three eBooks they have written about deploying Forefront, Deploying Microsoft Forefront Unified Access Gateway 2010 (ISBN 9780735648951) presents useful best practices for deploying UAG. Yuri and Tom give a nice overview of what you can expect in the book’s introduction, which is reprinted here.

Jun 28 2010

Ok, it’s been a long time since I wrote something, but this really bothered me for almost a week. I was trying to install Forefront Client Security in our lab environment. I really thought it couldn’t be that hard to just get it up and running. Most applications install subcomponents automatically, or at least they ask for additional subcomponents to be installed. You’d be wrong if you thought this is also the case for Forefront Client Security. I’ve learned my lesson: RTFM 🙂

Anyhow, there are a couple of things you really need to know before you even consider installing Forefront Client Security: there are some prerequisites. First of all, Forefront Client Security is currently not supported on Windows Server 2008 x64, so Windows Server 2008 R2 isn’t supported either. This was a bit of a shock for me, since I thought 64-bit was a commonly supported platform, at least for Microsoft software. 🙂 Switching back to x86 was supported, but I still couldn’t manage to install Forefront Client Security on my server.

After almost a week of trying to install Microsoft Forefront Client Security, I finally found this Microsoft document, which helped me install it. I still think Microsoft should check which software is installed and, if something is missing, install it or ask for it.

Since I’m running WSUS on a different server, I didn’t need to install WSUS again. Still, check the pre-installation requirements below if you want to run it all on the same server:

  • Install Microsoft .NET Framework 1.1 with SP1.
  • Install .NET Framework 3.0.
  • Install IIS and ASP.NET.
  • Install SQL Server 2005 with SP2.
  • Install GPMC with SP1.
  • Install, configure, and synchronize Windows Server Update Services (WSUS) with SP1.

For me, leaving out WSUS worked fine, but come on: two versions of the .NET Framework, IIS, GPMC, couldn’t these be included in the installation wizard?

Anyhow, I did manage to get it up and running, which made me pretty happy… 🙂
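As a pre-flight check for the list above (an added example, not something the FCS installer or this post provides), the following PowerShell looks for each prerequisite on the server before you start setup. It assumes PowerShell 2.0 on the target box; the .NET, IIS and ASP.NET registry locations are the documented ones, while the GPMC path, the SQL Server Setup values and the WSUS key are assumptions, so treat a failure on those as “verify by hand” rather than “missing”.

```powershell
# Added example (not from the original post): pre-flight check for the FCS server
# prerequisites listed above, run on the intended FCS server before setup.
# The .NET, IIS and ASP.NET registry locations are the documented ones; the GPMC
# path, the SQL Server "Setup" values and the WSUS key are assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Test-FcsPrerequisites {
    param([switch]$IncludeWsus)
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $sql = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $checks = @()

    # FCS server components are 32-bit only; x64 Server 2008 / 2008 R2 are unsupported.
    $arch = $env:PROCESSOR_ARCHITECTURE
    if ($env:PROCESSOR_ARCHITEW6432) { $arch = $env:PROCESSOR_ARCHITEW6432 }   # 32-bit shell on a 64-bit OS
    $checks += @{ Check = '32-bit Windows'; Ok = ($arch -eq 'x86'); Detail = $arch }

    # .NET 1.1 SP1: Install=1 and SP>=1 under NDP\v1.1.4322
    $v11 = "$ndp\v1.1.4322"
    $checks += @{ Check  = '.NET Framework 1.1 SP1'
                  Ok     = ((Get-RegValue $v11 'Install') -eq 1 -and (Get-RegValue $v11 'SP') -ge 1)
                  Detail = "SP=$(Get-RegValue $v11 'SP')" }

    # .NET 3.0: InstallSuccess=1 under NDP\v3.0\Setup
    $checks += @{ Check = '.NET Framework 3.0'
                  Ok = ((Get-RegValue "$ndp\v3.0\Setup" 'InstallSuccess') -eq 1); Detail = '' }

    # IIS and ASP.NET
    $iisVer = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\InetStp' 'MajorVersion'
    $checks += @{ Check = 'IIS'; Ok = ($iisVer -ne $null); Detail = "MajorVersion=$iisVer" }
    $aspVer = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\ASP.NET' 'RootVer'
    $checks += @{ Check = 'ASP.NET'; Ok = ($aspVer -ne $null); Detail = "RootVer=$aspVer" }

    # SQL Server 2005 SP2 is build 9.00.3042. "Instance Names\SQL" maps instance name to
    # instance id, and <instance id>\Setup\Version holds the build (assumed layout).
    $sqlOk = $false; $sqlDetail = 'no instance found'
    $instances = Get-ItemProperty -Path "$sql\Instance Names\SQL" -ErrorAction SilentlyContinue
    if ($instances) {
        foreach ($p in $instances.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            $verStr = Get-RegValue "$sql\$($p.Value)\Setup" 'Version'
            if ($verStr) {
                $ver = [version]$verStr
                $sqlDetail = "$($p.Name)=$verStr"
                if ($ver.Major -eq 9 -and $ver.Build -ge 3042) { $sqlOk = $true }
            }
        }
    }
    $checks += @{ Check = 'SQL Server 2005 SP2'; Ok = $sqlOk; Detail = $sqlDetail }

    # GPMC with SP1 installs to %ProgramFiles%\GPMC on Server 2003 (assumed path)
    $gpmc = Join-Path $env:ProgramFiles 'GPMC\gpmc.msc'
    $checks += @{ Check = 'GPMC'; Ok = (Test-Path $gpmc); Detail = $gpmc }

    if ($IncludeWsus) {
        # WSUS 3.0 records its version under Update Services\Server\Setup (assumed key)
        $wsus = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' 'VersionString'
        $checks += @{ Check = 'WSUS'; Ok = ($wsus -ne $null); Detail = "VersionString=$wsus" }
    }

    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

# Leave out -IncludeWsus when WSUS lives on another server, as in the setup above.
Test-FcsPrerequisites | Format-Table Check, Ok, Detail -AutoSize
```

Any row with Ok = False for the .NET, IIS or ASP.NET checks is a real gap; for the GPMC, SQL and WSUS rows, confirm with the product’s own tooling before trusting the result, since those locations are assumed here.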

Feb 16 2010

Yes, it’s there: the Forefront Threat Management Gateway 2010 Capacity Planning Tool is now available.


There are now two resources available for scaling your TMG environment: a TechNet article for common scenarios, and a downloadable version specifically for enterprise and high-bandwidth scenarios.
The TechNet article can be found here.
The download can be found at this location.
It’s an .xlsm file, so by default it can be used with Excel 2007 and up, but with the Compatibility Pack you can use it with Excel 2002 and 2003 as well.