Apr 22 2010

The current expected release date for the Microsoft Forefront Threat Management Gateway exam is July 23rd 2010, although that might shift as the date comes closer.

Exam 70-157
MCTS: Forefront Integrated Security, Configuring
July 23rd 2010

Regarding a TMG MCITP certification, there is no information about that at the moment.

Edit: 29 July 2010.

Yesterday I found somewhere else that the official dates should be around the end of October.

TS: Microsoft Forefront Network Security, Configuring
Planned release date: October 20, 2010
TS: Microsoft Forefront Identity & Access Management, Configuring
Planned release date: October 22, 2010
TS: Microsoft Forefront Secure Messaging and Collaboration, Configuring
Planned release date: October 29, 2010

Edit: 21 October 2010.

A couple of weeks ago (during my holiday) I found the courses for TMG and the other Forefront products on the Dutch Global Knowledge website.
Dutch website
English, via Google Translate

Apr 15 2010

Lately I received a couple of questions asking if I could explain a bit more about the Flood Mitigation settings in Microsoft ISA Server 2006. Before we start, you should know that pretty much the same settings are also available in Microsoft Forefront Threat Management Gateway (TMG). I'm not going to tell you exactly how you should configure it, since you need to find your own balance. Rather, I'm going to tell you what the settings mean. I think it's more important to understand what they do than to give you some numbers. 🙂

So let's start off with a screenshot of the Microsoft ISA Server 2006 Flood Mitigation settings:

[Screenshot: Flood Mitigation settings]

This is the page that helps you prevent DoS attacks, SYN attacks and other kinds of flood attacks, so adjusting these options should be done with care. For example: if you configure the settings to be more relaxed and allow a large number of connections, the ISA server could get overloaded (high CPU, disk, memory or network usage) and slow to a crawl. On the other hand, if you configure it to be strict and allow very few connections, the ISA server will reject new connection requests from a given IP address as soon as it exceeds its quota. After one minute, ISA Server resets the quota for this IP address and the traffic is no longer blocked. If the client again exceeds the quota, ISA Server once again blocks the traffic for one minute.

So finding the correct balance is the thing to do. Personally, I recommend that you start with the default settings. When certain IP addresses exceed the default values, begin by investigating why this is happening. If there is a legitimate reason, you can add that IP address on the IP Exceptions tab. For example, in my experience with some clients I've noticed that Citrix can generate a high number of HTTP connections per minute. In those cases, I add the Citrix servers to the IP Exceptions list. For one client, I used this list to raise the limit from the default 600 to 6,000 HTTP connections per minute, which was enough.

Of course Microsoft has posted an excellent article about this. The table below, which I copied from the article, tells a lot about the settings. Actually, I think it tells you all you need to know. 🙂

Setting: what ISA Server mitigates, and the default limit

TCP connect requests per minute, per IP address
ISA Server mitigates flood attacks that occur when an attacking IP address sends numerous TCP connect requests. ISA Server also protects against worm propagation, which occurs when an infected host scans the network for vulnerable hosts. By default, ISA Server limits the number of TCP connect requests per client to 600 per minute. You can configure custom limit exceptions for specific IP addresses; by default, this exception limit is set to 6,000 requests per minute.

TCP concurrent connections per IP address
ISA Server mitigates a TCP flood attack that occurs when an offending host maintains numerous TCP connections with ISA Server or other servers. By default, ISA Server limits the number of concurrent TCP connections per client to 160. You can configure custom limit exceptions for specific IP addresses; by default, this exception limit is set to 400 concurrent connections per client.

TCP half-open connections
ISA Server mitigates SYN attacks. In a SYN attack, an offending host sends TCP SYN messages without completing the TCP handshake. By default, ISA Server limits the number of concurrent half-open TCP connections to half the limit configured for concurrent TCP connections (so 80 with the default of 160, and 200 for an address on the exceptions list with the default of 400). You cannot change this default.

HTTP requests per minute, per IP address
ISA Server mitigates DoS attacks. In a DoS attack, an offending host sends numerous HTTP requests on the same TCP connection to victim Web sites. By default, ISA Server limits the number of HTTP requests per client to 600 per minute. You can configure custom limit exceptions for specific IP addresses; by default, this exception limit is set to 6,000 requests per minute.

Non-TCP new sessions per minute, per rule
ISA Server mitigates non-TCP DoS attacks. In a non-TCP DoS attack, malicious hosts send numerous non-TCP packets to a victim server, where the specific non-TCP traffic is allowed by an ISA Server rule. By default, ISA Server limits the number of new non-TCP sessions per minute to 1,000 for the specific protocol (rule).

UDP concurrent sessions per IP address
ISA Server mitigates UDP flood attacks. In a UDP flood attack, an offending host sends numerous UDP messages to victim hosts. When a UDP flood attack occurs, ISA Server discards older sessions, so that no more than the specified number of sessions is allowed concurrently. By default, ISA Server limits the number of concurrent UDP sessions per IP address to 160. You can configure custom limit exceptions for specific IP addresses; by default, this exception limit is set to 400 sessions per client.

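To make the "per minute" quota and the one-minute block concrete, here is a small model of that behaviour. This is an added illustration, not ISA Server or TMG code and not from the Microsoft article: it reproduces what the text above describes (a per-IP limit per minute, an exceptions list with a higher limit, a one-minute block after which the quota is reset) and runs it over constructed traffic. The IP addresses, the traffic pattern and the exact moment the block starts are assumptions; the limits are the defaults from the table.

```python
"""Model of the per-IP "requests per minute" quota described above.

Added illustration only: this is not ISA Server / TMG code. It reproduces the
behaviour the text describes (a per-IP limit per minute, an exceptions list
with a higher limit, a one-minute block after which the quota is reset) so
the effect of the numbers can be seen on constructed traffic.
"""
from collections import defaultdict

WINDOW = 60.0  # seconds; both the counting window and the block duration


class FloodMitigation:
    def __init__(self, default_limit=600, exception_limit=6000, exceptions=()):
        # Defaults taken from the table above (TCP connects / HTTP requests per minute).
        self.default_limit = default_limit
        self.exception_limit = exception_limit
        self.exceptions = set(exceptions)      # the "IP Exceptions" list
        self._window_start = {}                # ip -> start time of current window
        self._count = defaultdict(int)         # ip -> requests seen in current window
        self._blocked_until = {}               # ip -> time the block expires
        self.blocks = []                       # audit trail: (time, ip, limit hit)

    def limit_for(self, ip):
        return self.exception_limit if ip in self.exceptions else self.default_limit

    def allow(self, ip, now):
        """True if a new request from ip at time `now` is accepted, else False."""
        if ip in self._blocked_until:
            if now < self._blocked_until[ip]:
                return False                   # still inside the one-minute block
            # Block expired: quota is reset and a fresh window starts.
            del self._blocked_until[ip]
            self._window_start[ip] = now
            self._count[ip] = 0
        start = self._window_start.get(ip)
        if start is None or now - start >= WINDOW:
            self._window_start[ip] = now       # new counting window
            self._count[ip] = 0
        self._count[ip] += 1
        if self._count[ip] > self.limit_for(ip):
            # Quota exceeded: drop this request and block the IP for one minute.
            self._blocked_until[ip] = now + WINDOW
            self.blocks.append((now, ip, self.limit_for(ip)))
            return False
        return True


def simulate(mitigation, events):
    """events: iterable of (time, ip). Returns {ip: (accepted, rejected)}."""
    totals = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        totals[ip][0 if mitigation.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}


def demo():
    """Constructed traffic (assumed addresses): a Citrix server on the
    exceptions list, and a noisy host that exceeds the default quota."""
    citrix = "10.0.0.5"
    noisy = "203.0.113.9"
    m = FloodMitigation(exceptions={citrix})
    events = []
    # Citrix: 1,000 connects in 50 seconds, well under the 6,000 exception limit.
    events += [(i * 0.05, citrix) for i in range(1000)]
    # Noisy host: 700 connects in the first 30 seconds; the 601st trips the
    # quota, the rest are dropped and the host is blocked for a minute.
    events += [(i * 30 / 700, noisy) for i in range(700)]
    # 10 more at t=45s: still inside the block, all dropped.
    events += [(45 + i * 0.1, noisy) for i in range(10)]
    # 5 more at t=95s: block expired, quota reset, accepted again.
    events += [(95 + i * 0.1, noisy) for i in range(5)]
    return simulate(m, events), m.blocks


if __name__ == "__main__":
    results, blocks = demo()
    for ip, (ok, dropped) in results.items():
        print(f"{ip}: accepted={ok} rejected={dropped}")
    for when, ip, limit in blocks:
        print(f"blocked {ip} at t={when:.1f}s after exceeding {limit}/min")
```

Running it shows the point of the post: the Citrix server on the exceptions list is never touched, while the noisy host gets exactly 600 connects through, loses the rest of that minute, and is accepted again once the block expires. Whether 600 is too low for a given client is something you can only decide by looking at who actually trips it, which is why the recommendation above is to investigate before relaxing anything.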
Feb 16 2010

It's there: the Forefront Threat Management Gateway 2010 Capacity Planning Tool is now available.


There are now two resources available for scaling your TMG environment: a TechNet article for common scenarios, and a downloadable version specifically for enterprise and high-bandwidth scenarios.
The TechNet article can be found here.
The download can be found at this location.
It's an .xlsm file, so by default it can be used with Excel 2007 and up, but with the Compatibility Pack you can use it with Excel 2002 and 2003 as well.

Feb 05 2010

A really nice and cool feature in TMG is the ability to do Enhanced NAT, also called ENAT. Up to ISA 2006, outgoing traffic could only be NATed using the default configured IP address. This could become a problem when you wanted to use a different IP address for your e-mail and the remote side uses reverse lookup: in those cases you could run into issues, since the MX record was configured with a different IP address than the source IP of ISA.

Now with Forefront TMG this is changed.

For this example I simply opened the default NAT rule for internet access, and check this out. The TMG help states: Enhanced Network Address Translation (NAT) enables you to specify individual e-mail servers that can be published on a 1-to-1 NAT basis.


Also, when you create a new NAT rule using the wizard, you will see this screen, which is essentially the same as above.


Well, I'm not sure why e-mail servers are mentioned specifically, because I can think of quite a few other possible uses as well.

Feb 04 2010

In ISA Server it was quite a pain in the ass that the default value for NLB used to be unicast NLB. Although this could work out in many cases, my personal preference is to use multicast NLB. Since ISA 2006 SP1 it has been supported to use multicast NLB in integrated mode. Anyhow, in ISA 2006 there is a script you needed to run to configure multicast NLB, which I will describe later on.

However, now that TMG has been released there is a little change that makes it easier to configure, which I will describe right here. There are a couple of other requirements, though, before you can do this.

First of all you have to check whether your routers and switches can handle multicast NLB; there are routers and switches that don't understand this configuration. Secondly, you have to create a static ARP entry on those devices, mapping the cluster IP address to the cluster's multicast MAC address, to support the multicast configuration.
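The MAC address that the static ARP entry has to point at is derived from the cluster IP address, and it differs per cluster operation mode, which is easy to get wrong by hand. The helper below is an added example (not part of this post, not TMG code) that computes the NLB cluster MAC for each mode and emits the Cisco IOS form of the static ARP line. The cluster IP 192.0.2.10 is an assumed example address, and the IOS syntax is shown for that platform only; check the documentation of your own routers and switches for the exact command.

```python
"""Derive the Windows NLB cluster MAC address for a given cluster IP.

Added example, not TMG or ISA code. NLB builds the cluster MAC from the
cluster's virtual IP address (w.x.y.z):
    unicast         02-bf-w-x-y-z
    multicast       03-bf-w-x-y-z
    igmpmulticast   01-00-5e-7f-y-z   (only the last two octets are used)
The static ARP entry on the router/switch must map the cluster IP to the
multicast (or IGMP multicast) MAC, because the switch will never learn a
multicast MAC from an ARP reply on its own.
"""
import ipaddress

MODES = ("unicast", "multicast", "igmpmulticast")


def nlb_cluster_mac(cluster_ip: str, mode: str = "multicast") -> str:
    """Return the NLB cluster MAC (colon-separated, lower case) for cluster_ip."""
    octets = ipaddress.IPv4Address(cluster_ip).packed   # 4 raw bytes of the VIP
    if mode == "unicast":
        mac = bytes([0x02, 0xBF]) + octets
    elif mode == "multicast":
        mac = bytes([0x03, 0xBF]) + octets
    elif mode == "igmpmulticast":
        mac = bytes([0x01, 0x00, 0x5E, 0x7F]) + octets[2:]
    else:
        raise ValueError(f"unknown NLB cluster operation mode: {mode!r}")
    return ":".join(f"{b:02x}" for b in mac)


def cisco_static_arp(cluster_ip: str, mode: str = "multicast") -> str:
    """Cisco IOS global-config line for the static entry (dotted-quad MAC notation).

    Assumed example syntax for IOS: 'arp <ip> <hhhh.hhhh.hhhh> ARPA'.
    """
    raw = nlb_cluster_mac(cluster_ip, mode).replace(":", "")
    dotted = ".".join(raw[i:i + 4] for i in range(0, 12, 4))
    return f"arp {cluster_ip} {dotted} ARPA"


if __name__ == "__main__":
    vip = "192.0.2.10"   # assumed example cluster IP
    for m in MODES:
        print(f"{m:14} {nlb_cluster_mac(vip, m)}")
    print(cisco_static_arp(vip))
```

For 192.0.2.10 the multicast MAC comes out as 03:bf:c0:00:02:0a, so the IOS line is `arp 192.0.2.10 03bf.c000.020a ARPA`. Keep in mind that a static ARP entry is only half of the story on many switches: if the switch floods or drops frames to that multicast MAC, you may also need a static MAC-table entry binding it to the cluster members' ports.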

And then the simplified configuration in TMG.

Click on the Networking node on the left side.
In the Actions pane on the right side, click Enable Network Load Balancing Integration.
A wizard opens; click Next. Then select the network on which you want to enable load balancing and click the Configure NLB settings button.

And then, check the screenshot below: the Cluster operation mode option is available.
I'll say: thank you, Microsoft 🙂