Multiple URLs with IAG

Thanks to my hosting provider Titan Internet , I have a very comprehensive statistics package which shows the top search phrases that leads people to this blog.

One of the phrases recently was:"IAG allow several URL"

In short yes, IAG will allow multiple URLs, where each URL will access a different trunks.

So you will be able to host a number of URLs and trunks, all with a different look and feel, as well as different authentication methods. There are some limitations, such as File Access can only be configured once, and not to different shares for different trunks.

So you could have the following:

Company wide remote access

URL: https://iag.mycompany.com

Authentication: AD & HOTPin

Endpoint Protection: Machine must be running AV software

Applications: OWA, SharePoint, CRM, File Access & Terminal Server

Technical Support remote access

URL: https://tech.mycompany.com

Authentication: AD & VASCO

Endpoint Protection: Machine must be a member of the domain

Applications: OWA, SharePoint, CRM, File Access, Terminal Server & RDP access to servers

Auditor Access

URL: https://audit.mycompany.com

Authentication: Local Users & RADIUS

Endpoint Protection: Machine must be running AV software

Applications: Accounting database (authorisation by user account)

Partner Access

URL: https://partner.mycompany.com

Authentication: Novell

Endpoint Protection: None

Applications: Intranet Access (authorisation by user account)

The granularity is there for a number of different portals, and each one can have a different look and feel, with a different URL.

Have fun trying this!!!

Installing Windows 7 using a USB memory stick

As I have a few days off work, I decided to rebuild my Windows 7 netbook, which led me to find a useful website again. I know a few people have struggled to get Windows 7 onto their computers as netbooks and some laptops don't have DVD drives.

I created a bootable memory stick so that I could install Windows 7 on my Advent 4211 netbook (MSI Wind clone) and have done the same for a few friends who are not so computer literate.

This website gives very good step-by-step instructions on how to do this: http://www.intowindows.com/how-to-install-windows-7vista-from-usb-drive-detailed-100-working-guide/

Bear in mind you will need a Vista or Windows 7 machine in order to create this.

HOTPin.... two factor authentication from Celestix

As you may have a gathered I do a lot of work with the Celestix WSA appliance, deploying numerous solutions as well as carrying out proof of concepts and web demonstrations.

I've been trailing Celestix HOTPin for a little while on my demo Celestix WSA applaince. What is Celestix HOTPin?

Celestix HOTPin is a two factor authentication solution. Just to reitterate what different factors of authenication there are, we can provide:

• Something you know - Passwords, PINs, etc.
• Something you are given - One time passwords, tokens, etc.
• Something you are - Fingerprint, iris scan, etc.

To have a two factor authenication solution, you should ensure that your users utilise two of these methods as authenication.

Celestix HOTPin is a one time password (OTP) solution, but rather than use the traditional method of hardware tokens, the passwords are generated on soft tokens. A soft token, is a piece of code that can run on other hardware, rather than require a dedicated piece of hardware such as a token.

Celestix HOTPin will run on Blackberry, iPhone and Smartphone/Windows Mobile devices, as well as 32-bit Windows machine. The software can be protected with a PIN, so even if your mobile telephone or laptop is found, the PIN should protect the OTP from being generated.

If you have an SMS gateway (a device that can send text messages from your network) then OTP can be generated by Celestix HOTPin and SMS'd over to the mobile device. A great back up solution, which does not require software to be loaded on a mobile device, but no so great is your are in a reception blackhole unable to get a mobile signal!!

The Celestix HOTPin software currently integrates with the Celestix WSA appliance, which saves the need to additional hardware to run this solution. The software is managed centrally on the Celestix WSA appliance, via a very familiar interface if you are use to the Celestix products.

As mentioned before I have been running this on my trial appliance, where I have deployed both the 32-bit Windows client, and the Blackberry client. Both of them do exactly what you expect, they generate a OTP!!

In my demostration environment, I check for a number of items at the login page, including:

• Windows AD Username
• Windows AD Password
• Celestix HOTPin (PIN & OTP)
• CAPTCHA

I'm so happy with how easy it is to install and manage, I will be deploying this into my live environment that we use at e92plus.

If you want to see a demostration of the Celestix WSA appliance with the various authentication methods running, please contact www.e92plus.com and we organise a web demo.

ActiveSync on IAG

ActiveSync is a pretty straight forward component to activate on IAG.... or at least it normally is, but I got an support question about it today.

Probably best to start with the basics first, and some more useful information gathered along the way.

The starting point with most application should be this document regarding applications that IAG is aware of: IAG Application Aware [1.0Mb]

Someone pointed me towards these Microsoft blog entries, which gives a little more detail:
Publishing Microsoft Activesync through IAG2007 - Part 1 of 2
Publishing Microsoft Activesync through IAG2007 - Part 2 of 2

Another useful component is this Microsoft Exchange Server Remote Connectivity Analyser, which can test the connections to ensure your configuration works. (Thanks Andrew for showing me this, it will be very useful!)

The analyser will allow you to check the connection including SSL certificates and server name, connection to the trunk, AD authentication, connection to the Exchange server and the OPTIONS commands.

The issues we had today were regarding the OPTIONS commands, as everything else seems to work. More investigation to follow..... and hopefully an answer!

Barracuda Web Filter... deployment!

My team are out doing things today, so I've been left to hold the fort!
Strangely in a matter of minutes I had two very similar questions, from two different resellers working with different end users.

They looked at the Barracuda Web Filter as it was a very cost effective URL filtering solution. The issue was that did not want to deploy it as an in-line/transparent deployment due to a couple of reasons.

First off, what is an in-line/transparent deployment? This is where the solution will sit between the firewall and main switch, and transparently monitor the traffic, and intercept the internet traffic as necessary.

The other deployment is to use the solution as a forward proxy, where all the internal traffic is routed to the proxy server, and as the name suggests, will go out to the internet on behalf of the computer making the internet request.

The transparent deployment has a number of advantages, such as supporting application blocking, automatic pass-through if there is a system failure (on the 310 or above), the client browsers will not need to be modified and the client's IP address will be passed to the firewall. The downside is that during the initial setup there will be an interuption to the network traffic and some static routes may need to be configured.

With the forward proxy deployment there will be no need to interupt the network traffic, and static routes will not need to be configured. The flip side, is that as the Web Filter will only be able to scan the outbound HTTP traffic, it will not be able to block by applications listed, IP addresses specified or by specified ports. It will not be able to sacan non-HTTP traffic for viruses or spyware, and the cleint browser must be populated with the proxy server IP address.

The first customer I spoke to today had a highly distributed network, with a large number of subnets and VLANs, where as the second customer had complicated double layer router set up, with crossed and looped patching, so unable to find a single cable to intercept.

The two customers had a common comment, which was the Barracuda website did not highlight it was possible to use the Barracuda Web Filter as a forward proxy. As ever, I would recommend the services of a good distributor, before saying no!!!

Avira and IAG

The last few days I've been speaking to a reseller who purchased Avira AntiVir Professional Anti Virus software from e92plus.

They were having issues connecting their PC to an IAG solution! For some reason, since the AV change from McAfee to Avira, they were unable to access an IAG solution. The IAG solution was not deployed or implemented by e92plus, so it was just fortunate that I work with both products.

My initial reaction to the description of the problem, was that the IAG solution was not up to date, and lacked IAG SP2, which would give WMI recognition which works with all versions of Avira. Prior to SP2, IAG would only recognise Avira V6 or V7. The reseller checked with the IAG supplier and it turns out that SP2 is already installed.

My colleague tried to access the site from an XP machine running Avira 8, and was able to access it. The reseller had installed the latest version of Avira Professional which is version 9, and the assumption was that was the problem. I tried to access the site from an Vista machine running Avira 9, and again I was able to access the site!

With a bit more digging, it turns out that the endpoints must meet three criteria before they are able to login.

1. Must have an anti-virus application running
2. Must have a software firewall running
3. Must have the IAG components installed and running

So at e92plus we also use an IAG appliance, which would explain why we were able to access the site. This would mean that our machines meet the above requirements as all these components were installed.

Checking with the reseller, we highlighted that without the IAG components installed, it would not work. These components will require adminsitrative rights to install. Despite their frustration, I was not able to help from an IAG perspective, but pointed them in the right direction, as the offline installation package may be required due to a corrupted installation, or not having adminstrative rights when the initial installation was run.

They were able to access the site from both Vista and XP machines with Avira version 9, as well as e92plus proving that we were able to access from Vista and XP machines with both Avira version 8 and 9.

The issue that the reseller now has is that on site, it will not work with their client's machines, and the finger was pointed at Avira.

I can catergorically say, I don't believe the issue to lie with Avira, as we were able to prove from a number of machines that it works. Despite this, it was requested that we escalate this with Avira, and they also see no issue with their product!!

Although I understand our resellers frustration, the troubleshooting needs to be with the IAG side or the client installation, rather than the AV! The troubleshooting should start with the log files from the IAG server, but as the supplier of the IAG solution seems reluctant to help our reseller, so they are stuck between a rock and hard place!!

Celestix WSA evaluation... and RDP queries!

At e92plus we have a number of Celestix evaluation units for proof of concepts, and today I spent the day installing one.

We had a number of applications to install, including OWA, Intranet site and RDP which all were very straight forward.

They run a number of Citrix servers, but we had an issue publishing this. Publishing as a browser embedded application, we had issues as we could not apply a root certificate to the broswer. The end user will create a web based Citrix environment, which I will remotely configure once this has been deployed.

I got a call from a reseller, where there was an issue with an RDP session, where the application would start up the Windows Remote Desktop Client, but would not populate the server name. The fix is to set the Initial Server as the server you want to RDP to.

There was also a query about how use local drives within an RDP session. It's something I've struggled with in the past, but as it wasn't essential I didn't get a chance to get a definitive answer. Something to look into...

Websense as well....

I guess from reading this blog, you would assume that I only work with Celestix products! I have to say it feels a bit like that recently has I'm running a 3-4 IAG web demonstrations a week now, along with evaluation and real installations.

I work with Websense a lot as well, and it's easy to forget that Websense not only provide web filtering, but also email and data security products.

Today, I ran a web demo for a Websense Web Security solution, which runs perfectly in an ISA environment, including the Celestix MSA appliances. The discussion turned to Web 2.0 and user generated content, where a solution such as Websense Web Security Gateway comes into its own.

Websense WSG, has to run on a Linux platform and will not run on Windows. This solution can be the proxy and cache server, negating the need for a third party proxy such as Bluecoat or Microsoft ISA server.

WSG runs an anti virus scanner at the gateway, which is not supplied with Websense Web Security, but could be an add-on for Microsoft ISA server, where something like Avira AntiVir for ISA Server would work.

Another shortcoming of Websense Web Filter or Web Security is that it can not deal with user generated content or SSL encrypted content.

Traditional web filtering solutions can not filter feeds into pages such as iGoogle. The page is "seen" as being google.com so completely allows it, the problem is that iGoogle can have feeds from Hotmail, GMail, Facebook, etc which are normally blocked. By using WSG, the individual feeds can be allowed, blocked, quota'd or confirmed.

Traditional web filtering solutions will not be able to filter SSL packets, but the Linux gateway will be able to be the "man in the middle", where it will be able to decrypt, inspect, and either discard the packet or re-encrypt the packet and forward it on.

Content inspection can also be carried out on the fly!!

With all these features of dynamic user content filtering, SSL filtering, on the fly content filtering, why are users on jumping at this product? The issue is not really price, but rather the Linux server that the software must run on!! It's amazing how many people are still put off my Linux!!

Authentication...

I was giving a web demostration today and the conversation turned to authentication.

They currently run VASCO, but found it a bit of a hassle having to issue and manage tokens, and it would not allow for pandemic situation, where there would be a need for more people than usual to have access to a remote solution.

There was mention of some solutions that relied on grids, picture, icons, keys on screens or security questions.

I had to take a step back and talk about two factor authentication, which should be:

• Something you know - Username, password, passphrase, answers to static questions
• Something you are given - One time password, digital certificates
• Something you are - Biometrics, such as fingerprint, iris scan

Two factor authentication is made up of two of the above.

If you are using a solution that still relies on something you know, such your username and password, along with a picture/icon you know, it surely is still just one factor of authenication, albeit a strong one. This may stop brute force attacks on keyloggers, but all the security is all based on information you know. As we all the know, security is normally compromised by the human element!

Although it can be an administrative overhead running a Vasco solution, you don't have to pre-issue the tokens. Send an unassigned token to the user, and get them to log into a self assignment website. This will obviously remove the need for the administrator to go through the time consuming process of assigning a token and then posting it out to a user. There is also a security concern as the token is already assigned, and the user details are probably on the envelope!!

As VASCO can work with an existing RADIUS server, which is normally considered "AAA" or triple A. The "AAA" stands for Authentication, Authorisation and Accounting. The VASCO server will carry out the Authenication component, but a RADIUS server can then deal with the authorisation and the accounting. This way we can be sure of who the user is, what services they can access and account of what they have used.

There was also a comment about not liking hard tokens, so why not use VASCO tokens that run on mobile phones, soft tokens to run on a computer, or an SMS solution to text the one time password out to mobiles.

Barracuda surprise!!

Barracuda have an annual partner conference, and this year the EMEA partner conference is being held in Prague.

It was a pleasent surprise to be invited by my boss to attend this event from a technical perspective. I'm hoping this will give me a better insight into the product roadmap, as well as how to effectively structure proof of concepts.

It will also be interesting to look round Prague as I have never been there before.

Busy day with new eyes!

A few things, firstly my eyes are a little sore, but even after a couple of days my vision is as good as it was with contact lenses!!

Anyway.... a couple of IAG bits to cover:

1) An evaluation that needed to be scoped! Some interesting bits as they want to look at: RSA (ACE), Celestix HOTPin, KCD and Windows 2003 AD authentication, with OWA, Sharepoint, File Access and Citrix (Web & client based). I'm confident with all the components, except for the KCD. Anyone who has ever worked with KCD, will not it's not always straight forward! Research will happen next week, so we'll see from there.

2) Pre-sales call, where we needed to be able to publish Terminal Server and use Swivel as the authentication method. IAG can either "pop" the RDP client and create a secure tunnel to connect the client to the Terminal Server, or to connect to TSWeb, which will then connect to the terminal server. It's not like AEP Netilla, which will start up a Java RDP client, which will allow any machine with Java to be able to connect to a Terminal Server. As for Swivel, I know a number of IAG/Whale Communication partners that use Swivel as the authentication method, but not something I've used. If it's based on RADIUS, then the only thing that the customer will need to investigate is how to ensure the webpages are displayed correctly.

A few things to look up to learn a bit more, so KCD and Swivel research!!

So tomorrow... new eyes! (hopefully)

I have been wearing glasses since I was eight (28 years) and contact lenses since I was 15 (21 years), and after much research and deliberation, I'm going to have laser eye treatment.

In fact, my eyes are being checked to see if they are suitable for treatment in the morning, and if all goes well they will be lasered in the afternoon. If I am suitable, then there won't be any updates for a little bit.

http://www.optimax.co.uk/

Wish me luck!!!

A day in the life of an IAG installation... (Part 2)

Right... day two!

We tried the VMWare View configuration first, but it seems that the Security Server element wasn't deployed, so they cracked on a deployed one!!

We spent a little getting the IP phone working, but it seems that the ports that I Googled didn't let it work!! We ran Wireshark, but nothing showed up that we didn't already allow. The conclusion was to do one of two things; call up the supplier and see if they can shed any light on the port configuration, or utilise the NAT feature on the IP softphone, which would allow the traffic to traverse the firewall and not use the SSL-VPN!

We ran through the customisation element of the IAG appliance. Initally we used the component on the Celestix web UI, which avoids the need for looking at the coding. The next element was the look at how to manually modify the site.

This guide was written by Michael Riva, who attended the same IAG course as me, which helps with the basics:
http://www.isaserver.org/tutorials/Customizing-IAG-2007-Portal-Pages.html

Also check out the manual (the link of which is below) which was written by someone technical, so you are not treated like an idiot!!

We also installed CAPTCHA on to the appliance, which requires a sub-400Kb file to be installed on the appliance, and some minor changes to the URL sets to make it work. What is CAPTCHA, well more information here: http://www.captcha.net/ Contact Celestix for more information as to how you can get this on your Celestix WSA appliance.

We ended the day talking about administrative tasks, backing up configurations and most importantly... changing all the default passwords!!

Another happy customer! It's great to be involved from the beginning, carrying out the webinar and presales component, understanding the customer's requirements, architecting the solution, scoping out the implementation, then carry out the implementation! :)

A day in the life of an IAG installation...

Today I'm away from home carrying out a two day installation for a Celestix WSA/Microsoft IAG appliance.

This was a slightly different implementation as the firewall is hosted offsite and they don't have a traditional DMZ. After a couple of chats with the ISP, we managed to get a new subnet implemented, creating a virtual DMZ. Bear in mind that IAG can not be deployed a single NIC server, it needs to have an external and internal zone.

The customer had a number of requirements, including OWA 2007, SharePoint, RDP access, an intranet site, file access and granular endpoint/access policies, which all go swimmingly. As well as ensuring that the appliance was correctly service packed to SP2 Update1.

The challenges today (and there are always challenges with an IAG installation) included SSH connections to Linux servers, and Telnet terminal emulation application. These were made to work as bespoke client/server applications, along with automatic startup of the associated applications and the correct switches to start them up on the correct screens. These should have been straight forward, but as everyone uses different clients, the testing of the various switches took a bit of time. There was also an issue with a static route, but was dictated incorrectly, but as ever check the obvious first, such as..... manually entered IP addresses!!

So a fair chunk done for the day, but two things left me scratching my head. Two outstanding applications need to be dealt with, as I have never seen or used either before. The first was a VMWare View implementation and a Mitel 8602 IP Softphone. As I'm in a hotel tonight, it gave me a chance to do some Googling and see if any of this helps.

VMWare View (Deploy as a browser embedded application)
Frontend: Ports 80 & 443
Backend: Ports 3389 (RDP), 4001 (JMS) and 8009 (AJP13)

Mitel 8602 IP Softphone (Deploy as a client/server application)
5566 - TCP
5567 - UDP
5004 to 5069 - TCP
6004 to 6247 - TCP & UDP

We'll see if those fix the issues tomorrow! Then it only leaves customisation, administration overview and housekeeping, which means a packed day ahead!

Wanted: ISA & IAG Technical Consultant / Engineer - South East UK

At e92plus, we are looking for a Celestix Engineer, where the focus will be to carry out web demos, presales, architecture, deployment and some support for the Celestix product range.

The range currently includes the Celestix MSA (Microsoft ISA appliance), Celestix WSA (Microsoft IAG SSL-VPN appliance), Celestix Load Balancer (Linux based load balancer) and Celestix HOTPin (Celestix's own two factor authentication solution). As a number of the deployments from e92plus are Websense Web Filter/Web Security integrated with ISA server, there will be a requirements to understand that as well.

Previously this role was covered by me, which was fine when we had a lower volume of calls, but as the Technical Manager, I have a number of other tasks to cover as well. The idea is to remove the day-to-day Celestix requirement from me and have a dedicated engineer. Obviously I'll be there to as a back up and mentor whoever takes on this role.

For those interested, here is the job description

Feel free to contact me on the blog address, if you are interested in this role, or have any questions.

CISSP - Getting started?

I decided to look at other qualifications after completing a raft of Microsoft qualifications recently, which included:

• MCSE:Security 2003
• MCSA:Security 2003
• MCTS:ISA 2006

Although the product I specialise in are Microsoft based, they do not utilise anywhere near the knowledge you have to learn for an MCSE, so working for a Network Security Distributor, the CISSP seems to fit better than the MCSE!

My current bedtime reading is this: http://www.dummies.com/store/product/CISSP-For-Dummies-2nd-Edition.productCd-0470124261.html

It's only to whet my appetite, until I have the time to read the proper books!

Useful IAG Links

Primarily an ISA forum, but there is an IAG section on the messageboard: http://www.isaserver.org
A forum focused on IAG: http://forums.forefrontsecurity.org
Independent Wiki for IAG: http://www.ssl-vpn.de/wiki/

Java client not working on IAG?

This is a bit of a common issue, but it's not normally noticed as the tests are normally carried out on IE, so it uses the ActiveX components, which aren't an issue.

The fix (found here: http://forums.forefrontsecurity.org/?g=posts&m=553):

The default rule set blocking the java-client, so make the following changes to the URL list:

InternalSite_Rule28: (/internalsite/applet/(sslvpnclientdetectjavamicrosoftclientoesislocalruntimeelevatoragent_win
_helperagent_mac_helperagent_lin_helper)\.jar) change Parameters value Reject to: Ignore

Duplicate rule 29: Change URL value of new rule to: /internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class

It worked for my Firefox users, but didn't impact me using ActiveX clients on IE8.

Celestix and Microsoft IAG

What is Microsoft Intelligent Application Gateway (IAG)?

It's an remote application delivery platform or as some would call it.... an SSL-VPN.

It's a way of delivering the applicatons you use internally at work, to an external audience via HTTPS.

The IAG can interogate computers to check what operating system it runs, whether there are specific applications running (such as anti-virus software, software based firewalls, etc), whether the computer is a member of a domain, etc.

By coupling endpoint checks, along with user credentials, granular understanding of applications, reporting and monitoring. We have a secure delivery method, as we can ensure correct users, can access correct applications, with approved computers, and be able to see who, accessed what and when. Sounds pretty comprehensive!!

This product originally was made by Whale Communications and was developed about ten years ago, prior to being bought out my Microsoft. This software platform is avalable on the Celestix WSA appliance. If you are based in the UK and want to evaluate an appliance, contact e92plus on 020-8274 7000

Some useful resources for those new to IAG are available here:

Celestix WSA Quick Start Guide [3.8Mb]
Microsoft IAG User Guide [3.32Mb]
Microsoft IAG Advanced User Guide [2.77Mb]

Microsoft IAG 2007 Service Pack 2 - Notes
Microsoft ActivePerl (which must be installed prior to SP2) [15.8Mb]
Microsoft IAG 2007 Service Pack 2 [36.5Mb]

Microsoft IAG 2007 Service Pack 2 Update 1 - Notes
Microsoft IAG 2007 Service Pack 2 Update 1 [19.8Mb]

Celestix and Microsoft ISA

For the last three years, I've been working at e92plus as the Technical Manager. We have a portfolio of products, some have gone since then, some new ones have come, but the one I took a shine to was Celestix.

Celestix make hardened Windows appliances that run Microsoft ISA Server, and Microsoft IAG Server.

I have been a Microsoft Certified Professional (MCP) since 1998... (yes, I'm that old and then some!) and have worked with NT3.51 through to Windows 2008.

It seemed like the logical step for me to take the Celestix product range under my wing.

I started playing with Windows ISA 2006 nearly three years ago, but a majority of these deployments have been as a proxy and cache, but have seen the other flavours as well.

Any way the point of this post is to list the useful resources that have helped me along the way:

http://www.isaserver.org/ - A proper ISA guru - Thanks Tom! :)
http://blog.msfirewall.org.uk/ - Jason Jones of Silversands is an MVP based in the UK
http://tmgblog.richardhicks.com/ - Recently I meet Richard Hicks of Celestix, and this is his blog

More VASCO qualifications!

Today's training course went very well and I feel confident that it gives enough information to the attendees to get installing and using the product immediately!

The exam covers all aspects learnt in the last two days and is an open book exam which I know some people love and some people hate. I have to say that in the "real world" you'd be able to look at the product, speak to people, refer to manuals, use Google, etc, so I agree with open book exams.

Fortunately, I passed the exam to gain more VASCO qualifications. That now means I'm a VASCO Certified Engineer (VCE) for Middleware 3.0, aXsGUARD 7.0 and now Identikey 3.1. As I passed with over 80%, it also qualifies me to carry out training in this product as well.

e92plus are now an Authorised Training Centre for VASCO Identikey, as well an ATC for Websense and Cyberoam.

We'll start to run the certified training course for VASCO Identikey 3.1 from September 2009, so I may see you soon! :)

VASCO Training

Who is the worlds largest two factor token provider?

RSA?? Nope, although that's probably the answer, if you spoke to someone in the UK or US.

Speak to someone in Europe or from the banking industry, then the answer would be.... VASCO!

VASCO provide tokens to commerical banking worldwide and in fact all verticals, but as such have more functioning tokens in the real world than any other token provider.

I spent today in technical training, learning more about VASCO Identikey 3.1. Vasco is one of the vendors that we distribute for at e92plus.

Initial reaction is that it's much better structured than the old VASCO Middleware 3.0 course. I'd highly recommend this course for someone new to two factor authentication, as well as someone who has experience of other solutions.

Advantages over Middleware, include a web interface, reporting, much improved AD integration and a SOAP interface. More to come tomorrow, along with an exam!!