Archive for category TMG
Yuri Diogenes [MSFT] has just started a new Wiki page on TechNet. Anyone working with TMG should visit and contribute to the Forefront Threat Management Gateway (TMG) 2010 Survival Guide.
Migrating from ISA to TMG is in some cases quite easy, but in others it can be quite a journey. In one of my latest cases it was indeed an interesting journey…
So let me share some findings with you.
Moving from Standalone ISA to TMG Array.
This does not look to be a problem in theory, but…
Things you can do in a standalone ISA are sometimes not possible in a cluster.
This time it was the use of multiple subnets on a single NIC. When moving to NLB you cannot have a VIP from a different subnet.
Found this out when I entered the scene on day 1… And this also meant the project had to make some IP-routing changes in the network.
Even though it is possible to export/import configurations in some scenarios, you usually want to take the opportunity to change the rules to take advantage of new features in TMG and also to clean up the “mess” after adding rules over the years. While doing this kind of migration I have discovered many times that the customer tells you one thing and the rules show something else.
You ask the customer…
“Have you made any special settings that we need to consider?”, and the customer will answer “No”.
Well, what you find in the rules is that a lot of them have “special non-default settings”. And when do you find this out… When users start testing! A little bit too late, in other words.
The problem is that it is not a trivial task to check 100 rules in detail in order to grasp how many places have “special settings”.
This customer had a few FTP rules in place. They already knew which ones needed to be cleared from the “Read-Only” flag. They had learned that the hard way in ISA. But they did not know if they also required “Active FTP”. In a TMG cluster you need to “enable” Active FTP first on the Enterprise level… And also on the Array level.
Using NLB to build TMG (or UAG) clusters is heavily dependent on the switches used. HP Procurve has proven not to be “up to the job” in many cases.
After spending the last days helping a customer migrate from ISA to TMG and trying to figure out how to get NLB to work in their environment, I thought I should share some findings.
Unicast or Multicast
It is important to remember that TMG does not care if you use Uni- or Multicast. This is entirely a switch problem. The problem is that many network guys do not know how to pick the right one for the specific switch model at hand.
NLB in Procurve
When using typical Procurve switches (like the 2800-series) you will find yourself stuck using Unicast NLB and also having to add some static MAC-address entries in the environment.
When trying to use Multicast NLB we discovered that HP switches will not let you add Multicast MAC-addresses as static entries in many models.
One thing that I noted in this project is the total lack of information from HP on how to integrate NLB with their different models.
Many of you might say… Stop using NLB and get a hardware LB instead…
In my opinion NLB should always be the first load balancing option you consider when building TMG and UAG clusters.
Why?… Simply because this is the one integrated into the product. If using any other LB you will not benefit from TMG’s integrated management. Configuring a stand-alone LB to detect service failures in TMG and cause a node-drop is not an easy task. I have also found that when using an external LB you will in many cases not be able to use routed relations and will have some serious problems getting bi-directional affinity to work, especially in protocols like RPC.
Just spent a day last week with one of Sweden’s largest universities. I was talking about TMG.
What struck me was that the main problem they had with TMG was that it was reducing their bandwidth!
I find it quite strange to still hear customers talking about firewalls in terms of bandwidth rather than about the security and protection they add to their infrastructure.
After trying hard for a while, and failing, to make this article readable on the web,
I decided to just give it to you as a PDF until I figure out how to format it to fit the blog page sizes.
So please download:
Finally, it has arrived!
The first beta of Nitrogen (ISA 2008) was released at the end of the week to the TAP participants.
I haven’t had time to put one up yet, since it requires an x64 Server 2008 underneath.
But at the beginning of next week I will set it up at my customer who is part of the TAP.
As soon as possible I will then start bombarding the product team with blog posts to get approval to start writing a little about what you can expect in the next generation of ISA Server.
I have asked for a quote on a new server (dual QuadCore and 16GB RAM!) so I can start virtualizing x64 on 2008 RC0′s virtualization platform. Once it is in place (hopefully in a couple of weeks) I can seriously start testing it in other scenarios than the ones my TAP customer intends to test.