Tuesday 24 November 2009

Web Monitor Logs

A common question I'm asked is how I can keep my Web Monitor logs for longer. Ensure you have SP2 Update 1 installed for this feature.

Just feed the logs into a Syslog server, sounds easy...
  • Start up the IAG Configuration application
  • Select 'Admin' at the top and select 'Event logging'
  • Select the 'Syslog' tab and enter in the details of your Syslog server

Sometimes, we just want an easy solution... and here is one!

I've had a play with a freeware Syslog server called Syslog Watcher, which works very well with this integration, but would welcome any recommendations for Syslog software.
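As an added example (not code from this post, from IAG or from Syslog Watcher), here is a minimal UDP syslog collector that does the "keep the logs longer" job itself: it decodes the PRI header and appends each event to a per-day file, so retention becomes a matter of disk space. It assumes the appliance sends RFC 3164-style `<PRI>...` lines over UDP/514; the file name prefix and the sample event are constructed.

```python
# Added example: minimal syslog collector for long-term retention of IAG Web Monitor
# events. Assumes RFC 3164-style '<PRI>TIMESTAMP HOST MSG' lines over UDP/514 (assumption).
import re
import socket
import datetime
from pathlib import Path

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]          # 16..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_syslog(line):
    """Decode the <PRI> header into facility/severity; malformed input is kept verbatim, not dropped."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:                             # valid PRI range is 0..191
        return {"facility": "unknown", "severity": "unknown", "message": line.rstrip("\r\n")}
    fac, sev = divmod(pri, 8)
    return {"facility": FACILITIES[fac], "severity": SEVERITIES[sev],
            "message": m.group(2).rstrip("\r\n")}

def archive(line, base_dir, when=None):
    """Append one event to a per-day file (iag-YYYY-MM-DD.log, a constructed name); returns the path."""
    when = when or datetime.date.today()
    rec = parse_syslog(line)
    path = Path(base_dir) / f"iag-{when.isoformat()}.log"
    with path.open("a", encoding="utf-8") as fh:
        fh.write(f"{rec['facility']}.{rec['severity']} {rec['message']}\n")
    return path

def serve(base_dir, bind="0.0.0.0", port=514):
    """Receive UDP syslog datagrams and archive each one; runs until interrupted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, _peer = sock.recvfrom(65535)
        archive(data.decode("utf-8", errors="replace"), base_dir)

if __name__ == "__main__":
    serve("/var/log/iag")   # constructed path; port 514 needs elevated privileges
```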

Sunday 15 November 2009

Endpoint Protection should no longer be optional!

Most environments will run a firewall and anti virus software on the computers.

We take it a step further when we monitor and filter users' web traffic; scan inbound (and sometimes outbound) email; secure inbound traffic to our networks with a combination of anti virus software, firewalls, reverse proxying, NACs, SSL-VPNs with access policies and two factor authentication; and protect our internet-facing services with a web application firewall. But this level of protection is mostly aimed at threats from outside the organisation.

We all hope we can trust our work colleagues and employees, but an often overlooked security concern is the harm our internal staff may cause, intentionally or unintentionally, to internal systems.

I have seen a few endpoint protection solutions, and they are either lacking in functionality, or have a wealth of features coupled with a price tag to match.

I was asked to trial a new offering from Cyberoam, who have previously focused on UTM firewalls and SSL-VPN solutions. Looking to expand their security offering, they have now produced an endpoint solution, which they have called Cyberoam Endpoint Data Protection (aka Cyberoam EDP).

The Cyberoam EDP solution comes with four components, where you can pick and choose which components you require.
  • Device Management
  • Application Control
  • Asset Management
  • Data Protection and Encryption

The Device Management component allows you to define which hardware components can be used on your endpoints. So you can limit access to hardware that is either built in or plugged in, such as DVD writers, USB memory sticks, external hard disk drives, etc.

The Application Control component allows the access and blocking of applications, such as peer to peer and IM from either a legal or IT policy perspective, or software such as Photoshop and Office, where you can ensure that the software is only used on certain hardware to maintain correct licence usage (i.e. not allowing the software to run on more machines than you are legally allowed to).

The Asset Management component allows the auditing and tracking of hardware on your network, and of what software is installed where. There is also version tracking, so you can see hardware and software changes within your network.

The Data Protection and Encryption component allows you to create policies to prevent data from leaving your company. These policies can be applied to email, IM and removable devices, so certain file types or file names cannot leave via these transport methods. You can also shadow message transfers, so you have records of IM conversations and emails!! The encryption function is for removable media or when files are transferred.

I tested this on my network and all the functions worked perfectly in my test environment, but the limitation was that Windows 7 operating systems and 64-bit operating systems were not supported at the time of testing. (I had a number of Windows 7 machines work perfectly and a couple that did not work, as well as some functionality from a 64-bit Windows 7 laptop.) The Windows 7 element of the software is currently being tested and a fully supported version of the software is due out soon.

I believe this product will give enterprise levels of security to the SME market.

More information as well as a 30 day free trial is available here: http://www.cyberoam.com/endpointdataprotection.html

If you try it, I'd be interested in your feedback. :)

Friday 6 November 2009

High Availability for IAG

After four hours on the train today, I spent a fair chunk of the day configuring a pair of Celestix Load Balancers for an IAG deployment.

The only way to create IAG in a highly available configuration is to put the IAG solution behind a front end load balancer. A common question I get asked is why I recommend a pair of load balancers... well, why would you specify a solution with multiple application servers, only to place them behind a single load balancer and risk moving your single point of failure from the application server to the load balancing solution?

There are some simple instructions on how to configure the Celestix Load Balancers (CLB), well documented in the manuals, but here are some headline points when configuring the solution for Direct Server Return (DSR). With DSR, inbound traffic reaches the IAG solution through the load balancer, but outbound (as the name suggests) the IAG solution replies directly to the client, rather than through the load balancer.
  1. Configure the IAG external IP address to be the virtual server IP address
  2. Ensure DSR is selected in the advanced settings
  3. Under the Healthcheck option for the target, ensure PING is off, but check that TCPOpen is enabled for 443,2,10
  4. Ensure all IP addresses are unique, including gateways, servers, engines, etc.
  5. Create an ISA rule to allow access from the CLB range to the Local Host, for port 443.
  6. Create loopback adapters for the WSA appliance, ensuring that there is no gateway, and within advanced settings, the Interface Metric is set to 254
  7. Ensure VRRP is enabled, where both appliances have the same VRID; ensure the Master has a priority of 1 and the backup of 254, on a different network
  8. Ensure the local hosts file has the server name pointing to the VIP
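A pre-flight script for the checks above, added here as an example rather than anything from Celestix or the IAG product: it covers the points that can be verified from a workstation (unique addresses, the hosts file mapping to the VIP, and a TCP open on 443 instead of PING, i.e. steps 3, 4 and 8) for a constructed single-portal deployment. The loopback adapter, VRRP and ISA rule steps are done on the appliances themselves and are not checked here; the addresses, hosts file and simulated connector are all made up.

```python
# Added example: DSR pre-flight checks (not Celestix or IAG tooling).
# All addresses, names and the "engine" list below are constructed for illustration.
import socket
from collections import Counter

def duplicate_ips(addresses):
    """Step 4: every VIP, real server, gateway, engine and CLB address must be unique."""
    return sorted(ip for ip, n in Counter(addresses).items() if n > 1)

def hosts_points_to_vip(hosts_text, server_name, vip):
    """Step 8: the local hosts file must map the portal name to the VIP, not to a real server."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()          # strip comments, then tokenise
        if len(fields) > 1 and server_name.lower() in (h.lower() for h in fields[1:]):
            return fields[0] == vip
    return False

def tcp_open(host, port=443, timeout=2.0, connect=socket.create_connection):
    """Step 3: mirror the CLB health check, a TCP open on 443 rather than ICMP PING."""
    try:
        connect((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def preflight(deploy, hosts_text, connect=socket.create_connection):
    """Run the checks for one portal; an empty list / True means that step passes."""
    all_ips = ([deploy["vip"]] + deploy["real_servers"] + deploy["gateways"]
               + deploy["engines"] + deploy["clb"])
    return {"duplicate_ips": duplicate_ips(all_ips),
            "hosts_ok": hosts_points_to_vip(hosts_text, deploy["name"], deploy["vip"]),
            "no_tcp443": [s for s in deploy["real_servers"] if not tcp_open(s, connect=connect)]}

# Constructed sample: one portal VIP, two IAG appliances, one gateway, a CLB pair.
DEPLOY = {"name": "portal.example.com", "vip": "192.0.2.10",
          "real_servers": ["192.0.2.11", "192.0.2.12"], "gateways": ["192.0.2.1"],
          "engines": ["192.0.2.20", "192.0.2.21"], "clb": ["192.0.2.30", "192.0.2.31"]}
HOSTS = "127.0.0.1 localhost\n192.0.2.10 portal.example.com  # must be the VIP\n"

def simulated_connect(addr, timeout=None):
    """Offline stand-in for socket.create_connection: the second appliance is 'down'."""
    if addr[0] == "192.0.2.12":
        raise OSError("connection refused")
    return socket.socket()

if __name__ == "__main__":
    print(preflight(DEPLOY, HOSTS, connect=simulated_connect))
```

Drop the `connect=simulated_connect` argument to run the TCP check against real appliances from a host that sits in the CLB's allowed range.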

I had a pretty unique situation today, where four portals were configured on two IAG appliances, with virtual IPs and load balancers.

We ended up using 14 external IP addresses: a VIP for each portal (4 external IPs), an external IP for each portal on each appliance (8 external IPs), and a unique IP for each load balancer (2 external IPs). It's very rare to have this many real IPs to play with, but the same principle would apply if these IPs were internal ones behind a NAT'ing device, which would only have required 4 external IPs (one for each portal).

Ensure you understand the customer requirements and follow the manual.

Good luck with making your IAG solutions highly available! :)