Friday 1 October 2010

ActiveSync and email on iPhones (and other ActiveSync devices)

Recently I’ve been asked a lot about ActiveSync for iPhones, so I want to highlight the security implications of it.

I have spoken with a number of people who have ActiveSync running on their Exchange Servers, where the server can be accessed directly from the internet. I’m not a fan of having servers on the LAN available from the internet, but under the pressure to deploy the access this is often overlooked. This is a shame, as the Microsoft IAG and UAG solutions will reverse proxy the ActiveSync connection, eliminating the need for a direct connection to the Exchange server.

Ensure the handset you have has a level of encryption on it, as the company can be subject to hefty fines from the ICO if personal data is not encrypted. Apple iPhones have AES 256-bit hardware encryption to protect the data at rest. The Nokia E-series handsets that I have investigated have encryption for both device and storage memory.

Although this protects data at rest, ensure there is at least a password on the device, or there is no point having the encryption. Enforcing a password on the device, and comprehensive password policies, can be configured from the Exchange server.
What if the handset is stolen? There is the ability to remote wipe the mobile device, as well as enforce a wipe if there are too many failed attempts to log on to the device.
The only concern is the number of requests for this access on personal iPhones, which is a worry from a data leakage perspective. A number of places have said they will enforce password policies and reserve the right to remote wipe the device when required, and then have their employees agree to this. Personally, I am not a fan of this and would rather be working with corporate devices, where as a business you have more “rights” to your hardware.
From a technical perspective, you will need to do the following:
  • Ensure ActiveSync is configured and running on the Exchange server, with the relevant password, encryption and wipe policies. Assign the access to the users who should be able to use it, taking care to remove access from everyone else (so they are unable to connect unauthorised or personal mobile devices).
  • Configure an ActiveSync portal on IAG, or create a portal for ActiveSync on UAG.
  • Ensure all the Exchange server settings are entered correctly.
  • Apply a real SSL certificate to the portal, as some mobile devices will not allow you to accept a self-signed SSL certificate.
  • Publish the portal.
  • Test the ActiveSync by defining the server name, domain/username and password here:
  • Expect it to fail on the OPTIONS section, but everything else should pass.
  • Configure your device to point to the newly created portal.
  • Allow the device to synchronise and enjoy emails on your mobile device!
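The three Exchange-side controls in the steps above (password/encryption/wipe policy, restricting ActiveSync to approved users, and remote wipe of a lost handset) as an added Exchange Management Shell example; this is not code from the original post, and the policy name, group name, mailbox and device identity are assumptions you would replace with your own.

```powershell
# Added example, not from the original post. Assumes an Exchange 2007 SP1 / 2010
# Management Shell. All names below are assumed placeholders.

# 1. A mailbox policy covering the three controls the post calls for:
#    a device password, encryption at rest, and a local wipe after too many failures.
$policy = @{
    Name                               = "Corporate-Mobile-Policy"  # assumed policy name
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false   # no 1234 / 1111 style PINs
    MinDevicePasswordLength            = 8
    MaxInactivityTimeDeviceLock        = "00:05:00"  # lock the handset after 5 idle minutes
    MaxDevicePasswordFailedAttempts    = 10          # handset wipes itself after 10 bad attempts
    RequireDeviceEncryption            = $true       # data-at-rest encryption on the handset
    AllowNonProvisionableDevices       = $false      # refuse handsets that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Only approved users get ActiveSync: members of an assumed security group are
#    enabled and given the policy, every other mailbox has ActiveSync switched off,
#    so unauthorised or personal handsets cannot pair with the server.
$approved    = Get-DistributionGroupMember -Identity "ActiveSync-Users"  # assumed group
$approvedDNs = $approved | ForEach-Object { $_.DistinguishedName }

foreach ($member in $approved) {
    Set-CASMailbox -Identity $member.DistinguishedName `
        -ActiveSyncEnabled $true `
        -ActiveSyncMailboxPolicy $policy.Name
}

Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($approvedDNs -notcontains $_.DistinguishedName) } |
    Set-CASMailbox -ActiveSyncEnabled $false

# 3. Remote wipe of a lost or stolen handset: list what is paired with the mailbox
#    (device ID, last sync time, wipe status), then issue the wipe for the right device.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith"    # assumed mailbox
Clear-ActiveSyncDevice -Identity "<device identity from the listing above>"   # placeholder
```

The wipe cmdlet prompts for confirmation by default; the device statistics listing afterwards shows the wipe request and acknowledgement times once the handset next connects.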


Monday 27 September 2010

Avira International Partner Summit, Germany - September 2010

I was fortunate enough to attend the 2nd Avira International Partner Summit, which was held in Germany last week.

There were partners from 35 different countries, so it was great to meet and chat with members of the extended Avira family.

Avira were a great host, not only offering information regarding the growth and expansion of the previous year, new developments and structural changes, but also offering a listening ear to the issues and challenges faced by the various distributors and our reseller partners.

There were a number of useful workshops to allow us to voice our challenges in a commercial, marketing and technical environment, but also share ideas and solutions in these areas, and I was amazed at the parity despite the diverse audience.

There are many exciting things that will be announced and released from Avira in due course, and I will keep you up to date when I can!

Two Factor Authentication on GMail

An interesting article about Google protecting Google Apps, which includes GMail, with a one time password sent to your mobile phone:

This technology has been available for a while, but this should create greater awareness of two factor authentication, and in turn make more companies realise this is required for their websites, services, applications and SaaS/Cloud offerings.

Vasco can provide two factor authentication to remote access solutions, such as traditional IPSEC VPNs as well as SSL-VPNs. Vasco can provide two factor authentication to a whole network, using uniquely generated one time passwords to log into Windows instead of traditional passwords. More importantly, Vasco can be used to protect web services and web applications. The one time passwords can be generated by hardware tokens, software tokens, tokens for mobile and smartphones, and can even be sent via SMS.

Cloud may be the next big thing as a delivery method, but what will you be using to secure it?

Is your anti-virus software doing its job?

AV-Comparatives have been reviewing and comparing anti-virus software packages for a number of years.

The latest reports are available from this section of their site:

The comparisons between these products are independent and are based on the findings, which are reported.

I know people find it a big upheaval to change their anti-virus provider, especially in larger organisations, but the results offer a very compelling argument to switch to Avira!

Thursday 1 July 2010

Are all UTM appliances the same? - Cyberoam

I'm a little biased, but I think the Cyberoam CR series UTM (Unified Threat Management) offering is head and shoulders above other UTM appliances on the market.

Some people will consider all UTMs the same, rather than looking at the components that make up the whole, or they consider it a point solution where only one or two features are used, rather than making the most of the whole solution.

Why do I consider the Cyberoam CR series a better solution? Well, here are some of my findings:
  • Identity based UTM, to allow rules to be applied to users, rather than IPs
  • A stateful firewall that supports high availability and IPv6
  • Gateway anti-virus and anti-spyware solution provided by Kaspersky
  • Real time anti-spam solution provided by Commtouch
  • IPSEC VPN that supports PPTP and L2TP, as well as a VPN client provided by GreenBow
  • SSL-VPN functionality on the appliance
  • Web content and application filtering, including IM filtering
  • IPS, including the ability to create your own signatures
  • Multi-link/Multiple WAN links supported on all the appliances, including USB 3G dongle support
The Cyberoam CR series solution is very cost effective and can go head-to-head with all the major UTM appliances, and in my opinion outshine them as well!

To help complement this solution, there is also the Cyberoam Centralised Console (CCC), which can manage multiple Cyberoam UTM appliances, as well as a software-based solution to offer Data Protection & Encryption, Device Management, Application Control and Asset Management.

Don't just take my word for it, organise an evaluation of one from e92plus.

Wednesday 30 June 2010

UAG - Activating your configuration

The first few times I used UAG, I wondered why it took so long to activate the configuration. Even though the finish screen came up, the configuration would not always be live.

There is an easy way to check this by using the messages. On the main UAG screen, click on "Messages" and select "Filter Messages...", then select "Informational messages".

So this is the point at which the finish button would appear after activation:

But if you have a look at the following screen, you can see it takes a bit longer before the activation is completed.

Tuesday 29 June 2010

UAG - RDP set up

I've been struggling with publishing RDP on my test UAG appliance, as it was not the same as IAG.

First of all, publish the application, which is located under "Terminal Services (TS)/Remote Desktop Services (RDS)", where you have "RemoteApp" for use with Windows 2008 Terminal Services, Remote Desktop (Predefined and User defined), as well as the two options available from IAG.

I can't use the two options from IAG, as they do not support 64-bit clients (and I use Windows 7 64-bit).

Publish the application as Remote Desktop, either predefined so no user interaction, or user defined where the user will need to specify the desktop to connect to.

Give the application a name, set up the appropriate access policy, define the server to connect to, configure the client settings, ensure the portal link information is correct and ensure the authorisation is correct.

As I found out, this alone will not work and you will receive an error, which points to certificate issues.

As the UAG appliance is the Remote Desktop Gateway, a certificate will need to be applied to it. Go to the Start menu, and select "Administrative Tools/Remote Desktop Services/Remote Desktop Gateway Manager". From there expand the server, and you will see an option to apply a certificate to the gateway.

Apply the appropriate certificate and enjoy remote access!

Tuesday 25 May 2010

Microsoft UAG Update 1

Microsoft released UAG Update 1 last month, which updates the following areas:
  • Remote Desktop access from Windows Vista and Windows XP: Client endpoints running Windows Vista and Windows XP can now access RemoteApps and Remote Desktops published through Forefront UAG.
  • Support for Microsoft SharePoint Server 2010: Forefront UAG now supports SharePoint Server 2010.
  • Support for MSOFBA: Forefront UAG now supports the Office Forms Based Authentication protocol to allow rich clients to directly access applications published through Forefront UAG.
  • Support for site cookies: Forefront UAG now supports the use of site cookies for non-alternate access mapping applications, in addition to domain cookies.
  • Support for large CustomUpdate files: Forefront UAG now supports CustomUpdate files up to 1.5 GB in size.
  • Changes in Group Policy Object (GPO) provisioning for DirectAccess clients: Update 1 fixes an issue that caused the export script that creates GPO objects to fail, and an issue that caused the GPO to be applied to all authenticated users in the domain (including computer accounts), instead of to DirectAccess clients only.

More information regarding this update can be downloaded from here.

Cyberoam Version X is here!

Cyberoam, the identity based UTM manufacturer, has revamped their multi award winning product, which can now run the new version of the firmware, Version X.

The older graphical user interface was criticised for being a little cluttered and not intuitive. Version X is a visual treat, with a very crisp and modern look. The interface and components are well laid out and very intuitive within Version X.

More information regarding this major update can be found here:

Contact e92plus if you would like to see or evaluate the Cyberoam product range.

Friday 7 May 2010

VMWare View on Microsoft IAG

VMWare View has been a bit of a pain for a number of people, but here is what I have done in the past to get it to work. (Thanks to Andrew Button for helping to remind me of some of these bits!!)

Let me be clear, I am not a VMWare expert in any fashion, and I have little knowledge of VMWare View!
  1. Ensure VMWare View works internally first
  2. Ensure a VMWare Security Server has been deployed (this tip was thanks to my friend, Google)
  3. On IAG, publish an "Enhanced Generic Client App (hosts optional)"
  4. Give the application a name and the right access policy
  5. Give the server name that is hosting the VMWare View server, with the correct port (probably 443, if you are using HTTPS), iexplore as the executable, and the full URL for the service as the argument
  6. Finish the wizard
  7. Go into the properties and ensure that the Socket Forwarding Mode is set to VPN
  8. Publish and test
I have been struggling to make this SSO, but no joy. If this changes, I will update this post!

Monday 26 April 2010

Show season is here: Infosec 2010 at Earls Court

The biggest information security show in Europe is upon us and Infosec 2010 will be hosted at Earls Court from Tuesday 27th to Thursday 29th April.

A number of our vendors will have stands there, including:

Barracuda - Stand J65
Celestix - Stand J72
Lumension - Stand H50
VASCO - Stand G40
Websense - Stand H10
WinMagic - Stand F82

If you want a chat or a catch up, drop me a mail.

See you there and enjoy the show!

- Posted using BlogPress from my iPhone

Friday 12 March 2010

ASP Error when configuring File Access within IAG

I was on site when I encountered an odd issue. When configuring the File Access component within IAG, we got the following ASP error:

Request object error 'ASP 0104:80004005'

Operation not allowed /whalefilesharingadmin/computers.asp, line 47
Thanks to Senthil from Celestix who found the answer to this.

The error was caused by the IIS size limit on the maximum number of bytes allowed in the entity body of an ASP request.

The answer is to locate this file:


and modify the following value:

AspMaxRequestEntityAllowed to 1073741824

This changes the accepted size limit to 1GB.

Testing IAG SP2 Update 3 - Part 3

Having been distracted from IAG by the impending launch of UAG on the Celestix platform, and Websense launching their Triton platform, I finally found time today to do some more testing.

Uri from Eurodata dropped me an email checking if my AD repository was the same as my domain (which it isn't!), as this would save having to edit inc files after an upgrade.  Step 9 of the following article:

Today I reset my demo appliance and tried the following:
  • Configure the networking components of my Celestix WSA appliance
  • Install Java, Active Perl, SP2 and SP2 Update 2
  • Create an ActiveSync trunk
  • Import my Exchange certificate
  • Use an AD repository that is named the same as my domain
  • Modify the ASP file mentioned above
  • Test - Success!
  • Install SP2 Update 3
  • Test - Success!
  • Recreate my portal trunk for my applications
  • Test - Success!
Now that IAG SP2 Update 3 is working successfully in a new installation (albeit via SP2 Update 2, rather than straight to SP2 Update 3), I will try an in-place upgrade on my known working appliance.

Thanks for the email Uri, as it motivated me to look at this issue again!! :)

Tuesday 2 March 2010

Microsoft TMG Arrays Explained...

TMG arrays explained by someone (Richard Hicks of Celestix Networks & Microsoft MVP) who knows what they are talking about on

Thursday 25 February 2010

Barracuda Backup Service

I briefly mentioned the Barracuda Backup Service after attending the EMEA partner conference, but what if you want to know more?

Well e92plus are hosting a technical training session on the HMS Belfast in London on Friday 19th March.

More information and registration for this event can be found here:

Celestix MSA voted Readers Choice Award Winner

Congratulations to Celestix for their MSA Security Appliance on winning the readers' choice award for hardware appliances.

Read more about it here:

Testing IAG SP2 Update 3 - Part 2

Here is some useful information from the MS UAG Blog about IAG SP2 Update 3.

The table in the link is very useful at summarising what is and isn't supported.

Socket forwarding is not supported on any 64-bit Windows operating system, nor on Mac & Linux machines. I have seen this with my Windows 7 64-bit laptop, which does not work with published RDP sessions, but I can confirm that XP compatibility mode does work.

The Network Connector will not work with either 32-bit or 64-bit Windows 7 machines, nor with Mac & Linux machines. I can confirm this, as a customer and I have tested it, although I have yet to test Windows 7 in XP compatibility mode with the Network Connector; I suspect it will work.

Although this update was meant to be the "fix" for Windows 7 and IAG, I'm afraid there are still limitations.

IAG is dead.... long live UAG!

Tuesday 23 February 2010

Testing IAG SP2 Update 3 - Part 1

I managed to get my hands on SP2 Update 3 for IAG v3.7 a week or so ago.

So far I've only managed to deploy this to my live environment, with some good and bad results!

My current IAG platform is a Celestix WSA 4000, and it has been Service Packed and updated pretty much as and when these updates have been available.

As I'm a little wary of these things, I use the Celestix Last Good Version (LGV) feature, which allows me to take a snapshot of my appliance and save it to a Linux partition on the appliance. It takes around 15 minutes to make this snapshot, and around 10 minutes to roll back... if required!

My appliance hosts a portal with various applications such as OWA, Intranet, RDP, etc, as well as an ActiveSync tunnel for our mobile devices.

After the update was applied, the portal worked perfectly with both Windows 7 32-bit and 64-bit machines, but it broke my ActiveSync tunnel!

One of my authentication methods is Active Directory and it is used for both the Portal and ActiveSync tunnel. The authentication using AD was perfect on the Portal, but it failed for the ActiveSync tunnel. All the mobile devices said the wrong password was being presented.

No changes were made to the mobile devices and this impacted both Nokia E71 and Apple iPhones. Changing the password on the device made no difference, but we knew that the AD authentication should be working correctly as the portal works.

Rolling the appliance back to SP2 Update 2 using the LGV feature allowed all the mobile devices to authenticate again, even though some of these devices did not have their password changed.

Since then, I've managed to get hold of another appliance to test with, so Part 2 will continue tomorrow.....

Wednesday 17 February 2010

Two factor authentication tokens on iPhone

I've been playing with the iPhone recently and I've been very impressed with the amount of applications you can get for the phone.

The other day after some prompting from the UK Vasco Technical Account Manager, I installed a Vasco Digipass for the iPhone. (Thanks Dan)

So now I have a demo Digipass on my phone, which I can use for demonstration purposes. It was fairly straightforward: you need to download the app from the Apple AppStore and tap in a couple of codes to make it work. Obviously I need a Vasco server installed somewhere, with the relevant DPX file installed on it, so the token can be used.

Off the back of this success, I took the opportunity to install a Celestix HOTPin client on my iPhone as well.

Again, just download the iPhone client software from the Apple AppStore. You will need to ensure that the Celestix HOTPin server is running somewhere. Currently it can run on the Celestix WSA appliance, which negates the need for additional server hardware. Once the server component is configured and users added to the system, it is ready to go.

I used the HOTPin client on the iPhone to communicate with my Celestix WSA appliance which is hosting the HOTPin server. It downloads the client.dat file onto the iPhone and the client then allows the phone to generate the one time passwords.

The Vasco token required a bit more information to set up, and Vasco has the advantage of being able to provide your users with hard tokens, software tokens, mobile phone tokens and OTP via SMS, all through a single server element and managed from one console.

Celestix is a more cost effective solution, as the HOTPin server software can run on the Celestix WSA appliance and there is no server software cost as such. The only downside is that there is no hard token option, so you may encounter some friction from users as they will not want the HOTPin client installed on their own personal mobile devices, although you have the option of a software client on Windows or OTP via SMS.

Although both solutions support receiving the one time password via SMS, what happens if your users are in a mobile telephone blackspot?

- Posted using BlogPress from my iPhone

Tuesday 16 February 2010

Computer Engineer Barbie

After an online vote, Barbie has a new profession.... Computer Engineer.

More information about it here

Saturday 13 February 2010

Microsoft IAG SP2 Update 3

Information from Microsoft regarding: IAG SP2 Update 3

Once this has been tested by Celestix, it will be available for download from the website.

It will also give me a chance to test it in my lab as well.

Friday 12 February 2010

Microsoft Forefront TMG (Threat Management Gateway) - Introduction

Microsoft TMG is the successor to ISA Server 2006, and still has the features from ISA, such as an application layer enterprise class firewall with proxy, cache and VPN services. So all the good things from ISA 2006 that we know and love are still there.

There are many new features within TMG, including:
  • Gateway anti-virus scanning, which uses the Microsoft scanning engine
  • URL filtering, which can filter web traffic using Microsoft Reputation Services
  • HTTPS inspection, using dynamically generated certificates from a self-signed or trusted CA
  • Network Inspection System, which is vulnerability-based intrusion detection & prevention
  • Email Protection, as TMG can be the Exchange Edge Transport for Exchange 2007 SP2 or 2010, as well as Forefront Protection for Exchange
  • Remote Access, using SSTP, Direct Access and NAP integration
  • Forefront Protection Manager integration
  • SCOM 2007 & 2007 R2 integration
  • ISP redundancy for two links
  • VoIP (SIP) support
  • Enhanced NAT, to allow one-to-one NAT

Thanks to Celestix, and Richard Hicks for providing the above information.
At e92plus, we have a webinar to give a more comprehensive introduction to Microsoft TMG and the Celestix MSA appliance range. Book your place here.

Monday 8 February 2010

Routing issues on IAG

I was asked this evening by a friend and customer why he was unable to remotely access a Celestix WSA appliance via a VPN, but was able to access it via an RDP session from one of the servers on the LAN.

There is a site to site IPSEC VPN between the two sites and the remote site subnet had been added into the Remote Management trusted subnets.

The issue lies with the Microsoft ISA 2006 component within the Celestix WSA appliance, which is used to protect Microsoft IAG.

First of all I would create a static route on the appliance. This can be done either by using the command line and adding a persistent route, by using the jog dial on the front of the Celestix WSA appliance, or by using the Celestix Web UI (:10000): select "Network", then "Routing" and then "Static Routes", where you can create a new static route.

Once this is done, I would start up Microsoft ISA Server on the appliance, expand "Configuration", select "Networks", go to the "Networks" tab, right click for "Properties" of the internal network, select the "Addresses" tab, click the "Add Adapter" button, and select the "LAN" tickbox.
This will add all the routes that the LAN card can see, including the new static route(s), to the internal network. Once trusted, you will be able to access resources within the defined subnets, and ISA will be able to allow the traffic defined from the site to site VPN.

- Posted using BlogPress from my iPhone

Wednesday 3 February 2010

Moving my blog & Celestix

Well, it looks like Google no longer wants to support users who upload their blogs via FTP after March.

So I'm changing the URL to and pointing that CNAME to Google, rather than hosting it.

When I get a chance, I'll create either a redirection or a link on the www site.

It now also allows me to blog via my iPhone, which is a bonus!

I'm currently on my way to Reading to see Richard Hicks and Doc Miller again. I had the pleasure of their company yesterday at our office and today is a reseller technical briefing day at the Celestix office in Reading.

- Posted using BlogPress from my iPhone

Monday 25 January 2010

Sport Relief - I'm running six miles!!

I'm doing my bit for Sport Relief by running six miles, but you don't have to run... you only have to sponsor me!

Whatever you can afford would be gratefully received:

Wednesday 20 January 2010

IAG Logs - Extending?

A common issue raised by customers has been how far back the IAG logs can go.

I have posted in the past about how to use a Syslog server with IAG, which allows the logs to be stored elsewhere for longer, but you may still have issues with what, or how much, is being reported.

Extending your historical logs:
  • In the IAG Configuration console, select the "Admin" menu and select "Event Logging"
  • Select the "General" tab
  • Change the "Queue Size" to 100
  • Change the "Max Report Results" to 10000
  • Click on "OK"
  • Activate the IAG Configuration

Change the settings for report clean up:

  • In the IAG Configuration console, select the "Admin" menu and select "Advanced Configuration"
  • Change "Start Cleanup at:" to 10000
  • Change "Stop Cleanup at" to 100
  • Change "Number of Undeleted Files" to 100
  • Click on "OK"
  • Activate the IAG Configuration

You may need to wait up to 48 hours to see if these changes have helped, but these settings can be tweaked further to fine tune the logs for your reporting needs.

Monday 18 January 2010

Celestix on Facebook and Twitter

In case you weren't aware, Celestix are on Facebook and on Twitter (@CelestixNetwork)

I'm on both but hey, I'm sure I'm not as interesting!!!

IAG SP2 Update 3?

Well I've had word that IAG SP2 Update 3 should be out in a month or so.

The components being addressed with this update are that Windows 7 will be recognised correctly and 64-bit clients will be supported.

Obviously you have seen that I have documented a 32-bit Windows 7 workaround, but there are still issues with this when using certain applications. The only 64-bit client that can be made to work is Windows 7, as long as your computer has the ability to run XP Compatibility Mode (which means that only specific processors are supported).

As soon as I see that update, I will get it installed and tested, as my work laptop is both Windows 7 and 64-bit... you can see I like a challenge!!

Saturday 9 January 2010

Celestix Technical Training - Microsoft UAG & TMG

Celestix will be giving training on Microsoft UAG and TMG (which will replace Microsoft IAG and ISA Server) on the 3rd February.

If you are a reseller based in the UK and this is of interest, please register here.

Websense V10000 - Web Security Appliance

Most people are aware that Websense are a market leader in the web filtering market, but traditionally their product has only been available as software.

The software can either filter via a network sniffer (via a mirror or span port on a switch) or integrated with another solution such as a Cisco firewall or Microsoft ISA server.

The software had some limitations and lacked features that were being demanded from an enterprise perspective. These were addressed with Websense Security Gateway, which gave the following features:
  • Web proxy server
  • Integrated anti-virus solution
  • Real time content classification
  • Real time security scanning

This brought other considerations: due to the nature of this software, it would only be supported on a Linux platform. At the time I spoke with a number of customers who were put off by this, as they only had Windows administrators and did not have the capacity to support a Linux server.

Websense took this on board and developed the V10000, a Websense branded appliance which runs a Linux operating system and runs the Websense Security Gateway software within a virtualised environment. The specification of the hardware will allow the appliance to run the Email Security and Data Security features in the future as well.

In short, Websense have produced an enterprise class proxy server, with enterprise web security in an appliance form factor.

At e92plus, we are technically proficient with the Websense range: we not only carry out web demonstrations, deal with presales questions, deliver proof of concept deployments, and architect and deploy full solutions, we also deliver both bespoke and certified Websense training.

SecurityPlus - IT Security Newsletter from e92plus

As you may know I work for e92plus, an IT Security Distributor based in the UK.

Richard Hicks of Celestix Networks and a Microsoft MVP wrote an interesting article about re-perimeterisation for our newsletter.

We are very grateful to Richard Hicks and Celestix for their continued support.

The article can be found here: SecurityPlus from e92plus

BETT 2010 - London Olympia 13th to 16th January

BETT is an educational technology show that is based in London.

This year we have two of e92plus' vendors at the show, Xirrus (innovative wireless solutions) and NComputing (cost effective desktop virtualisation).

I will post more detailed information about each of these vendors later.

More information about the show is available here: BETT 2010

Wednesday 6 January 2010

Happy New Year for 2010!

And what a way to see in the New Year.

Currently where I live in the UK there is 3-4 inches of snow, which has made it very difficult to get off my driveway, let alone drive to work.

Fortunately I can work from home, thanks to a Celestix WSA appliance running Microsoft IAG!

I have access to my emails via OWA, intranet site, CRM server and Terminal Server.

This has allowed me to pretty much carry on as normal!

If you are stuck at home today, I hope you are working!! ;)