Thursday 25 February 2010

Barracuda Backup Service

I briefly mentioned the Barracuda Backup Service after attending the EMEA partner conference, but what if you want to know more.....

Well e92plus are hosting a technical training session on the HMS Belfast in London on Friday 19th March.

More information and registration for this event can be found here: http://www.e92plus.com/training-and-events/training-detail/10-03-19/Barracuda_Backup_Technical_Workshop.aspx

Celestix MSA voted ISAserver.org Readers Choice Award Winner

Congratulations to Celestix for their MSA Security Appliance on winning the ISAserver.org readers' choice award for hardware appliances.

Read more about it here: http://isaserver.org/news/ISAserver-Readers-Choice-Award-Hardware-Appliances-Celestix-MSA-Security-Appliance-Jan10.html

Testing IAG SP2 Update 3 - Part 2

Here is some useful information from the MS UAG Blog about IAG SP2 Update 3.

The table in the link is very useful at summarising what is and isn't supported.

Socket forwarding is not supported by any 64 bit Windows operating system, as well as Mac & Linux machines.  I have seen this with my Windows 7 64 laptop, which does not work with published RDP sessions, but can confirm that XP compatibility mode does work.

The Network Connector will not work with either 32 or 64 bit Windows 7 machines, as well as Mac & Linux machines.  I can confirm this as a customer and I have tested this, although I have yet to test a Windows 7 in XP compatibility mode with the Network Connector, but I suspect it will work.

Although this update was meant to be the "fix" for Windows 7 and IAG, I'm afraid there are still limitations.

IAG is dead.... long live UAG!

Tuesday 23 February 2010

Testing IAG SP2 Update 3 - Part 1

I managed to get my hands on SP2 Update 3 for IAG v3.7 a week or so ago.

So far I've only managed to deploy this to my live environment, but with some good and bad results!

My current IAG platform is a Celestix WSA 4000, and it has been Service Packed and updated pretty much as and when these updates have been available.

As I'm a little wary of these things, I use the Celestix Last Good Version (LGV) feature, which allows me to take a snapshot of my appliance and save this to a Linux partition on the appliance. It takes around 15 minutes to make this snapshot, and around 10 minutes to rollback... if required!

My appliance hosts a portal with various applications such as OWA, Intranet, RDP, etc, as well as an ActiveSync tunnel for our mobile devices.

After the update was applied, the portal worked perfectly with both Windows 7 32-bit and 64-bit machines, but it broke my ActiveSync tunnel!

One of my authentication methods is Active Directory and it is used for both the Portal and ActiveSync tunnel. The authentication using AD was perfect on the Portal, but it failed for the ActiveSync tunnel. All the mobile devices said the wrong password was being presented.

No changes were made to the mobile devices and this impacted both Nokia E71 and Apple iPhones. Changing the password on the device made no difference, but we knew that the AD authentication should be working correctly as the portal works.

Rolling the appliance back to SP2 Update 2 using the LGV feature allowed all the mobile devices to authenticate again, even though some of these devices did not have their password changed.

Since then, I've managed to get hold of another appliance to test with, so Part 2 will continue tomorrow.....

Wednesday 17 February 2010

Two factor authentication tokens on iPhone

I've been playing with the iPhone recently and I've been very impressed with the amount of applications you can get for the phone.

The other day after some prompting from the UK Vasco Technical Account Manager, I installed a Vasco Digipass for the iPhone. (Thanks Dan)

So now I have a demo Digipass on my phone, where I can use it for demonstration purposes. It was fairly straightforward: you need to download the app from the Apple AppStore and tap in a couple of codes to make it work. Obviously I need a Vasco server installed somewhere and install the relevant DPX file on it, so the token can be used.

Off the back of this success, I took the opportunity to install a Celestix HOTPin client on my iPhone as well.

Again, just download the iPhone client software from the Apple AppStore. You will need to ensure that the Celestix HOTPin server is running somewhere. Currently it can run on the Celestix WSA appliance, which negates the need for additional server hardware. Once the server component is configured and users added to the system, it is ready to go.

I used the HOTPin client on the iPhone to communicate with my Celestix WSA appliance which is hosting the HOTPin server. It downloads the client.dat file onto the iPhone and the client then allows the phone to generate the one time passwords.

The Vasco token required a bit more information to set up and they have the advantage of being able to provide your users with hard tokens, software tokens, mobile phone tokens and OTP via SMS, all through a single server element and manage them from one console.

The Celestix is a more cost effective solution as the HOTPin server software can run on the Celestix WSA appliance and there is no server software cost as such. The only downside is that there is no hard token option, so you may encounter some friction from users as they will not want the HOTPin client installed on their own personal mobile devices, although you have the option for a software client on Windows or using OTP via SMS.

Although both solutions support receiving the one time password via SMS, what happens if your users are in a mobile telephone blackspot?


- Posted using BlogPress from my iPhone

Tuesday 16 February 2010

Computer Engineer Barbie

After an online vote, Barbie has a new profession.... Computer Engineer.

More information about it here

Saturday 13 February 2010

Microsoft IAG SP2 Update 3

Information from Microsoft regarding: IAG SP2 Update 3

Once this has been tested by Celestix, it will be available for download from the website.

It will also give me a chance to test it in my lab as well.

Friday 12 February 2010

Microsoft Forefront TMG (Threat Management Gateway) - Introduction

Microsoft TMG is the successor to ISA Server 2006, which still has the features from ISA, such as an application layer enterprise class firewall, with proxy, cache and VPN services. So all the good things from ISA 2006 that we know and love are still there.

 
There are many new features within TMG, including:
  • Gateway anti-virus scanning, which uses the Microsoft scanning engine
  • URL filtering of web traffic using Microsoft Reputation Services
  • HTTPS inspection, using dynamically, self signed or trusted CA certificates
  • Network Inspection System, which is vulnerability based intrusion detection & prevention
  • Email Protection, as TMG can be the Exchange Edge Transport for Exchange 2007 SP2 or 2010, as well as Forefront protection for Exchange
  • Remote Access, using SSTP, Direct Access and NAP integration
  • Forefront Protection Manager integration
  • SCOM 2007 & 2007 R2 integration
  • ISP redundancy for two links
  • VoIP (SIP) support
  • Enhanced NAT, to allow one-to-one NAT

Thanks to Celestix, and Richard Hicks for providing the above information.
 
At e92plus, we have a webinar to give a more comprehensive introduction to Microsoft TMG and the Celestix MSA appliance range.  Book your place here

Monday 8 February 2010

Routing issues on IAG

I was asked this evening by a friend and customer why he was unable to remotely access a Celestix WSA appliance via a VPN, but able to access via an RDP session from one of the servers on the LAN.

There is a site to site IPSEC VPN between the two sites and the remote site subnet had been added into the Remote Management trusted subnets.

The issue lies with the Microsoft ISA 2006 component within the Celestix WSA appliance, which is used to protect Microsoft IAG.

First of all I would create a static route on the appliance. This can be done by using the command line and adding a persistent route, by using the jog dial on the front of the Celestix WSA appliance, or by using the Celestix Web UI (:10000): select "Network", then "Routing" and then "Static Routes", where you can create a new static route.

Once this is done, I would start up Microsoft ISA Server on the appliance, expand "Configuration", select "Networks", go to the "Networks" tab, right click for "Properties" of the internal network, select the "Addresses" tab, click the "Add Adapter" button, and select the "LAN" tickbox.
This will apply all the routes that the LAN card can see, including the new static route(s). Once trusted, you will be able to access resources within the defined subnets, and ISA will be able to allow the traffic defined from the site to site VPN.



Wednesday 3 February 2010

Moving my blog & Celestix

Well looks like Google no longer want to support users who want to upload their blogs via FTP after March.

So I'm changing the URL to http://blog.andytang.com and pointing that cname to Google, rather than host it.

When I get a chance, I'll create either a redirection or a link on the www site.

It now also allows me to blog via my iPhone which is a bonus!

I'm currently on my way to Reading to see Richard Hicks and Doc Miller again. I had the pleasure of their company yesterday at our office and today is a reseller technical briefing day at the Celestix office in Reading.
