
SSL inspection in TMG?

SSL inspection in TMG? - 20.Aug.2008 1:19:23 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
Many web ads are moving to HTTPS/SSL instead of nonencrypted to get around ad blockers.  This also represents a malware risk as app layer firewalls such as TMG will not be able to detect it.  Companies such as clear tunnel have come up with a solution as a plug-in to ISA server 2006.

Might TMG incorporate such a feature in its final version?  If not, why not?
Post #: 1
RE: SSL inspection in TMG? - 20.Aug.2008 8:16:51 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
Strictly speaking, ClearTunnel can run on ISA 2004 as well. .. sort of :)

(in reply to hunglikethor)
Post #: 2
RE: SSL inspection in TMG? - 21.Aug.2008 10:10:11 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Very very good question.
I will also want to know this.

Is it just my feeling, or are the big names out there running after "SSL inspection"...
The "New kid on the block" Palo Alto Networks supports this.
They all say that they are the first or among the few to support that.
For example, Secure Computing supports SSL inspection; what Collective Software lacks in comparison with them, IMHO, is the level of quality of marketing "white papers".

If Microsoft would not add outbound SSL inspection for TMG, we can hope that maybe Collective Software will help?

(in reply to ferrix)
Post #: 3
RE: SSL inspection in TMG? - 21.Aug.2008 10:15:27 AM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
Just my thoughts.. If you have an expensive product then you can afford to spend a lot on marketing.  And you *have* to, because otherwise customers won't stomach the cost.

Collective is a pretty low overhead shop, we mostly spend on R&D and support and keep product prices as low as possible to stay in line with the ISA pricing model.  Not a perfect solution, but it works well enough.

(in reply to justmee)
Post #: 4
RE: SSL inspection in TMG? - 21.Aug.2008 11:13:50 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Greg,
Yeah, I know and understand and agree.
Sometimes it is not enough to have a great product, life ain't fair....
I was re-reading their "white papers" a couple of days ago, and again I found them overwhelming. It's just hard, at least for me, once certain customers read those things, to make them see another way....

(in reply to ferrix)
Post #: 5
RE: SSL inspection in TMG? - 21.Aug.2008 12:10:18 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
Well IMO this is also why ISA itself is a hard sell sometimes.  MS has not spent a lot on marketing, and their direct sales effort for ISA has been very spotty. 

(in reply to justmee)
Post #: 6
RE: SSL inspection in TMG? - 21.Aug.2008 2:06:14 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
I felt that too. Many people out there don't know what ISA Server is after so many years, and very likely, IMHO, most of the ones who know what ISA is and what ISA can do, found out due to the tremendous efforts of Tom.

(in reply to ferrix)
Post #: 7
RE: SSL inspection in TMG? - 21.Aug.2008 2:09:32 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
ISA: the best kept secret in security :) :/

(in reply to justmee)
Post #: 8
RE: SSL inspection in TMG? - 21.Aug.2008 6:41:11 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Numerous years in production and not one reported security vulnerability...you bet!

I still love providing ISA Server handovers after implementation as nearly everyone is just so unaware of its capabilities when used properly...showing Cisco bods the web publishing capabilities and real-time log monitor (with filters) are two of my favourites!

I think TMG is going to be a killer version...would love to say more, but under NDA

MS are really getting their security 'ducks in line' with the combination of the upcoming edge product releases and Stirling...I think 2009 will be an interesting year for MS security...  

Cheers

JJ

< Message edited by Jason Jones -- 21.Aug.2008 6:55:07 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ferrix)
Post #: 9
RE: SSL inspection in TMG? - 22.Aug.2008 9:30:17 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

Absolutely! I wish we could share what's in the next version of the TMG. Esp. in light of this discussion. But I think everyone is going to be pretty happy with what they're going to do with it, even some long lived DCRs are going to be addressed! :)

And some new stuff is going to be really amazing -- stuff that no other firewall on the market can do or will be able to do by the time that TMG is released.

People need to keep in mind that the TMG that comes with EBS bears little or no relationship with what they're going to see in the final TMG RTM. So, don't get disappointed.

And with the upcoming Stirling integration, it's really going to blow people's socks off! :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 10
RE: SSL inspection in TMG? - 23.Aug.2008 12:42:16 AM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
As long as you are collectively patting yourselves on the back on how wonderful ISA/TMG is/will be, let's hope it is a forward thinking product and not a follow-me product.

I use ISA Server 2006 and TMG in my network and they both work fairly well.  Even get my Macs to authenticate to it via Kerberos for outbound traffic.  Would like to see more cross platform support as the dog that is Vista is not being deployed in most enterprises I have seen.  What about a firewall client agent for Mac?

Anyway if SSL inspection is not built in I would not upgrade.  Do not see much difference (yet) between ISA Server 2006 w/ Web monitor (better IMO because of 3 AV engines) and TMG.

(in reply to tshinder)
Post #: 11
RE: SSL inspection in TMG? - 24.Aug.2008 12:47:33 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Thor,

The TMG you see now will bear little resemblance to what you see with the actual TMG. The TMG you see now is essentially ISA 2006 R2.

I think you'll find a lot of stuff in the final version that you'll like and will consider it worthy of an upgrade. It won't be like the 2004 to 2006 upgrade, it will be a real upgrade :)

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hunglikethor)
Post #: 12
RE: SSL inspection in TMG? - 29.Aug.2008 4:22:24 PM   
mylo

 

Posts: 144
Joined: 26.Mar.2002
Status: offline
Folks,
Anyone know if TMG will support cross-forest Kerberos constrained delegation or is this *ahem* a bridge too far?

Regards,
Mylo

(in reply to tshinder)
Post #: 13
RE: SSL inspection in TMG? - 2.Sep.2008 9:28:17 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mylo,

Good question. I haven't heard one way or the other on this issue.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mylo)
Post #: 14
RE: SSL inspection in TMG? - 5.Nov.2008 12:01:05 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
According to this:
http://blogs.technet.com/rhalbheer/archive/2008/11/04/the-next-version-of-isa-server-live-from-teched-emea.aspx
quote:

Web Protection: Scan files that are downloaded by the users for malware and block them on the gateway by the TMG server.
  • We can even inspect outbound SSL traffic as we are bridging SSL on the server if you want it. The user is informed that SSL will be inspected. This is very important from a privacy perspective. So, with this technology we can block invalid or expired certs. Last but not least here, you can exclude certain sites or site groups (e.g. Finance and Banking) from the SSL inspection. So, you can configure it the way that you do not inspect the traffic but the certificate will be validated or nothing is done at all.
<Edited>
quote:

Original Edward:
As long as you are collectively patting yourselves on the back on how wonderful ISA/TMG is/will be, let's hope it is a forward thinking product and not a follow-me product.

Party pooper...

Adrian

< Message edited by adimcev -- 5.Nov.2008 12:04:30 PM >


_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 15
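
The policy in the blog text quoted above (inspect by default, block invalid or expired certificates, and exclude site groups either with certificate validation only or with no checks at all), sketched as decision logic. This is an added example, not TMG code and not part of any post in this thread; the host names, the `EXCLUSIONS` table and all function names are assumptions.

```python
from datetime import datetime, timezone
from enum import Enum

class Action(Enum):
    INSPECT = "inspect"         # bridge the session and scan the plaintext
    VALIDATE_ONLY = "validate"  # tunnel untouched, server certificate still checked
    BYPASS = "bypass"           # tunnel untouched, nothing is checked
    BLOCK = "block"             # invalid or expired certificate

# Constructed exclusion list: domain suffix -> still validate the certificate?
EXCLUSIONS = {
    "bank.example": True,      # e.g. Finance and Banking: no inspection, cert validated
    "payroll.example": False,  # excluded entirely
}

def match_exclusion(host, exclusions):
    """Return the excluded suffix covering host, matching on label boundaries only."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in exclusions:
            return candidate
    return None

def decide(host, not_before, not_after, chain_trusted, now, exclusions=EXCLUSIONS):
    """Pick the gateway action for one outbound HTTPS destination."""
    suffix = match_exclusion(host, exclusions)
    if suffix is not None and not exclusions[suffix]:
        return Action.BYPASS  # "nothing is done at all"
    cert_ok = chain_trusted and not_before <= now <= not_after
    if not cert_ok:
        return Action.BLOCK   # applies to inspected and validate-only sites alike
    return Action.VALIDATE_ONLY if suffix is not None else Action.INSPECT

if __name__ == "__main__":
    utc = timezone.utc
    now = datetime(2008, 11, 5, tzinfo=utc)
    valid = (datetime(2008, 1, 1, tzinfo=utc), datetime(2009, 1, 1, tzinfo=utc))
    for h in ("ads.example", "www.bank.example", "notbank.example", "hr.payroll.example"):
        print(h, decide(h, *valid, True, now).value)
```

Matching on whole labels matters for the exclusion list: `notbank.example` must not inherit the exemption granted to `bank.example`.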
RE: SSL inspection in TMG? use of SSL cert with TMG? - 6.Nov.2008 10:23:45 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
This is good news. I noticed that TMG comes with its own self-signed certificate.  Might this be how it will inspect SSL traffic?

(in reply to adimcev)
Post #: 16
RE: SSL inspection in TMG? use of SSL cert with TMG? - 9.Nov.2008 10:52:09 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
IIRC, it will act as a subordinate cert authority and its CA certificate is distributed via AD.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hunglikethor)
Post #: 17
RE: SSL inspection in TMG? - 9.Feb.2009 4:54:33 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
Looks like beta 2 is supporting inspection of SSL traffic.  For Email it requires installation to Exchange 2007 SP1 Edge transport but I am more interested in HTTPS.

(in reply to hunglikethor)
Post #: 18
RE: SSL inspection in TMG? - 12.Feb.2009 9:04:10 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, you have to install Exchange Edge before you install the TMG firewall. But then the TMG firewall setup will install the FSE components for you.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hunglikethor)
Post #: 19
