Forefront Threat Management Gateway SP1


Microsoft released Service Pack 1 for Forefront Threat Management Gateway 2010.

Here’s the list of changes included in this service pack:

New Reports
• The new User Activity report displays the sites and site categories accessed by any user.
• All Forefront TMG reports have a new look and feel.

Enhancements to URL Filtering
• You can now allow users to override the access restriction on sites blocked by URL filtering. This allows for a more flexible web access policy, in that users can decide for themselves whether to access a blocked site. This is especially useful for websites that have been incorrectly categorized.
• You can now override the categorization of a URL on the enterprise level; the override is then effective for each enterprise-joined array.
• Denial notification pages can now be customized for your organization’s needs.

Enhanced Branch Office Support
• Collocation of Forefront TMG and a domain controller on the same server, which can help reduce the total cost of ownership at branch offices.
• When installed on a computer running Windows Server 2008 R2, SP1 simplifies the deployment of BranchCache at the branch office, using Forefront TMG as the Hosted Cache server.

Support for publishing SharePoint 2010
• Forefront TMG SP1 supports secure publishing of SharePoint 2010.

You can download Forefront TMG 2010 SP1 here.

Forefront TMG 2010 Capacity Planning Tool


Version 1.0 of the Forefront Threat Management Gateway 2010 Capacity Planning Tool has been released.

This tool helps you plan and size (or verify) your TMG 2010 configuration. It calculates the hardware configuration, number of concurrent users and bandwidth requirements, using hardware, concurrent users or bandwidth as the starting point.

For its calculations the tool uses parameters like number of concurrent users and features you want to enable on the TMG. Regarding features you can make your own selection or use presets, e.g. “Mail Protection” for using TMG as an anti-spam/anti-malware e-mail gateway. The calculator has support for load-balancing and virtualization.

You can download the Forefront TMG 2010 capacity planning tool here.

Forefront Protection 2010 Capacity Planning Tool


The folks at Microsoft released version 1.0 of the Forefront Protection 2010 for Exchange Server capacity planning tool. This tool is to aid you in planning and sizing your FPE configuration.

The tool starts by asking whether you want to evaluate your current setup or are planning a new environment. After that you need to select the required architecture: Standard for small to medium sized organizations or Enterprise for large organizations (e.g. combined Exchange Server roles). You can define the required level of protection (i.e. number of engines on Edge, Hub Transport and Mailbox Server roles) and see the predicted effect on the hardware requirements. After completing the questionnaire you receive the recommended hardware configuration.

You can also see the predicted performance for different setups, i.e. virtual or non-virtual setup, Windows Server 2003 or Windows Server 2008 R2 as well as Exchange level (2007 or 2010).

You can download the FPE capacity planning tool here.

Outlook 2003 & Exchange 2010


Problems connecting Outlook 2003 to Exchange 2010 could turn out to be an unpleasant surprise after migrating to Exchange Server 2010 over the weekend. The problem is caused by Outlook 2003 not using encrypted RPC connections to the Exchange Server by default, while Exchange 2010 requires encrypted RPC connections (contrary to earlier Exchange versions). The solution is simple, but you have several options. How you should proceed depends not only on your situation; you also need to check the company’s security policies regarding communications encryption, which might restrict your options.

Change how Outlook connects

Enabling RPC encryption in Outlook can be done per configuration (Outlook profile) or using a Group Policy Object. To manually change the way Outlook connects:

  1. Open Control Panel > Mail > Show Profile > <Select Profile>
  2. Select Properties > E-mail Accounts > View or Change existing e-mail accounts
  3. Select Next > Microsoft Exchange Server > Change > More Settings > Microsoft Exchange Server > Security
  4. There, check Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server
  5. Close everything with OK > Next > Finish > Close > OK.

You can also control the RPC encryption setting centrally for Outlook clients using the following registry value as part of a GPO:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\RPC
DWORD: EnableRPCEncryption
Value: 1

For a more detailed guide on implementing the Outlook profile change or implementing the GPO using an administrative template, consult KB2006508.

Change how Exchange 2010 accepts
To change the way Exchange 2010 accepts RPC connections, i.e. disable the RPC encryption requirement, you need to disable RPC encryption on the Exchange Server 2010 CAS servers (remember, in Exchange 2010 RPC connections are handled by the CAS server role). Use the following cmdlet:

Set-RpcClientAccess -Server <Server Name> -EncryptionRequired $False
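
To see which of the two settings is actually in effect before and after the migration, the following added example (not from the original post or KB2006508) checks the Outlook 2003 policy value on a client and lists CAS servers that no longer require encryption. The function names are illustrative assumptions; the registry path, value name and the EncryptionRequired setting are the ones given above.

```powershell
# Added example. Function names are hypothetical; the registry path and value
# name are the ones quoted in the post.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\11.0\Outlook\RPC'
$ValueName  = 'EnableRPCEncryption'

function Get-OutlookRpcEncryptionState {
    # Client side: returns 'Enforced', 'Disabled' or 'NotConfigured'
    # for the currently logged-on user.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Enforced' }
    return 'Disabled'
}

function Set-OutlookRpcEncryption {
    # Client side: creates the policy key if it is missing and writes DWORD 1.
    # The account needs write access to the Policies key; a GPO is the usual
    # way to deliver this value to standard users.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-CasWithoutRpcEncryption {
    # Server side, run in the Exchange Management Shell: lists the CAS servers
    # that currently accept unencrypted RPC connections.
    Get-RpcClientAccess |
        Where-Object { -not $_.EncryptionRequired } |
        Select-Object Server, EncryptionRequired
}

# Typical client check: report the state and fix it when not enforced.
$state = Get-OutlookRpcEncryptionState
Write-Output "Outlook 2003 RPC encryption policy: $state"
if ($state -ne 'Enforced') { Set-OutlookRpcEncryption }
```

Once every client reports Enforced, any server returned by Get-CasWithoutRpcEncryption can be switched back with Set-RpcClientAccess and -EncryptionRequired $True.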

Forefront Security for Exchange SP2 RU1


With all this “2010” information you could forget that most customers are still running earlier versions. For people running Forefront Security for Exchange SP2, Rollup 1 was released yesterday. Besides a new parameter (called feature) for enabling or disabling FSE on a cluster node, RU1 contains no less than 30 hotfixes. For a list of fixes, consult the related knowledgebase article here. You can download FSE SP2 RU1 after submitting a hotfix request here.