Gilham Consulting Microsoft Notepad
Remote Desktop Connection Manager (RDCMan)

 

RDCMan manages multiple remote desktop connections. It is useful for managing server labs where you need regular access to each machine such as automated checkin systems and data centers. It is similar to the built-in MMC Remote Desktops snap-in, but more flexible.

Download details: RDCMan

SharePoint Server 2010 Product Licensing Details

 

You can use SharePoint 2010 to set up intranet, extranet, and Internet sites.  Intranet sites are licensed using a Server/CAL (Client Access License) model.  SharePoint Server 2010 is required for each running instance of the software, and CALs are required for each person or device accessing a SharePoint Server.  Extranet and Internet sites are licensed using a Server-only model—no CALs are required.  For more information on licensing models, see Licensing Details.

SharePoint Server 2010: Intranet Scenarios

Client Access License

The Standard CAL delivers the core capabilities of SharePoint 2010:

  • Sites: A Single Infrastructure for All Your Business Web Sites

  • Communities: An Integrated Collaboration Platform

  • Content: ECM for the Masses

  • Search: Relevance, Refinement, and People (excludes FAST Search)

  • Composites: Do-It-Yourself Business Solutions (excludes Access Services and InfoPath Services)

Enterprise Client Access License

The Enterprise CAL delivers the full capabilities of SharePoint 2010:

  • Sites: A Single Infrastructure for All Your Business Web Sites

  • Communities: An Integrated Collaboration Platform

  • Content: ECM for the Masses

  • Search: Relevance, Refinement, and People (includes FAST Search)

  • Composites: Do-It-Yourself Business Solutions (includes Access Services and InfoPath Services)

  • Insights: BI for Everyone (includes PerformancePoint Services, Excel Services, and Visio Services)

Note that the Enterprise CAL is additive: To access the Enterprise edition features, a person/device must have both the Standard CAL and Enterprise CAL. Below is a detailed comparison of specific features available in SharePoint Foundation, Standard & Enterprise CAL.

Foundation:

Accessibility
Audience Targeting
Blogs
Browser-based Customizations
Business Connectivity Services
Business Data Connectivity Service
Claims-Based Authentication
Client Object Model (OM)
Configuration Wizards
Connections to Microsoft Office Clients
Connections to Office Communication Server and Exchange
Cross-Browser Support
Developer Dashboard
Discussions
Event Receivers
External Data Column
External Lists
High-Availability Architecture
Improved Backup and Restore
Improved Setup and Configuration
Language Integrated Query (LINQ) for SharePoint
Large List Scalability and Management
Managed Accounts
Mobile Connectivity
Multilingual User Interface
Multi-Tenancy
Out-of-the-Box Web Parts
Patch Management
Permissions Management
Photos and Presence
Quota Templates
Read-Only Database Support
Remote Blob Storage (SQL Feature)
REST and ATOM Data Feeds
Ribbon and Dialog Framework
Sandboxed Solutions
SharePoint Designer
SharePoint Health Analyzer
SharePoint Lists
SharePoint Ribbon
SharePoint Service Architecture
SharePoint Timer Jobs
SharePoint Workspace
Silverlight Web Part
Site Search
Solution Packages
Streamlined Central Administration
Support for Office Web Apps
Unattached Content Database Recovery
Usage Reporting and Logging
Visual Studio 2010 SharePoint Developer Tools
Visual Upgrade
Web Parts
Wikis
Windows 7 Support
Windows PowerShell Support
Workflow
Workflow Models

Standard:

Ask Me About
Basic Sorting
Best Bets
Business Connectivity Services Profile Page
Click Through Relevancy
Colleague Suggestions
Colleagues Network
Compliance Everywhere
Content Organizer
Document Sets
Duplicate Detection
Enterprise Scale Search
Enterprise Wikis
Federated Search
Improved Governance
Keyword Suggestions
Managed Metadata Service
Memberships
Metadata-driven Navigation
Metadata-driven Refinement
Mobile Search Experience
Multistage Disposition
My Content
My Newsfeed
My Profile
Note Board
Organization Browser
People and Expertise Search
Phonetic and Nickname Search
Query Suggestions, "Did You Mean?", and Related Queries
Ratings
Recent Activities
Recently Authored Content
Relevancy Tuning
Rich Media Management
Search Scopes
Secure Store Service
Shared Content Types
SharePoint 2010 Search Connector Framework
Status Updates
Tag Clouds
Tag Profiles
Tags
Tags and Notes Tool
Unique Document IDs
Web Analytics
Windows 7 Search
Word Automation Services
Workflow Templates

Enterprise:

Access Services
Advanced Content Processing
Advanced Sorting
Business Data Integration with the Office Client
Business Data Web Parts
Business Intelligence Center
Business Intelligence Indexing Connector
Calculated KPIs
Chart Web Parts
Contextual Search
Dashboards
Data Connection Library
Decomposition Tree
Deep Refinement
Excel Services
Excel Services and PowerPivot for SharePoint
Extensible Search Platform
Extreme Scale Search
InfoPath Forms Services
PerformancePoint Services
Rich Web Indexing
Similar Results
Thumbnails and Previews
Tunable Relevance with Multiple Rank Profiles
Visio Services
Visual Best Bets

SharePoint Server 2010 Product Line-up - Gurmeet Singh's SharePoint 2010 Blog - Site Home - TechNet Blogs

Manage Windows 7 Power Options from the Command Line

 

Windows 7 includes the Power Configuration utility (Powercfg.exe) for managing power options from the command (CMD) line. You can view a list of parameters for this utility by typing powercfg /? at a command prompt. The parameters you’ll work with most often include:

  • -a: Lists the available sleep states on the computer and the reasons why a particular sleep state is not supported.
  • -d [guid]: Deletes the power plan specified by the globally unique identifier (GUID).
  • -devicequery all_devices_verbose: Lists detailed power support information for all devices on the computer. Be sure to redirect the output to a file because this list is very long and detailed.
  • -energy: Checks the system for common configuration, device, and battery problems and then generates an HTML report in the current working directory.
  • -h: Toggles the hibernate feature on or off.
  • -l: Lists the power plans configured on a computer by name and GUID.
  • -q [guid]: Lists the contents of the power plan specified by the GUID. If you don't provide a GUID, the contents of the active power plan are listed.
  • -requests: Displays all power requests made by device drivers. If there are pending requests for the display, these requests prevent the computer from automatically powering off the displays. If there are pending requests for any device, including the display, these requests prevent the computer from automatically entering a low-power sleep state.
  • -s [guid]: Makes the power plan specified by the GUID the active power plan.
  • -x [setting] [value]: Sets the specified value for the specified setting in the active power plan.

Read more @> Manage Windows 7 Power Options from the Command Line

Download details: Windows Phone 7 Training Kit for Developers - April 2010 CTP

 

Windows Phone 7 Series promises to be an amazing mobile phone operating system given its innovative user interface and functionality, as well as its great development platform upon which you can quickly and easily build games and applications. With a myriad of new devices, a powerful and immersive software platform, and a new marketplace to attract developers and provide easy access to applications, consumer demand for Windows Phones will be high, and developers will quickly adopt the Windows Phone platform to capitalize on this growing mobile marketplace. This Training Kit will give you a jumpstart into the new Windows Phone world by providing you with a step-by-step explanation of the tools to use and some key concepts for programming Windows Phones.

Download details: Windows Phone 7 Training Kit for Developers - April 2010 CTP

Clustering Remote Desktop Connection (RDC) Broker for High Availability when Deploying Microsoft VDI

 

A failover cluster is a group of independent computers that work together to increase the availability of applications and services. The clustered servers (called nodes) are connected by physical cables and by software. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Users experience a minimum of disruptions in service.

This guide describes the steps for configuring Remote Desktop Connection Broker (RD Connection Broker) in a failover cluster, as part of a configuration that provides users with access to personal virtual desktops or virtual machines in a virtual desktop pool through RemoteApp and Desktop Connection. To configure RD Connection Broker in this way, you start with a server that can act as an RD Session Host and RD Connection Broker, configure that server as a one-node failover cluster, then add additional servers (configured in the same way) to the cluster. This can increase the availability of the access you provide to users.

As you work with the configuration in this guide, you can also learn about failover clusters and familiarize yourself with the Failover Cluster Manager snap-in in Windows Server® 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter.

Note: The failover cluster feature is not available in Windows Web Server 2008 R2 or Windows Server 2008 R2 Standard.

For information about the features and functionality in Remote Desktop Services and in failover clustering in Windows Server 2008 R2, see the following topics:

Overview of Remote Desktop Services and virtual machine redirection in the context of a failover cluster

By using the steps in this guide, you can provide users access to personal virtual desktops or virtual machines in a virtual desktop pool, through RemoteApp and Desktop Connection. This is called virtual machine redirection. You can provide virtual machine redirection by configuring a server with specific role services and settings that are available through the Remote Desktop Services server role (as described in Role, role services, and feature requirements for a failover cluster that supports virtual machine redirection, later in this topic). Then, to increase the availability of the services that you are providing, you configure that server as a one-node failover cluster and add more servers (configured with the same role services and settings) to the failover cluster. If one of the servers fails or must be taken offline for maintenance, another server begins to provide service through a process known as failover.

The following illustration shows a failover cluster with a clustered instance of RD Connection Broker. Node 1 and Node 2 are connected by multiple networks. Node 1 has failed, and Node 2 has begun running the clustered instance of RD Connection Broker. Node 2 is also running RD Session Host, although not as part of a cluster. When Node 1 recovers from the failure, it will also be able to run RD Session Host. In other words, even if one node fails, RD Session Host and RD Connection Broker continue to be available.

Figure 1: Failover of clustered RD Connection Broker

Although it is not called out in the previous illustration, the clustered instance of RD Connection Broker stores important state information in registry keys that the Cluster service monitors and replicates between the cluster nodes. (This differs from some other clustered services or applications, which typically store such information in cluster storage.) Because the information is automatically replicated between nodes, when Node 2 begins running the clustered instance of RD Connection Broker, the state information it needs is already stored in the local registry on the node.

The following illustration shows the sequence of events that begins with the user requesting a connection to a virtual desktop, and ends with the virtual desktop being displayed on the client.

Figure 2: Servers providing a virtual desktop (configuration with clustered RD Connection Broker)

  1. The user requests a connection to a virtual desktop, either a personal virtual desktop or one from a virtual desktop pool.
  2. The RD Gateway receives the request.
  3. The RD Gateway sends the request to a virtual machine redirector (that is, RD Session Host running in virtual machine redirection mode). The virtual machine redirector informs RD Connection Broker, and then waits for the IP address of a virtual machine.
  4. RD Connection Broker requests information about a virtual machine from the RD Virtualization Host.
  5. RD Connection Broker receives information about a virtual machine and then provides that information to the virtual machine redirector.
  6. The virtual machine redirector communicates through the RD Gateway, providing the client with the IP address and connection information for a virtual desktop.
  7. The client connects to a virtual desktop.
  8. The virtual desktop is displayed on the client.

The following illustration shows the same sequence of events occurring despite the failure of one node of the cluster. Because a second cluster node is still running, it can respond to client requests as they occur.

Figure 3: Servers providing a virtual desktop after a failure (clustered RD Connection Broker with a node failure)

From time to time, a user might attempt to connect with a clustered server just before it fails. In that case, when the server fails, the user will have to try again. On the next attempt, assuming that the connection attempt is made with a functioning server, it will succeed.

When you create a clustered instance of RD Connection Broker, you configure certain settings differently than you would for a standalone RD Connection Broker server. For a table of the differences, see Appendix A: Differences between a clustered RD Connection Broker and a standalone RD Connection Broker.

Hardware, software, and network infrastructure requirements for a failover cluster

Deploying Remote Desktop Connection Broker with High Availability Using Failover Clustering

SharePoint 2010 Reference .Net Software Development Kit (SDK)

 

The Microsoft SharePoint 2010 Software Development Kit (SDK) includes documentation and code samples for Microsoft SharePoint Foundation 2010 and for Microsoft SharePoint Server 2010, which builds upon the SharePoint Foundation 2010 infrastructure. The documentation includes detailed descriptions of the technologies that SharePoint Server 2010 and SharePoint Foundation 2010 provide for developers, reference documentation for the server and client object models, and step-by-step procedures for using these technologies and object models and programming with them. This SDK also includes best practices and setup guidance to help you get started with your own custom applications that build and extend upon the SharePoint Foundation 2010 and SharePoint Server 2010 platforms.
For additional information, you can visit the SharePoint Developer Center on the Microsoft Developer Network (MSDN): http://msdn.microsoft.com/sharepoint. Visit frequently to learn about recently published content; to view essential getting-started content; to view rich media content such as videos and screencasts; to get connected to instructor-led training and other learning resources; to learn more about product features and scenarios in our MSDN Resource Centers; and to find community resources such as MSDN forums, newsgroups, MVP blogs, and much more.
The SDK also includes many code samples that address common customization scenarios and solution building blocks. Future (quarterly) releases will contain additional samples, and you can also check MSDN Code Gallery for SharePoint solutions and code samples.

Download details: SharePoint 2010 Reference: Software Development Kit

Microsoft Private Cloud “AppFabric” Prepares for Release

 

Several weeks ago, I told you about our upcoming Application Infrastructure Virtual Launch event. Today, I am pleased to announce the availability of the Windows Server AppFabric Release Candidate (RC). To learn more, I recommend tuning into the keynote (and the many other sessions we have going on) today at the App Infrastructure Virtual Launch event!

Here’s a brief overview of the announcements we’re making during the event this morning:

First off, we’re officially launching Windows Server AppFabric, with the immediate availability of the Windows Server AppFabric Release Candidate (RC); the final RTM release will be available for download in June. I would like to invite you to check out the new Windows Server AppFabric MSDN page (also revamped today!) and download the release candidate to get started.

Also today, we’re excited to announce the availability of the first BizTalk Server 2010 Beta; which now seamlessly integrates with Windows Server AppFabric, combining the rich capabilities of BizTalk Server integration and the flexible development experience of .NET to allow customers to easily develop and manage composite applications. To learn more (and download the beta), visit the BizTalk website at www.microsoft.com/biztalk.

Together with the already available Windows Azure AppFabric, Windows Server AppFabric and BizTalk Server 2010 form Microsoft’s application infrastructure technologies, bringing even more value to the Windows Server application server. These offerings benefit developers and IT pros by delivering cloud-like elasticity, high availability, faster performance, seamless connectivity, and simplified composition for the most demanding, enterprise applications.

If you’ve been following this blog, we hope you’ve been enjoying the technical insights that the product team has been providing into AppFabric and the underlying technologies (WCF and WF). To gain a broader context about our technologies, and to gain access to a wealth of technical resources, be sure to visit the virtual launch event. In particular, here are some specific sessions and content that the team would like to highlight for your consideration:

  • Application Server Session
  • Enterprise Integration Session
  • Windows Server AppFabric Product Stand

Read more @> The .NET Endpoint

Malware and Virus Scanning Architecture in Forefront Threat Management Gateway (TMG) 2010

 

Being a security gateway, the new TMG 2010 has a malware inspection capability built right into it. It inspects all HTTP as well as HTTPS traffic to ensure that no malware-infected traffic can get into the corporate network. You may ask: my company's antivirus program does exactly the same thing, so why do I need the gateway to do this? It is important that all computers within the corporate network have antivirus installed, but sometimes their definitions may not be up to date, especially for roaming users. By using the gateway you not only protect those server and client machines; it also provides a centralized monitoring role as well as content policy enforcement.

By using the malware filter, you can safeguard your corporate network with the Microsoft Anti-Malware engine.

The diagram in the original article shows how malware inspection works, step by step:

1. The PC requests a resource from the Internet; it can be a web page or a file download.

2. Forefront TMG checks whether company policy allows this user to connect to the requested web page.

3. If the user is allowed to connect to the desired web site, the connection proceeds. If the user is not allowed, TMG returns a restriction or warning message (subject to the policy) to the user.

4. If the user is allowed, the request reaches the intended web site and the web server serves the content back toward the user.

5. If the proxy feature is enabled, the content is caught in the proxy engine.

6. The content then passes through the Malware Inspection Filter to ensure it is free of malware before it is served back to the user's PC. If some form of malware is embedded within the content, TMG stops it right away.

TMG uses the Microsoft Anti-Malware Engine for malware detection. It automatically updates the engine as well as the anti-malware signatures from the Microsoft cloud service and stores them locally, so that the signature database is always up to date.

<snip>

Read the whole article @> Microsoft Hong Kong ITPro's blog: Forefront Threat Management Gateway TMG 2010 part 1

Best Practices Analyzer (BPA) for HYPER-V (RTM and R2)

 

You can use Hyper-V Best Practices Analyzer to scan a server that is running the Hyper-V role, and help identify configurations that do not comply with the best practices of Microsoft for this role. BPA scans the configuration of the physical computer, the virtual machines, and other resources such as virtual networking and virtual storage. Scan results are displayed as a list of issues that you can sort by severity, and include recommendations for fixing issues and links to instructions. No configuration changes are made by running the scan.

Download details: Update for Best Practices Analyzer for HYPER-V for Windows Server 2008 R2 x64 Edition (KB977238)

Microsoft Threat Management Gateway (TMG) 2010 - Key Features & Capabilities

 

Microsoft Forefront Threat Management Gateway 2010 (TMG) is designed to provide a comprehensive, secure Web gateway that helps protect employees from Web-based threats.

URL Filtering

Destination URLs are examined for compliance with corporate policy and for malicious potential of destination Web site. Forefront TMG uses Microsoft Reputation Services for URL filtering, combining multiple sources to increase coverage of URLs and categorization.

URLs and categories will increase as the Forefront TMG Beta 3 continues through Summer 2009.

Web antivirus/anti-malware protection

Inbound and outbound Web traffic is inspected for viruses and malware, including archived folders. Encrypted folders can be blocked. For large files, the file is trickled to the user to assure them that the download is in progress.

E-mail security

Forefront TMG provides central management for Exchange and Forefront Protection 2010 for Exchange when located on the same server. Forefront TMG does not include either Exchange or Forefront Protection 2010 for Exchange. Both must be purchased and installed separately.

HTTPS inspection

HTTPS-encrypted sessions can be inspected for malware or exploits. Specific groups of sites—such as banking sites—can be excluded from inspection for privacy reasons. Users of the TMG Firewall Client can be notified of the inspection.

Network Inspection System (NIS)

Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS enables blocking of classes of attacks while minimizing false positives. Protections can be updated as needed.

Enhanced Network Address Translation (NAT)

Forefront TMG now enables you to specify individual e-mail servers that can be published on a 1-to-1 NAT basis.

Enhanced Voice over IP support

Forefront TMG includes SIP traversal, enabling simpler deployment of Voice over IP within the network.

Windows Server 64-bit support

Forefront TMG is installed on Windows Server 2008 with 64-bit support.

Firewall Protections

  • Multi-layer firewall: Forefront TMG provides access control and protection on three layers: packet filtering, stateful inspection, and application layer filtering.
  • Application layer filtering: Forefront TMG provides deep content filtering through built-in application filters.
  • Granular HTTP controls: Forefront TMG delivers customizable, granular controls for HTTP traffic, including file download controls, signature-based blocking, and HTTP method controls. Forefront TMG provides strong controls over Web-based threats.
  • DoS protections: Forefront TMG provides resiliency against flood attacks and re-allocates resources to provide higher security inspection.
  • Extensive protocol support: Forefront TMG delivers out-of-the-box support for many protocols. New protocols can be defined.

Highly Secure Application Publishing

  • Highly secure e-mail access from Outlook client: Remote users can access Exchange Server using the full Outlook MAPI client over the Internet without establishing a VPN connection. The connection is encrypted for security.
  • Simple Outlook Web Access and Microsoft Office SharePoint Server publishing: Simple wizards allow quick configuration of remote access for both Outlook Web Access and SharePoint servers. Outlook Web Access users can be authenticated at the Forefront TMG server, preventing attacks by unauthenticated users.
  • Highly secure publishing of Web servers, internal servers, and Terminal Services: Remote users can access internal resources or Web servers more securely. Link translation is provided.
  • Single sign-on: Forefront TMG allows users to access a group of published Web sites without being required to authenticate with each Web site.
  • Delegation of basic authentication: Forefront TMG helps protect published Web sites from unauthenticated access by requiring the Forefront TMG firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.
  • Link translation to internal servers: Forefront TMG includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. Link translation is applied automatically during Web publishing.
  • SSL bridging support: To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL-protected packets to be decrypted by Forefront TMG, inspected, and re-encrypted.

Virtual Private Networks

  • Site-to-site VPN: Forefront TMG enables quick connectivity between sites via a wizard-based approach. It can also be configured for tunnel-mode IPSec to support third-party devices.
  • Remote access VPN: Forefront TMG provides termination of L2TP/IPSec and PPTP VPN sessions, using the native Windows VPN services.
  • Inspection of VPN traffic: VPN traffic terminated on the Forefront TMG server is inspected according to the appropriate security policy.
  • VPN quarantine: Forefront TMG provides deep VPN client inspection and integration with your firewall policy.
  • SecureNAT for VPN clients: Forefront TMG helps ensure remote users connected to the network can gain Internet access while maintaining a strong security policy for the corporate network.
  • Publish VPN servers: Forefront TMG can be used to publish internal Windows servers as VPN servers.

Management

  • Enterprise policy: Policy can be assigned to gateways, arrays, or enterprise-wide.
  • Easy-to-use wizards: Forefront TMG simplifies configuration with multiple wizards for features such as Web publishing, Web access, and array configuration.
  • Real-time monitoring and reporting: Logs may be viewed in real time or historically, including active sessions.
  • Query building: With a built-in query tool, historical data can be found quickly. Complex queries can be built.
  • Report creation and publishing: Reports can be designed for specific needs and then published locally or to a network file share.
  • External logging: Logs may be sent to a Microsoft SQL Server located on the internal network.
  • Delegated permissions: Admin roles can be delegated to users or groups.

Networking and Performance

  • Network load balancing: Forefront TMG leverages network load balancing to provide failover and scaling of performance.
  • Network-based configuration: You may configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. Forefront TMG extends the firewall and security features to apply to traffic between any networks or network objects.
  • Caching: Forefront TMG provides caching to improve user experience and reduce bandwidth costs. With the centralized cache rule mechanism of Forefront TMG, you can configure how objects stored in the cache are retrieved and served from the cache.
  • Background Intelligent Transfer Service (BITS) caching: Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data.
  • HTTP compression: You can reduce file size by using algorithms to eliminate redundant data during transmission of HTTP packets.
  • Diffserv (Quality of Service): Forefront TMG includes packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.

URL Filtering

Quick Introduction

URL Filtering allows controlling end-user access to Web sites, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic materials, based on predefined URL categories.

The typical use case for this feature includes:

  • Enhancing your security
  • Lowering liability risks
  • Improving the productivity of your organization
  • Saving network bandwidth

The URL Filtering administration experience is pretty straightforward. All you need to do after enabling the feature is add one or more of the predefined URL categories into Forefront TMG policy (you can find some UI snapshots further below). Once this is done, end-users browsing to a Web site included in one of those categories will be blocked and presented with a relevant notification page, which you can customize.

Additional value can be obtained from URL Filtering related reports and log entries. Have you ever wanted to understand how Web usage in your organization is distributed? And how about identifying those users who consistently violate your Web usage policy? You can do those easily now by looking at the built-in URL filtering reports.

Finally, URL Filtering categories can also be leveraged to exclude sites from being inspected by the HTTPS Traffic inspection and the Malware Inspection features. For instance, you may wish to exclude financial sites from HTTPS inspection, due to privacy considerations.

Before going into further details, note that the feature is still in Beta, so we do expect significant improvements in coverage and accuracy by the final TMG release.

URL categorization data, where does it come from?

TMG features over 80 URL categories ranging from security-oriented selections, like Phishing, Malicious and Anonymizers, through productivity-oriented categories such as Games, or Instant Messaging, and ending with liability-oriented categories like Criminal Activities and Pornography. Categories are also grouped into a higher-level hierarchy which we call Category Sets. The latter can also be used in TMG policy to simplify configuration.

As some of you may have noticed, at the RSA 2009 Conference Microsoft announced its new reputation services and its intention to provide these capabilities for our security products and solutions.  Microsoft also announced several key partnerships in the URL filtering space that will be used to support these reputation services. Forefront TMG will be the first system at Microsoft to leverage and utilize Microsoft Reputation Service (MRS).

MRS is a cloud-based object categorization system hosted in Microsoft data centers and designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions. In the case of Forefront TMG, in order to find out the category of a URL, TMG issues an online query to MRS. MRS maintains a database with tens of millions of unique URLs and their respective categories.

Does this mean every end-user request is sent out to the cloud? No, it doesn't. To improve bandwidth utilization and performance, we have implemented a local cache (residing on the TMG server) that stores recently queried URLs and their respective categories. Cache entries are subject to a time-to-live value, so each entry is refreshed periodically. This local cache is expected to serve the overwhelming majority of user requests. The cache is persistent, so it doesn't need to be rebuilt after each reboot. TMG will query MRS only when a request cannot be served from the local cache.

But that's only the tip of the iceberg. Read on to find out why we think we are building something special with TMG and MRS together.

What is so special about Microsoft Reputation Service (MRS)?

The MRS team wanted to confront an inherent problem with traditional URL Filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors out there, each one specializing in a specific area of the solution.

Some vendors specialize in identifying malicious sites and spam URLs; others are rich with productivity related categories. Some specialize in covering the Internet's “long tail”; others are great with quick classification of previously unknown sites. Some use human-based classification where others use machine-based techniques. Some are great with Web2.0 style URLs… OK, I'll stop here as you get the idea by now. Even those vendors who employ several classification techniques and cover multiple categories can't deal with the huge and ever-expanding challenges of today's Web.

The MRS team's idea was simple: leverage the complementary capabilities of different vendors/sources to create a unified database that is best suited to deal with the challenges described above. So they implemented a scalable architecture that allows multiple streams of data to be incorporated into a merged database. This way, each vendor/source brings its unique strengths to a common solution.

MRS already integrates several data sources, and others will be onboarded in the following months. Some of these data sources are Microsoft internal, and others are the result of collaboration with third-party partners. One such agreement, announced during RSA, is an agreement with Marshal8e6. Other agreements have not been disclosed yet. Expect some surprises...

But the real beauty is that, being a Web service with this architecture, MRS can incorporate new databases completely transparently to customers. We expect the MRS unified database to expand over time and become the recognized industry leader. TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.

Other interesting aspects – security, privacy, licensing

Security – Both Forefront TMG URL Filtering and MRS were designed with security in mind, following the strict standards and guidelines of Microsoft's Security Development Lifecycle (SDL). Both are resilient to a variety of attacks, and the communication between the two is encrypted.

Privacy – this is a known concern when discussing cloud-based services, and therefore the privacy of our customers' data is paramount. We are issuing detailed privacy statements along with the Beta 3 release to provide clarity and transparency on our privacy policies. Make sure to read those.

Licensing – URL Filtering is subscription based, and is part of the Forefront TMG Web Security Service license (together with the Malware Inspection updates).

The small (but important) things

As this is a high-level overview of the feature, we will not dive into all the small details that make for a complete, rich user experience. We will cover some of those in subsequent posts, as we go along. But here are a few examples of the flexibility you are likely to need or want when working with URL Filtering:

  • You can locally override a URL category
  • You can query for a URL's category in the TMG UI
  • You can customize the block page displayed to end-users, introducing your own HTML tags into the text area
  • You can leverage URL Filtering for ad blocking
  • You can use the built-in TMG scripting capabilities to allow non-TMG administrators to locally override a URL (enabling advanced help-desk scenarios)
  • You can use URL Filtering related reports to figure out how your organization uses the Internet (which are the top browsed categories, for instance)
  • You can report classification issues to Microsoft (this one is not available in Beta 3)
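The lookup order described above (a local administrator override first, then the local cache with its time-to-live, and a cloud query to MRS only on a miss or an expired entry) together with policy rules built on category sets, as an added Python model that is not TMG or MRS code; the category names, the hosts, the cloud answers and the TTL are all constructed for the example.

```python
"""Model of TMG-style URL categorization: override -> local TTL cache -> cloud query.
Added illustration, not TMG/MRS code; all names and sample data are constructed."""
import time
from urllib.parse import urlsplit

# Constructed stand-in for what the cloud reputation service would answer per host.
CLOUD_DB = {
    "bank.example": "Financial",
    "games.example": "Games",
    "phish.example": "Phishing",
}

# Constructed category sets (categories grouped into a higher-level hierarchy for policy).
CATEGORY_SETS = {
    "Security": {"Phishing", "Malicious", "Anonymizers"},
    "Liability": {"Criminal Activities", "Pornography"},
}


class Categorizer:
    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so TTL expiry can be exercised offline
        self.cache = {}             # host -> (category, expires_at); persisted on disk in TMG
        self.overrides = {}         # host -> category set locally by an administrator
        self.cloud_queries = 0      # how many lookups actually left the box

    def _cloud_lookup(self, host):
        self.cloud_queries += 1
        return CLOUD_DB.get(host, "Unknown")   # unknown hosts get a neutral category

    def category(self, url):
        host = urlsplit(url).hostname.lower()
        if host in self.overrides:             # local override wins over any cloud answer
            return self.overrides[host]
        now = self.clock()
        entry = self.cache.get(host)
        if entry and entry[1] > now:           # fresh cache entry: no network round trip
            return entry[0]
        cat = self._cloud_lookup(host)         # miss or expired entry: query and refresh TTL
        self.cache[host] = (cat, now + self.ttl)
        return cat


def blocked_by(categorizer, url, blocked_sets):
    """Return the name of the category set that blocks the URL, or None if allowed."""
    cat = categorizer.category(url)
    for name in blocked_sets:
        if cat in CATEGORY_SETS[name]:
            return name
    return None
```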

A sneak peek at the UI

TMG Web Access Wizard allows you to easily introduce URL categories into your policy:


This is how the policy may look after completing the Web Access Wizard (viewed from the Web Access Protection node). Note that URL Categories are standard TMG network objects, so you can use the toolbox on the right to drag and drop additional categories into an existing rule, or to create new rules.


You can query for a URL's category (available as a task in the Web Access Protection node)


You can locally override a URL's category (available as a task in the Web Access Protection node)


You can customize the block page presented to end users, introducing your own HTML tags (this is a per-rule setting available from the 'Action' tab of the rule's properties).


Read the whole article @> Infrastructure Tek Bits : Microsoft Threat Management Gateway (TMG) 2010 - Key Features & Capabilities


 About John

John Gilham is a veteran Microsoft solutions consultant located in San Diego, CA.

Gilham Consulting customers utilize his small firm for Microsoft technology integration including:

  • IT infrastructure design (Hyper-V, AD, DNS, automated platform deployments)
  • Microsoft security solutions (PKI, NAP, 802.1x, Forefront)
  • Unified Messaging & VOIP (Exchange 2007 & OCS 2007)
  • System Center Management Solutions (SCDPM, SCVMM, SCCM, and SCOM)
  • IT and Data Center Operations
  • IT project management

They choose Gilham Consulting due to its proven track record in delivering Microsoft-centric solutions. John's customers have ranged from Fortune 100 companies to non-profits and well-funded startups all across North America.

He believes that Microsoft products, when managed and architected properly, allow the best platform for organizations to automate and track their business processes to serve their customers more effectively.

This blog is a collection of the better references we've stumbled across on Microsoft infrastructure best practices relevant to our current or future projects.

Please enjoy, correct, and contribute! 



Contact Us  |   San Diego, California

Copyright 2007-2009 Gilham Consulting - All rights reserved