After some testing I also found out that TMG tries to authenticate the user before deciding whether the user is even allowed to access the services. This means that even if you have used a group or created a "User Group" on TMG to limit the users who can use these services, your entire organisation's accounts are still exposed to this kind of attack.
Thankfully UAG has something to help combat this. UAG has an option that holds off further authentication attempts for a configurable amount of time once a threshold has been reached. For example, an administrator can specify that after 3 incorrect logon attempts the user is held off for 60 minutes. Obviously you need to take your current password policies into consideration to ensure you have the optimal configuration.

Another thing I learnt the hard way is that UAG by default requires access to your CA's CRL, and if it cannot reach it, it will present your users with a generic Certificate Error message. To modify this behaviour (and turn that CRL check off) you need to change the HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL\ValidateRwsCertCRL value to 0.
I also found this whitepaper (http://go.microsoft.com/fwlink/?LinkId=197136) from Microsoft that outlines publishing Exchange services with both TMG and UAG, and it also includes some interesting info that you can use to work out which product will best meet your needs.
So for Matt's 5 cents:
UAG has some cool features that are not well documented. If security is a major concern and you require the ability to set a more comprehensive policy, then UAG is for you. A word of warning though, for those of you who are familiar with TMG: UAG has a totally different look and feel and it is a bit more complicated.