TMG and BigFix BESClient

No series of posts would be complete if I didn’t relate it back to my new fabulous job some how…

The Microsoft Threat Management Gateway is secure by default.  This means everything you want to do or rather connect to online must be configured properly within the TMG console.  The BigFix Enterprise Client is no different.

By default the BigFix infrastructure communicates on port 52311.  Therefore we must let TMG know that we’d like our clients to talk over this port.

Below is a graphical step by step on how this is done:

1. Lets start by creating a new row…

ForeFront TMG->Firewall Policy->Tasks (tab)->Create Access Rule


2. Of course we’ll be Allowing this port to communicate


3. We’ll be creating a brand new protocol… so hit Add then in the Add Protocols window click New->Protocol

3    4

4. Name your protocol…


5. We’ll be adding the BigFix TCP port 52311 here… (You may have deployed via a different port… specify your custom BigFix port here…)

6  7   8

6. We have no secondary connections that are needed… so click next and hit finish

9   10

7. Next we will expand the “User-Defined” branch and choose our “BigFix Communication Protocol” we just defined and hit Add->Close->Next

11  12

8. Specify who is allowed to communicate… Source which should be your internal network.


9. And specify our destination which in my case I am setting up a secondary site and all these clients will communicate with my BigFix Root server somewhere else on the internet.  (later on I’ll setup a relay on one of the computers at this location and adjust TMG firewall rules.)


10.  Because BigFix is my main management for all my computers, I want every computer to have permissions to communicate via this port… so I’ll leave the default “All Users” here… Next->Finish

15   16


We’ll probably want to make sure this is our first firewall rule so it is not interfered with by some other rule.  After hitting finish it should look like this:


Lastly we’ll need to “Apply” this new rule set in order to get things working.


TMG and AT&T Global Network Client

Since setting up my Microsoft Threat Management Gateway, I’ve come to realize how restrictive it is… The default installation setups both an in-coming and out-going firewall.  This can be rather frustrating if you don’t know how to configure things correctly.
In this post I’ll show you how to configure an Access Rule to allow the AT&T Global Network Client thru to wherever your going…

01. Open up your Forefront TMG Management console and find the "Firewall Policy" link within the left side tree.

2. Under the Tasks tab on the right side, find the “Create Access Rule” and left click it.

3. Call the Rule name:  AT&T Global Network Client
and hit next

4. We’ll want to “Allow” it…

45. This rule applies to “Selected protocols” and click the “Add” button

6. Under the “Add Protocols” window, click New->Protocol

7. Name it the “AT&T Network Client” then add the following ports to the list:

a. TCP, Outbound, From 50 To 50

b. TCP, Outbound, From 389 To 389

c. UDP, Send, From 500 To 500

d. TCP, Outbound, From 709 To 709

e. UDP, Send, From 4500 To 4500

f. TCP, Outbound, From 5080 To 5080

8. Our rule now needs to specify the “From” network of Internal, and the “To” network as External

Finish and Apply the changes… This should allow your VPN Client to connect and work properly.

Port Scanning?!? oh and Microsoft Threat Management Gateway (TMG)

I am working on learning network security… so I went and picked up the NMAP Network Scanning book (ISBN: 978-0-9799587-1-7) from Gordon Lyon and
During my reading he talks alot about an Intrusion Detection System (IDS). Apparently IDS’s are used to detect attacks on their networks including something benign as a port scan. This got me thinking… doesn’t my MS Action Pack include something like that… indeed it does… two in fact. The ISA 2006 and it’s newer replacement Threat Management Gateway (TMG 2010).
Any respectable hacker would jump at the chance to set it up and “hack” yourself to see what happens right? OF COURSE!!!

I’ve setup the new system and placed it on the “edge” of my network. This puts it in exactly the right spot to have the largest exposure… right…