%48%54%54%50%2f%31%2e%31
IP loves Layer 7 & this is my Security Trip

www.IAGserver.ORG moved to www.ForefrontSecurity.ORG

July 5, 2009 06:42 by DeviceZ

Hello everyone

Finally after hard work we upgraded the site www.IAGserver.ORG to www.ForefrontSecurity.ORG

ForefrontSecurity.ORG is Microsoft Forefront Security Knowledge Center, Forums and Community Web Site that helps customers, IT experts, developers and security experts leverage their Forefront Security knowledge and experience

First time ever! ForefrontSecurity.ORG is happy to present a new service: "Get paid for your Knowledge"

"Get paid for your Knowledge" allows you to publish yourself and get paid for it - Help us to help others!

Contact us for more details info@ForefrontSecurity.ORG

See you there ...

Idan (DeviceZ) Plotnik

Security Engineer, Forefront MVP


My MVP Award !

April 3, 2009 22:59 by DeviceZ

It's been more than 10 years since I started "playing" with Microsoft software, and finally, after truly hard and intensive work, I got the Microsoft Forefront MVP award. Here is the announcement :)

Dear Idan Plotnik,

Congratulations! We are pleased to present you with the 2009 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others.
The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community Support Services

I want to thank, from the bottom of my heart, all the customers, friends and Microsoft colleagues. I want you to know that I got this award because of you! Thanks to all of the designing, developing, implementing, debugging, researching and hacking hours I spent in your organizations!

In addition, I want to thank all of you who supported me when I needed it; you proved to me that I was right: if you think and do only positive, even when people show you the negative, you win!

Idan (DeviceZ) Plotnik

Security Engineer, MVP


Microsoft Forefront IAG SP2 is OUT !

November 2, 2008 11:54 by DeviceZ

Hello,

I'm happy to announce the IAG Virtual Appliance! Now we can run IAG inside a virtual server on Hyper-V, and a lot more. Read about it here:

http://blogs.technet.com/edgeaccessblog/archive/2008/11/02/iag-sp2-it-is-all-about-the-application.aspx

Check out http://www.IAGserver.ORG for upcoming articles and videos about IAG SP2, and if you have any questions about SP2 please post them on the IAG forums: http://forums.IAGserver.ORG

Thanks,

Idan <DeviceZ> Plotnik



Video on IAGserver.ORG - Microsoft Forefront IAG Single Sign On (SSO) with Smart Card and Kerberos Constrained Delegation (KCD)

November 2, 2008 06:44 by DeviceZ


New Videos and Articles on IAGserver.ORG

November 2, 2008 06:30 by DeviceZ

New Video: Smart Card Authentication and File Access Single-Sign-On with KCD

http://www.iagserver.org/default.aspx?ctype=screencasts&id=V00000001&name=Smart-Card-Authentication-and-File-Access-Single-Sign-On-with-KCD

New Video: How to install IAG SP1

http://www.iagserver.org/default.aspx?ctype=screencasts&id=V00000003&name=How-to-install-IAG-SP1

New Video: How to create SSL certificate for IAG

http://www.iagserver.org/default.aspx?ctype=screencasts&id=V00000002&name=How-to-create-SSL-certificate-for-IAG

New Article: How to create custom Generic Multi Servers SILENT SSLVPN template for Client/Server application access

http://www.IAGserver.ORG/default.aspx?ctype=articles&id=A00000003&name=How-to-create-custom-Generic-Multi-Servers-SILENT-SSLVPN-template-for-Client-Server-application-access

New Article: How to create custom Client/Server Application SSLVPN template for Remote Desktop with Full Screen and Console Access "/console"

http://www.IAGserver.ORG/default.aspx?ctype=articles&id=A00000002&name=How-to-create-custom-Client-Server-Application-SSLVPN-template-for-Remote-Desktop-with-Full-Screen-and-Console-Access

New Article: How to configure File Access Single-Sign-On (SSO) with Kerberos Constrained Delegation (KCD) before SP1

http://www.IAGserver.ORG/default.aspx?ctype=articles&id=A00000001&name=How-to-configure-File-Access-Single-Sign-On-(SSO)-with-Kerberos-Constrained-Delegation-(KCD)-before-SP1

Enjoy!

Idan <DeviceZ> Plotnik 



Welcome to the NEW Microsoft Forefront IAG IAGserver.ORG Website and Forums

October 27, 2008 19:42 by DeviceZ

ping Security Engineers, Sys Admins, Developers, Architects, Security Managers;

If ( I forgot someone )

{       

     Sorry;

}

Microsoft Forefront Intelligent Application Gateway (IAG) is the new Microsoft SSL VPN product, formerly known as Whale Communications SSL VPN.

After 2 months of hard work you can finally see the new Microsoft Forefront Intelligent Application Gateway (IAG) Website and Forums, which include Videos, Articles, Links and more!

http://www.IAGserver.ORG - The First Place To Share Great Minds

http://forums.IAGserver.ORG

There are so many new things in this Application Aware Remote Access SSL VPN product! For example: Active Directory Federation Services (ADFS) gateway, Kerberos Constrained Delegation (KCD) with Smart Cards, OTP and Soft Certificates, Application Filtering and Content Inspection, and more!

See you there ...

Idan <DeviceZ> Plotnik


ISA Server ... no more ... call me TMG !!!

April 12, 2008 00:39 by DeviceZ

ISA Server (Internet Security and Acceleration Server) is gone … now we are talking TMG (Threat Management Gateway)

Microsoft announced the new Threat Management Gateway (TMG) last week at RSA. You can now download a BETA version of the product, but you will need a 64-bit machine with Windows 2008.

I recommend reading the following TechNet documentation before running and installing TMG:

http://technet.microsoft.com/en-us/library/cc441438.aspx

So many new features !!! You MUST see it ...

http://www.microsoft.com/downloads/details.aspx?FamilyID=65bd5f8a-d94c-457a-9f88-2046597130e1&displaylang=en

Idan <DeviceZ> Plotnik


The new Microsoft GAPA (Generic Application-Level Protocol Analyzer)

April 12, 2008 00:24 by DeviceZ

Ping Security Gurus

After I finished reading all the public information about GAPA, I want to share it with you. The new Microsoft innovation!

Microsoft Research published these articles a few years ago:

http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=987

http://research.microsoft.com/research/shield/

If you want to read the patent info ...

http://www.freepatentsonline.com/y2007/0112969.html

This is my first entry about the GAPA subject; I will continue writing on it in the near future ... stay tuned!

Idan <DeviceZ> Plotnik


TechEd Israel 2008 Security track here I come …

March 30, 2008 00:16 by DeviceZ

This is the second time I'm talking at TechEd; two years ago I had 3 presentations and now I have "only" two :)

In my first presentation I'm going to talk about ISA 2006 advanced scenarios, the new SP1 and how to debug, troubleshoot and analyze problems … and of course talk about the cool next version !!!

In my second presentation I will talk about the amazing world of Microsoft secure remote access and application security. I will present advanced authentication scenarios with IAG (Intelligent Application Gateway), how to stop SQL injection and XSS attacks with IAG using out-of-the-box rules, and of course !!! the new version of the product, and … an authentication and SSO surprise (first time in public!)

Come to see me … I will take you on a new SecurityTrip

Download my presentation here: http://download.microsoft.com/download/a/7/c/a7ccc02e-9404-4008-ac61-2bcd696c92ec/SEC479.ppt

Idan <DeviceZ> Plotnik


Unable to delete emails from OWA when installing reverse proxy in front of your front-end or back-end exchange server

March 15, 2008 12:31 by DeviceZ

Some items can’t be deleted. They were either moved, already deleted, or access was denied


So this is my story about deleting emails from OWA :). The past and the future …

More than two years ago my attack and defense team and I were supposed to provide a federation solution for one of the government departments. We chose ADFS (Active Directory Federation Services), which was in BETA2.

Our mission was to provide a solution that enabled a user from domain X to use their own credentials to access OWA in domain Y (without an AD trust), and also to provide SSO.

The main problem was that ADFS and OWA 2003 didn't work together, and the interesting thing we found out was that ADFS uses an ISAPI extension, as does OWA. However, the ADFS ISAPI extension wasn't designed to transfer credentials to another ISAPI extension, so we developed an HttpHandler that acted as a proxy between two sites on the same IIS server. Each site had its own ISAPI extension – it was against all odds!!! And it worked! We managed to provide SSO to OWA in domain Y with credentials from domain X!!!

But … we bumped into the following error while trying to delete emails


To make a long story short, the problem was the length of the URL that we forwarded from the proxy to the back-end web site.

More than two years later, I had a very strategic project in one of the top insurance companies, and I bumped into this error again. This time the architecture was different: we had two reverse proxies installed in front of the front-end Exchange server.

The first thing I wanted to analyze was the difference between the request and the response when browsing directly to OWA and when going through the reverse proxy.

The screenshot below shows the traffic of the non-working scenario. You can see that after the "BDELETE" WebDAV request (session 138) there is a "SEARCH" WebDAV request (session 174) that is not supposed to be there.


The screenshot below shows the traffic of the working scenario. You can see that after the "BDELETE" WebDAV request (session 138) there is no "SEARCH" WebDAV request, unlike in the first example.


After debugging I identified the problem: in the response to the "BPROPPATCH" WebDAV request I found HTTP/1.1 "502 Bad Gateway" instead of an HTTP/1.1 200 response:


As usual I opened RFC 2616 and searched for "Bad Gateway" because I wasn't sure I remembered this part. This pointed me in the direction of the solution:

10.5.3 502 Bad Gateway

"The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request."

Once I was sure this was the problem, I started debugging it from the configuration side. After I changed the host header on the second reverse proxy back to the original host header, I managed to delete emails.
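The checks below are an added example, not code from the original post: a small script that runs over a constructed proxy trace and flags the two root causes described above (a rewritten Host header, an over-long forwarded URL) together with the symptoms seen in the captures (a 502 on a WebDAV request, a stray SEARCH right after a BDELETE). The trace format, the host names and the URL limit are assumptions made for illustration.

```python
# Added example, not from the original post. Trace format, host names and
# the URL limit are assumptions; the session numbers mirror the screenshots.

WEBDAV_METHODS = {"BDELETE", "BPROPPATCH", "SEARCH", "PROPFIND", "PROPPATCH"}
MAX_FORWARDED_URL = 2048  # assumed limit; the post gives no exact number

# Constructed trace: session, method, Host header sent by the client, Host
# header the inner proxy forwarded to the Exchange front end, URL, status.
TRACE = """\
137 BPROPPATCH owa.example.org fe01.internal /exchange/user/Inbox/ 502
138 BDELETE owa.example.org owa.example.org /exchange/user/Inbox/ 207
174 SEARCH owa.example.org owa.example.org /exchange/user/Inbox/ 207
"""

def parse_trace(text):
    """Turn the whitespace-separated trace lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sess, method, client_host, fwd_host, url, status = line.split()
        rows.append({"session": int(sess), "method": method, "client_host": client_host,
                     "forwarded_host": fwd_host, "url": url, "status": int(status)})
    return rows

def check_host_headers(rows):
    """Root cause in the post: a proxy in the chain rewrote the Host header."""
    return [r["session"] for r in rows if r["client_host"] != r["forwarded_host"]]

def check_upstream_errors(rows):
    """502 means the upstream reply was invalid (RFC 2616 section 10.5.3)."""
    return [r["session"] for r in rows if r["method"] in WEBDAV_METHODS and r["status"] == 502]

def check_delete_then_search(rows):
    """Symptom in the post: an unexpected SEARCH right after a BDELETE on the same path."""
    return [(a["session"], b["session"]) for a, b in zip(rows, rows[1:])
            if a["method"] == "BDELETE" and b["method"] == "SEARCH" and a["url"] == b["url"]]

def check_url_length(rows, limit=MAX_FORWARDED_URL):
    """Cause in the ADFS story: the proxy forwarded a URL longer than the back end accepted."""
    return [r["session"] for r in rows if len(r["url"]) > limit]

if __name__ == "__main__":
    rows = parse_trace(TRACE)
    print("Host header rewritten in sessions:", check_host_headers(rows))
    print("502 on WebDAV request in sessions:", check_upstream_errors(rows))
    print("BDELETE followed by SEARCH:", check_delete_then_search(rows))
    print("Over-long forwarded URL in sessions:", check_url_length(rows))
```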


<DeviceZ>