A Brief History of Perimeter Protection
Proxy Server 1.0
Proxy Server 2.0
Internet Security and Acceleration (ISA) Server 2000: stateful packet inspection, "trusted networks"
ISA 2004: no network traffic out of the box
ISA 2006: Web publishing
Forefront Threat Management Gateway 2010
Forefront Edge Security and Access Products
Before: Network Protection. Now: Network Access.
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures
Integrated and comprehensive protection from Internet-based threats
Unified platform for all enterprise remote access needs
Forefront TMG and UAG
New features make Forefront TMG the ideal outbound access solution. In contrast to ISA 2006, very little has been done in Forefront TMG in terms of improvements for inbound access control. Exceptions: Secure Socket Tunneling Protocol (SSTP) for VPN client connections, and NAP integration.
You will not see any other major changes in the Web or Server Publishing features when moving from ISA 2006 to Forefront TMG. The majority of inbound access (remote access) effort is going into Microsoft Forefront Unified Access Gateway (UAG) 2010. It is expected that Forefront TMG will be used primarily for outbound access control and as a network firewall, and that UAG will be used for inbound access (remote access) control.
Possible Placements in the Network Perimeter
Edge of the corporate network
Back-end firewall behind another Forefront TMG firewall or a third-party firewall
Parallel firewall on the edge, next to another Forefront TMG or third-party firewall
Network service segment firewall, providing a secure perimeter between client systems and network services
Multi-homed firewall that acts as the hub between multiple internal and perimeter networks
Forefront TMG: Features
Firewall – Control network policy access at the edge
Secure Web Gateway – Protect users from Web browsing threats
Secure E-mail Relay – Protect users from e-mail threats
Remote Access Gateway – Enable users to remotely access corporate resources
Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive
Integrated
Simplified
Forefront TMG: Deployment Scenarios
Unified Threat Management (UTM)
• All-in-one solution for medium businesses
• Firewall, VPN, Web security, IPS, e-mail relay in a single box
Secure Web Gateway
• Authenticating proxy with security
• Web antivirus and URL filtering
• Inspection of HTTP and HTTPS traffic
Remote Access Gateway
• Secure Web publishing
• Dial-in VPN
• Site-to-site VPN
Secure E-mail Relay
• Antispam
• Antivirus
• E-mail filtering
Forward Proxy, Reverse Proxy, Web Proxy, and Winsock Proxy Server
Web proxy server and reverse proxy services
• Application layer inspection
• For forward proxy connections, Web anti-malware capabilities and URL filtering
• For reverse proxy, SSL bridging
• For both, HTTP protocol inspection
Remote Access VPN Server
• Stateful packet and application layer inspection on all traffic moving through the VPN
• User-based access controls (based on user name or user group membership)
• Remote Access Quarantine Control and Network Access Protection (NAP)
Secure E-mail Gateway
• The Forefront TMG e-mail gateway feature is powered by the Edge Transport server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server
Network Inspection System, Malware Inspection and HTTPS Inspection
Network Inspection System
• Uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then take action
Malware Inspection
• The Malware Inspection filter (Edge Malware Protection) is a built-in Web filter
• Delayed download, HTML progress page, trickling
HTTPS Inspection
• Forefront TMG introduces a new feature called HTTPS inspection
• It is based on a trusted man-in-the-middle mechanism, in which Forefront TMG works as a trusted man in the middle, being the SSL site for the client
Feature Summary
Firewall
• VoIP traversal
• Enhanced NAT
• ISP link redundancy
Secure Web Access
• HTTP antivirus/antispyware
• URL filtering
• HTTPS forward inspection
E-mail Protection
• Exchange Edge integration
• Antivirus
• Antispam
Intrusion Prevention
• Network inspection system
Remote Access
• NAP integration with client VPN
• SSTP integration
Deployment and Management
• Array management
• Change tracking
• Enhanced reporting
• W2K8, native 64-bit
Subscription Services
• Malware protection
• URL filtering
• Intrusion prevention
Comparison with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
Network layer firewall
Application layer firewall
Internet access protection (proxy)
Basic OWA and SharePoint publishing
IPsec VPN (remote and site-to-site)
Web caching, HTTP compression
Exchange publishing (RPC over HTTP)
New in Forefront TMG:
Web antivirus, antimalware
URL filtering
E-mail antimalware, antispam
Network intrusion prevention
Enhanced UI, management, reporting
Windows Server® 2008 R2, 64-bit (only)
Licensing
Two editions and two Client Access Licenses (CALs)
Standard Edition: full UTM
Enterprise Edition: scalability and management
Subscriptions (CALs): Web protection, E-mail protection
Edition Comparison
Standard Edition vs. Enterprise Edition
Number of CPUs: Standard Edition up to 4 CPUs; Enterprise Edition unlimited
Array/NLB/CARP support
Enterprise management: yes, with added ability for EMS to manage SEs
Publishing
VPN support
Forward proxy/cache, compression
Network IPS (NIS)
E-mail protection: requires a Microsoft® Exchange Server license (Server + CALs) and installation by the admin
License Transition from ISA 2006 to TMG 2010
Today: ISA Server SE, ISA Server EE
At launch: Forefront TMG 2010 SE, Forefront TMG 2010 EE
Covered by Software Assurance
Available per user/device, per year
Installation and Initial Configuration
System Requirements
Processor: minimum 2 cores (1 CPU x dual core) 64-bit processor; recommended 4 cores (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
Memory: minimum 2 gigabytes (GB); recommended 4 gigabytes (GB)
Hard disk space: 2.5 GB of available hard disk space* (minimum and recommended)
Hard disks: minimum one local hard disk partition formatted with NTFS; recommended two disks for system and logging, and one for caching and malware inspection
Network: minimum one network adapter for communicating with the internal network; recommended one network adapter for each network connected to the Forefront TMG 2010 server
Operating system: Windows Server® 2008 x64 with Service Pack 2, or Windows Server® 2008 R2
* Exclusive of the hard disk space used for caching and for storing temporary files
Required Server Roles and Features
Server roles and features required by Forefront TMG include:
Network Policy Server
Routing and Remote Access Service
Active Directory Lightweight Directory Services
Network Load Balancing
Windows PowerShell
These server roles are installed during Forefront TMG installation; you do not need to install them in advance
They are not removed if you uninstall Forefront TMG
Forefront TMG Preparation Tool
Forefront TMG is not supported on a machine that is configured as a domain controller, with the exception of a read-only domain controller, which requires that TMG Service Pack 1 be installed.
Prerequisites
Basic installation: connected to the network, with DNS server settings configured
For the Secure Mail Relay usage scenario: Exchange Edge Transport role (Microsoft® Exchange Server 2007 with Service Pack 1, or Microsoft® Exchange Server 2010) and Microsoft® Forefront™ Protection 2010 for Exchange Server
Note: Enterprise Management Server
Both the Standard and Enterprise editions of Forefront TMG store their configuration in an Active Directory Lightweight Directory Services (AD LDS) database
Standard Edition : the AD LDS database is always on the Forefront TMG firewall itself
Enterprise Edition : option of installing the AD LDS configuration database on a firewall array member or on a separate computer. The separate computer hosting the AD LDS database is called the Enterprise Management Server (EMS)
Installation
Initial Configuration: Getting Started Wizard
Network Settings Configuration: Network Setup (Template) Wizard
Select the network topology used: Edge firewall, 3-Leg perimeter, Back firewall, Single network adapter
Network Settings Configuration: Network Setup Wizard
Define the IP configuration for each network adapter and assign each adapter to the appropriate network
System Settings Configuration: System Configuration Wizard
Define host name, domain membership and DNS suffix
Deployment Settings Configuration: Deployment Wizard
Activate subscription licenses
Enable malware protection and intrusion prevention
Configure the signature update schedule and response policy
Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
Basic Concepts
Network Relationship
TMG defines a network as a logical representation of a network connection owned by the computer where TMG operates
• These networks can be:
• a physical connection such as a network interface card (NIC) or modem
• a logical interface such as a dial-in or site-to-site VPN connection
In each case, TMG must have a clear understanding of how to define and process the traffic that is received from a given network
• The simplest definition for a network relationship is the relationship indicated by the source and destination hosts as defined in the traffic 5-tuple
Note: 5-tuple is an industry-standard term describing the criteria used to uniquely identify an IP communication channel
• This data includes:
• Source and destination IP addresses
• Source and destination ports (if used)
• Transport protocol (TCP, UDP, and so on)
Configuration: Network Rules
Like firewall policy rules, network rules define how TMG will handle traffic between source and destination hosts: they define the allowed traffic flows
Network rules are also processed in the order in which they are defined
Because network rules form a primary criterion for traffic processing, they have the power to discard traffic before any firewall policy rule has the opportunity to evaluate it
When this happens, the firewall log will not include a name in the rule field, because no firewall policy rule processed the traffic
As is the case with firewall policy rules, the order of network rules is critical to correct traffic evaluation by TMG
Configuration: Network Rules
All network rule sets begin with the same rule, Local Host Access, which defines a route relationship for traffic that is sourced or terminated by TMG itself
• This rule cannot be modified by the TMG administrator
All network rules operate in the context of network objects
When you run the Network Rule Wizard, you are given the opportunity to select from a subset of the firewall policy network objects
The options presented for a network rule's source and destination criteria are limited to items defined as some variation or grouping of an IP address, IP subnet, IP address range, or combinations of these, as in Computer or Network Sets
No firewall policy elements that abstract the source or destination into a name (such as domain or URL sets) can be used for network rules, because they cannot represent literal network membership
Configuration: Network Adapters
Forefront TMG supports unlimited network adapters (limited only by hardware)
Configuration: Networks
Networks model the enterprise network infrastructure
A Network contains all reachable IPs for a network adapter, cannot overlap with other Networks, and can be static or dynamic
Configuration: Network Sets
Network Sets are used to group one or more networks
Defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude)
Used in the definition of network and policy rules
Configuration: Network Relationship
Determines the relationship between two networks
Route: bidirectional; source address not modified
NAT: unidirectional; source address is modified
Required for non-Web access and Server Publishing rules
The Web proxy filter ignores network rules
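The evaluation described in the network relationship and network rule slides, as an added example that is not part of the original deck: a small Python model that walks a simplified 5-tuple (source, destination, destination port) through ordered network rules, applying Route bidirectionally and NAT in one direction only, and then through firewall policy. The Networks, rule names, addresses and ports are constructed for the demo, not taken from any deployment.

```python
from ipaddress import ip_address, ip_network

# Constructed demo data (not from a real deployment): TMG Networks are
# non-overlapping address sets; the most specific one containing an address wins.
NETWORKS = {
    "Local Host": [ip_network("10.0.0.1/32"), ip_network("203.0.113.10/32")],
    "Internal": [ip_network("10.0.0.0/8")],
    "Perimeter": [ip_network("192.168.100.0/24")],
    "External": [ip_network("0.0.0.0/0")],  # everything not in another Network
}

# Network rules, evaluated top-down; Local Host Access is always first and fixed.
# (name, source Network, destination Network, relationship)
NETWORK_RULES = [
    ("Local Host Access", "Local Host", "*", "Route"),
    ("Perimeter Access", "Internal", "Perimeter", "Route"),  # Route: bidirectional
    ("Internet Access", "Internal", "External", "NAT"),      # NAT: source -> destination only
]

# Firewall policy, also top-down: (name, allowed destination ports or None for any, action)
FIREWALL_POLICY = [
    ("Allow Web", {80, 443}, "allow"),
    ("Default rule", None, "deny"),
]


def network_of(addr):
    """Return the name of the Network containing addr (longest prefix wins)."""
    best, best_len = None, -1
    for name, nets in NETWORKS.items():
        for net in nets:
            if ip_address(addr) in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def evaluate(src, dst, dport):
    """Walk the simplified 5-tuple through network rules, then firewall policy.

    Returns a firewall-log style record; 'rule' is empty when a network rule
    discarded the traffic, because no firewall policy rule ever processed it.
    """
    s, d = network_of(src), network_of(dst)
    for name, rs, rd, rel in NETWORK_RULES:
        forward = rs in (s, "*") and rd in (d, "*")
        reverse = rel == "Route" and rs in (d, "*") and rd in (s, "*")
        if forward or reverse:
            for pname, ports, action in FIREWALL_POLICY:
                if ports is None or dport in ports:
                    return {"action": action, "rule": pname, "network_rule": name}
    return {"action": "deny", "rule": "", "network_rule": None}
```

An External-to-Internal connection never reaches the firewall policy here because the only matching relationship is NAT, which is why the slide says server publishing rules need their own network relationship.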
Configuration: Network Rules
New feature: Enhanced NAT, which lets you specify the IP address to be used when doing NAT
Configuration: Routing
Displays the routing table used between networks
Set via the route -p add command or the GUI
Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
Installation on a Server with a Single Network Adapter
Forefront TMG supports using a single network adapter
Supported scenarios: Secure Web Gateway (forward Web proxy and cache), Web Publishing (reverse Web proxy and cache), remote client VPN access
Unsupported scenarios: application layer inspection (except for Web proxy), server publishing, non-Web clients (Firewall client, SecureNAT), site-to-site VPNs
What to Check When Setup Fails
If TMG Setup fails for any reason, first read the description of the error message that appears onscreen
The Forefront Protection 2010 for Exchange Server component adds setup information to the file FssSetupLogYYMMDDTimeStamp.txt, which is located in %systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server
If you want to use the SMTP Protection feature on TMG, you need to install the Microsoft Exchange Edge Transport role and Forefront Protection 2010 for Exchange Server
The log files for the Exchange component of the installation are stored in %systemdrive%\ExchangeSetupLogs
During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%\temp folder
The information in the TMG Setup log files is based on Microsoft Windows Installer logging
Setup Log Files
Classic Configuration Errors
Multiple default gateways: define only one default gateway
Not adding reachable addresses to networks: ensure all reachable addresses are added
DNS resolution issues: the DNS server list is system-wide, not per adapter; use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
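Two of the checks above, as an added example that is not part of the original deck: parse the IPv4 section of route print output for more than one default route, and flag DNS servers that fall outside the Internal network, since the DNS list is system-wide. The route table text, the Internal address range and the DNS server list are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed sample (made-up addresses) of the IPv4 section of "route print" on a
# two-adapter TMG server; two 0.0.0.0 routes is the misconfiguration the slide warns about.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
          0.0.0.0          0.0.0.0       10.0.0.254        10.0.0.1     20
         10.0.0.0        255.0.0.0          On-link        10.0.0.1    266
      203.0.113.0    255.255.255.0          On-link    203.0.113.10    266
===========================================================================
"""

INTERNAL = [ip_network("10.0.0.0/8")]        # assumed TMG Internal network
DNS_SERVERS = ["10.0.0.53", "203.0.113.53"]  # constructed system-wide DNS list


def default_gateways(route_table):
    """Return (gateway, interface) for every default route (0.0.0.0 mask 0.0.0.0)."""
    found = []
    for line in route_table.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "0.0.0.0" and fields[1] == "0.0.0.0":
            found.append((fields[2], fields[3]))
    return found


def external_dns_servers(dns_servers, internal_nets):
    """DNS settings are system-wide, so a server outside Internal is queried through
    the External adapter; return those servers."""
    return [d for d in dns_servers
            if not any(ip_address(d) in net for net in internal_nets)]


def check(route_table, dns_servers, internal_nets):
    """Return one finding per configuration error detected."""
    findings = []
    gateways = default_gateways(route_table)
    if len(gateways) > 1:
        findings.append("multiple default gateways: " + ", ".join(g for g, _ in gateways))
    external = external_dns_servers(dns_servers, internal_nets)
    if external:
        findings.append("DNS servers outside Internal: " + ", ".join(external))
    return findings
```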