1. Introduction to TMG
Seminar on TMG and UAG at Microsoft (Rome)
Page 2: A Brief History of Perimeter Protection
Proxy Server 1.0
Proxy Server 2.0
Internet Security and Acceleration (ISA) 2000
Stateful Packet Inspection, «Trusted Networks»
ISA 2004: no network traffic allowed out of the box
ISA 2006: Web Publishing
Forefront Threat Management Gateway 2010
Page 3: Forefront Edge Security and Access Products
Before / Now
Network Protection / Network Access
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
Integrated and comprehensive protection from Internet-based threats
Unified platform for all enterprise remote access needs
Page 4: Forefront TMG and UAG
New features make Forefront TMG the ideal outbound access solution. In contrast to ISA 2006, very little has been done in Forefront TMG in terms of improvements for inbound access control. Exceptions: Secure Socket Tunneling Protocol (SSTP) for VPN client connections; NAP integration.
You will not see any other major changes in the Web or Server Publishing features when moving from ISA 2006 to Forefront TMG. The majority of the inbound access (remote access) effort is going into Microsoft Forefront Unified Access Gateway (UAG) 2010. It is expected that Forefront TMG will be used primarily for outbound access control and as a network firewall, and that UAG will be used for inbound access (remote access) control.
Page 5: Possible Placements in the Network Perimeter
Edge of the corporate network
Back-end firewall behind another Forefront TMG firewall or a third-party firewall
Parallel firewall on the edge, next to another Forefront TMG or third-party firewall
Network service segment firewall, providing a secure perimeter between client systems and network services
Multi-homed firewall that acts as the hub between multiple internal and perimeter networks
Page 6: Forefront TMG: Features
Firewall – Control network policy access at the edge
Secure Web Gateway – Protect users from Web browsing threats
Secure E-mail Relay – Protect users from e-mail threats
Remote Access Gateway – Enable users to remotely access corporate resources
Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive
Integrated
Simplified
Page 7: Forefront TMG: Deployment Scenarios
Unified Threat Management (UTM)
• All-in-one solution for medium businesses
• Firewall, VPN, Web security, IPS, e-mail relay in a single box
Secure Web Gateway
• Authenticating proxy with security
• Web antivirus and URL filtering
• Inspection of HTTP and HTTPS traffic
Remote Access Gateway
• Secure Web publishing
• Dial-in VPN
• Site-to-site VPN
Secure E-mail Relay
• Antispam
• Antivirus
• E-mail filtering
Page 8: Forward, Reverse Proxy, Web Proxy, and Winsock Proxy Server
Web proxy server / Reverse proxy services
• Application layer inspection
• For forward proxy connections: Web anti-malware capabilities and URL filtering
• For reverse proxy: SSL bridging
• For both: HTTP protocol inspection
Remote Access VPN Server
• Stateful packet and application layer inspection on all traffic moving through the VPN
• User-based access controls (based on user name or user group membership)
• Remote Access Quarantine Control and Network Access Protection (NAP)
Secure E-mail Gateway
• The Forefront TMG e-mail gateway feature is powered by the Edge Transport Server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server
Page 9: Network Inspection System, Malware Inspection and HTTPS Inspection
Network Inspection System
• Uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then take action
Malware Inspection
• The Malware Inspection filter (Edge Malware Protection) is a built-in Web filter
• Delayed download, HTML progress page, trickling
HTTPS Inspection
• Forefront TMG introduces a new feature called HTTPS inspection
• It is based on a trusted man-in-the-middle mechanism, in which Forefront TMG acts as a trusted man in the middle and presents itself as the SSL site to the client
Page 10: Feature Summary
Firewall
• VoIP traversal
• Enhanced NAT
• ISP link redundancy
Secure Web Access
• HTTP antivirus/antispyware
• URL filtering
• HTTPS forward inspection
E-mail Protection
• Exchange Edge integration
• Antivirus
• Antispam
Intrusion Prevention
• Network inspection system
Remote Access
• NAP integration with client VPN
• SSTP integration
Deployment and Management
• Array management
• Change tracking
• Enhanced reporting
• W2K8, native 64-bit
Subscription Services
• Malware protection
• URL filtering
• Intrusion prevention
Page 11: Feature Summary: Comparison with ISA Server 2006

| Feature | ISA Server 2006 | Forefront TMG |
|---|---|---|
| Network layer firewall | Yes | Yes |
| Application layer firewall | Yes | Yes |
| Internet access protection (proxy) | Yes | Yes |
| Basic OWA and SharePoint publishing | Yes | Yes |
| IPsec VPN (remote and site-to-site) | Yes | Yes |
| Web caching, HTTP compression | Yes | Yes |
| Web antivirus, antimalware | – | New |
| URL filtering | – | New |
| E-mail antimalware, antispam | – | New |
| Network intrusion prevention | – | New |
| Enhanced UI, management, reporting | – | New |
| Exchange publishing (RPC over HTTP) | Yes | Yes |
| Windows Server® 2008 R2, 64-bit (only) | – | New |
Page 12: Licenses
Two editions and two Client Access Licenses (CALs)
Standard Edition: Full UTM
Enterprise Edition: Scalability and management
Subscriptions: Web protection, E-mail protection
Page 13: Comparison Between Editions (Standard Edition vs Enterprise Edition)
Number of CPUs: up to 4 CPUs (Standard); unlimited (Enterprise)
Array/NLB/CARP support
Enterprise management: yes (Enterprise), with added ability for EMS to manage SEs
Publishing
VPN support
Forward proxy/cache, compression
Network IPS (NIS)
E-mail protection: requires a Microsoft® Exchange Server license (Server + CALs) and installation by the admin
Page 14: License Transition from ISA 2006 to TMG 2010
Today → At launch
ISA Server SE → Forefront TMG 2010 SE
ISA Server EE → Forefront TMG 2010 EE
Covered by Software Assurance
Forefront TMG 2010 EE: available per user/device, per year
Page 15: Installation and Initial Configuration
Page 16: System Requirements

| | Minimum | Recommended |
|---|---|---|
| Processor | 2 cores (1 CPU x dual core), 64-bit processor | 4 cores (2 CPU x dual core or 1 CPU x quad core), 64-bit processor |
| Memory | 2 gigabytes (GB) of memory | 4 gigabytes (GB) of memory |
| Hard disk space | 2.5 GB of available hard disk space* | 2.5 GB of available hard disk space* |
| Hard disks | One local hard disk partition formatted with NTFS | Two disks for system and logging, and one for caching and malware inspection |
| Network | One network adapter for communicating with the internal network | One network adapter for each network connected to the Forefront TMG 2010 server |
| Operating system | Windows Server® 2008 x64 with Service Pack 2, or Windows Server® 2008 R2 | |

* Exclusive of the hard disk space used for caching and for storing temporary files
Page 17: Required Server Roles and Features
Server roles and features required by Forefront TMG include:
Network Policy Server
Routing and Remote Access Service
Active Directory Lightweight Directory Services
Network Load Balancing
Windows PowerShell
These server roles are installed during Forefront TMG installation; you do not need to install them in advance.
They are not removed if you uninstall Forefront TMG.
Forefront TMG Preparation Tool
Forefront TMG is not supported on a machine that is configured as a domain controller, with the exception of a read-only domain controller, which requires that TMG Service Pack 1 be installed.
Page 18: Prerequisites
Basic installation: connected to the network, with DNS server settings configured
For the Secure Mail Relay usage scenario: Exchange Edge Transport role (Microsoft® Exchange Server 2007 with Service Pack 1, or Microsoft® Exchange Server 2010) and Microsoft® Forefront™ Protection 2010 for Exchange Server
Page 19: Note: Enterprise Management Server
Both the Standard and Enterprise editions of Forefront TMG store their configuration in an Active Directory Lightweight Directory Services (AD LDS) database.
Standard Edition: the AD LDS database is always on the Forefront TMG firewall itself.
Enterprise Edition: option of installing the AD LDS configuration database on a firewall array member or on a separate computer. The separate computer hosting the AD LDS database is called the Enterprise Management Server (EMS).
Page 20: Installation
Page 21: Installation
Page 22: Initial Configuration: Getting Started Wizard
Page 23: Network Settings Configuration: Network Setup (Template) Wizard
Select the network topology used: Edge firewall, 3-Leg perimeter, Back firewall, Single network adapter
Page 24: Network Settings Configuration: Network Setup Wizard
Define the IP configuration for each network adapter; assign each adapter to the appropriate network
Page 25: System Settings Configuration: System Configuration Wizard
Define host name, domain membership and DNS suffix
Page 26: Deployment Settings Configuration: Deployment Wizard
Activate subscription licenses
Enable malware protection and intrusion prevention
Configure signature update schedule and response policy
Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
Page 27: Deployment Settings Configuration: Deployment Wizard
Page 28: Basic Concepts
Page 29: Network Relationship
TMG defines a network as a logical representation of a network connection owned by the computer where TMG operates.
These networks can be:
• a physical connection such as a network interface card (NIC) or modem
• a logical interface such as a dial-in or site-to-site VPN connection
In each case, TMG must have a clear understanding of how to define and process the traffic that is received from a given network.
• The simplest definition of a network relationship is the relationship indicated by the source and destination hosts as defined in the traffic 5-tuple
Note: 5-tuple is an industry-standard term describing the criteria used to uniquely identify an IP communication channel. This data includes:
• source and destination IP addresses
• source and destination ports (if used)
• transport protocol (TCP, UDP, and so on)
Page 30: Configuration: Network Rules
Define allowed traffic flows
Like firewall policy rules, network rules define how TMG will handle traffic between source and destination hosts. Network rules are also processed in the order in which they are defined.
Because network rules form a primary criterion for traffic processing, they have the power to discard traffic before any firewall policy rule has the opportunity to evaluate it. When this happens, the firewall log will not include a name in the rule field, because no firewall policy rule processed the traffic.
As is the case with firewall policy rules, the order of network rules is critical to correct traffic evaluation by TMG.
Page 31: Configuration: Network Rules
All network rule sets begin with the same rule, Local Host Access, which defines a route relationship for traffic that is sourced or terminated by TMG itself. This rule cannot be modified by the TMG administrator.
All network rules operate in the context of network objects. When you run the Network Rule Wizard, you are given the opportunity to select from a subset of the firewall policy network objects.
The options presented for a network rule's source and destination criteria are limited to those items that are defined as some variation or grouping of an IP address, IP subnet, IP address range, or combinations of these, as in Computer or Network Sets.
No firewall policy elements that abstract the source or destination into a name (such as domain or URL sets) can be used for network rules, because they cannot represent literal network membership.
Page 32: Configuration: Network Adapters
Forefront TMG supports an unlimited number of network adapters (limited only by hardware).
Page 33: Configuration: Networks
The Networks configuration models the enterprise network infrastructure.
A network contains all reachable IPs for a network adapter; it cannot overlap with other Networks; it can be static or dynamic.
Page 34: Configuration: Network Sets
Network Sets are used to group one or more networks. They are defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude), and are used in the definition of network and policy rules.
Page 35: Configuration: Network Relationship
Determines the relationship between two networks:
Route: bi-directional; source address not modified
NAT: uni-directional; source address is modified
Required for non-Web access and Server Publishing rules
The Web proxy filter ignores network rules
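The network-rule model described on pages 29 to 35 (networks, Network Sets with Include/Exclude, ordered network rules, the fixed Local Host Access rule, Route versus NAT, and traffic discarded with an empty rule name when no network rule matches), as an added Python example. This is not TMG code and not its administration API: the topology, network names and addresses are constructed; the External network is modelled as "any address not in another network"; and the Enhanced NAT option of page 36 is modelled as an optional fixed source address on the rule.

```python
"""Toy model of how Forefront TMG picks a network rule for a traffic 5-tuple.

Added example, not TMG code. It follows the slides: first match wins, Local Host
Access is always first, Route is bidirectional, NAT is source-to-destination only
and rewrites the source, and unmatched traffic never reaches firewall policy.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCAL_HOST = "Local Host"
EXTERNAL = "External"           # implicit network: every address not in another network


@dataclass
class Network:
    name: str
    ranges: List[str]                           # CIDR strings owned by this network

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in ipaddress.ip_network(r) for r in self.ranges)


@dataclass
class NetworkSet:
    name: str
    include: List[str] = field(default_factory=list)    # members are exactly these networks
    exclude: List[str] = field(default_factory=list)    # members are all networks but these


@dataclass
class NetworkRule:
    name: str
    sources: List[str]                          # network or network-set names
    destinations: List[str]
    relationship: str                           # "route" or "nat"
    nat_address: Optional[str] = None           # Enhanced NAT: fixed source IP to present


@dataclass
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str


class NetworkRuleEngine:
    def __init__(self, networks: List[Network], sets: List[NetworkSet],
                 rules: List[NetworkRule]) -> None:
        self.networks: Dict[str, Network] = {n.name: n for n in networks}
        self.sets: Dict[str, NetworkSet] = {s.name: s for s in sets}
        # Local Host Access is always the first rule and cannot be edited by the admin.
        others = [n.name for n in networks if n.name != LOCAL_HOST] + [EXTERNAL]
        self.rules = [NetworkRule("Local Host Access", [LOCAL_HOST], others, "route")] + list(rules)

    def network_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for net in self.networks.values():      # Local Host is listed first: its /32s sit inside Internal
            if net.contains(addr):
                return net.name
        return EXTERNAL

    def is_member(self, net_name: str, obj_name: str) -> bool:
        if obj_name in self.sets:
            s = self.sets[obj_name]
            return net_name in s.include if s.include else net_name not in s.exclude
        return net_name == obj_name

    def _matches(self, rule: NetworkRule, src_net: str, dst_net: str) -> bool:
        def fits(a: str, b: str) -> bool:
            return (any(self.is_member(a, o) for o in rule.sources)
                    and any(self.is_member(b, o) for o in rule.destinations))
        if fits(src_net, dst_net):
            return True
        # Route relationships apply in both directions; NAT only source -> destination.
        return rule.relationship == "route" and fits(dst_net, src_net)

    def evaluate(self, pkt: FiveTuple) -> dict:
        src_net, dst_net = self.network_of(pkt.src_ip), self.network_of(pkt.dst_ip)
        for rule in self.rules:                 # first match wins: rule order is critical
            if self._matches(rule, src_net, dst_net):
                new_src = pkt.src_ip
                if rule.relationship == "nat":  # default NAT source is TMG's own address; placeholder here
                    new_src = rule.nat_address or "<TMG address on destination network>"
                return {"rule": rule.name, "relationship": rule.relationship,
                        "source_network": src_net, "destination_network": dst_net,
                        "source_ip_after": new_src, "reached_firewall_policy": True}
        # No network rule matched: discarded before firewall policy runs,
        # so the firewall log shows an empty rule name for this connection.
        return {"rule": "", "relationship": None, "source_network": src_net,
                "destination_network": dst_net, "source_ip_after": None,
                "reached_firewall_policy": False}


def build_sample_engine() -> NetworkRuleEngine:
    """Constructed edge-firewall topology with a perimeter (not from the slides)."""
    networks = [
        Network(LOCAL_HOST, ["10.0.0.1/32", "192.168.100.1/32", "203.0.113.10/32"]),
        Network("Internal", ["10.0.0.0/8"]),
        Network("Perimeter", ["192.168.100.0/24"]),
    ]
    sets = [NetworkSet("All Protected Networks", exclude=[EXTERNAL])]   # Exclude-style set
    rules = [
        NetworkRule("Internal to Perimeter", ["Internal"], ["Perimeter"], "route"),
        NetworkRule("Internet Access", ["All Protected Networks"], [EXTERNAL], "nat",
                    nat_address="203.0.113.10"),                          # Enhanced NAT
    ]
    return NetworkRuleEngine(networks, sets, rules)


if __name__ == "__main__":
    engine = build_sample_engine()
    for flow in [FiveTuple("10.1.2.3", "198.51.100.5", 50001, 443, "TCP"),
                 FiveTuple("192.168.100.20", "10.1.2.3", 50002, 445, "TCP"),
                 FiveTuple("198.51.100.5", "192.168.100.20", 50003, 80, "TCP")]:
        print(flow.src_ip, "->", flow.dst_ip, engine.evaluate(flow))
```

The third sample flow (External to Perimeter) shows the point the slides make about ordering and direction: the NAT rule only covers protected-to-External traffic, so inbound traffic finds no network rule and is dropped with an empty rule name before any firewall policy rule is consulted; swapping the order of the two admin-defined rules, or changing the second one to Route, changes the outcome without touching firewall policy.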
Page 36: Configuration: Network Rules
New feature: Enhanced NAT. Specify the IP address to be used when doing NAT.
Page 37: Configuration: Routing
Displays the routing table used between networks. Set via the route -p add command or the GUI.
Page 38: Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
Page 39: Installation on a Single-NIC Server
Forefront TMG supports using a single network adapter.
Supported scenarios: Secure Web Gateway (forward Web proxy and cache); Web Publishing (reverse Web proxy and cache); remote client VPN access
Unsupported scenarios: application layer inspection (except for Web proxy); Server Publishing; non-Web clients (Firewall Client, SecureNAT); site-to-site VPNs
Page 40: What to Check When Setup Fails
If TMG Setup fails for any reason, first read the description of the error message that appears on screen.
The Forefront Protection 2010 for Exchange Server component adds setup information in the file FssSetupLogYYMMDDTimeStamp.txt, which is located in %systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server.
If you want to use the SMTP Protection feature on TMG, you need to install the Microsoft Exchange Edge Transport role and Forefront Protection 2010 for Exchange Server.
The log files for the Exchange component of the installation are stored at %systemdrive%\ExchangeSetupLogs.
During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%\temp folder.
The information in TMG Setup log files is based on Microsoft Windows Installer logging.
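Because TMG Setup logs are Windows Installer logs, the quickest way to find the failing step is to look for the first action that ended with "Return value 3", the Windows Installer code for a fatal action failure, and read the lines just above it. The following scanner is an added example, not TMG tooling; SAMPLE_LOG is constructed (the custom action name RunSetupTask and the executable path are placeholders, not real TMG setup content), and only the log folders are the ones named on the slide.

```python
"""Locate the failing action in a Windows Installer style setup log.

Added example, not TMG tooling. Windows Installer logs end every action with
"Action ended <time>: <ActionName>. Return value <n>." and a return value of 3
means the action failed. The scanner lists each failed action with the lines
just before it, which is where the underlying error is usually printed.
"""
import os
import re
from typing import Dict, List

# Log folders named on the slide; os.path.expandvars resolves them on Windows.
SETUP_LOG_DIRS = [
    r"%systemroot%\temp",
    r"%systemdrive%\ExchangeSetupLogs",
    r"%systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server",
]

ACTION_END = re.compile(r"Action ended \S+: (?P<action>\w+)\. Return value (?P<rc>\d+)\.")

# Constructed sample log (placeholder action name and path, not a real TMG log).
SAMPLE_LOG = """\
Action start 10:15:01: InstallFiles.
Action ended 10:15:04: InstallFiles. Return value 1.
Action start 10:15:04: RunSetupTask.
MSI (s) (7C:90) [10:15:05:101]: Note: 1: 1722 2: RunSetupTask 3: <placeholder-custom-action-exe>
Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected.
Action ended 10:15:06: RunSetupTask. Return value 3.
Action ended 10:15:06: INSTALL. Return value 3.
"""


def failed_actions(log_text: str, context: int = 3) -> List[Dict[str, object]]:
    """Every action that ended with return value 3, with the preceding lines."""
    lines = log_text.splitlines()
    failures = []
    for i, line in enumerate(lines):
        m = ACTION_END.search(line)
        if m and m.group("rc") == "3":
            failures.append({"action": m.group("action"), "line": i + 1,
                             "context": lines[max(0, i - context):i]})
    return failures


def root_cause(log_text: str) -> str:
    """The first failed action is the real cause; later ones (such as the top-level
    INSTALL action) only propagate the failure."""
    failures = failed_actions(log_text)
    return failures[0]["action"] if failures else ""


def log_dirs() -> List[str]:
    """The folders to collect before opening a support case, expanded for this host."""
    return [os.path.expandvars(d) for d in SETUP_LOG_DIRS]


if __name__ == "__main__":
    for f in failed_actions(SAMPLE_LOG):
        print(f"line {f['line']}: action {f['action']} failed; preceding lines:")
        for ctx in f["context"]:
            print("   ", ctx)
    print("root cause:", root_cause(SAMPLE_LOG))
    print("log folders:", log_dirs())
```

On a real TMG server you would feed each file in the listed folders to failed_actions and read the context of the first hit; the later "INSTALL ... Return value 3" line is only the rollup and tells you nothing new.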
Page 41: Setup Log Files
Page 42: Classic Configuration Errors
Multiple default gateways: define only one default gateway.
Not adding reachable addresses to networks: ensure all reachable addresses are added.
DNS resolution issues: the DNS server list is system-wide, not per adapter. Use the internal DNS servers, or host a DNS server service locally and use conditional forwarding.
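The three errors above can be caught before they cause an outage by checking the routing table and the network definitions against each other. The following Python checker is an added example, not TMG tooling: it parses a constructed `route print` IPv4 table, a constructed set of TMG network definitions (with a "Branch" network that deliberately overlaps Internal) and a constructed system-wide DNS server list. The interpretation that every subnet reachable through an internal-side adapter must lie inside that adapter's TMG network, and that an adapter in no defined network is External-facing, is the check's own assumption.

```python
"""Offline checks for the classic TMG configuration errors listed above.

Added example, not TMG code. Input: the IPv4 table of a Windows `route print`,
the TMG network definitions, and the system-wide DNS server list. Reported:
more than one default gateway, routed subnets missing from the TMG network of
the adapter they are reached through, overlapping networks, and DNS servers
that are not on the Internal network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of the IPv4 route table of `route print` (not a real capture).
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
          0.0.0.0          0.0.0.0       10.0.0.254        10.0.0.1     20
         10.0.0.0        255.0.0.0          On-link         10.0.0.1    266
         10.0.0.1  255.255.255.255          On-link         10.0.0.1    266
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
       172.16.0.0      255.255.0.0       10.0.0.254        10.0.0.1     21
    192.168.100.0    255.255.255.0          On-link    192.168.100.1    266
      203.0.113.0    255.255.255.0          On-link     203.0.113.10    266
  255.255.255.255  255.255.255.255          On-link         10.0.0.1    266
"""

# Constructed TMG network definitions; "Branch" deliberately overlaps Internal.
SAMPLE_NETWORKS: Dict[str, List[str]] = {
    "Internal": ["10.0.0.0/8"],
    "Perimeter": ["192.168.100.0/24"],
    "Branch": ["10.5.0.0/16"],
}
SAMPLE_DNS_SERVERS = ["10.0.0.53", "203.0.113.53"]   # constructed; the second is an ISP resolver


def parse_routes(route_print: str) -> List[dict]:
    """Turn the 5-column IPv4 rows of `route print` into dicts; headers are skipped."""
    routes = []
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue
        routes.append({"dest": dest, "gateway": parts[2],
                       "interface": parts[3], "metric": int(parts[4])})
    return routes


def _compiled(networks: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    return {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in networks.items()}


def _network_of(ip: str, nets: Dict[str, List[ipaddress.IPv4Network]]) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((n for n, rs in nets.items() if any(addr in r for r in rs)), None)


def default_gateways(routes: List[dict]) -> List[str]:
    """Error 1: more than one 0.0.0.0/0 route with a real gateway."""
    return [r["gateway"] for r in routes
            if r["dest"].prefixlen == 0 and r["gateway"] != "On-link"]


def unassigned_reachable_subnets(routes: List[dict], networks: Dict[str, List[str]]) -> List[str]:
    """Error 2: a subnet reachable through an internal-side adapter that is not part
    of that adapter's TMG network. Adapters in no defined network are treated as
    External-facing (External is implicit in TMG) and skipped."""
    nets = _compiled(networks)
    findings = []
    for r in routes:
        d = r["dest"]
        if d.prefixlen in (0, 32) or d.is_loopback:      # default, host and loopback routes
            continue
        adapter_net = _network_of(r["interface"], nets)
        if adapter_net and not any(d.subnet_of(n) for n in nets[adapter_net]):
            findings.append(f"{d} via {r['interface']} is not in network '{adapter_net}'")
    return findings


def overlapping_networks(networks: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Networks must not overlap; report each offending pair of network names."""
    items = [(n, r) for n, rs in _compiled(networks).items() for r in rs]
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if a != b and ra.overlaps(rb)]


def dns_servers_outside_internal(dns_servers: List[str], networks: Dict[str, List[str]],
                                 internal: str = "Internal") -> List[str]:
    """Error 3: the DNS list is system-wide, so an ISP resolver on it breaks internal
    name resolution; report servers that are not on the Internal network."""
    nets = _compiled(networks)
    return [s for s in dns_servers if _network_of(s, {internal: nets[internal]}) is None]


def run_checks(route_print: str, networks: Dict[str, List[str]],
               dns_servers: List[str]) -> Dict[str, list]:
    routes = parse_routes(route_print)
    return {"default_gateways": default_gateways(routes),
            "unassigned_subnets": unassigned_reachable_subnets(routes, networks),
            "overlapping_networks": overlapping_networks(networks),
            "dns_outside_internal": dns_servers_outside_internal(dns_servers, networks)}


if __name__ == "__main__":
    for check, result in run_checks(SAMPLE_ROUTE_PRINT, SAMPLE_NETWORKS, SAMPLE_DNS_SERVERS).items():
        print(f"{check}: {result or 'OK'}")
```

Each check returns an empty list when the configuration is clean, so the same functions can be run against the real `route print` output and the exported network definitions of a TMG server after every change to its adapters or routes.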