MICROSOFT FOREFRONT TMG 2010 EBOOK
| Field | Value |
|---|---|
| Language | English, Spanish, French |
| ePub File Size | 28.78 MB |
| PDF File Size | 12.22 MB |
| Distribution | Free* [*Registration Required] |
About the Author: Yuri Diogenes is a Microsoft senior support escalation
Contents (excerpt):

- Installing TMG
- Chapter 9: Understanding Access Rules
- Configuring Load-Balancing Capabilities
- Network Inspection System
- Part V: Malware Inspection
- URL Filtering
- Enhancing E-Mail Protection
- Understanding Publishing Concepts
- Publishing Servers
- Remote Access
- Understanding Remote Access
- Logging and Reporting
- Logging
- Enhanced NAT

A major change took place with the introduction of ISA Server. This was the first version of the product that could be considered an enterprise-ready, network layer firewall.
ISA Server was the first version of the product to provide both stateful packet inspection and application layer inspection. The problem with ISA Server was that, as we entered the twenty-first century, the concept of trusted internal and untrusted external networks was no longer valid.
To respond to such threats, ISA Server was released, which used a new networking model in which no networks were considered trusted. Out of the box, no network traffic could traverse the ISA firewall. Only after the ISA firewall administrator explicitly configured firewall rules could traffic move through the firewall.
In addition, the concept of all networks being untrusted was extended to VPN client connections, as well as site-to-site VPN gateway links. Even more significant in the introduction of the ISA firewall was its ability to perform stateful packet inspection and application layer inspection over all connections to and through the firewall.
This meant that stateful packet inspection and application layer inspection were performed on outgoing connections, incoming connections, remote access VPN connections, and site-to-site VPN connections. These investments are seen in the new features included with the Forefront TMG firewall, some of which include:

However, in contrast to ISA, in which major investments in terms of new reverse proxy features were made for inbound access control, very little has been done in Forefront TMG in terms of improvements for inbound access control.
At this point in time, it is expected that Forefront TMG will be used primarily for outbound access control and as a network firewall, and that UAG will be used for inbound remote access control.
With powerful stateful packet and application layer inspection features and capabilities, the ISA firewall, and now the Forefront TMG firewall, have both proven themselves time and again to be highly resilient to attack. Together they have one of the best track records for security in the entire firewall industry. This track record is demonstrated by the very small number of reported security issues found in the ISA or Forefront TMG firewall code when compared to similar products.
However, Forefront TMG is not only an edge firewall.
As a network perimeter security device, the Forefront TMG firewall can actually act in one or more of several roles. Forefront TMG uses advanced stateful packet and application layer inspection capabilities to help secure the traffic that moves to and through the firewall. This helps ensure that both traditional network layer attacks that were popular in the past and the crop of application layer attacks that are popular now are blocked by the firewall before they reach their intended destinations.
As a network firewall, Forefront TMG can be placed on the edge of the network, with a connection directly on the Internet, or it can be placed behind other firewalls so that it becomes the perimeter firewall for the network segments that lie behind it. The Forefront TMG firewall can act as both a forward and a reverse proxy server. In its role as a Web proxy server, the Web proxy client actually sends the request to the Web proxy server.
The Web proxy evaluates the request and, if the request is allowed, recreates the request on behalf of the requesting client and forwards it to the destination server.
The destination server then replies, and the reply is forwarded to the requesting client. The connection is terminated on the external interface of the Forefront TMG firewall and inspected.
The published Web server responds to the request, Forefront TMG intercepts the response, and, if the response is considered valid, the request is forwarded to the requesting client. Attackers are able to take advantage of SSL to move malware into your network and private corporate data out of your network, because most perimeter security devices are unable to evaluate the contents of an SSL-encrypted session.
In both forward and reverse proxy scenarios the Forefront TMG firewall is able to perform application layer inspection to help ensure that there are no dangerous commands or payloads in the communication.
Both forward and reverse proxy scenarios benefit from SSL bridging, which helps prevent exploits from being hidden within an SSL tunnel.

Forefront TMG proxies the request to the destination Web server and receives the response. Before forwarding the response to the requesting client, Forefront TMG places the content in its in-memory cache and then moves it to its on-disk cache. After placing the content in the cache, the content is returned to the requesting client.
Forward caching has the end result of reducing the overall bandwidth used on the Internet link by providing content from cache instead of from the destination Web server. In addition, the end-user experience is significantly improved because content is returned at LAN speed instead of at relatively slow WAN speed.
In this scenario, the external client makes a request for content on a Web server on a network protected by Forefront TMG.
Microsoft® Forefront® Threat Management Gateway (TMG) Administrator’s Companion
Forefront TMG intercepts the request, evaluates it, and then, if it is acceptable, forwards it to the published Web server. The Web server returns the response, Forefront TMG intercepts it, evaluates it, and then, for content that is marked as cacheable, Forefront TMG will cache the content in memory, and subsequently on disk, and forward the response to the external requesting client.
Administrator's Insight: The end result of reverse caching is a bit different from that of forward caching and adds different value. While forward caching reduces overall Internet bandwidth usage and improves the overall end-user experience, reverse caching has little effect on Internet bandwidth and no effect on the end-user experience.
Instead, reverse caching enables you to reduce the load on the published Web server, and, in some scenarios, enables you to allow external users access to content on the published Web server, even when the Web server is disabled or down for maintenance. In addition, it can reduce the amount of bandwidth usage on networks between the TMG firewall and the published Web servers. For remote access VPN clients and servers, there is a one-to-one relationship between the client and the server.
This is in contrast to the role of the VPN gateway, which is covered in the next section of this chapter. The remote access VPN client has a virtual link layer connection to the corporate network.
This provides an experience similar to that seen by hosts that are either physically or wirelessly connected at the corporate network. VPN clients use the Internet as their transport to the corporate network. Once they are connected, VPN client systems can access resources on the corporate network in a way that is similar to the way an on-network host works. However, VPN clients pose a challenge that you typically do not see for on-network hosts: Most VPN clients are unmanaged clients with unknown security status.
Forefront TMG solves some of the issues related to the questionable security status of a VPN client by enabling the following features:

If the remote access VPN client fails to pass security checks, then it may be offered a method of remediation.
In contrast, the site-to-site VPN gateway has a one-to-many relationship with clients. A single remote access gateway link can have many clients behind it. Remote access VPN gateways allow you to create virtual network segments over the Internet. However, unlike internal network segments that are connected by LAN routers and switches, clients on remote networks are connected to the corporate network over the VPN gateway.
For example, suppose you have a network in Dallas and another in Seattle. You want machines on each of the networks to have access to resources on the other network.
There are a number of ways you can do this, such as using a dedicated WAN link to connect the offices. Site-to-site VPN gateways can solve both these problems by using the Internet as a transport and creating a virtual link layer connection between the two networks.

Areas of control revolved around keywords, attachment names and extensions, and source and destination user names or domains.
The Edge Transport Server role provides key features, such as connection filtering and spam detection, while the Forefront Protection for Exchange (FPE) components protect against malware or other dangerous code entering or leaving your network.

Administrator's Insight: Many administrators have been told that the Exchange Edge Server role is not supported on domain member machines.
To better understand this idea, review the points in the scenario displayed in the figure. Sometimes the company security policy only allows access from the server to some specific Web sites, such as Windows Update.
Forefront TMG can address this need by controlling access to a specific group of servers. Forefront TMG can go beyond that and also identify malicious access attempts between computers (server to server, server to client, or client to client). Now that you understand the core Web access protection scenarios, we will look at the features mentioned in each scenario in more detail.

Network Inspection System

NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then to take action, which might be to block the traffic when an exploit is detected.
The goal of GAPA is to build an IPS that is aware of the application protocol that it is inspecting and able to apply complex conditions or rules to the intercepted network traffic. These conditions rely on the logical structure of the protocol under inspection.
The NIS engine is integrated into the firewall binaries, although it also has dynamic engine loading capabilities. On each configuration reload, the engine loads a snapshot file that contains the engine signatures and protocol definitions. Signatures are downloaded from Microsoft Update Center both on a regular basis and during emergencies, so that NIS can respond to zero-day attacks.
The figure illustrates how snapshots and engine updates are managed.

Malware Inspection

As new threats are getting smarter and are leaving the network layer and moving to the application layer, the challenge of keeping all workstations behind the edge device updated with the latest antivirus signature is getting even more difficult. The core advantages of inspecting traffic against malware at the edge are:

Malware inspection can be enabled globally in the Web access policy, as shown in the figure. This can introduce some problems, such as a degraded user experience related to the delay caused by the accumulation.
Forefront TMG uses different delivery methods to protect the user experience when downloading files from the Internet:

Malware inspection is a key secure Web gateway feature that Forefront TMG uses to protect internal workstations.
Users became more conscious about e-commerce and carefully looked at the lock in the Web browser to see whether that traffic was encrypted. This is indeed a great habit that took years to build; however, there are challenges in this area because encrypted traffic that crosses the firewall is not inspected. The dangerous part of this is that it relies on the legitimacy of the Web site that the user is trying to access. If the destination Web site is using this encrypted channel to transfer malware, the traditional edge device will not be able to inspect the traffic and identify it.
HTTPS inspection is not restricted to determining whether the content within the packet includes malware or not; it also enables:

The problem domain is simply too large for any single vendor to provide a complete solution. As a result, there are multiple vendors who each specialize in a specific area of the solution. The MRS team's idea was simple:

This made it possible to implement a scalable architecture that allows multiple streams of data to be incorporated into a merged database.
This way, each vendor and source brings its unique strengths to a common solution.
In order to further improve data quality, a URL filtering telemetry mechanism was developed and built into the product. Based on those samples, the MRS team can analyze URL filtering coverage and accuracy, identify pain points, and address those pain points accordingly.

Forefront includes security applications in four main areas:

UAG is designed to provide a comprehensive and unified solution for remote access into the corporate network by enabling multiple remote access technologies in a single server solution.
However, UAG provides more than remote access; UAG helps you to secure remote access in a number of remote access scenarios. UAG employs multiple remote access technologies because different users will require different types of access. For example, a non-domain computer might need administrative, network level access to much of the corporate network, so you could provide SSTP VPN access to that user.
In that case, you could publish these sites using secure reverse proxy. Finally, domain member computers outside the network might need full corporate network access that is exactly the same as the end-user experience when the user is directly connected to the corporate network over a wired or wireless connection. In this case, you could provide DirectAccess. You can use UAG to support all these remote access scenarios and more. Some of the key features and capabilities available in UAG include:

Because Forefront TMG is installed on the UAG server, it is designed to be an edge device and can be placed at the edge of an enterprise network.
Forefront Identity Manager

Forefront Identity Manager (FIM) changes the current state of identity management by providing powerful end user self-service capabilities. IT professionals are also given more tools to solve day-to-day tasks, such as delegating administration and creating workflows for common identity management tasks. In addition, FIM is built on a.

FPE can be deployed in a number of ways. First, FPE can be installed on the Edge Server so that it can inspect email moving into and out of the corporate network.
Finally, FPE can be installed on the mailbox server, so that it can inspect the contents of user mailboxes and provide real time protection against malicious attachments.
FPE is part of the two-member family of Forefront server protection products. The other product in this family is Forefront Protection for SharePoint, which performs similar duties to protect SharePoint sites. Forefront Protection for Exchange Server includes:

This allows Forefront TMG to work with the back-end components of FPE to provide multiple levels of protection for your email organization.
FOPE includes:

The policy enforcement feature is unique to FOPE. Policy enforcement allows you to create policies to perform tasks such as encrypting email before forwarding it to its destination. You can use FOPE policies to enforce email encryption for any mail addressed to that destination.
Users do not need to be aware of this policy, because the policy enforcement and encryption takes place in the cloud.
Forefront Protection for Exchange currently supports integrated provisioning and management of FOPE, enabling a hybrid on-premises and cloud solution for email protection.
Key features included in Forefront Protection for SharePoint include:

Administrator's Punch List

Key takeaways from this chapter:

- All networks are subject to stateful packet and application layer inspection.
- The only improvement for remote access is the new support for SSTP.

That preparation will help ensure that Forefront TMG is best able to perform the duties you intend for it. This chapter provides a discussion about preparing to install Forefront TMG and then goes through the actual steps required to install Forefront TMG in your environment.
Preparing to Install Forefront TMG

While there are many things to consider prior to installing a Forefront TMG solution on your network, there are three primary areas that deserve special attention. These three areas are:

That is to say, you had a problem that needed to be solved, and you determined that Forefront TMG was the right solution for your problem. Now is the right time to revisit the problem you were seeking to solve with Forefront TMG so that you can choose the correct deployment options to fit your needs.
Forefront TMG can fill multiple roles in your organization's network infrastructure.
When planning roles for your Forefront TMG deployment, determining the appropriate number of network interface cards (NICs) required by the solution is critical, because not all of the solutions are supported by a single-NIC configuration. Aside from this consideration, all the roles are interoperable, meaning that you can configure your Forefront TMG firewall to support multiple roles on a single computer or on a single array of Forefront TMG firewalls or Web proxies.
The Forefront TMG roles include:

As a network firewall, Forefront TMG will need at least two network interfaces. This reduces the number of routing issues on your network.
In addition, as a Winsock proxy solution, Forefront TMG is able to track and record the names of the applications users use to connect to the Internet, the name of each user who uses each application, and the name of each computer from which each application was accessed.
You can use Forefront TMG as your edge email protection solution. Forefront TMG takes advantage of the Exchange Edge Server role and also supports Forefront Protection for Exchange to provide a defense in depth antispam and anti-malware solution for protecting your email organization.
While it was designed to provide enhanced protection for Microsoft Exchange, Forefront TMG can also be used as an edge email protection solution for any SMTP-based solution you currently use.

Book Description

Get your Web security, network perimeter security, and application layer security gateway up and running smoothly. Led by two members of the Microsoft Forefront team, you'll get pragmatic, inside insights into system components and capabilities; identify software, hardware, and business requirements; and step through essential planning and design considerations, including network topology, remote access, publishing rules, performance, administration, and more.

Configuring User Override for URL Filtering

In a world in which compliance and security policy enforcement are growing trends, having a secure Web gateway that reflects your IT business requirements is a real advantage.

This rule is designed to block everything because no requests were identified as being safe to open.

This is the time that the assigned cookie will be valid for the user.