Implementing Microsoft ® Forefront Threat Management Gateway Server

Implementing Microsoft ® Forefront Threat Management Gateway Server

Course Outline Module 1: Overview of Microsoft Forefront TMG
Module 2: Installing and Maintaining TMG Server Module 3: Enabling Access to Internet Resources Module 4: Configuring TMG Server as a Firewall Module 5: Configuring Access to Internal Resources

Course Outline (continued)
Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks Module 7: Implementing Caching Module 8: Monitoring Forefront TMG

Module 1: Overview of Microsoft Forefront TMG

Overview Introducing Microsoft Forefront TMG
Deployment Scenarios for Forefront TMG

Lesson: Introducing Forefront TMG
What Are the Benefits of Forefront TMG? Multimedia: Overview of Forefront TMG Functionality Forefront TMG Management Interface Forefront TMG Enterprise Edition Features Differences Between TMG Server 2000 and Forefront TMG

What Are the Benefits of Forefront TMG?
Advanced Protection Multi-layer packet inspection Unified firewall and VPN server Multi-networking Application-layer filtering Ease of Use Efficient management tools Network templates Product integration Ease of use for clients Multi Layer Packet Inspection > Packet Filtering Firewall, StateFull Firewall, App Firewall Unified Firewall and VPN > Single Management Point Ease of use for client > integrate with Radius and AD Enhanced Performance Optimized for performance Integrated functionality Scalability Web caching

Differences Between ISA Server 2006 and Forefront TMG
Simplified management (Deployment) Protect users from web browsing threats (Web Access Policy) with Malware and HTTPS inspection Protect users from threats ( Policy) with Antispam and Antivirus Protect desktops and servers from intrusion attempts with Network Inspection System (NIS) as IPS Using Active Directory Lightweight Directories Services as ADAM New Dashboard for Monitoring Share point Portal Server Publishing wizard . Fully support for Exchange Server 2007. branch office VPN connetivity Wizard . Flood Resiliency (TMG Server stop unavailable from flooding attacks ). Enhanced remediation during attack. Support for LDAP authentication (Forefront TMG can access the Authenticate to Active Directory without being the member of the domain. ) BITS caching.(Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data.) Web Publishing load balancing .(Automatically balance request stream among TMG Servers on the arry ) HTTP compression.(HTTP compression reduces file size by using algorithms to eliminate redundant data during transmission of HTTP packets) Quality of Service (new packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.)

Differences Between ISA Server 2006 and Forefront TMG cont.
Support VoIP New VPN Service with SSTP VPN Redundancy and Load Balancing ISP Share point Portal Server Publishing wizard . Fully support for Exchange Server 2007. branch office VPN connetivity Wizard . Flood Resiliency (TMG Server stop unavailable from flooding attacks ). Enhanced remediation during attack. Support for LDAP authentication (Forefront TMG can access the Authenticate to Active Directory without being the member of the domain. ) BITS caching.(Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data.) Web Publishing load balancing .(Automatically balance request stream among TMG Servers on the arry ) HTTP compression.(HTTP compression reduces file size by using algorithms to eliminate redundant data during transmission of HTTP packets) Quality of Service (new packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.)

Lesson: Deployment Scenarios for Forefront TMG
How TMG Server Works as an Internet Edge Firewall How TMG Server Works as a Back-End Firewall How TMG Server Works as a Branch Office Firewall How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server How TMG Server Works as a Proxy- and Caching-Only Server

How TMG Server Works as an Internet Edge Firewall
Use TMG Server to: Block all Internet traffic unless explicitly allowed Publish internal servers such as Web or Exchange servers Provide a VPN gateway for remote users Provide proxy and caching services LAN Web Server TMG Server Web Server VPN Internet Server User Exchange Server Remote User

How TMG Server Works as a Back-End Firewall
Use TMG Server to: Securely publish Exchange servers Securely publish other internal Web servers Provide proxy and caching services LAN Web Server Web Server TMG Server Firewall Web Server Server Internet User Exchange Server Remote User

How TMG Server Works as a Branch Office Firewall
Use TMG Server to: Create an IPSec tunnel-mode VPN between offices Create a PPTP or L2TP with IPSec VPN between offices Inspect and filter all traffic between offices Provide secure access to the Internet at the branch office LAN TMG Server LAN TMG Server or other VPN gateway VPN Tunnel Branch Office Server Internet Corporate Headquarters User

How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server
Use TMG Server to: Provide proxy and caching services to conserve Internet bandwidth Configure dial-up connections to the Internet Block all inbound network traffic Provide secure configurations using network templates and server publishing wizards LAN ISP Server Internet TMG Server Server Web Server User

How TMG Server Works as a Proxy- and Caching-Only Server
Use TMG Server with a single network adapter to provide proxy and caching services Deploying TMG Server with a single network adapter means that it does not provide additional security functionality LAN TMG Server Web Server Server Firewall Internet User

Module 2: Installing and Maintaining TMG Server

Overview Installing Forefront TMG Choosing TMG Server Clients
Installing and Configuring TMG Clients Advanced TMG Client Configuration Securing Forefront TMG Maintaining Forefront TMG

Lesson: Installing Forefront TMG
System and Hardware Requirements for Forefront TMG Installation Types and Components Configuration Choices During Installation How to Perform an Unattended Installation of Forefront TMG How to Verify an Installation of Forefront TMG Default Configuration for Forefront TMG How to Modify the TMG Server Installation Upgrade Options from TMG Server 2000 to Forefront TMG

Preparation TMG TMG will only run on 64-bit Windows Server There will be a 32-bit demo version after the TMG goes RTM, but there won’t be any beta versions that run on 32-bit Windows TMG requires at least 2 GB of memory (it will probably run on less, but not very quickly) 2.5 GB of disk space At least one NIC (although I always recommend two or more NICs to provide true security) You must install to the default folder on the C: drive TMG will install IIS 7 on your machine in order to support SQL reporting services. If you remove TMG from the machine, II7 will not be removed for you and you will need to do that manually Services and driver files for the TMG are installed in the TMG installation folder

System and Hardware Requirements for Forefront TMG
Windows Server bits CPU RAM 2 GB 1.8 GHZ(2core) Hard Disk Format NTFS Hard Disk Space 2.5 GB Internal External

Hardware Requirements for Forefront TMG

System Requirements for Forefront TMG

System Requirements for Forefront TMG cont.

Installation Types and Components

Practice: Installing Forefront TMG
TMG-XX Internet

How to Verify an Installation of Forefront TMG
Verify that the TMG Server services are installed and started Verify that the MSDE services are installed and started Review the setup log files Check the Application Log in the Event Viewer Check for TMG Server Alerts

Verify after installation: Service
TMG Service Installing the MSDE service also creates the initial log files for TMG Server. By default, these log files are located in C:\Program Files\ Microsoft TMG Server\ISALogs.

Verify after installation: Service cont.
MSSQL Service Installing the MSDE service also creates the initial log files for TMG Server. By default, these log files are located in C:\Program Files\ Microsoft TMG Server\ISALogs.

Default Configuration for Forefront TMG
Web Proxy requests will be retrieved directly from the Internet Caching is disabled A rule enabling access to the TMG Client installation share is configured if you install the TMG Client installation files No servers are published System policy permits access to the TMG Server but access rules deny all network traffic through the TMG Server Traffic is routed between the TMG Server and all other networks Only Administrators can modify firewall policies Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation Traffic is routed between the VPN network and the Internal network Only Administrators can modify firewall policies Traffic is routed between the TMG Server and all other networks Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation Traffic is routed between the VPN network and the Internal network System policy permits access to the TMG Server but access rules deny all network traffic through the TMG Server No servers are published Web Proxy requests will be retrieved directly from the Internet Caching is disabled A rule enabling access to the TMG Client installation share is configured if you install the TMG Client installation files

Example: Default Configuration

Example Default Firewall Policy
โดย Default จะ Deny ทุกกรณี

Practice: Verifying the Installation and Default Configuration of Forefront TMG
Verifying the successful installation of Forefront TMG Examining the default installation of Forefront TMG TMG-XX Internet

Migration Options from ISA Server to Forefront TMG
Import the ISA Server Configuration Extract the ISA Server 2006 configuration ISA Server 20006 Install Forefront TMG ISA2K4 > ISA2K6 Enterprise Edition import or upgrade to Enterprise Edition >> can Standard Edition import or upgrade to Standard Edition >> can Standard Edition import or upgrade to Enterprise Edition >> cannot Enterprise Edition import or upgrade to Standard Edition >> cannot Remark: ISA Server 2006 cannot upgrade to TMG directly due to 64 bits platform

Lesson: Choosing TMG Server Clients
Types of TMG Server Clients How to Configure a SecureNAT Client How to Configure Web Proxy Clients Guidelines for Choosing an TMG Server Client

Types of TMG Server Clients
Does not require you to deploy client software Internet SecureNAT Client TMG Server TMG Clients. TMG Clients are computers that have TMG Client software installed and enabled. When a computer with the TMG Client software installed makes a request for resources on the Internet, the request is directed to the Firewall service on the TMG Server computer. The Firewall service will authenticate and authorize the user and filter the request based on Firewall rules and application filters or other add-ins. The Firewall service may also cache the requested object or serve the object from the TMG Server cache by using the Web Proxy filter. TMG Clients provide the highest level of functionality and security. SecureNAT clients SecureNAT clients are computers that do not have TMG Client software installed. Instead, SecureNAT clients are configured to route all requests for resources on other networks to an internal IP address on the computer running TMG Server. If the network includes only a single segment, the SecureNAT client is configured to use the internal IP address on the computer running TMG Server as the default gateway. Requests from SecureNAT clients are directed first to the network address translation (NAT) driver, which substitutes the TMG Servers external IP address for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine if access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the TMG Server cache. The SecureNAT clients are easiest to configure because you need to configure only the default gateway on the client computers. Web Proxy clients. Web Proxy clients are any computers that run CERNcompatible Web applications such as Web browsers. Requests from Web Proxy clients are directed to the Firewall service on the TMG Server computer to determine if access is allowed. The Firewall service may also cache the requested object or serve the object from the TMG Server Web cache. Because most client computers already run Web Proxycompatible applications, Web Proxy clients do not require any special software to be installed. However, the Web application must be configured to use the TMG Server Web Proxy Client TMG Client Improves the performance of Web requests for internal clients Allows internet access only for authenticated users

Guidelines for Choosing an TMG Server Client
If you need to… Then use… Avoid deploying client software SecureNAT clients Use TMG Server only for forward caching SecureNAT or Web Proxy clients Allow access only for authenticated clients TMG Clients or Web Proxy clients Publish servers on your internal network Improve Web performance for non-Windows operating systems SecureNAT > ไม่ต้องติดตั้ง , non windows สามารถใช้ได้, ใช้แค่ server publishing Web Proxy > authen ได้, web performance, authen ได้เฉพาะการใช้งานผ่าน web TMG Client > authen ได้, web performance, most secure , authen ได้ทุก protocol เช่น web, ftp, pop3 เป็นต้น

Client Characteristics

How to Configure a SecureNAT Client
SecureNAT clients do not require client installation or client configuration On a single subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway On a multiple subnet network, configure the IP address of the router as the SecureNAT client default gateway

How to Configure Web Proxy Clients

Monitoring Session on TMG

Practice: Configuring SecureNAT and Web Proxy Clients
Configuring TMG Server to log client connections Configuring and testing a SecureNAT client Configuring and testing a Web Proxy client Internet-xx TMG-XX Guest > Client by WinXP, ISA Host > Internet-xx ( Web Only ) ( Multiple IP > Nectec, Internet( xx)) Internet Clientxx

Lesson: Installing and Configuring TMG Clients
How to Configure TMG Client Settings The TMG Client Installation and Configuration Process Options for Automating the TMG Client Installation

How to Configure TMG Client Settings

The TMG Client Installation and Configuration Process
Uses a common Winsock service provider that other Winsock applications use to connect to application servers Intercepts Winsock client application calls for remote application servers and redirects the request to TMG Server Install the TMG Client: From the TMG Client share on computer running TMG Server or another network share

Practice: Installing the TMG Client
Configuring the TMG Client settings on TMG Server Installing the TMG Client Internet-xx Web TMG-XX Internet Clientxx

Step for Setup TMG Client
เรียกจากแผ่นติดตั้ง

Step for Setup TMG Client cont.
ทำการ Setup ตามขั้นตอน Wizard ระบุ TMG Server

เมื่อเสร็จแล้วให้ทำการ restart add record ของ TMG เข้าไปใน host file.

Automatic Setting Automatic Setting Depend on ISA Configuration.

Automatic Setting Depend on ISA Configuration.

Options for Automating the TMG Client Installation
Software package distributed using Group Policies Unattend Installation Path\Setup.exe /v " [SERVER_NAME_OR_IP=ISA_Server_Name] [ENABLE_AUTO_DETECT={1|0}] [REFRESH_WEB_PROXY={1|0}]/qn " Unattended installation SMS package distributed to specific clients using SMS

Configuring Administrative Roles
TMG Server Administrative Roles Role Description Forefront TMG Auditor Full Access Monitoring Read only ISA Configuration Forefront TMG Monitoring Auditor Restricted Access Monitoring View Session, Query Service Status View and Reset Alerts Forefront TMG Administrator Can perform all administrative tasks

Example for Delegate Job for ISA Role
Properties of TMG Server

Best Practices for Securing the Server
Securing TMG Server Do Not Install TMG Server on a Domain Controller Avoid Installing an Internet Edge Server on a Domain Member Rename the Administrator Account Disable Unused Functionality Apply Window Server Security Best Practices

Lesson: Maintaining Forefront TMG
About Exporting and Importing the ISA Server Configuration About Backing Up and Restoring the ISA Server Configuration Remote Administration Options for TMG Server

About Exporting and Importing the TMG Server Configuration
Use export and import to clone an TMG Server or to save a configuration for troubleshooting or to roll back a configuration change You can export the entire TMG Server configuration, or any individual or group of configuration settings Importing a configuration overwrites all settings from the exported file

About Backing Up and Restoring the TMG Server Configuration
Use back up to create a configuration file that can be used for disaster recovery Back up creates a file with the entire TMG Server configuration Restoring a back up overwrites all TMG Server settings

Remote Administration Options for TMG Server
Use remote administration to manage physically secured servers or servers in other offices Use Remote Desktop or Terminal Services to manage all settings on the server running TMG Server Use the TMG Server Management MMC to manage TMG Server settings remotely Configure the server running TMG Server to enable Remote Desktop and configure System Policy to enable remote MMC management

Practice: Remote Management for TMG
Using Remote Desktop for remote management Using MMC for remote management TMGxx Clientxx

Module 3: Enabling Access to Internet Resources

Overview Forefront TMG as a Proxy Server
Configuring Multi-Networking on TMG Server Configuring Access Rule Elements Configuring Access Rules for Internet Access

Lesson: Forefront TMG as a Proxy Server
How TMG Server Enables Secure Access to Internet Resources Why Use a Proxy Server? How Does a Forward Web Proxy Server Work? What Is a Reverse Web Proxy Server? How to Configure TMG Server as a Proxy Server DNS Configuration for Internet Access How to Configure Web Chaining How to Configure Dial-Up Connections

How TMG Server Enables Secure Access to Internet Resources
Is the … User allowed access? Computer allowed access? Protocol allowed? Destination allowed? Content allowed? TMG Server Web Server Proxy Server

Why Use a Proxy Server? Improved Internet access security:
TMG Server Web Server Improved Internet access security: User authentication Filtering client requests Content inspection Logging user access Hiding the internal network details Improved Internet access performance

How Does a Forward Web Proxy Server Work?
Is the … User allowed access? Protocol allowed? Destination allowed? 3 6 1 5 2 4 TMG Server Web Server

What Is a Reverse Web Proxy Server?
Is the … Request allowed? Protocol allowed? Destination allowed? Web Server 3 DNS Server 4 5 2 1 TMG Server 6

How to Configure TMG Server as a Proxy Server

DNS Configuration for Internet Access
If no internal DNS server is available to resolve Internet addresses, configure the TMG Server clients to use an Internet DNS server Configure TMG Server clients to use an internal DNS server if the DNS server can resolve Internet addresses TMG Server can proxy DNS requests for Web proxy and TMG Clients but not for SecureNAT clients TMG Server includes a DNS cache that caches the results of all DNS lookups performed through TMG Server

- Client จะเป็นคนถาม DNS Server เอง
DNS Request by Client Secure NAT - Client จะเป็นคนถาม DNS Server เอง Web Proxy Client, TMG Client - TMG จะเป็นคนถาม DNS Server เอง ( Proxy DNS Request)

Practice: Configuring DNS
Configure Client use Internal DNS Configure Internal DNS by Internal Technique Configure Internal DNS by Internet Technique Internet-xx Web DNS TMG-XX Internet Clientxx SV-xx DC DNS DHCP

How to Configure Web Chaining
Internet Branch Office Branch Office Head Office

Example Web Chaining

Practice: Configuring TMG Server as a Web Proxy Server
Configuring the proxy server settings on TMG Server Internet-xx Web DNS TMG-XX Internet Clientxx SV-xx DC DNS Server DHCP Server

Lesson: Configuring Multi-Networking on TMG Server
How Does Forefront TMG Support Multiple Networks? Default Networks Enabled in TMG Server About Network Objects How to Create and Modify Network Objects What Are Network Rules?

How Does Forefront TMG Support Multiple Networks?
Support any Number of Networks VPN Networks Represented as Networks Dynamic Network Membership Per Network Rules Per Network Policies Network Sets Internet VPN Perimeter1 LAN1 LAN2 Perimeter2

Default Networks Enabled in TMG Server
Includes Local Host The TMG Server Default External All IP addresses not associated with another network Internal All IP addresses specified as internal during installation VPN Clients All IP addresses for currently connected VPN clients Quarantined VPN Clients All IP addresses of connected VPN clients that have not cleared quarantine

Example Default Network on ISA2006

About Network Objects Network Object Includes Network
All computers connected to a single network interface Network Set One or more networks Computer A single computer identified by an IP address Computer Set All computers included in specified computer, subnet or address range objects Address Range All computers identified by continuous IP addresses Subnet All computers on a specified subnet URL Set All specified URLs Domain Name Set All specified domain names Web Listener The IP address on which the TMG Server listens for connections

How to Create and Modify Network Objects
Click Firewall Policy, Toolbox, then Network Objects Click Networks, then Networks or Network Sets

What Are Network Rules? Route connection: NAT connection:
A route relationship is bidirectional If a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A NAT connection: A NAT relationship is directional Addresses from the source network are always translated when passing through TMG Server

Practice: Managing Network Objects
Configuring a new network on TMG Server Configuring a new network rule on TMG Server Configuring a new computer network object on TMG Server TMG-XX Internet

Lesson: Configuring Access Rule Elements
What Are Access Rule Elements? How to Configure Protocol Elements How to Configure User Elements How to Configure Content Type Elements How to Configure Schedule Elements How to Configure Domain Name Sets and URL Sets

What Are Access Rule Elements?
Used to Configure Protocols The protocols that will be allowed or denied by an access rule Users The users that will be allowed or denied by an access rule Content Types The content type that will be allowed or denied by an access rule Schedules The time of day when Internet access will be allowed or denied by an access rule Network Objects The computers or destinations that will be allowed or denied by an access rule

***Example Policy ***

How to Configure Protocol Elements

How to Configure User Elements
Use Authenticated User Use Somchai ( IT Users ) Use Somying ( Sales Users )

How to Configure User Elements
ไม่ support protocol เรื่องเกี่ยวกับการ ping กรณีเป็น HTTPที่ใช้งานผ่าน browser จำเป็นต้องเป็น client 2 ประเภท คือ Web Proxy, TMG Client โดย 2.1 ถ้ามี user ที่ตรงกับรายชื่อ user ใน TMG จะดูว่าตกลงใน policy สามารถเข้าใช้งานได้หรือเปล่า (windows integrated) 2.2 ถ้ามี user ไม่ตรงกับรายชื่อ user ใน ISA จะทำการ popup เพื่อระบุ user logon กรณีที่เป็น protocol อื่นๆ จำเป็นต้องเป็น TMG Client เท่านั้นและต้องมีรายชื่อของ ทั้ง Client และ TMG ตรงกันด้วย Remark ยกเว้น DNS กรณีที่ใช้ Web Proxy หรือ TMG Client จะใช้ DNS ของ ISA โดยตรง.. ( ไม่มีการ authen ) Ping ควรใช้ All Users เท่านั้น

Summary กฏที่ใช้ในการ assign ใน Firewall Policy
ถ้า user ที่ระบุไว้เป็นสมาชิกทั้ง 2 กลุ่ม แต่ขัดแย้งกันจะเชื่อ except ก่อนเสมอ somchai หมดสิทธิ เข้าใช้งาน !!!!

How to Configure Content Type Elements ( ทำได้เฉพาะ HTTP เท่านั้น )
Define the MIME types and file extensions to include Test by Use HTTP ( .txt, jpg, bmp ) กรณีที่ยังมีอยู่ให้ clear cache ใน IE ก่อน Internet Option > General > Temporary Internet Files > Delete Files

Example Content Types If not allow All Image in policy See result like this ( work only HTTP Traffic )

How to Configure Schedule Elements
Define the times when this schedule is active or inactive

How to Configure Domain Name Sets and URL Sets
Use this to configure access to an entire domain Use this to configure access to a URL User Computer Set >> ระบุ IP จะโดนทั้ง fqdn และ ip นั้นๆ User URL Set >> โดนเฉพาะ URL ที่ระบุ , IP นั้นๆจะไม่โดน

Example Block Bad Website
การกำหนด firewall policy ควรกำหนด - URL ที่ไม่อนุญาต - IP ของ Server ที่ไม่อนุญาต User Computer Set >> ระบุ IP จะโดนทั้ง fqdn และ ip นั้นๆ User URL Set >> โดนเฉพาะ URL ที่ระบุ , IP นั้นๆจะไม่โดน

Example Block Bad Website cont.
User Computer Set >> ระบุ IP จะโดนทั้ง fqdn และ ip นั้นๆ User URL Set >> โดนเฉพาะ URL ที่ระบุ , IP นั้นๆจะไม่โดน

Logic ในการคิด Firewall Policy
การอ่าน Policy จะทำการอ่านจากบนลงไปล่าง ถ้าเกิดเข้า กฏตัวไหนก่อนจะ apply ทันที โดยจะไม่ไปอ่านกฏอื่นๆ อีก อ่านจากบนลงล่าง เจอตัวไหนก่อนทำทันที

Practice: Configuring Firewall Rule Elements
Configuring a new user set Configuring a new content type element Configuring a new schedule element Configuring a new URL set Internet-xx Web DNS TMG-XX Internet Clientxx SV-xx DC DNS Server DHCP Server

Lesson: Configuring Access Rules for Internet Access
What Are Access Rules? How Network Rules and Access Rules Are Applied About Authentication and Internet Access How to Configure Access Rules How to Configure HTTP Policy How to Troubleshoot Access to Internet Resources

What Are Access Rules? Access rules always define: Destination Network
Destination IP Destination Site action on traffic from user from source to destination with conditions Allow Deny User Protocol IP Port/Type Source network Source IP Schedule Content Type

How Network Rules and Access Rules Are Applied
3 4 5 1 2 6 TMG Server Web Server Domain Controller

About Authentication and Internet Access
Authentication and TMG Server Clients Authentication Methods Basic authentication Digest authentication Integrated Windows authentication Digital certificates authentication RADIUS authentication RSA SecureID authentication SecureNAT clients. For SecureNAT clients, there is no user-based authentication. You can restrict access to the Internet based only on network rules and other access rules. TMG Clients. When TMG Server authenticates a TMG Client, it uses the credentials of the user making the request on the computer running the TMG Client. Because TMG Client authentication is automatic, no client configuration is required to enable authentication of users who gain access to TMG Server by using a TMG Client. Web proxy clients. Web proxy clients do not automatically send authentication information to TMG Server. By default, TMG Server requests credentials from a Web proxy client to identify a user only when processing a rule that restricts access based on a user element. You can configure which method the client and TMG Server use for authentication. You can also configure TMG Server to require authentication for all Web requests. Basic authentication. Prompts users for a user name and password before allowing Web access. Basic authentication sends and receives user information as plaintext and does not use encryption. Basic authentication is not a secure authentication method unless the network traffic is encrypted by using SSL. Because basic authentication is part of the HTTP specification, most browsers support it. Digest authentication. Passes authentication credentials through a process called hashing. Hashing creates a string of characters based on the password but does not send the actual password across the network, ensuring that no one can capture a network packet containing the password and impersonate the user. Digest authentication currently works only in a domain in which all of the domain controllers are running Windows 2000 or Windows Server 2003 and users are using Internet Explorer 5 or later. Digest authentication works only if the domain controller has a reversibly encrypted copy of the requesting users password stored in Active Directory. Integrated Windows authentication. Uses either the Kerberos V5 authentication or NTLM protocols, which do not send the user name and password across the network. Integrated Windows authentication works with Internet Explorer 2.0 or later. Use Integrated Windows authentication when all of the client computers use Internet Explorer. Integrated Windows authentication is the default authentication method used by members of the Windows 2000 and Windows Server 2003 family. Digital certificates authentication. Requests a client certificate from the client before allowing the request to be processed. Users obtain client certificates from a certification authority that can be internal to your organization or a trusted external organization. Client certificates usually contain identifying information about the user and the organization that issued the client certificate. Use client certificate authentication when your organization requires certificates for user authentication. Web proxy clients do not support client certificate authentication, but this option can be used in a Web chaining configuration. Remote Authentication Dial-In User Service. RADIUS is an industry standard authentication protocol. A RADIUS client (typically a dial-up server, virtual private network [VPN] server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates the RADIUS client request, and sends back a RADIUS message response. RADIUS authentication is more frequently used to provide authentication for accessing resources on the internal network from the Internet. RSA SecureID authentication. TMG Server 2004 enables the option to authenticate users based on authentication credentials from the RSA SecurID product from RSA Security, Inc. The SecurID product enforces a requirement that a remote user must have two factors of authentication to gain access to protected resources. These two factors are something that the user knows, (a personal identification number, or PIN), and something that a user has (a physical token). Neither the PIN nor the token will grant access in isolation from each other. Both are required. RSA SecureID authentication is more frequently used to provide authentication for accessing resources on the internal network from the Internet.

How to set Authentication.
Test Set Digest >>> Result not work ( bcos of not have domain ) Test Set Integrated >>> Result is work ( use NTLM ) and sniff by cain Test Set Basic >>> Result is work ( But Password clear text ) and sniff by cain

Type of Standard Authentication
Basic Authentication - จะมีการส่ง password โดยแบบ clear text ควรใช้ร่วมกับ SSL - ใช้งานร่วมกับ Client ส่วนใหญ่ได้ - ไม่ support single sign-on

Example Basic Authentication
Most support for Browser Not encryption ****** Basic Clear text.

Digest Authentication - มีการส่งค่า password โดยใช้ Hashing - ใช้กับ user ที่มีรายชื่ออยู่ภายใต้ Active Directory เท่านั้น

Example Digest Authentication
Send user and Password By use Hashing Work only Domain Account

Integrated with Windows Authentication - User ไม่จำเป็นต้องใส่ค่า user และ password - server จะทำการคุยกับ client computer ด้วยตัวเองว่า user ที่ทำการ logon อยู่ที่เครื่องคือใคร - กรณี account ไม่ตรงกันจะ pop up authen ขึ้นมา - Encryption

Example Windows Integrated
Integrated with windows account จะใช้ window account ทำการ logon อัตโนมัติ กรณี account ไม่ตรงกันจะ pop up authen ขึ้นมา Encryption

How to Configure Access Rules

Practice: Integrated TMG with NPS (Radius Server)
Installing NPS Server Set Radius Server, Radius Client Configure Firewall Policy with Radius Internet-xx Web DNS TMG-XX Internet Clientxx SV-xx DC DNS Server NPS

How to Troubleshoot Access to Internet Resources
To troubleshoot Internet access issues: Check for DNS name resolution Determine the extent of the problem Review access rule objects and access rule configuration Review access rule order Check access rule authentication Use TMG Server logging to determine which access rule is granting or denying access

What Are Web Access Policy?
New Feature of TMG: A new wizard based tool Focus only HTTP/HTTPS Functionality like malware inspection Include HTTPS Outbound Inspection Use malware inspection can update definition directly with update center (Microsoft Update or WSUS)

How to use Web Access Policy

How to use Web Access Policy: Web Destinations

How to use Web Access Policy: Malware Inspection

How to use Web Access Policy: HTTPS Inspection

Lab: Enabling Access to Internet Resources
Exercise 1: Configuring TMG Server Access Rule Elements Exercise 2: Configuring TMG Server Access Rules Exercise 3: Testing TMG Server Access Rules

Module 4: Configuring TMG Server as a Firewall

Overview Using TMG Server as a Firewall
Examining Perimeter Networks and Templates Configuring System Policies Configuring Intrusion Detection and IP Preferences

Lesson: Using TMG Server as a Firewall
What Is a TCP/IP Packet? What Is Packet Filtering? What Is Stateful Filtering? What Is Application Filtering? What Is Intrusion Detection? How Forefront TMG Filters Network Traffic Implementing Forefront TMG as a Firewall

Network Interface Layer
What Is a TCP/IP Packet? Network Interface Layer Destination Address: 0003FFD329B0 Source Address: 0003FFFDFFFF Physical payload Internet Layer Destination: Source: Protocol: TCP IP payload Transport Layer Destination Port: 80 Source Port: 1159 Sequence: Acknowledgment: TCP payload Application Layer HTTP Request Method: Get HTTP Protocol Version: =HTTP/1.1 HTTP Host: =

What Is Packet Filtering?
Is the … Source address allowed? Destination address allowed? Protocol allowed? Destination port allowed? Web Server Packet Filter TMG Server

What Is Stateful Filtering?
Connection Rules Create connection rule Web Server Is packet part of a connection? Web Server TMG Server

What Is Application Filtering?
Get Get method allowed? Respond to client Web Server TMG Server Does the response contain only allowed content and methods?

What Is Intrusion Detection?
Alert the administrator Port scan limit exceeded All ports scan attack TMG Server

Implementing Forefront TMG as a Firewall
To configure TMG Server as a firewall: Determine perimeter network configuration Configure networks and network rules Configure system policy Configure intrusion detection Configure access rule elements and access rules Configure server and Web publishing

Lesson: Examining Perimeter Networks and Templates
What Is a Perimeter Network? Why Use a Perimeter Network? Network Perimeter Configurations About Network Templates How to Use the Network Template Wizard Modifying Rules Applied by Network Templates

What Is a Perimeter Network?
Firewall Firewall Internet Internal Network

Why Use a Perimeter Network?
A perimeter network provides an additional layer of security: Between the publicly accessible servers and the internal network Between the Internet and confidential data or critical applications stored on servers on the internal network Between potentially nonsecure networks such as wireless networks and the internal network Use defense in depth in addition to perimeter network security

Network Perimeter Configurations
Bastion host Three-legged configuration LAN Perimeter Network Web Server LAN Back-to-back configuration LAN Perimeter Network

About Network Templates
Bastion host Three-legged configuration LAN Perimeter Network Web Server LAN Back-to-back configuration Deploy the 3-Leg Perimeter template Deploy the Edge Firewall template LAN Perimeter Network Deploy the Front-End or Back-End template Deploy the Single Network Adapter template for proxy and caching only

How to Use the Network Template Wizard

How to Use the Network Template Wizard cont.

Modifying Rules Applied by Network Templates
You may need to modify the rules applied by a network template to: Modify Internet access based on user or computer sets Modify Internet access based on protocols Modify network rules to change network relationships You can either change the properties of one of the rules configured by the network template, or you can create a new access rule to apply a specific setting

Lesson: Configuring System Policies
What Is System Policy? System Policy Settings How to Modify System Policy Settings

Disable all functionality that is not required
What Is System Policy? System policy is: A default set of access rules applied to the TMG Server to enable management of the server A set of predefined rules that you can enable or disable as required Modify the default set of rules provided by the system policy to meet your organization’s requirements. Disable all functionality that is not required

System Policy Settings
System policy settings include: Network Services Authentication Services Remote Management TMG Client Diagnostic Services Logging and Monitoring SMTP Scheduled Download Jobs Allowed Sites

How to Modify System Policy Settings

Practice: Modifying System Policy
Examining and modifying the default system policy Testing the modified system policy TMG-XX Internet Clientxx

About Intrusion Prevention Configuration Options
Intrusion Prevention on Forefront TMG: NIS Signature can now be update dynamically. Detects well-known protocols attack: HTTP, DNS, SMB, NetBIOS, MSRPC, SMTP, POP3, IMAP4 and MIME Work together with Microsoft Malware Protection to newly discovery threats.

Example: IPS for TMG

How to Configure Intrusion Prevention

About Intrusion Detection Configuration Options
Intrusion detection on Forefront TMG: Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected Detects well-known IP attacks Includes application filters for DNS and POP that detect intrusion attempts at the application level

Example: IDS for TMG

How to Configure Intrusion Detection

Using Update Center

Module 5: Configuring Access to Internal Resources

Overview Introduction to Publishing Configuring Web Publishing
Configuring Secure Web Publishing Configuring Server Publishing Configuring TMG Server Authentication

Lesson: Introduction to Publishing
Multimedia: Using Forefront TMG to Enable Access to Internal Network Resources What Are Web Publishing Rules? What Are Server Publishing Rules? DNS Configuration for Web and Server Publishing

What Are Web Publishing Rules?
Web publishing rules provide the following features: Secure Web publishing rules enable the use of SSL to encrypt network traffic between client and server Publish HTTP or HTTPS content Application-layer filtering Path mapping User authentication Content caching Publish multiple Web sites with one IP address Link translation Logging client IP address TMG Server

What Are Non-Web Server Publishing Rules?
Server publishing rules provide the following features: Non-Web Server publishing rules forward requests to internal servers based on protocol and port number Publish content using multiple protocols Application layer filtering for protocols with application filters Support for encryption Logging client IP address TMG Server

DNS Configuration for Web and Non-Web Server Publishing
Perimeter Network DNS Server DNS Server 4 2 1 TMG Server 3 Internet Internal Network

Lesson: Configuring Web Publishing
Web Publishing Rules Configuration Components How to Configure Path Mapping How to Configure Web Listeners How to Configure Link Translation How to Configure a New Web Publishing Rule

Web Publishing Rules Configuration Components
Action Name Users Traffic source Public name Web listener Path mappings Bridging Link Translation

How to Configure Path Mapping
Virtual Directories Sales Human Resources Online Store TMG Server

Example Path Mapping

How to Configure Multiple Web Publishing
Web2 TMG Server

Example Multiple Web Publishing
Same web listener

How to Configure Web Listeners
Anonymous Web listener CohoVineyard Web Site TMG Server Private Web Site Authenticated Web listener

How to Configure a New Web Publishing Rule
Web Publishing Rule Wizard configuration: Action Published Website Public name Web listener User Sets

Practice: Configuring Web Publishing
Configuring a New Web Listener Configuring a New Web Publishing Rule Testing the Web Publishing Rule DMZxx Web Internet-xx Web DNS TMG-XX Internet Clientxx Server-xx DC DNS DHCP

Lesson: Configuring Secure Web Publishing
What Is Secure Sockets Layer? How to Prepare TMG Server for SSL How SSL Bridging Works How SSL Tunneling Works How to Configure a New Secure Web Publishing Rule

What Is Secure Sockets Layer?
Server Authentication Client Authentication Encrypted SSL Connection Web Server

How to Prepare TMG Server for SSL
Import Web Server TMG Server

How SSL Bridging Works TMG Server

How to Configure a New Secure Web Publishing Rule
SSL Web Publishing Rule Wizard configuration: Publishing Mode Action Bridging Mode Published Website Public name Web listener User Sets

Practice: Configuring Secure Web Publishing
Enabling Access to the Certificate Authority Web Site Installing a Server Certificate Configuring a New Secure Web Publishing Rule Testing the Secure Web Publishing Rule InternalWeb-01 InternetWeb-01 TMG-xx Internet DC-xx

Lesson: Configuring Non-Web Server Publishing
Server Publishing Configuration Options How Non-Web Server Publishing Works How to Configure a Non-Web Server Publishing Rule How to Troubleshoot Web and Non-Web Server Publishing

Non-Web Server Publishing Configuration Options
Server publishing rules configuration: Action Traffic Traffic source Traffic destination Networks Schedule

How Non-Web Server Publishing Works
Media Publishing Rule: Port 1755 mms://media.demo.com Demo Media Site Demo FTP Site TMG Server ftp://ftp.demo.com FTP Publishing Rule: Port 21

How to Configure a Non-Web Server Publishing Rule
Non-Web Server Publishing Rule Wizard configuration: Select server to publish Select protocol Select IP addresses where clients will connect

Practice: Configuring Non-Web Server Publishing
Configuring a New Non-Web Server Publishing Rule Testing the Non-Web Server Publishing Rule InternalWeb-01 InternetWeb-01 TMG-xx Internet Server-xx FTP

How to Troubleshoot Web and Non-Web Server Publishing
To troubleshoot Web and server publishing issues: Check the resource availability Check the DNS records Check the error message Check which ports the TMG Server is listening on for connections Check the publishing rule configuration Check the SSL configuration and certificates

Lesson: Configuring TMG Server Authentication
How Authentication and Web Publishing Rules Work TMG Server Web Publishing Authentication Scenarios Using RADIUS for Authentication How to Implement RADIUS Server for ISA Authentication

How Authentication and Web Publishing Rules Work Together
TMG Server uses authentication to grant access to publishing rules: When the publishing rule specifies a user set other than the All Users group Based on the Web listener authentication methods specified for a Web publishing or secure Web publishing rule By processing the firewall rules in order of priority. When a firewall rule matches, but requires authentication, TMG Server will prompt for user credentials

TMG Server Web Publishing Authentication Scenarios
Web Server authentication TMG Server authentication TMG Server TMG Server and Web server authentication

Using RADIUS for Authentication
RADIUS Server RADIUS Client TMG Server Domain Controller Using RADIUS for authentication means that TMG Server can authenticate users based on their Active Directory credentials without requiring that the computer running TMG Server be a member of an Active Directory domain

How to Implement RADIUS Server for TMG Authentication
To implement RADIUS authentication: Install and configure NPS to use Active Directory for authentication and configure the TMG Server as a RADIUS client 1 Configure the Active Directory user accounts or configure remote access policies to enable dial-in access 2 Configure TMG Server to use the RADIUS server and configure a Web listener to use RADIUS authentication 3

Lab: Configuring Access to Internal Resources
Exercise 1: Configuring TMG Server Authentication and Secure Publishing Exercise 2: Testing the TMG Server Configuration InternalWeb-01 InternetWeb-01 TMG-xx Internet DC-xx

Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks

Overview Virtual Private Networking Overview
Configuring Virtual Private Networking for Remote Clients Configuring Virtual Private Networking for Remote Sites Configuring VPN Quarantine Control Using Forefront TMG

Lesson: Virtual Private Networking Overview
What Is Virtual Private Networking? VPN Protocol Options VPN Authentication Protocol Options VPN Quarantine Control Virtual Private Networking Using Routing and Remote Access Virtual Private Networking Using Forefront TMG Benefits of Using TMG Server for Virtual Private Networking

What Is Virtual Private Networking?
TMG Server Branch Office

VPN Protocol Options L2TP/IPSec advantages and disadvantages
Factor PPTP advantages and disadvantages L2TP/IPSec advantages and disadvantages Client operating systems supported Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98 Windows 2000 up Certificate support Requires a certificate infrastructure only for EAP-TLS authentication Requires a certificate infrastructure or a pre-shared key Security Provides data encryption Does not provide data integrity Provides data encryption, data confidentiality, data origin authentication, and replay protection NAT support To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP To locate L2TP/IPSec–based clients or servers behind a NAT, both client and server must support IPSec NAT-T

VPN Authentication Protocol Options
Considerations PAP Uses plaintext passwords and is the least secure authentication protocol SPAP Uses a reversible encryption mechanism employed by Shiva CHAP Requires passwords stored by using reversible encryption Compatible with Macintosh and UNIX-based clients Data cannot be encrypted MS-CHAP Does not require that passwords be stored by using reversible encryption Encrypts data MS-CHAPv2 Performs mutual authentication Data is encrypted by using separate session keys for transmitted and received data EAP-TLS Most secure remote authentication protocol Enables multifactor authentication

VPN ต้องมีการ Authentication
PAP ใช้รหัสผ่านตรวจสอบอย่างเดียว SPAP กลไกการตรวจสอบรหัสผ่านแบบ Reversible CHAP ต้องการรหัสผ่านที่เก็บ และใช้แบบ Reversible encryption MS-CHAP เป็นเทคนิคการ Reversible ของ Microsoft MS-CHAPv2 เป็นเทคนิคการทำ Mutual authentication EAP-TLS เป็นความปลอดภัยที่อาศัยหลากหลายกลไก 187

PAP & SPAP S1 รหัสผ่าน PAP S2 SPAP นำรหัสผ่านตรวจสอบผู้ล็อกออน
Positive 188

CHAP MS-CHAP CHAP, MSCHAP A pass1 S2 S1 นำชื่อผู้ใช้+รหัสผ่าน ตอบ Ack
B pass2 C pass3 MS-CHAP Algorithm A Algorithm A เข้ารหัสด้วยเทคนิค นำชื่อผู้ใช้+รหัสผ่าน ถอดรหัสด้วยเทคนิค ตอบ Ack 189

MS-CHAP v 2 MSCHAP v2 Mutual Authentication A + pass1 นำชื่อผู้ใช้ A
B pass2 C pass3 Validation Key (Server) Validation Key (Login) Validation Key เข้ารหัสด้วยเทคนิค ถอดรหัสด้วยเทคนิค ถ้า Validation Key จาก Login กับ Server ตรงกันยอมให้ผ่าน 190

EAP-TLS (Extensible Authentication protocol-Transport layer Security)
Multi Factor Authentication A pass1 smartcard B pass2 smartcard C pass3 smartcard A+pass1 + MD5 หรือ Smart card A+pass1 เข้ารหัสในการขนส่งระหว่างติดต่อ 191

VPN Quarantine Control
Enables screening of VPN client machines before granting them access to the organization’s network Uses a client script that analyzes the security configuration of the remote access client VPN clients connecting to TMG Server with approved security configurations are moved from the VPN Quarantine network to the VPN Clients network

Virtual Private Networking Using Routing and Remote Access
RRAS supports: Remote access policies that define remote access connections and connection parameters Connection Manager components to simplify the configuration of remote access clients RADIUS servers for authentication and the centralization of remote access policies VPN quarantine control to restrict network access to quarantined clients Packet filtering for securing VPN and network quarantine connections

Virtual Private Networking Using Forefront TMG
TMG Server enables VPN access: Including remote client VPN access for individual clients and site-to-site VPN access to connect multiple sites By enabling VPN-specific networks including: VPN Clients network Quarantined VPN Clients network Remote-site networks By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running TMG Server By extending RRAS functionality

Benefits of Using TMG Server for Virtual Private Networking
Explanation Connection security TMG Server uses firewall access policies to inspect and filter all traffic from VPN clients Performance TMG Server is optimized to enforce complex security requirements on VPN connections Quarantine control for Windows 2000 VPN quarantine is not available in Windows 2000 RRAS but can be enabled with TMG Server 2004 on Windows 2000 Logging and monitoring TMG Server can log all VPN connections and enables live monitoring of VPN connections IPSec tunnel-mode stateful inspection Enables stateful inspection to enforce user/group, site, computer, protocol, and application-layer access controls for IPSec tunnel-mode traffic Enhanced protection TMG Server is protected via firewall access policy on all interfaces

Lesson: Configuring Virtual Private Networking for Remote Clients
VPN Client Access Configuration Options How to Enable and Configure VPN Client Access Default VPN Client Access Configuration How to Configure VPN Address Assignment How to Configure VPN Authentication How to Configure Authentication Using RADIUS How to Configure User Accounts for VPN Access How to Configure VPN Connections from Client Computers

VPN Client Access Configuration Options
Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options

How to Enable and Configure VPN Client Access
Use user mapping is to apply firewall policies to users who do not use Windows authentication

Default VPN Client Access Configuration
Component Default Configuration System policy rules System policy rule that allows the use of PPTP, L2TP, or both is enabled VPN access network TMG Server will listen for VPN client connections only on the External network VPN protocols Only PPTP is enabled for VPN client access Network rules A route relationship between the VPN Clients network and the Internal network A NAT relationship between the VPN Clients network and the External network Firewall access rules No firewall access rules are enabled Remote access policy Default policy requires MS-CHAP v2 authentication

How to Configure VPN Address Assignment
Configure DNS and WINS servers using DHCP or manually Configure static IP address assignment or DHCP

How to Configure VPN Authentication
Accept default for secure authentication Configure EAP for additional security Configure less secure options only if required for client compatibility

How to Configure Authentication Using RADIUS
Enable RADIUS for authentication and accounting, and then configure a RADIUS server

How to Configure User Accounts for VPN Access
Configure dial-in and VPN access permissions

How to Configure VPN Connections from Client Computers

Practice: Configuring VPN Access for Remote Clients
Configuring VPN access on TMG Server Configuring user account dial-in permissions Configuring and testing a VPN client configuration Client-XX TMG-XX Internet Den-DC-01

What Is SSTP VPN? New Feature VPN on TMG Server for tunnels PPP connections over an SSL encrypted HTTP connection. SSTP provides: Enhance connectivity channel — no need to use only PPTP and L2TP/IPSec Ease of Manage Firewall Policy (only allow Port 80/443 ) Client requirement: Remark: Site to Site VPN cannot use in SSTP VPN. Vista SP1 and above. Need to Place CA Certificate in Trust Root CA.

How to Set SSTP VPN? SSTP VPN Server Require:
Only Windows 2008 or Windows 2008 R2 TMG need to request Web Server Certificate. Web Listener is configured to allow anonymous connections. Give dedicated IP Address for the Web listener. Can not use together with Web listener that’ use for pre-authen published Web servers. If use Internal CA: need to publish CRL (Certificate Revocation List) to client by http channel.

How does SSTP VPN Work? Process on below.

Lesson: Configuring Virtual Private Networking for Remote Sites
Site-to-Site VPN Access Configuration Components About Choosing a VPN Tunneling Protocol How to Configure a Remote-Site Network Network and Access Rules for Site-to-Site VPNs How to Configure the Remote-Site VPN Gateway Server How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

Site-to-Site VPN Access Configuration Components
Default Configuration Choose a VPN protocol Choose the appropriate protocol-based security requirements and the VPN gateway servers Configure a remote-site network The remote-site network includes all IP addresses in the remote site Configure VPN client access VPN client access must be enabled in order to enable site-to-site access Configure network rules and access rules Use access rules or publishing rules to make internal resources accessible to remote office users Configure the remote-site VPN gateway Configure the remote office VPN server to connect TMG Server and to accept connections from TMG Server

About Choosing a VPN Tunneling Protocol
Use to Comments IPSec Tunnel Mode Connect to non-Microsoft VPN gateways Only option if you are connecting to a non-Microsoft VPN server Requires certificates or pre-shared keys L2TP over IPSec Connect to TMG Server or Windows RRAS VPN gateways Requires user name and password and certificates or pre-shared keys for authentication PPTP Requires user name and password for authentication Less secure than L2TP over IPSec

About Choosing a VPN Tunneling Protocol

How to Configure a Remote-Site Network
Configuration Option Explanation VPN protocol Choose the tunneling protocol that you will use to connect to the remote site Remote VPN server Enter the server name or IP address for the VPN gateway server in the remote site Remote authentication Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server L2TP/IPSec authentication If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel Network address Configure the IP address range for all of the computers in the remote-site network

Network and Access Rules for Site-to-Site VPNs
To enable network traffic across a site-to-site VPN: Two system policy rules are enabled: Allow VPN site-to-site traffic to TMG Server Allow VPN site-to-site traffic from TMG Server Create a network rule for remote-site networks Configure access rules or publishing rules enabling or restricting network access For full access, allow all protocols through TMG Server For limited access, configure access rules or publish rules that define allowed network traffic

How to Configure the Remote-Site VPN Gateway Server
Configure the remote-site VPN gateway to use the same tunneling protocol Configure the connection to the main-site VPN gateway Configure network routing rules that enable or restrict the flow of network traffic between networks

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
Configure a local VPN gateway IP address used by the computer running TMG Server to listen for VPN connections Configure the VPN gateways to use a certificate or a pre-shared key for authentication Configure advanced IPSec settings to optimize VPN security

Lesson: Configuring Quarantine Control Using Forefront TMG
How Does Network Quarantine Control Work? About Quarantine Control on TMG Server How to Prepare the Client-Side Script How to Configure VPN Clients Using Connection Manager How to Prepare the Listener Component How to Enable Quarantine Control How to Configure Internet Authentication Service for Quarantine Control How to Configure Quarantine Access Rules

How Does Network Quarantine Control Work?
TMG Server DNS Server Web Server Domain Controller File Server Quarantine script VPN Quarantine Clients Network VPN Clients Network RQC.exe Quarantine remote access policy VPN Clients Network Domain Controller Web Server Quarantine script Quarantine remote access policy RQC.exe ISA Server DNS Server File Server VPN Quarantine Clients Network

How to Enable VPN Clients Quarantine

About Quarantine Control on TMG Server
To implement quarantine control on TMG Server: Create a client-side script that validates client configuration 1 Use CMAK to create a CM profile for remote access clients 2 Create and install a listener component 3 Enable quarantine control on TMG Server 4 Configure network rules and access rules for the Quarantined VPN Clients network 5

How to Prepare the Client-Side Script
Can be an executable file, a script, or a simple command file Contains a set of tests to ensure that the remote access client complies with network policy Runs Rqc.exe if all of the tests specified in the script are successful Command for running Rqc.exe rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion

How to Configure VPN Clients Using Connection Manager
Configure a quarantine VPN client profile that includes: A post-connect action that runs the client-side script A client-side script that checks the client security configuration A notification component Distribute and install the client profile on all remote clients that require quarantined VPN access

How to Prepare the Listener Component
Command for running ConfigureRQSforISA.vbs Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe ConfigureRQSforISA.vbs: Installs RQS as a Network Quarantine Service Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network Modifies registry keys on the computer running TMG Server so that RQS will work with TMG Server Starts the RQS service

Module 7: Implementing Caching

Overview Caching Overview Configuring General Cache Properties
Configuring Cache Rules Configuring Content Download Jobs

Lesson: Caching Overview
What Is Caching? How Caching Works for Requests for New Objects How Caching Works for Requests for Cached Objects How Content Download Jobs Work How Caching Is Implemented in TMG Server 2004 Web Proxy Chaining and Caching

What Is Caching? TMG Server caching stores a copy of requested Web content in the server memory or on the hard disk TMG Server caching provides: Improved performance — information is stored on the computer running TMG Server Reduced bandwidth usage — no additional Internet network traffic TMG Server caching scenarios include: Forward caching — Internet Web servers Reverse caching — internal Web servers

How Caching Works for Requests for New Objects
Server RAM Server hard disk 6 4 2 3 1 5 TMG Server

How Caching Works for Requests for Cached Objects
Server RAM Server hard disk 2 1 3 TMG Server

How Content Download Jobs Work
Server RAM Server hard disk 4 1 2 3 5 TMG Server

How Caching Is Implemented in Forefront TMG
TMG Server caching optimizes Web caching performance by: Using RAM and disk caching Maintaining the RAM cache in physical memory Maintaining a directory of cached items Using a single cache file Providing quick recovery Using efficient cache updates Providing automatic cleanup

Web Proxy Chaining and Caching
4 Internet 2 5 3 Branch Office Branch Office Head Office 1 6

Lesson: Configuring General Cache Properties
Caching Configuration Components How to Enable Caching and Configure Cache Drives How to Configure Cache Settings

Caching Configuration Components
Explanation Define cache drives Enables caching by configuring a cache drive for storing the cached content Configure caching settings Modifies the default TTL and types of cached content Configure caching rules Enables unique caching policies for specific Web content Configure content download jobs Enables the prefetch of content before clients request the content

How to Enable Caching and Configure Cache Drives

How to Enable Caching and Configure Cache Drives cont.
Caching is disabled by default on Forefront TMG. When you enable caching, TMG Server creates a file with an initial size equal to the size you chose for the maximum cache size on the hard disk

Practice: Configuring General Cache Properties
Enabling Web Caching on TMG Server Configuring Web caching on TMG Server TMG-XX Internet

Lesson: Configuring Cache Rules
What Are Cache Rules? How to Create a Cache Rule Managing Cache Rules

การกำหนดค่ารายละเอียดใน Caching
โดยทั่วไปจะมี Default Cache ดีฟอลท์จะกำหนด To: All Network กำหนดค่าของ HTTP และ FTP กำหนดการดาวน์โหลดอัตโนมัติ กำหนดค่าขนาดของไฟล์ที่เก็บแคชของ HTTP กำหนดขนาดไฟล์ของ FTP 239

What Are Cache Rules? Cache rule options Default cache rule
Define the destination set that the rule applies to Applies to all Web content Define how content is returned to the user Returns non-expired content to the user Define whether content is stored in the cache Caches the default cacheable objects Define whether to cache HTTP, FTP, or both types of content Enables caching of both HTTP and FTP content Define the maximum size for cached objects Does not apply any size restrictions to cached objects Define whether to cache SSL content Caches SSL content

How to Create a Cache Rule
Cache Rule Wizard Page Configuration Options Cache Rule Destinations Use destination sets to define the Web content that this rule applies to Content Retrieval Defines how TMG Server responds to client requests if the content is or is not in cache Cache Content Defines the types of content TMG Server will cache Cache Advanced Configuration Defines maximum size for caching objects and SSL response caching HTTP Caching Enables and configures TTL settings for HTTP content FTP Caching Enables and configures TTL settings for FTP content

Managing Cache Rules Managing cache rules includes:
Modifying the cache rule configuration after creating the rule Modifying the cache rule order to evaluate cache rules for specific Web sites before cache rules for all Web sites Disabling or deleting cache rules that are no longer required Exporting the cache rule configuration before modifying the cache rules in case the modification is not successful

กำหนดแคชใน HTTP 243

HTTP Cache (Case 1) Web Client Web Server 2 1 HTTP Header Ex: 1 Days 3
Set 20% of TTL >> 24/5 = 4.8 Hours (Interval update) Set 50% of TTL >> 24/2 = 12 Hours Set Min & Max 1 Hours & 24 Hours Select 4.8 Hours for 20% Select 12 Hours for 50% 244

HTTP Cache (Case 2) Web Client Web Server 2 1 HTTP Header Ex: 1 Week 3
1 Days Set 20% of TTL >> 7*24/5 = 33.6 Hours (Interval update) Set 50% of TTL >> 7*24/2 = 86 Hours Set Min & Max 1 Hours & 24 Hours Select 24 Hours for 20% Select 24 Hours for 50% 245

HTTP Cache (Case 3) Web Client Web Server 2 1 HTTP Header Ex: 2.5 Days
Set 20% of TTL >> 2.5*24/5 = 12 Hours (Interval update) Set 50% of TTL >> 2.5*24/2 = 30 Hours Set Min & Max 1 Hours & 24 Hours Select 12 Hours for 20% Select 24 Hours for 50% 246

Content Retrieval ถ้ามีแคชอยู่ และยังไม่หมดอายุ ถ้าไม่มีจะวิ่งไปที่เว็บภายนอก ถ้ามีแคชไม่ว่าจะหมดอายุหรือไม่จะตอบกลับให้ ถ้าไม่มีจะวิ่งไปที่เว็บภายนอก ใช้เฉพาะกรณีที่มีเก็บไว้ในแคช ถ้าไม่มีไม่ยอมให้ติดต่อออกภายนอก 247

Practice: Configuring Cache Rules
Configuring cache rules on TMG Server TMG-XX Internet

Lesson: Configuring Content Download Jobs
What Are Content Download Jobs? How to Create a Content Download Job Managing Content Download Jobs

What Are Content Download Jobs?
Allow you to schedule content for download at a specific time even if no user on the network has requested the content Improve Internet access performance Can be used to download content to the branch office during nonworking hours Can be used to ensure access to critical Internet content even when the Internet connection is not available

How to Create a Content Download Job
Content Download Job Wizard Page Configuration Options Download Frequency Defines a schedule for when the content download will occur Content Download Defines the content that will be downloaded Includes maximum links, objects, and concurrent connections used for downloads Content Caching Defines what types of content to cache Defines the TTL for cached content

Managing Content Download Jobs
Managing content download jobs includes: Modifying the content download job configuration after creating the job Starting content download jobs outside the scheduled time or stopping content download jobs that are running Disabling or deleting content download jobs that are no longer required

Practice: Configuring Content Download Jobs
Creating a Content Download Job Internet-Web-XX TMG-XX Internet

Module 8: Monitoring Forefront TMG

Overview Monitoring Overview Configuring Alerts
Configuring Session Monitoring Configuring Logging Configuring Reports Monitoring Connectivity Monitoring Services and Performance

About Monitoring the Server Running TMG Server
TMG Server monitoring tasks include Task Description Monitor Event Viewer Includes information about service failures, application errors, and warnings Use the TMG Server Dashboard Single interface for ISA alerts and performance Review the TMG Server Alerts Includes information about service conditions and error conditions Monitor Connectivity to Network Services Monitor connectivity to Active Directory, DNS servers, internal Web servers, and selected Internet Web servers Monitor Server Performance Use the pre-configured TMG Server Performance Monitor console

Lesson: Monitoring Overview
Why Implement Monitoring? TMG Server Monitoring Components Designing a Monitoring and Reporting Strategy Using the TMG Server Dashboard for Monitoring

Why Implement Monitoring?
Use monitoring to: Monitor traffic between networks to ensure that only legitimate traffic passes between networks Troubleshoot network connectivity between TMG Server clients, servers, and networks Collect information about attacks and to detect attacks as they occur Plan future modifications to the TMG Server or Internet access infrastructure

TMG Server Monitoring Components
Explanation Alerts Monitors TMG Server for configured events and then performs actions when the specified events occur Sessions Provides information on the current client sessions Logging Provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener Reports Summarizes information about the usage patterns on TMG Server Connectivity Monitors connections from TMG Server to any other computer or URL on any network Performance Monitors server performance in real time, create a log file of server performance or configure performance alerts

Designing a Monitoring and Reporting Strategy
When: Determine: Monitoring real-time information Which events should trigger an alert The event threshold before the alert is triggered The information that you need to monitor server performance Collecting long-term information The information you need to monitor server performance over time The information you need to monitor server usage The information you need to monitor security events Developing a response strategy How to respond to the critical events that occur on the TMG Server

Using the TMG Server Dashboard for Monitoring
Session Monitor Alert Monitor Service Monitor update Monitor Performance

Lesson: Configuring Alerts
What Is an Alert? How to Configure Alert Definitions How to Configure Alert Events and Conditions How to Configure Alert Actions Alert Management Tasks

What Is an Alert? An alert is:
A notification of an event or action that has occurred on TMG Server Triggered according to the conditions and trigger thresholds specified for the event associated with the alert When a server event takes place and records an alert: The TMG Server Management console displays the alert in the Alerts view An entry appears in the alerts view that lists column headings such as type of alert, the date and time, status, and category

How to Configure Alert Definitions

How to Configure Alert Category and Actions

Alert Management Tasks
Alerts are managed by performing the following tasks: Acknowledge registered alerts Reset registered alerts When you configure an alert to stop the TMG Server Firewall Service, TMG Server goes into a lockdown mode. While in lockdown mode, TMG Server blocks most network traffic

Practice: Configuring and Managing Alerts
Creating a New Alert Definition Modifying an Existing Alert Definition TMG-XX Internet

Lesson: Configuring Session Monitoring
What Is Session Monitoring? About Managing Sessions How to Configure Session Filtering

What Is Session Monitoring?
Provides real-time information about client sessions hosted through TMG Server Includes information on: When the session was established The session type The source network The client user name and computer name Provides the ability to immediately stop any unwanted sessions

About Managing Sessions
Use these options to manage sessions Right click session to disconnect

How to Configure Session Filtering
Add multiple filters Configure filters to view specific sessions

Practice: Configuring Session Monitoring
Monitoring Sessions Applying a Session Filter Internet-Web-XX TMG-XX Internet ClientXX DC-01

Lesson: Configuring Logging
What Is Logging? Log Storage Options How to Configure Logging How to View TMG Server Logs How to Configure Log Filter Definitions

What Is Logging? The logging feature:
Provides extended log storage to generate reports, analyze trends, or investigate security issues Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs

Log Storage Options Log storage option: Explanation:
MSDE Logs can be viewed in the log viewer Default format for Web proxy and Firewall Service logs SQL database Logs can be stored on separate server Logs can be analyzed by using database tools File Logs can be stored in W3C or TMG Server format Only available format for SMTP message screener logs The MSDE and log files are stored by default in the ISALogs folder, which is located in the TMG Server installation folder

How to Configure Logging
storage format Configure the information captured in the logs

How to View TMG Server Logs

How to Configure Log Filter Definitions
Load/Save filters Configure filters to view specific log entries

Lesson: Configuring Reports
What Are Reports? How to Configure the Report Summary Database How to Generate a Report How to Create a Recurring Report Job How to View Reports How to Publish Reports

What Are Reports? Use reporting to summarize and analyze:
Who is accessing the Internet, as well as which web sites are being accessed Which protocols and applications are being used most often General traffic patterns The cache hit ratio Reports can be generated immediately Reports need to be scheduled to generate on a recurring basis

How to Configure the Report Summary Database
Select to enable log summaries Configure summary files location Configure number of saved summaries

How to Generate a Report
Configure the content to include in the report Configure the time period included in the report Configure where the report will be stored

How to Create a Recurring Report Job
Configure when the recurring report will run Configure the content to include in the recurring report

How to View Reports Reports can be viewed: ü ü
Only on the computer running TMG Server Management By double-clicking the report name in the Report view of TMG Server Management ü ü

How to Publish Reports You can publish reports to a shared folder where users without TMG Server Management installed can view the reports

Practice: Configuring Reports
Generating a Report Creating a Recurring Report Job Internet-Web-XX TMG-XX Internet ClientXX DC-01

Lesson: Monitoring Connectivity
How Does Connectivity Monitoring Work? Configuring Connectivity Monitoring

How Does Connectivity Monitoring Work?
Uses connectivity verifiers to monitor connections from TMG Server to other servers or URLs Can be configured to use any of the following in connection methods: Ping to check for simple network connectivity TCP connection to verify that a service is running on the destination server HTTP GET request to verify that a Web server is running on the destination server

Configuring Connectivity Monitoring
Configure the URL or server to connect to Configure the method used to test connectivity

Practice: Configuring Connectivity Monitoring
TMG-XX Internet

Lesson: Monitoring Services and Performance
Monitoring TMG Server Services Performance Monitoring with TMG Server

Monitoring TMG Server Services

Performance Monitoring with TMG Server
Performance Objects Explanation TMG Server Package Engine Includes performance counters to monitor connections and throughput for the firewall engine TMG Server Cache Includes performance counters to monitor the memory, disk, and URL activity associated with the cache as well as cache performance TMG Server Firewall Service Includes counters to monitor Firewall service connections and associated services such as DNS. This object monitors only TMG Client connections TMG Server Web Proxy Service Includes counters to monitor the number of users and the rate at which TMG Server transfers data for Web Proxy clients to remote and upstream servers Monitoring the TMG Server counters as well as other performance counters to determine server performance and bottlenecks

Example: Performance Monitoring with TMG Server
You can monitor TMG Resource separate counter and object.

Lab: Monitoring TMG Server
Exercise 1: Testing the Alerts Feature Exercise 2: Testing the Reporting Feature Exercise 3: Testing the Connectivity Monitoring Feature TMG-XX Internet

THANK YOU

Implementing Microsoft ® Forefront Threat Management Gateway Server

Similar presentations

Presentation on theme: "Implementing Microsoft ® Forefront Threat Management Gateway Server"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Implementing Microsoft ® Forefront Threat Management Gateway Server

Similar presentations

Presentation on theme: "Implementing Microsoft ® Forefront Threat Management Gateway Server"— Presentation transcript:

Similar presentations

About project

Feedback