Implementing Microsoft ® Forefront Threat Management Gateway Server.


1 Implementing Microsoft ® Forefront Threat Management Gateway Server

2 Course Outline Module 1: Overview of Microsoft Forefront TMG Module 2: Installing and Maintaining TMG Server Module 3: Enabling Access to Internet Resources Module 4: Configuring TMG Server as a Firewall Module 5: Configuring Access to Internal Resources

3 Course Outline (continued) Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks Module 7: Implementing Caching Module 8: Monitoring Forefront TMG

4 Module 1: Overview of Microsoft Forefront TMG

5 Overview Introducing Microsoft Forefront TMG Deployment Scenarios for Forefront TMG

6 Lesson: Introducing Forefront TMG What Are the Benefits of Forefront TMG? Multimedia: Overview of Forefront TMG Functionality Forefront TMG Management Interface Forefront TMG Enterprise Edition Features Differences Between TMG Server 2000 and Forefront TMG

7 What Are the Benefits of Forefront TMG?
Advanced Protection: multi-layer packet inspection; unified firewall and VPN server; multi-networking; application-layer filtering.
Ease of Use: efficient management tools; network templates; product integration; ease of use for clients.
Enhanced Performance: optimized for performance; integrated functionality; scalability; Web caching.

8 Differences Between ISA Server 2006 and Forefront TMG
- Simplified management (deployment)
- Protects users from Web browsing threats (Web Access Policy) with malware inspection and HTTPS inspection
- Protects users from e-mail threats (E-mail Policy) with antispam and antivirus
- Protects desktops and servers from intrusion attempts with the Network Inspection System (NIS) acting as an IPS
- Uses Active Directory Lightweight Directory Services (AD LDS) in place of ADAM
- New dashboard for monitoring

9 Differences Between ISA Server 2006 and Forefront TMG (continued)
- VoIP support
- New VPN service with SSTP VPN
- ISP redundancy and load balancing

10 Lesson: Deployment Scenarios for Forefront TMG How TMG Server Works as an Internet Edge Firewall How TMG Server Works as a Back-End Firewall How TMG Server Works as a Branch Office Firewall How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server How TMG Server Works as a Proxy- and Caching-Only Server

11 How TMG Server Works as an Internet Edge Firewall. Use TMG Server to:
- Block all Internet traffic unless explicitly allowed
- Publish internal servers such as Web or Exchange servers
- Provide a VPN gateway for remote users
- Provide proxy and caching services
(Diagram: Internet and remote VPN user on the external side of TMG Server; Exchange Server, Web Server, other servers and user LAN on the internal side.)

12 How TMG Server Works as a Back-End Firewall. Use TMG Server to:
- Securely publish Exchange servers
- Securely publish other internal Web servers
- Provide proxy and caching services
(Diagram: Internet and remote user, front-end firewall, perimeter Web Server, then TMG Server in front of the internal LAN with Exchange Server, Web Server, other servers and users.)

13 How TMG Server Works as a Branch Office Firewall. Use TMG Server to:
- Create an IPsec tunnel-mode VPN between offices
- Create a PPTP or L2TP/IPsec VPN between offices
- Inspect and filter all traffic between offices
- Provide secure access to the Internet at the branch office
(Diagram: branch office user LAN behind TMG Server, VPN tunnel across the Internet to a TMG Server or other VPN gateway at corporate headquarters, which has its own server LAN.)

14 How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server. Use TMG Server to:
- Provide proxy and caching services to conserve Internet bandwidth
- Configure dial-up connections to the Internet
- Block all inbound network traffic
- Provide secure configurations using network templates and server publishing wizards
(Diagram: user LAN and server behind TMG Server, connected through the ISP to the Internet and a Web Server.)

15 How TMG Server Works as a Proxy- and Caching-Only Server
- Use TMG Server with a single network adapter to provide proxy and caching services
- Deploying TMG Server with a single network adapter means that it does not provide additional security functionality
(Diagram: user LAN, server and TMG Server on one network, behind a separate firewall that connects to the Internet and a Web Server.)

16 Module 2: Installing and Maintaining TMG Server

17 Overview Installing Forefront TMG Choosing TMG Server Clients Installing and Configuring TMG Clients Advanced TMG Client Configuration Securing Forefront TMG Maintaining Forefront TMG

18 Lesson: Installing Forefront TMG System and Hardware Requirements for Forefront TMG Installation Types and Components Configuration Choices During Installation How to Perform an Unattended Installation of Forefront TMG How to Verify an Installation of Forefront TMG Default Configuration for Forefront TMG How to Modify the TMG Server Installation Upgrade Options from TMG Server 2000 to Forefront TMG

19 Preparation for TMG
- TMG will only run on 64-bit Windows Server. There will be a 32-bit demo version after TMG goes RTM, but there won't be any beta versions that run on 32-bit Windows.
- TMG requires at least 2 GB of memory (it will probably run on less, but not very quickly).
- 2.5 GB of disk space.
- At least one NIC (although I always recommend two or more NICs to provide true security).
- You must install to the default folder on the C: drive.
- TMG will install IIS 7 on your machine in order to support SQL Reporting Services. If you remove TMG from the machine, IIS 7 will not be removed for you and you will need to do that manually.
- Services and driver files for TMG are installed in the TMG installation folder.

20 System and Hardware Requirements for Forefront TMG
Operating system: Windows Server, 64-bit
CPU: 1.8 GHz (2 cores)
RAM: 2 GB
Hard disk format: NTFS
Hard disk space: 2.5 GB
Network adapters: Internal, External

21 Hardware Requirements for Forefront TMG

22 System Requirements for Forefront TMG

23 System Requirements for Forefront TMG cont.

24 Installation Types and Components

25 Practice: Installing Forefront TMG (lab topology: Internet, TMG-XX)

26 How to Verify an Installation of Forefront TMG Verify that the TMG Server services are installed and started Verify that the MSDE services are installed and started Review the setup log files Check the Application Log in the Event Viewer Check for TMG Server Alerts

27 Verify after installation: Service TMG Service

28 Verify after installation: Service cont. MSSQL Service

29 Default Configuration for Forefront TMG
- Only Administrators can modify firewall policies
- Traffic is routed between the TMG Server and all other networks
- Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation
- Traffic is routed between the VPN network and the Internal network
- System policy permits access to the TMG Server, but access rules deny all network traffic through the TMG Server
- No servers are published
- Web Proxy requests will be retrieved directly from the Internet
- Caching is disabled
- A rule enabling access to the TMG Client installation share is configured if you install the TMG Client installation files

30 Example: Default Configuration

31

32 Example: Default Firewall Policy. By default, everything is denied.

33 Practice: Verifying the Installation and Default Configuration of Forefront TMG
- Verifying the successful installation of Forefront TMG
- Examining the default installation of Forefront TMG
(lab topology: Internet, TMG-XX)

34 Migration Options from ISA Server to Forefront TMG
- Extract the ISA Server 2006 configuration
- Import the ISA Server configuration
- Install Forefront TMG
Remark: ISA Server 2006 cannot be upgraded to TMG in place, because TMG requires a 64-bit platform.

35 Lesson: Choosing TMG Server Clients Types of TMG Server Clients How to Configure a SecureNAT Client How to Configure Web Proxy Clients Guidelines for Choosing a TMG Server Client

36 Types of TMG Server Clients: Web Proxy client, TMG Client, SecureNAT client.
Characteristics shown in the diagram:
- Improves the performance of Web requests for internal clients
- Allows Internet access only for authenticated users
- Does not require you to deploy client software

37 Guidelines for Choosing a TMG Server Client
If you need to avoid deploying client software, then use: SecureNAT clients
If you need to use TMG Server only for forward caching, then use: SecureNAT or Web Proxy clients
If you need to allow access only for authenticated clients, then use: TMG Clients or Web Proxy clients
If you need to publish servers on your internal network, then use: SecureNAT clients
If you need to improve Web performance for non-Windows operating systems, then use: SecureNAT or Web Proxy clients

38 Client Characteristics

39 How to Configure a SecureNAT Client
- SecureNAT clients do not require client installation or client configuration
- On a single-subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway
- On a multiple-subnet network, configure the IP address of the router as the SecureNAT client default gateway

40 How to Configure Web Proxy Clients

41 Monitoring Session on TMG

42 Practice: Configuring SecureNAT and Web Proxy Clients
- Configuring TMG Server to log client connections
- Configuring and testing a SecureNAT client
- Configuring and testing a Web Proxy client
(lab topology: Internet, TMG-XX, Internet-xx, Clientxx)

43 Lesson: Installing and Configuring TMG Clients How to Configure TMG Client Settings The TMG Client Installation and Configuration Process Options for Automating the TMG Client Installation

44 How to Configure TMG Client Settings

45 The TMG Client Installation and Configuration Process
The TMG Client:
- Uses a common Winsock service provider that other Winsock applications use to connect to application servers
- Intercepts Winsock client application calls for remote application servers and redirects the request to TMG Server
Install the TMG Client from the TMG Client share on the computer running TMG Server, or from another network share.

46 Practice: Installing the TMG Client
- Configuring the TMG Client settings on TMG Server
- Installing the TMG Client
(lab topology: Internet, TMG-XX, Internet-xx Web, Clientxx)

47 Steps for Setting Up the TMG Client: run setup from the installation disc.

48 Steps for Setting Up the TMG Client (continued): follow the setup wizard and specify the TMG Server.

49 Steps for Setting Up the TMG Client (continued): when finished, restart, and add a record for the TMG server to the hosts file.

50 Step for Setup TMG Client cont.

51 Automatic Setting

52 Step for Setup TMG Client cont.

53 Options for Automating the TMG Client Installation SMS package distributed to specific clients using SMS Unattended installation Software package distributed using Group Policies

54 Configuring Administrative Roles: TMG Server Administrative Roles
Forefront TMG Auditor: full-access monitoring; read-only configuration
Forefront TMG Monitoring Auditor: restricted-access monitoring; view sessions, query service status, view and reset alerts
Forefront TMG Administrator: can perform all administrative tasks

55 Example: Delegating an administrative role in the properties of the TMG Server

56 Best Practices for Securing the Server
- Do not install TMG Server on a domain controller
- Avoid installing an Internet edge server on a domain member
- Rename the Administrator account
- Disable unused functionality
- Apply Windows Server security best practices

57 Lesson: Maintaining Forefront TMG About Exporting and Importing the ISA Server Configuration About Backing Up and Restoring the ISA Server Configuration Remote Administration Options for TMG Server

58 About Exporting and Importing the TMG Server Configuration
- Use export and import to clone a TMG Server, to save a configuration for troubleshooting, or to roll back a configuration change
- You can export the entire TMG Server configuration, or any individual or group of configuration settings
- Importing a configuration overwrites all settings from the exported file

59 About Backing Up and Restoring the TMG Server Configuration
- Use backup to create a configuration file that can be used for disaster recovery
- Backup creates a file with the entire TMG Server configuration
- Restoring a backup overwrites all TMG Server settings

60 Remote Administration Options for TMG Server Use remote administration to manage physically secured servers or servers in other offices Use Remote Desktop or Terminal Services to manage all settings on the server running TMG Server Configure the server running TMG Server to enable Remote Desktop and configure System Policy to enable remote MMC management Use the TMG Server Management MMC to manage TMG Server settings remotely

61 Practice: Remote Management for TMG
- Using Remote Desktop for remote management
- Using MMC for remote management
(lab topology: Clientxx, TMGxx)

62 Module 3: Enabling Access to Internet Resources

63 Overview Forefront TMG as a Proxy Server Configuring Multi-Networking on TMG Server Configuring Access Rule Elements Configuring Access Rules for Internet Access

64 Lesson: Forefront TMG as a Proxy Server How TMG Server Enables Secure Access to Internet Resources Why Use a Proxy Server? How Does a Forward Web Proxy Server Work? What Is a Reverse Web Proxy Server? How to Configure TMG Server as a Proxy Server DNS Configuration for Internet Access How to Configure Web Chaining How to Configure Dial-Up Connections

65 How TMG Server Enables Secure Access to Internet Resources. Before forwarding a request from a client to the Web Server, the TMG proxy server checks whether the user is allowed access, the computer is allowed access, the protocol is allowed, the destination is allowed, and the content is allowed.

66 Why Use a Proxy Server?
Improved Internet access security: user authentication; filtering client requests; content inspection; logging user access; hiding the internal network details.
Improved Internet access performance (the proxy sits between the clients and the Web Server).

67 How Does a Forward Web Proxy Server Work? TMG Server, acting as a forward proxy between internal clients and the Web Server, checks whether the user is allowed access, the protocol is allowed, and the destination is allowed.

68 What Is a Reverse Web Proxy Server? TMG Server, acting as a reverse proxy in front of the internal Web Server (with the DNS Server resolving the published name), checks whether the request is allowed, the protocol is allowed, and the destination is allowed.

69 How to Configure TMG Server as a Proxy Server

70 DNS Configuration for Internet Access Configure TMG Server clients to use an internal DNS server if the DNS server can resolve Internet addresses If no internal DNS server is available to resolve Internet addresses, configure the TMG Server clients to use an Internet DNS server TMG Server includes a DNS cache that caches the results of all DNS lookups performed through TMG Server TMG Server can proxy DNS requests for Web proxy and TMG Clients but not for SecureNAT clients

71 DNS Requests by Client Type
- SecureNAT client: the client queries the DNS server itself
- Web Proxy client and TMG Client: TMG queries the DNS server on the client's behalf (proxied DNS request)

72 Practice: Configuring DNS
- Configure the client to use the internal DNS server
- Configure the internal DNS server using the internal technique
- Configure the internal DNS server using the Internet technique
(lab topology: SV-xx (DC, DNS, DHCP), Internet, TMG-XX, Internet-xx (Web, DNS), Clientxx)

73 How to Configure Web Chaining (diagram: branch office TMG servers chain their Web requests to the head office TMG server, which connects to the Internet)

74 Example Web Chaining

75 Practice: Configuring TMG Server as a Web Proxy Server. Configuring the proxy server settings on TMG Server (lab topology: SV-xx (DC, DNS Server, DHCP Server), Internet, TMG-XX, Internet-xx (Web, DNS), Clientxx)

76 Lesson: Configuring Multi-Networking on TMG Server How Does Forefront TMG Support Multiple Networks? Default Networks Enabled in TMG Server About Network Objects How to Create and Modify Network Objects What Are Network Rules?

77 How Does Forefront TMG Support Multiple Networks?
- Support for any number of networks
- VPN networks represented as networks
- Dynamic network membership
- Per-network rules
- Per-network policies
- Network sets
(Diagram: Internet, LAN1, LAN2, VPN, Perimeter1 and Perimeter2 all attached to one TMG Server.)

78 Default Networks Enabled in TMG Server (default network: what it includes)
Local Host: the TMG Server
External: all IP addresses not associated with another network
Internal: all IP addresses specified as internal during installation
VPN Clients: all IP addresses for currently connected VPN clients
Quarantined VPN Clients: all IP addresses of connected VPN clients that have not cleared quarantine

79 Example Default Network on ISA2006

80 About Network Objects (network object: what it includes)
Network: all computers connected to a single network interface
Network Set: one or more networks
Computer: a single computer identified by an IP address
Computer Set: all computers included in specified computer, subnet or address range objects
Address Range: all computers identified by a contiguous range of IP addresses
Subnet: all computers on a specified subnet
URL Set: all specified URLs
Domain Name Set: all specified domain names
Web Listener: the IP address on which the TMG Server listens for connections

81 How to Create and Modify Network Objects Click Firewall Policy, Toolbox, then Network Objects Click Networks, then Networks or Network Sets

82 What Are Network Rules?
NAT connection: a NAT relationship is directional. Addresses from the source network are always translated when passing through TMG Server.
Route connection: a route relationship is bidirectional. If a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A.

83 Practice: Managing Network Objects
- Configuring a new network on TMG Server
- Configuring a new network rule on TMG Server
- Configuring a new computer network object on TMG Server
(lab topology: Internet, TMG-XX)

84 Lesson: Configuring Access Rule Elements What Are Access Rule Elements? How to Configure Protocol Elements How to Configure User Elements How to Configure Content Type Elements How to Configure Schedule Elements How to Configure Domain Name Sets and URL Sets

85 What Are Access Rule Elements? (access rule element: used to configure)
Protocols: the protocols that will be allowed or denied by an access rule
Users: the users that will be allowed or denied by an access rule
Content Types: the content types that will be allowed or denied by an access rule
Schedules: the time of day when Internet access will be allowed or denied by an access rule
Network Objects: the computers or destinations that will be allowed or denied by an access rule

86 Example Policy

87 How to Configure Protocol Elements

88 How to Configure User Elements

89 Allowing only the users you want to use the system
1. Protocols such as ping are not supported for user-based rules.
2. For HTTP used through a browser, the client must be one of two types, Web Proxy or TMG Client:
2.1 If the user matches a user listed in TMG, the policy is checked to see whether that user is allowed access (Windows integrated).
2.2 If the user does not match a user listed in ISA, a popup asks the user to log on.
3. For any other protocol, the client must be a TMG Client, and the user name must exist on both the client and TMG.
Remark: DNS is the exception. When using a Web Proxy or TMG Client, the DNS of ISA is used directly (no authentication).

90 Summary of the rules assigned in the Firewall Policy: if a specified user is a member of both groups and the two conflict, the exception is always honored first. somchai loses access!

91 How to Configure Content Type Elements (HTTP only). Define the MIME types and file extensions to include.

92 Example: Content Types. If "All Images" is not allowed in the policy, the result looks like this (works only for HTTP traffic).

93 How to Configure Schedule Elements Define the times when this schedule is active or inactive

94 How to Configure Domain Name Sets and URL Sets. Use a URL set to configure access to a URL; use a domain name set to configure access to an entire domain.

95 Example: Block Bad Website. When defining the firewall policy, you should specify:
- the URLs that are not allowed
- the IP addresses of the servers that are not allowed

96 Example Block Bad Website cont.

97 Logic of Firewall Policy evaluation: the policy is read from top to bottom. The first rule that matches is applied immediately, and no further rules are read. Top to bottom, first match wins.

98 Practice: Configuring Firewall Rule Elements
- Configuring a new user set
- Configuring a new content type element
- Configuring a new schedule element
- Configuring a new URL set
(lab topology: SV-xx (DC, DNS Server, DHCP Server), Internet, TMG-XX, Internet-xx (Web, DNS), Clientxx)

99 Lesson: Configuring Access Rules for Internet Access What Are Access Rules? How Network Rules and Access Rules Are Applied About Authentication and Internet Access How to Configure Access Rules How to Configure HTTP Policy How to Troubleshoot Access to Internet Resources

100 What Are Access Rules? Access rules always define: an action (Allow or Deny) on traffic, from a user, from a source (source network, source IP), to a destination (destination network, destination IP, destination site), for a protocol (IP port/type), with conditions (schedule, content type).

101 How Network Rules and Access Rules Are Applied (diagram: a client request to the Web Server is checked against the network rules first, then against the access rules, with the Domain Controller consulted for user authentication)
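The evaluation order the slides describe (network rule first, then access rules top-down with first match winning, exceptions in a user set beating membership, NAT directional and Route bidirectional, and a final default deny) can be written out as a small policy engine. The following is an added illustration, not code from the course or from Forefront TMG; the network names, addresses, user names and rule names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network definitions (hypothetical addresses, not TMG's own store).
NETWORKS = {
    "Internal": [ip_network("10.0.0.0/8")],
    "VPN Clients": [ip_network("172.16.0.0/16")],
}

def network_of(ip: str) -> str:
    """Map an address to a network; anything unmatched is External."""
    addr = ip_address(ip)
    for name, subnets in NETWORKS.items():
        if any(addr in subnet for subnet in subnets):
            return name
    return "External"

@dataclass
class NetworkRule:
    source: str
    dest: str
    relation: str  # "NAT" or "Route"

def relationship(rules, src_net: str, dst_net: str) -> Optional[str]:
    """NAT applies only in the direction it is written; Route applies both ways."""
    for r in rules:
        if r.source == src_net and r.dest == dst_net:
            return r.relation
        if r.relation == "Route" and r.source == dst_net and r.dest == src_net:
            return "Route"
    return None

@dataclass
class UserSet:
    members: set
    exceptions: set = field(default_factory=set)

    def contains(self, user: str) -> bool:
        # A listed exception always wins over membership.
        return user in self.members and user not in self.exceptions

@dataclass
class AccessRule:
    name: str
    action: str        # "Allow" or "Deny"
    protocols: set     # protocol names, or {"All"}
    users: UserSet
    sources: set       # network names
    destinations: set  # network names

    def matches(self, user, src_net, dst_net, protocol) -> bool:
        return (("All" in self.protocols or protocol in self.protocols)
                and self.users.contains(user)
                and src_net in self.sources
                and dst_net in self.destinations)

def evaluate(network_rules, access_rules, user, src_ip, dst_ip, protocol):
    """Network rule first; then access rules top-down, first match wins; else default deny."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    if relationship(network_rules, src_net, dst_net) is None:
        return ("Deny", "no network rule")
    for rule in access_rules:
        if rule.matches(user, src_net, dst_net, protocol):
            return (rule.action, rule.name)
    return ("Deny", "Default rule")

# Constructed sample policy: NAT from Internal to External, Route between VPN and Internal.
NETWORK_RULES = [
    NetworkRule("Internal", "External", "NAT"),
    NetworkRule("VPN Clients", "Internal", "Route"),
]
STAFF = UserSet(members={"somchai", "sunee"}, exceptions={"somchai"})
ACCESS_RULES = [
    AccessRule("Block FTP", "Deny", {"FTP"}, UserSet({"somchai", "sunee"}), {"Internal"}, {"External"}),
    AccessRule("Allow Web", "Allow", {"HTTP", "HTTPS"}, STAFF, {"Internal"}, {"External"}),
    AccessRule("Allow All for sunee", "Allow", {"All"}, UserSet({"sunee"}), {"Internal"}, {"External"}),
]

if __name__ == "__main__":
    for user, proto in (("sunee", "HTTP"), ("sunee", "FTP"), ("somchai", "HTTP")):
        print(user, proto, evaluate(NETWORK_RULES, ACCESS_RULES, user, "10.0.0.5", "203.0.113.10", proto))
```

With this policy, sunee's FTP request is denied by "Block FTP" even though a later rule would allow all of her traffic, and somchai's HTTP request falls through to the default rule because he is listed as an exception in the user set. A request arriving from External towards Internal is rejected before any access rule is consulted, because the NAT rule exists only in the Internal-to-External direction.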

102 About Authentication and Internet Access: authentication and TMG Server clients. Authentication methods:
- Basic authentication
- Digest authentication
- Integrated Windows authentication
- Digital certificate authentication
- RADIUS authentication
- RSA SecurID authentication

103 How to Set Authentication

104 Types of Standard Authentication: Basic Authentication
- The password is sent as clear text; it should be used together with SSL
- Works with most clients
- Does not support single sign-on

105 Example: Basic Authentication. Supported by most browsers. Not encrypted: Basic sends credentials in clear text.

106 Types of Standard Authentication: Digest Authentication
- The password is sent using hashing
- Only for users with accounts in Active Directory

107 Example: Digest Authentication. Works only with domain accounts. Sends the user name and password using hashing.

108 Types of Standard Authentication: Integrated Windows Authentication
- The user does not need to enter a user name and password
- The server negotiates with the client computer itself to learn which user is logged on
- If the account does not match, an authentication popup appears
- Encrypted

109 Example: Integrated Windows Authentication. Uses the Windows account to log on automatically; if the account does not match, an authentication popup appears. Encrypted.
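To make the difference between slides 104 and 106 concrete, the following added example (not from the course or from Forefront TMG) shows what actually crosses the wire in each case: a Basic header is only base64, so the password is recoverable by anyone who sees the request, whereas a Digest exchange carries an MD5 hash computed over the password, realm, method, URI and server nonce (RFC 2617). The user names, realm and nonce values used in the usage note are the published RFC 2617 examples; the `lookup_password` callback is an assumed stand-in for the account store.

```python
import base64
import hashlib
import hmac

def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(authorization_header: str):
    """Recover the credentials from a Basic header. base64 is an encoding, not
    encryption: the password is visible on the path unless SSL/TLS protects it."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    # Split on the first colon only, so a password containing ':' survives.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def _h(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest with qop=auth: only hashes cross the wire, never the password."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_digest(user, realm, method, uri, nonce, nc, cnonce, response, lookup_password):
    """Server side: recompute the expected response from the stored password
    (lookup_password is an assumed account-store callback) and compare in constant time."""
    expected = digest_response(user, realm, lookup_password(user), method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```

The Basic header `QWxhZGRpbjpvcGVuIHNlc2FtZQ==` decodes straight back to `Aladdin` / `open sesame`, which is why the slides pair Basic with SSL. The Digest call reproduces the RFC 2617 worked example, `6629fae49393a05397450978507c4ef1`; the server can verify it from the stored password without the password ever appearing in the request, which is also why Digest in TMG is tied to accounts it can look up in Active Directory.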

110 How to Configure Access Rules

111 Practice: Integrating TMG with NPS (RADIUS Server)
- Installing the NPS server
- Setting up the RADIUS server and RADIUS client
- Configuring the firewall policy with RADIUS
(lab topology: SV-xx (DC, DNS Server, NPS), Internet, TMG-XX, Internet-xx (Web, DNS), Clientxx)

112 How to Troubleshoot Access to Internet Resources. Use TMG Server logging to determine which access rule is granting or denying access. To troubleshoot Internet access issues:
- Check for DNS name resolution
- Determine the extent of the problem
- Review access rule objects and access rule configuration
- Review access rule order
- Check access rule authentication

113 What Is Web Access Policy? A new feature of TMG:
- A new wizard-based tool
- Focuses only on HTTP/HTTPS
- Provides functionality such as malware inspection
- Includes HTTPS outbound inspection
- Malware inspection definitions can be updated directly through Update Center (Microsoft Update or WSUS)

114 How to use Web Access Policy

115 How to use Web Access Policy: Web Destinations

116 How to use Web Access Policy: Malware Inspection

117 How to use Web Access Policy: HTTPS Inspection

118 Lab: Enabling Access to Internet Resources Exercise 1: Configuring TMG Server Access Rule Elements Exercise 2: Configuring TMG Server Access Rules Exercise 3: Testing TMG Server Access Rules

119 Module 4: Configuring TMG Server as a Firewall

120 Overview Using TMG Server as a Firewall Examining Perimeter Networks and Templates Configuring System Policies Configuring Intrusion Detection and IP Preferences

121 Lesson: Using TMG Server as a Firewall What Is a TCP/IP Packet? What Is Packet Filtering? What Is Stateful Filtering? What Is Application Filtering? What Is Intrusion Detection? How Forefront TMG Filters Network Traffic Implementing Forefront TMG as a Firewall

122 What Is a TCP/IP Packet?
Network Interface Layer (physical payload): Destination Address: 0003FFD329B0; Source Address: 0003FFFDFFFF
Internet Layer (IP payload): Destination and Source IP addresses; Protocol: TCP
Transport Layer (TCP payload): Destination Port: 80; Source Port: 1159; Sequence and Acknowledgment numbers
Application Layer: HTTP Request Method: GET; HTTP Protocol Version: HTTP/1.1; HTTP Host: www.contoso.com

123 What Is Packet Filtering? The packet filter on TMG Server, sitting between the client and the Web Server, checks whether the source address is allowed, the destination address is allowed, the protocol is allowed, and the destination port is allowed.

124 What Is Stateful Filtering? When a client opens a connection to the Web Server through TMG Server, a connection rule is created; for each later packet, TMG Server checks whether the packet is part of an existing connection.
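Slides 122 to 124 describe three views of the same traffic: the header fields a packet filter reads, and the connection table a stateful filter keeps. The added example below (not code from the course or from Forefront TMG) builds a constructed Ethernet/IPv4/TCP frame carrying the slide's addresses and ports, parses it layer by layer, and runs it through a minimal stateful filter: a new outbound SYN from the internal network to an allowed port creates a connection entry, replies matching that entry are accepted, and anything else is denied. The `StatefulFirewall` class, the internal subnet and the allowed-port set are assumptions for the example.

```python
import socket
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYN, ACK = 0x02, 0x10
TCP = 6

@dataclass
class Packet:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    flags: int
    payload: bytes

def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left as zero)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def parse_frame(frame: bytes) -> Packet:
    """Peel the layers the way a firewall does: link, internet, transport, application."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    tcp = ip[(ver_ihl & 0x0F) * 4:]
    src_port, dst_port, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return Packet(dst_mac.hex().upper(), src_mac.hex().upper(),
                  socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                  src_port, dst_port, off_flags & 0x1FF, tcp[data_off:])

class StatefulFirewall:
    """Packet-filter checks for new connections, then a state table for everything else."""

    def __init__(self, internal_net: str, allowed_dst_ports):
        self.internal = ip_network(internal_net)
        self.allowed = set(allowed_dst_ports)
        self.connections = set()  # (src_ip, src_port, dst_ip, dst_port) of accepted flows

    def inspect(self, pkt: Packet) -> str:
        if pkt.proto != TCP:
            return "deny: protocol not allowed"
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.connections or rev in self.connections:
            return "allow: part of an existing connection"
        # Brand-new flow: only an outbound SYN from the internal network to an allowed port.
        if (ip_address(pkt.src_ip) in self.internal
                and pkt.flags & SYN and not pkt.flags & ACK
                and pkt.dst_port in self.allowed):
            self.connections.add(fwd)
            return "allow: new outbound connection recorded"
        return "deny: not part of a connection"

def http_method(payload: bytes):
    """Application-layer view: the request method an HTTP application filter would check."""
    line = payload.split(b"\r\n", 1)[0]
    return line.split(b" ")[0].decode("ascii", "replace") if line else None

if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/8", {80, 443})
    syn = parse_frame(build_frame("0003FFD329B0", "0003FFFDFFFF", "10.0.0.5", "203.0.113.10", 1159, 80, SYN))
    print(syn.src_ip, syn.dst_ip, syn.dst_port, fw.inspect(syn))
    syn_ack = parse_frame(build_frame("0003FFFDFFFF", "0003FFD329B0", "203.0.113.10", "10.0.0.5", 80, 1159, SYN | ACK))
    print(fw.inspect(syn_ack))
```

The MAC addresses and ports are the ones on slide 122; the IP addresses are constructed, since the slide does not show them. Note that an unsolicited SYN/ACK from the outside, or a SYN arriving at the internal network from the Internet, is denied even though the addresses and ports alone would look acceptable to a stateless filter.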

125 What Is Application Filtering? TMG Server inspects the client's GET request and the Web Server's response: is the GET method allowed? Does the response contain only allowed content and methods? Only then is the response passed to the client.

126 What Is Intrusion Detection? When TMG Server detects an attack such as an all-ports scan (port scan limit exceeded), it alerts the administrator.

127 Implementing Forefront TMG as a Firewall. To configure TMG Server as a firewall:
- Determine the perimeter network configuration
- Configure networks and network rules
- Configure system policy
- Configure intrusion detection
- Configure access rule elements and access rules
- Configure server and Web publishing

128 Lesson: Examining Perimeter Networks and Templates What Is a Perimeter Network? Why Use a Perimeter Network? Network Perimeter Configurations About Network Templates How to Use the Network Template Wizard Modifying Rules Applied by Network Templates

129 What Is a Perimeter Network? (diagram: Internet, firewall, perimeter network, firewall, internal network)

130 Why Use a Perimeter Network? A perimeter network provides an additional layer of security:
- Between the publicly accessible servers and the internal network
- Between the Internet and confidential data or critical applications stored on servers on the internal network
- Between potentially nonsecure networks, such as wireless networks, and the internal network
Use defense in depth in addition to perimeter network security.

131 Network Perimeter Configurations (diagrams): back-to-back configuration (two firewalls with the perimeter network and Web Server between them and the LAN behind); three-legged configuration (one firewall with separate LAN and perimeter network interfaces); bastion host (a single firewall between the Internet and the LAN).

132 About Network Templates
- Bastion host: deploy the Edge Firewall template
- Back-to-back configuration: deploy the Front-End or Back-End template
- Three-legged configuration: deploy the 3-Leg Perimeter template
- Proxy and caching only: deploy the Single Network Adapter template

133 How to Use the Network Template Wizard

134 How to Use the Network Template Wizard cont.

135 Modifying Rules Applied by Network Templates. You may need to modify the rules applied by a network template to:
- Modify Internet access based on user or computer sets
- Modify Internet access based on protocols
- Modify network rules to change network relationships
You can either change the properties of one of the rules configured by the network template, or create a new access rule to apply a specific setting.

136 Lesson: Configuring System Policies What Is System Policy? System Policy Settings How to Modify System Policy Settings

137 What Is System Policy? System policy is:
- A default set of access rules applied to the TMG Server to enable management of the server
- A set of predefined rules that you can enable or disable as required
Modify the default set of rules provided by the system policy to meet your organization's requirements. Disable all functionality that is not required.

138 System Policy Settings. System policy settings include: Network Services; Authentication Services; Remote Management; TMG Client; Diagnostic Services; Logging and Monitoring; SMTP; Scheduled Download Jobs; Allowed Sites.

139 How to Modify System Policy Settings

140 Practice: Modifying System Policy
- Examining and modifying the default system policy
- Testing the modified system policy
(lab topology: Internet, TMG-XX, Clientxx)

141 About Intrusion Prevention Configuration Options. Intrusion prevention on Forefront TMG:
- NIS signatures can now be updated dynamically
- Detects attacks on well-known protocols: HTTP, DNS, SMB, NetBIOS, MSRPC, SMTP, POP3, IMAP4 and MIME
- Works together with Microsoft Malware Protection on newly discovered threats

142 Example: IPS for TMG

143 How to Configure Intrusion Prevention

144 About Intrusion Detection Configuration Options. Intrusion detection on Forefront TMG: compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected; detects well-known IP attacks; includes application filters for DNS and POP that detect intrusion attempts at the application level.

145 Example: IDS for TMG

146 How to Configure Intrusion Detection

147 Using Update Center

148 Module 5: Configuring Access to Internal Resources

149 Overview Introduction to Publishing Configuring Web Publishing Configuring Secure Web Publishing Configuring Server Publishing Configuring TMG Server Authentication

150 Lesson: Introduction to Publishing Multimedia: Using Forefront TMG to Enable Access to Internal Network Resources What Are Web Publishing Rules? What Are Server Publishing Rules? DNS Configuration for Web and Server Publishing

151 What Are Web Publishing Rules? Web publishing rules provide the following features: publish HTTP or HTTPS content; application-layer filtering; path mapping; user authentication; content caching; publishing multiple Web sites with one IP address; link translation; logging the client IP address. Secure Web publishing rules enable the use of SSL to encrypt network traffic between client and server. (Diagram: TMG Server.)

152 What Are Non-Web Server Publishing Rules? Non-Web server publishing rules forward requests to internal servers based on protocol and port number. Server publishing rules provide the following features: publish content using multiple protocols; application-layer filtering for protocols with application filters; support for encryption; logging the client IP address. (Diagram: TMG Server.)

153 DNS Configuration for Web and Non-Web Server Publishing. (Diagram: Internet, TMG Server, DNS Server in the perimeter network, DNS Server in the internal network.)

154 Lesson: Configuring Web Publishing Web Publishing Rules Configuration Components How to Configure Path Mapping How to Configure Web Listeners How to Configure Link Translation How to Configure a New Web Publishing Rule

155 Web Publishing Rules Configuration Components Web publishing rules configuration: Action Name Users Traffic source Public name Web listener Path mappings Bridging Link Translation

156 How to Configure Path Mapping. (Diagram: virtual directories Sales, Human Resources and Online Store published through TMG Server.)

157 Example Path Mapping

158 How to Configure Multiple Web Publishing. (Diagram: Web1 and Web2 behind TMG Server.)

159 Example Multiple Web Publishing (same web listener)

160 How to Configure Web Listeners. (Diagram: Private Web Site and CohoVineyard Web Site published through an anonymous Web listener and an authenticated Web listener on TMG Server.)

161 How to Configure a New Web Publishing Rule Web Publishing Rule Wizard configuration: Action Published Website Public name Web listener User Sets

162 Practice: Configuring Web Publishing. Configuring a new Web listener; configuring a new Web publishing rule; testing the Web publishing rule. (Lab diagram: Server-xx (DC, DNS, DHCP), Internet, TMG-XX, Internet-xx (Web, DNS), Clientxx, DMZxx (Web).)

163 Lesson: Configuring Secure Web Publishing What Is Secure Sockets Layer? How to Prepare TMG Server for SSL How SSL Bridging Works How SSL Tunneling Works How to Configure a New Secure Web Publishing Rule

164 What Is Secure Sockets Layer? (Diagram: Web server; server authentication, client authentication, encrypted SSL connection.)

165 How to Prepare TMG Server for SSL. (Diagram: TMG Server, Import, Web Server.)

166 How SSL Bridging Works. (Diagram: TMG Server.)

167 How to Configure a New Secure Web Publishing Rule SSL Web Publishing Rule Wizard configuration: Publishing Mode Action Bridging Mode Published Website Public name Web listener User Sets

168 Practice: Configuring Secure Web Publishing. Enabling access to the Certificate Authority Web site; installing a server certificate; configuring a new secure Web publishing rule; testing the secure Web publishing rule. (Lab diagram: InternalWeb-01, Internet, TMG-xx, DC-xx, InternetWeb-01.)

169 Lesson: Configuring Non-Web Server Publishing Server Publishing Configuration Options How Non-Web Server Publishing Works How to Configure a Non-Web Server Publishing Rule How to Troubleshoot Web and Non-Web Server Publishing

170 Non-Web Server Publishing Configuration Options Server publishing rules configuration: Action Traffic Traffic source Traffic destination Networks Schedule

171 How Non-Web Server Publishing Works. (Diagram: Demo Media Site mms://media.demo.com published by a Media Publishing Rule on port 1755; Demo FTP Site ftp://ftp.demo.com published by an FTP Publishing Rule on port 21; TMG Server.)

172 How to Configure a Non-Web Server Publishing Rule Non-Web Server Publishing Rule Wizard configuration: Select server to publish Select protocol Select IP addresses where clients will connect

173 Practice: Configuring Non-Web Server Publishing. Configuring a new non-Web server publishing rule; testing the non-Web server publishing rule. (Lab diagram: InternalWeb-01, Internet, TMG-xx, Server-xx (FTP), InternetWeb-01.)

174 How to Troubleshoot Web and Non-Web Server Publishing. To troubleshoot Web and server publishing issues: check the resource availability; check the DNS records; check the error message; check which ports the TMG Server is listening on for connections; check the publishing rule configuration; check the SSL configuration and certificates.

175 Lesson: Configuring TMG Server Authentication. How Authentication and Web Publishing Rules Work Together; TMG Server Web Publishing Authentication Scenarios; Using RADIUS for Authentication; How to Implement RADIUS Server for TMG Authentication.

176 How Authentication and Web Publishing Rules Work Together. TMG Server uses authentication to grant access to publishing rules: when the publishing rule specifies a user set other than the All Users group; based on the Web listener authentication methods specified for a Web publishing or secure Web publishing rule; by processing the firewall rules in order of priority. When a firewall rule matches but requires authentication, TMG Server will prompt for user credentials.

177 TMG Server Web Publishing Authentication Scenarios. (Diagram: TMG Server and Web server authentication; TMG Server authentication; Web server authentication.)

178 Using RADIUS for Authentication. Using RADIUS for authentication means that TMG Server can authenticate users based on their Active Directory credentials without requiring that the computer running TMG Server be a member of an Active Directory domain. (Diagram: TMG Server as RADIUS client, RADIUS server, domain controller.)

179 How to Implement RADIUS Server for TMG Authentication. To implement RADIUS authentication: 1. Install and configure NPS to use Active Directory for authentication and configure the TMG Server as a RADIUS client. 2. Configure the Active Directory user accounts or configure remote access policies to enable dial-in access. 3. Configure TMG Server to use the RADIUS server and configure a Web listener to use RADIUS authentication.

180 Lab: Configuring Access to Internal Resources. Exercise 1: Configuring TMG Server Authentication and Secure Publishing. Exercise 2: Testing the TMG Server Configuration. (Lab diagram: InternalWeb-01, Internet, TMG-xx, DC-xx, InternetWeb-01.)

181 Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks

182 Overview Virtual Private Networking Overview Configuring Virtual Private Networking for Remote Clients Configuring Virtual Private Networking for Remote Sites Configuring VPN Quarantine Control Using Forefront TMG

183 Lesson: Virtual Private Networking Overview What Is Virtual Private Networking? VPN Protocol Options VPN Authentication Protocol Options VPN Quarantine Control Virtual Private Networking Using Routing and Remote Access Virtual Private Networking Using Forefront TMG Benefits of Using TMG Server for Virtual Private Networking

184 What Is Virtual Private Networking? (Diagram: TMG Server at the main site and at the branch office.)

185 VPN Protocol Options
Factor: PPTP advantages and disadvantages | L2TP/IPSec advantages and disadvantages
Client operating systems supported: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98 | Windows 2000 and later
Certificate support: Requires a certificate infrastructure only for EAP-TLS authentication | Requires a certificate infrastructure or a pre-shared key
Security: Provides data encryption; does not provide data integrity | Provides data encryption, data confidentiality, data origin authentication, and replay protection
NAT support: To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP | To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T

186 VPN Authentication Protocol Options
Authentication protocol: Considerations
PAP: Uses plaintext passwords and is the least secure authentication protocol
SPAP: Uses a reversible encryption mechanism employed by Shiva
CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted
MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data
MS-CHAPv2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data
EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication

187 A VPN requires authentication. PAP: verifies the password only. SPAP: a reversible password-verification mechanism. CHAP: requires passwords that are stored and used with reversible encryption. MS-CHAP: Microsoft's reversible technique. MS-CHAPv2: a mutual authentication technique. EAP-TLS: security that relies on multiple mechanisms.

188 PAP & SPAP. (Diagram of the exchanges between S1 and S2: with PAP the password is sent and used to verify the logon user, and the server answers positively; SPAP.)

189 CHAP, MS-CHAP. (Diagram: S1 sends the user name + password; S2 holds the table A: pass1, B: pass2, C: pass3 and answers Ack. With MS-CHAP the exchange is encrypted with a technique and decrypted with Algorithm A.)

190 MS-CHAP v2. (Diagram: the client sends user name A; the server holds A: pass1, B: pass2, C: pass3; A + pass1 is encrypted and decrypted for mutual authentication; a validation key is derived on the login side and on the server side, and access is allowed only if the validation key from the login and the one from the server match.)

191 EAP-TLS (Extensible Authentication Protocol - Transport Layer Security). (Diagram: users A, B and C each with a password and a smart card; A + pass1 + MD5, or a smart card; A + pass1 is encrypted in transit during the exchange; multi-factor authentication.)

192 VPN Quarantine Control. VPN Quarantine Control: enables screening of VPN client machines before granting them access to the organization’s network; uses a client script that analyzes the security configuration of the remote access client; VPN clients connecting to TMG Server with approved security configurations are moved from the VPN Quarantine network to the VPN Clients network.

193 Virtual Private Networking Using Routing and Remote Access. RRAS supports: remote access policies that define remote access connections and connection parameters; Connection Manager components to simplify the configuration of remote access clients; RADIUS servers for authentication and the centralization of remote access policies; VPN quarantine control to restrict network access to quarantined clients; packet filtering for securing VPN and network quarantine connections.

194 Virtual Private Networking Using Forefront TMG. TMG Server enables VPN access: including remote client VPN access for individual clients and site-to-site VPN access to connect multiple sites; by enabling VPN-specific networks (VPN Clients network, Quarantined VPN Clients network, remote-site networks); by using network and access rules to limit network traffic between the VPN networks and the other networks with servers running TMG Server; by extending RRAS functionality.

195 Benefits of Using TMG Server for Virtual Private Networking
Benefit: Explanation
Connection security: TMG Server uses firewall access policies to inspect and filter all traffic from VPN clients
Performance: TMG Server is optimized to enforce complex security requirements on VPN connections
Quarantine control for Windows 2000: VPN quarantine is not available in Windows 2000 RRAS but can be enabled with TMG Server 2004 on Windows 2000
Logging and monitoring: TMG Server can log all VPN connections and enables live monitoring of VPN connections
IPSec tunnel-mode stateful inspection: Enables stateful inspection to enforce user/group, site, computer, protocol, and application-layer access controls for IPSec tunnel-mode traffic
Enhanced protection: TMG Server is protected via firewall access policy on all interfaces

196 Lesson: Configuring Virtual Private Networking for Remote Clients VPN Client Access Configuration Options How to Enable and Configure VPN Client Access Default VPN Client Access Configuration How to Configure VPN Address Assignment How to Configure VPN Authentication How to Configure Authentication Using RADIUS How to Configure User Accounts for VPN Access How to Configure VPN Connections from Client Computers

197 VPN Client Access Configuration Options Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options

198 How to Enable and Configure VPN Client Access. Use user mapping to apply firewall policies to users who do not use Windows authentication.

199 Default VPN Client Access Configuration
Component: Default configuration
System policy rules: The system policy rule that allows the use of PPTP, L2TP, or both is enabled
VPN access network: TMG Server will listen for VPN client connections only on the External network
VPN protocols: Only PPTP is enabled for VPN client access
Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network
Firewall access rules: No firewall access rules are enabled
Remote access policy: Default policy requires MS-CHAP v2 authentication

200 How to Configure VPN Address Assignment. Configure static IP address assignment or DHCP. Configure DNS and WINS servers using DHCP or manually.

201 How to Configure VPN Authentication. Accept the default for secure authentication. Configure EAP for additional security. Configure less secure options only if required for client compatibility.

202 How to Configure Authentication Using RADIUS. Enable RADIUS for authentication and accounting, and then configure a RADIUS server.

203 How to Configure User Accounts for VPN Access. Configure dial-in and VPN access permissions.

204 How to Configure VPN Connections from Client Computers

205 Practice: Configuring VPN Access for Remote Clients. Configuring VPN access on TMG Server; configuring user account dial-in permissions; configuring and testing a VPN client configuration. (Lab diagram: Internet, TMG-XX, Den-DC-01, Client-XX.)

206 What Is SSTP VPN? SSTP is a new VPN feature on TMG Server that tunnels PPP connections over an SSL-encrypted HTTP connection. SSTP provides: an additional connectivity channel, so there is no need to rely only on PPTP and L2TP/IPSec; easier firewall policy management (only port 80/443 needs to be allowed). Client requirements: Windows Vista SP1 and above; the CA certificate must be placed in the Trusted Root CA store.

207 How to Set Up SSTP VPN. SSTP VPN server requirements: only Windows Server 2008 or Windows Server 2008 R2; TMG needs to request a Web server certificate; the Web listener is configured to allow anonymous connections; give the Web listener a dedicated IP address; it cannot share a Web listener that is used to pre-authenticate published Web servers; if an internal CA is used, the CRL (Certificate Revocation List) must be published to clients over HTTP.

208 How Does SSTP VPN Work? (Process diagram.)

209 Lesson: Configuring Virtual Private Networking for Remote Sites Site-to-Site VPN Access Configuration Components About Choosing a VPN Tunneling Protocol How to Configure a Remote-Site Network Network and Access Rules for Site-to-Site VPNs How to Configure the Remote-Site VPN Gateway Server How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

210 Site-to-Site VPN Access Configuration Components
Component: Configuration
Choose a VPN protocol: Choose the appropriate protocol based on the security requirements and the VPN gateway servers
Configure a remote-site network: The remote-site network includes all IP addresses in the remote site
Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access
Configure network rules and access rules: Use access rules or publishing rules to make internal resources accessible to remote office users
Configure the remote-site VPN gateway: Configure the remote office VPN server to connect to TMG Server and to accept connections from TMG Server

211 About Choosing a VPN Tunneling Protocol
Protocol: Use to | Comments
IPSec Tunnel Mode: Connect to non-Microsoft VPN gateways | Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys
L2TP over IPSec: Connect to TMG Server or Windows RRAS VPN gateways | Requires user name and password and certificates or pre-shared keys for authentication
PPTP: Connect to TMG Server or Windows RRAS VPN gateways | Requires user name and password for authentication; less secure than L2TP over IPSec

212 About Choosing a VPN Tunneling Protocol

213 How to Configure a Remote-Site Network
Configuration option: Explanation
VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site
Remote VPN server: Enter the server name or IP address for the VPN gateway server in the remote site
Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server
L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel
Network address: Configure the IP address range for all of the computers in the remote-site network

214 Network and Access Rules for Site-to-Site VPNs. To enable network traffic across a site-to-site VPN: two system policy rules are enabled (Allow VPN site-to-site traffic to TMG Server; Allow VPN site-to-site traffic from TMG Server); create a network rule for remote-site networks; configure access rules or publishing rules enabling or restricting network access (for full access, allow all protocols through TMG Server; for limited access, configure access rules or publishing rules that define allowed network traffic).

215 How to Configure the Remote-Site VPN Gateway Server. To configure the remote-site VPN gateway server: configure the remote-site VPN gateway to use the same tunneling protocol; configure the connection to the main-site VPN gateway; configure network routing rules that enable or restrict the flow of network traffic between networks.

216 How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode. To configure site-to-site VPNs using IPSec tunnel mode: configure a local VPN gateway IP address used by the computer running TMG Server to listen for VPN connections; configure the VPN gateways to use a certificate or a pre-shared key for authentication; configure advanced IPSec settings to optimize VPN security.

217 Lesson: Configuring Quarantine Control Using Forefront TMG How Does Network Quarantine Control Work? About Quarantine Control on TMG Server How to Prepare the Client-Side Script How to Configure VPN Clients Using Connection Manager How to Prepare the Listener Component How to Enable Quarantine Control How to Configure Internet Authentication Service for Quarantine Control How to Configure Quarantine Access Rules

218 How Does Network Quarantine Control Work? (Diagram: TMG Server; DNS server, Web server, domain controller and file server on the internal network; quarantine script and RQC.exe on the client; VPN Quarantine Clients network and VPN Clients network; quarantine remote access policy.)

219 How to Enable VPN Clients Quarantine

220 About Quarantine Control on TMG Server. To implement quarantine control on TMG Server: 1. Create a client-side script that validates client configuration. 2. Use CMAK to create a CM profile for remote access clients. 3. Create and install a listener component. 4. Enable quarantine control on TMG Server. 5. Configure network rules and access rules for the Quarantined VPN Clients network.

221 How to Prepare the Client-Side Script. The client-side script: can be an executable file, a script, or a simple command file; contains a set of tests to ensure that the remote access client complies with network policy; runs Rqc.exe if all of the tests specified in the script are successful. Command for running Rqc.exe: rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion

222 How to Configure VPN Clients Using Connection Manager. To configure VPN clients using Connection Manager: configure a quarantine VPN client profile that includes a post-connect action that runs the client-side script, a client-side script that checks the client security configuration, and a notification component; distribute and install the client profile on all remote clients that require quarantined VPN access.

223 How to Prepare the Listener Component. ConfigureRQSforISA.vbs: installs RQS as a Network Quarantine Service; creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network; modifies registry keys on the computer running TMG Server so that RQS will work with TMG Server; starts the RQS service. Command for running ConfigureRQSforISA.vbs: Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe

224 Module 7: Implementing Caching

225 Overview Caching Overview Configuring General Cache Properties Configuring Cache Rules Configuring Content Download Jobs

226 Lesson: Caching Overview. What Is Caching? How Caching Works for Requests for New Objects; How Caching Works for Requests for Cached Objects; How Content Download Jobs Work; How Caching Is Implemented in Forefront TMG; Web Proxy Chaining and Caching.

227 What Is Caching? TMG Server caching stores a copy of requested Web content in the server memory or on the hard disk. TMG Server caching provides: improved performance (information is stored on the computer running TMG Server); reduced bandwidth usage (no additional Internet network traffic). TMG Server caching scenarios include: forward caching (Internet Web servers) and reverse caching (internal Web servers).

228 How Caching Works for Requests for New Objects. (Diagram: TMG Server with server RAM and server hard disk; numbered steps.)

229 How Caching Works for Requests for Cached Objects. (Diagram: TMG Server with server RAM and server hard disk.)

230 How Content Download Jobs Work. (Diagram: TMG Server with server RAM and server hard disk.)

231 How Caching Is Implemented in Forefront TMG. TMG Server caching optimizes Web caching performance by: using RAM and disk caching; maintaining the RAM cache in physical memory; maintaining a directory of cached items; using a single cache file; providing quick recovery; using efficient cache updates; providing automatic cleanup.

232 Web Proxy Chaining and Caching. (Diagram: Internet, head office, two branch offices.)

233 Lesson: Configuring General Cache Properties Caching Configuration Components How to Enable Caching and Configure Cache Drives How to Configure Cache Settings

234 Caching Configuration Components
Component: Explanation
Define cache drives: Enables caching by configuring a cache drive for storing the cached content
Configure caching settings: Modifies the default TTL and types of cached content
Configure caching rules: Enables unique caching policies for specific Web content
Configure content download jobs: Enables the prefetch of content before clients request it

235 How to Enable Caching and Configure Cache Drives Enable Caching

236 How to Enable Caching and Configure Cache Drives (cont.). Caching is disabled by default on Forefront TMG. When you enable caching, TMG Server creates a file on the hard disk with an initial size equal to the maximum cache size you chose.

237 Practice: Configuring General Cache Properties. Enabling Web caching on TMG Server; configuring Web caching on TMG Server. (Lab diagram: Internet, TMG-XX.)

238 Lesson: Configuring Cache Rules What Are Cache Rules? How to Create a Cache Rule Managing Cache Rules

239 Configuring cache details. In general there is a Default Cache rule; by default it is set to To: All Networks. Configure the HTTP and FTP settings; configure automatic downloads; configure the size of files stored in the cache for HTTP; configure the file size for FTP.

240 What Are Cache Rules?
Cache rule option: Default cache rule
Define the destination set that the rule applies to: Applies to all Web content
Define how content is returned to the user: Returns non-expired content to the user
Define whether content is stored in the cache: Caches the default cacheable objects
Define whether to cache HTTP, FTP, or both types of content: Enables caching of both HTTP and FTP content
Define the maximum size for cached objects: Does not apply any size restrictions to cached objects
Define whether to cache SSL content: Caches SSL content

241 How to Create a Cache Rule
Cache Rule Wizard page: Configuration options
Cache Rule Destinations: Use destination sets to define the Web content that this rule applies to
Content Retrieval: Defines how TMG Server responds to client requests if the content is or is not in cache
Cache Content: Defines the types of content TMG Server will cache
Cache Advanced Configuration: Defines the maximum size for cached objects and SSL response caching
HTTP Caching: Enables and configures TTL settings for HTTP content
FTP Caching: Enables and configures TTL settings for FTP content

242 Managing Cache Rules. Managing cache rules includes: modifying the cache rule configuration after creating the rule; modifying the cache rule order to evaluate cache rules for specific Web sites before cache rules for all Web sites; disabling or deleting cache rules that are no longer required; exporting the cache rule configuration before modifying the cache rules in case the modification is not successful.

243 Configuring the HTTP cache

244 HTTP Cache (Case 1)
[Diagram: Web Client, Web Server, steps 1 to 3; HTTP Header example: 1 Day]
Set 20% of TTL >> 24/5 = 4.8 Hours (Interval update)
Set 50% of TTL >> 24/2 = 12 Hours
Set Min & Max: 1 Hour & 24 Hours
Select 4.8 Hours for 20%
Select 12 Hours for 50%

245 HTTP Cache (Case 2)
[Diagram: Web Client, Web Server, steps 1 to 3; HTTP Header example: 1 Week]
Set 20% of TTL >> 7*24/5 = 33.6 Hours (Interval update)
Set 50% of TTL >> 7*24/2 = 86 Hours
Set Min & Max: 1 Hour & 24 Hours
Select 24 Hours for 20%
Select 24 Hours for 50%

246 HTTP Cache (Case 3)
[Diagram: Web Client, Web Server, steps 1 to 3; HTTP Header example: 2.5 Days]
Set 20% of TTL >> 2.5*24/5 = 12 Hours (Interval update)
Set 50% of TTL >> 2.5*24/2 = 30 Hours
Set Min & Max: 1 Hour & 24 Hours
Select 12 Hours for 20%
Select 24 Hours for 50%

247 Content Retrieval
Option 1: If the content is cached and has not yet expired, it is served from the cache; if it is not cached, the request goes to the external Web site.
Option 2: If the content is cached, it is returned whether or not it has expired; if it is not cached, the request goes to the external Web site.
Option 3: Only content already stored in the cache is used; if it is not cached, the request is not allowed out to the external site.
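The TTL arithmetic in the three HTTP Cache cases (slides 244 to 246) and the three Content Retrieval behaviours on slide 247, worked through as an added Python example. This is illustrative code written for this transcript, not TMG's own implementation. It assumes the rule the slides show: the TTL is the configured percentage of the expiry interval carried in the HTTP header, then clamped to the configured minimum and maximum; the function names, the hour-based clock and the retrieval-mode names are constructed for the example. The 50% figure for the one-week case is computed here directly from 168 hours and, like the 20% figure, lands on the 24-hour maximum.

```python
"""Added example: TMG-style HTTP cache TTL selection and content-retrieval decisions.

Illustrative code for this transcript, not TMG's implementation. The TTL rule
(percentage of the header interval, clamped to [min, max]) follows the Case 1-3
slides; the retrieval modes mirror the three Content Retrieval options.
"""
from dataclasses import dataclass
from enum import Enum

HOURS_PER_DAY = 24


def select_ttl_hours(header_hours: float, percent: float,
                     min_hours: float, max_hours: float) -> float:
    """Return the TTL to use: `percent` of the header's expiry interval,
    raised to `min_hours` or lowered to `max_hours` when it falls outside them."""
    if header_hours < 0 or not (0 < percent <= 100):
        raise ValueError("header interval must be >= 0 and percent in (0, 100]")
    if min_hours > max_hours:
        raise ValueError("minimum TTL cannot exceed maximum TTL")
    raw = header_hours * percent / 100.0
    return max(min_hours, min(max_hours, raw))


def slide_cases() -> dict:
    """Reproduce the three slide cases (header 1 day, 1 week, 2.5 days) with
    min 1 hour and max 24 hours, for both the 20% and 50% settings."""
    cases = (("case1", 1 * HOURS_PER_DAY),
             ("case2", 7 * HOURS_PER_DAY),
             ("case3", 2.5 * HOURS_PER_DAY))
    return {name: {pct: select_ttl_hours(hours, pct, 1, 24) for pct in (20, 50)}
            for name, hours in cases}


class RetrievalMode(Enum):
    """Constructed names for the three Content Retrieval options (assumption)."""
    VALID_ONLY = 1    # serve only a non-expired copy; otherwise fetch from the origin
    ANY_VERSION = 2   # serve any cached copy, expired or not; otherwise fetch from origin
    CACHE_ONLY = 3    # serve only from cache; never contact the origin


@dataclass
class CacheEntry:
    stored_at_hours: float   # time the object entered the cache (hours on an arbitrary clock)
    ttl_hours: float         # TTL chosen by select_ttl_hours()

    def is_valid(self, now_hours: float) -> bool:
        return now_hours < self.stored_at_hours + self.ttl_hours


def retrieval_decision(mode: RetrievalMode, entry, now_hours: float) -> str:
    """Return 'serve-cache', 'fetch-origin' or 'drop' for a request, given the
    cache rule's retrieval mode and the cached entry (None if nothing is cached)."""
    if entry is None:
        return "drop" if mode is RetrievalMode.CACHE_ONLY else "fetch-origin"
    if mode is RetrievalMode.VALID_ONLY and not entry.is_valid(now_hours):
        return "fetch-origin"
    return "serve-cache"


if __name__ == "__main__":
    for name, ttls in slide_cases().items():
        print(name, {f"{pct}%": f"{ttl:g} h" for pct, ttl in ttls.items()})
    entry = CacheEntry(stored_at_hours=0, ttl_hours=select_ttl_hours(24, 50, 1, 24))
    for mode in RetrievalMode:
        print(mode.name, retrieval_decision(mode, entry, now_hours=13))
```

Note that the minimum clamp matters as much as the maximum: a header expiry of one hour at 20% would give a 12-minute TTL, which the 1-hour minimum raises, so short-lived objects are refreshed no more often than the administrator intended.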

248 Practice: Configuring Cache Rules Configuring cache rules on TMG Server Internet TMG-XX

249 Lesson: Configuring Content Download Jobs What Are Content Download Jobs? How to Create a Content Download Job Managing Content Download Jobs

250 What Are Content Download Jobs?
Content download jobs:
Allow you to schedule content for download at a specific time even if no user on the network has requested the content
Improve Internet access performance
Can be used to download content to the branch office during nonworking hours
Can be used to ensure access to critical Internet content even when the Internet connection is not available

251 How to Create a Content Download Job
Content Download Job Wizard page / Configuration options:
Download Frequency: defines a schedule for when the content download will occur
Content Download: defines the content that will be downloaded; includes the maximum links, objects, and concurrent connections used for downloads
Content Caching: defines what types of content to cache; defines the TTL for cached content

252 Managing Content Download Jobs
Managing content download jobs includes:
Modifying the content download job configuration after creating the job
Starting content download jobs outside the scheduled time or stopping content download jobs that are running
Disabling or deleting content download jobs that are no longer required

253 Practice: Configuring Content Download Jobs
Creating a Content Download Job
[Diagram: Internet, TMG-XX, Internet-Web-XX]

254 Module 8: Monitoring Forefront TMG

255 Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring Reports Monitoring Connectivity Monitoring Services and Performance

256 About Monitoring the Server Running TMG Server
TMG Server monitoring tasks include:
Task / Description:
Monitor Event Viewer: includes information about service failures, application errors, and warnings
Use the TMG Server Dashboard: single interface for ISA alerts and performance
Review the TMG Server Alerts: includes information about service conditions and error conditions
Monitor Connectivity to Network Services: monitor connectivity to Active Directory, DNS servers, internal Web servers, and selected Internet Web servers
Monitor Server Performance: use the pre-configured TMG Server Performance Monitor console

257 Lesson: Monitoring Overview Why Implement Monitoring? TMG Server Monitoring Components Designing a Monitoring and Reporting Strategy Using the TMG Server Dashboard for Monitoring

258 Why Implement Monitoring?
Use monitoring to:
Monitor traffic between networks to ensure that only legitimate traffic passes between networks
Troubleshoot network connectivity between TMG Server clients, servers, and networks
Collect information about attacks and detect attacks as they occur
Plan future modifications to the TMG Server or Internet access infrastructure

259 TMG Server Monitoring Components
Component / Explanation:
Alerts: monitors TMG Server for configured events and then performs actions when the specified events occur
Sessions: provides information on the current client sessions
Logging: provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener
Reports: summarizes information about the usage patterns on TMG Server
Connectivity: monitors connections from TMG Server to any other computer or URL on any network
Performance: monitors server performance in real time, creates a log file of server performance, or configures performance alerts

260 Designing a Monitoring and Reporting Strategy
When / Determine:
Monitoring real-time information: which events should trigger an alert; the event threshold before the alert is triggered; the information that you need to monitor server performance
Collecting long-term information: the information you need to monitor server performance over time; the information you need to monitor server usage; the information you need to monitor security events
Developing a response strategy: how to respond to the critical events that occur on the TMG Server

261 Using the TMG Server Dashboard for Monitoring
[Screenshot callouts: Monitor Alert, Monitor Session, Monitor Update, Monitor Service, Monitor Performance]

262 Lesson: Configuring Alerts What Is an Alert? How to Configure Alert Definitions How to Configure Alert Events and Conditions How to Configure Alert Actions Alert Management Tasks

263 What Is an Alert?
An alert is:
A notification of an event or action that has occurred on TMG Server
Triggered according to the conditions and trigger thresholds specified for the event associated with the alert
When a server event takes place and records an alert:
The TMG Server Management console displays the alert in the Alerts view
An entry appears in the Alerts view with column headings such as type of alert, date and time, status, and category

264 How to Configure Alert Definitions

265 How to Configure Alert Category and Actions

266 Alert Management Tasks
Alerts are managed by performing the following tasks:
Reset registered alerts
Acknowledge registered alerts
When you configure an alert to stop the TMG Server Firewall Service, TMG Server goes into a lockdown mode. While in lockdown mode, TMG Server blocks most network traffic
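An added Python example of the alert behaviour described in slides 263 and 266: an alert definition with trigger thresholds, the event stream that fires it, and the reset and acknowledge tasks. This is illustrative code for this transcript, not TMG's code or its alert-definition schema. The two threshold kinds modelled here (a number of occurrences, or a number of events per second over a sliding window), the rule that a fired alert does not fire again until it is reset, and all names are assumptions made for the example.

```python
"""Added example: a small alert-definition evaluator (illustrative, not TMG's code).

Assumptions: an alert fires when its event has occurred `occurrences` times, or
when the event rate over `window_seconds` exceeds `events_per_second` (0 = off).
Once fired it stays registered, can be acknowledged, and fires again only after
a reset. Times are plain seconds on an arbitrary clock.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AlertDefinition:
    name: str
    occurrences: int = 1            # fire after this many events since the last reset
    events_per_second: float = 0.0  # fire if the windowed rate exceeds this (0 = disabled)
    window_seconds: float = 1.0     # sliding window used for the rate threshold


@dataclass
class AlertState:
    definition: AlertDefinition
    count: int = 0
    recent: deque = field(default_factory=deque)   # event times inside the window
    triggered: bool = False
    acknowledged: bool = False

    def record_event(self, now: float) -> bool:
        """Feed one event; return True on the call that fires the alert."""
        if self.triggered:
            return False            # already registered; wait for a reset
        self.count += 1
        self.recent.append(now)
        window = self.definition.window_seconds
        while self.recent and now - self.recent[0] > window:
            self.recent.popleft()   # drop events that fell out of the window
        rate = len(self.recent) / window
        d = self.definition
        hit_count = self.count >= d.occurrences
        hit_rate = d.events_per_second > 0 and rate > d.events_per_second
        if hit_count or hit_rate:
            self.triggered = True
            return True
        return False

    def acknowledge(self) -> bool:
        """Mark a registered alert as seen; it stays registered until reset."""
        if not self.triggered:
            return False
        self.acknowledged = True
        return True

    def reset(self) -> None:
        """Clear the alert so the same event can trigger it again."""
        self.count = 0
        self.recent.clear()
        self.triggered = False
        self.acknowledged = False


def replay(definition: AlertDefinition, event_times) -> list:
    """Return the indexes of the events at which the alert fired, resetting after each."""
    state = AlertState(definition)
    fired_at = []
    for i, t in enumerate(event_times):
        if state.record_event(t):
            fired_at.append(i)
            state.reset()
    return fired_at


if __name__ == "__main__":
    by_count = AlertDefinition("three failed logons", occurrences=3)
    print(replay(by_count, [0, 10, 20, 30, 40, 50]))          # [2, 5]
    by_rate = AlertDefinition("burst", occurrences=1000, events_per_second=2, window_seconds=1.0)
    print(replay(by_rate, [0.0, 0.1, 0.2, 5.0, 5.1]))          # [2]
```

The `replay` helper shows the difference between the two thresholds on the same stream: a count threshold fires on every third event regardless of spacing, while a rate threshold ignores events spread out over time and only fires on a burst.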

267 Practice: Configuring and Managing Alerts Creating a New Alert Definition Modifying an Existing Alert Definition Internet TMG-XX

268 Lesson: Configuring Session Monitoring What Is Session Monitoring? About Managing Sessions How to Configure Session Filtering

269 What Is Session Monitoring?
Session monitoring:
Provides real-time information about client sessions hosted through TMG Server
Includes information on: when the session was established; the session type; the source network; the client user name and computer name
Provides the ability to immediately stop any unwanted sessions

270 About Managing Sessions
[Screenshot callouts: Use these options to manage sessions; Right-click a session to disconnect it]

271 How to Configure Session Filtering
[Screenshot callouts: Add multiple filters; Configure filters to view specific sessions]

272 Practice: Configuring Session Monitoring Monitoring Sessions Applying a Session Filter Internet ClientXX TMG-XX DC-01 Internet-Web-XX

273 Lesson: Configuring Logging What Is Logging? Log Storage Options How to Configure Logging How to View TMG Server Logs How to Configure Log Filter Definitions

274 What Is Logging?
The logging feature:
Provides extended log storage to generate reports, analyze trends, or investigate security issues
Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging
Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs

275 Log Storage Options
Log storage option / Explanation:
MSDE: logs can be viewed in the log viewer; default format for Web proxy and Firewall Service logs
SQL database: logs can be stored on a separate server; logs can be analyzed by using database tools
File: logs can be stored in W3C or TMG Server format; only available format for SMTP message screener logs
The MSDE and log files are stored by default in the ISALogs folder, which is located in the TMG Server installation folder

276 How to Configure Logging
[Screenshot callouts: Configure log storage format; Configure the information captured in the logs]

277 How to View TMG Server Logs

278 How to Configure Log Filter Definitions
[Screenshot callouts: Configure filters to view specific log entries; Load/Save filters]

279 Lesson: Configuring Reports What Are Reports? How to Configure the Report Summary Database How to Generate a Report How to Create a Recurring Report Job How to View Reports How to Publish Reports

280 What Are Reports?
Use reporting to summarize and analyze:
Who is accessing the Internet, as well as which Web sites are being accessed
Which protocols and applications are being used most often
General traffic patterns
The cache hit ratio
Reports can be generated immediately
Reports need to be scheduled to generate on a recurring basis
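An added Python example that ties the file-based W3C log storage option (slide 275) to the kind of summary the reporting lesson describes (slide 280): a parser for the W3C extended log format, run over a constructed sample log, producing who accessed which sites and where requests were denied. This is illustrative code written for this transcript, not TMG's log reader or report engine. The sample log lines and the field list in the `#Fields:` directive are constructed for the example and are not TMG's documented log schema; only the format conventions (a `#Fields:` directive naming space-separated columns, other `#` directives ignored) are the real W3C extended-format rules.

```python
"""Added example: summarising a W3C extended-format log (illustrative, not TMG's code).

The sample log and its field list are constructed for this example. The parser
reads the '#Fields:' directive to name the columns, skips other '#' directives,
and the summary answers the reporting questions on slide 280 using only fields
present in the constructed header.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample; field names chosen for the example, not TMG's schema.
SAMPLE_LOG = """\
#Software: constructed sample for this example
#Version: 1.0
#Fields: date time c-ip cs-username cs-uri sc-status action
2024-01-10 08:00:01 10.0.0.5 CONTOSO\\alice http://www.example.com/index.html 200 Allowed
2024-01-10 08:00:02 10.0.0.5 CONTOSO\\alice http://www.example.com/logo.png 200 Allowed
2024-01-10 08:00:05 10.0.0.7 CONTOSO\\bob http://updates.example.net/patch.cab 200 Allowed
2024-01-10 08:00:09 10.0.0.7 CONTOSO\\bob http://blocked.example.org/ 403 Denied
2024-01-10 08:00:12 10.0.0.9 anonymous http://www.example.com/ 407 Denied
"""


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields directive.
    A #Fields directive may appear again mid-file (log rotation); the latest wins."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no data
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()             # W3C values are space-delimited
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        yield dict(zip(fields, values))


def summarize(records) -> dict:
    """Build the report-style summary: sites per user, denials per client, status mix."""
    sites_by_user = defaultdict(Counter)
    denied_by_client = Counter()
    status_counts = Counter()
    total = 0
    for rec in records:
        total += 1
        host = urlsplit(rec["cs-uri"]).hostname or rec["cs-uri"]
        sites_by_user[rec["cs-username"]][host] += 1
        status_counts[rec["sc-status"]] += 1
        if rec["action"] == "Denied":
            denied_by_client[rec["c-ip"]] += 1
    return {
        "total": total,
        "sites_by_user": {u: dict(c) for u, c in sites_by_user.items()},
        "denied_by_client": dict(denied_by_client),
        "status_counts": dict(status_counts),
    }


def report_sample() -> dict:
    """Run the parser and summary over the constructed sample log."""
    return summarize(parse_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    summary = report_sample()
    print(f"{summary['total']} requests")
    for user, sites in summary["sites_by_user"].items():
        print(f"  {user}: {sites}")
    print("  denied by client:", summary["denied_by_client"])
    print("  status codes:", summary["status_counts"])
```

Summaries like this are the point of the file format option: once the columns are named by the `#Fields:` directive, the same parser handles a log whose field set differs from the sample, which is what lets a log analysis tool, rather than the TMG console, produce the report.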

281 How to Configure the Report Summary Database
[Screenshot callouts: Select to enable log summaries; Configure the number of saved summaries; Configure the summary files location]

282 How to Generate a Report
[Screenshot callouts: Configure the content to include in the report; Configure the time period included in the report; Configure where the report will be stored]

283 How to Create a Recurring Report Job
[Screenshot callouts: Configure the content to include in the recurring report; Configure when the recurring report will run]

284 How to View Reports
Reports can be viewed:
Only on the computer running TMG Server Management
By double-clicking the report name in the Report view of TMG Server Management

285 How to Publish Reports You can publish reports to a shared folder where users without TMG Server Management installed can view the reports

286 Practice: Configuring Reports Generating a Report Creating a Recurring Report Job Internet ClientXX TMG-XX DC-01 Internet-Web-XX

287 Lesson: Monitoring Connectivity How Does Connectivity Monitoring Work? Configuring Connectivity Monitoring

288 How Does Connectivity Monitoring Work?
Connectivity monitoring:
Uses connectivity verifiers to monitor connections from TMG Server to other servers or URLs
Can be configured to use any of the following connection methods:
Ping to check for simple network connectivity
TCP connection to verify that a service is running on the destination server
HTTP GET request to verify that a Web server is running on the destination server
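The three verification methods above, as an added Python example of what a connectivity verifier does for each of them. This is illustrative code for this transcript, not TMG's verifier. ICMP ping needs a raw socket, so this example reports it as unsupported rather than faking a result; the TCP and HTTP GET checks are real and are exercised against a throwaway local HTTP server so the example runs offline. All function names and the local server are constructed for the example.

```python
"""Added example: TCP-connect and HTTP-GET connectivity verifiers (illustrative, not TMG's code).

Each verifier returns (ok, detail). The local HTTP server exists only so the
example can be run without network access; point the verifiers at real hosts
to use them as a check. ICMP ping is reported as unsupported here because it
needs a raw socket.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def verify_tcp(host: str, port: int, timeout: float = 2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)


def verify_http(url: str, timeout: float = 2.0):
    """True if an HTTP GET returns a 2xx/3xx status; HTTP errors yield their code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400, f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:        # 4xx/5xx: the server answered, but badly
        return False, f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:   # refused, timed out, unresolved
        return False, str(exc)


def verify_ping(host: str):
    """ICMP echo is not attempted here: it requires a raw socket (assumption for the example)."""
    return False, "ICMP echo requires raw sockets; not implemented in this example"


class _Handler(BaseHTTPRequestHandler):
    """Throwaway local server: 200 for '/', 404 for anything else."""
    def do_GET(self):
        self.send_response(200 if self.path == "/" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass                                        # keep the example quiet


def start_local_server():
    """Start the throwaway server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port() -> int:
    """A loopback port with nothing listening (bound briefly, then released)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_verifiers(port: int) -> dict:
    """Run each method against the local server; returns name -> (ok, detail)."""
    base = f"http://127.0.0.1:{port}"
    return {
        "ping": verify_ping("127.0.0.1"),
        "tcp": verify_tcp("127.0.0.1", port),
        "http-root": verify_http(f"{base}/"),
        "http-missing": verify_http(f"{base}/missing"),
    }


if __name__ == "__main__":
    server, port = start_local_server()
    try:
        for name, (ok, detail) in run_verifiers(port).items():
            print(f"{name:13s} {'OK  ' if ok else 'FAIL'} {detail}")
    finally:
        server.shutdown()
```

The HTTP GET check is stricter than the TCP check in a useful way: the `/missing` case shows a server that accepts connections but answers 404, which a TCP-only verifier would report as healthy.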

289 Configuring Connectivity Monitoring
[Screenshot callouts: Configure the URL or server to connect to; Configure the method used to test connectivity]

290 Practice: Configuring Connectivity Monitoring Configuring Connectivity Monitoring Internet TMG-XX

291 Lesson: Monitoring Services and Performance Monitoring TMG Server Services Performance Monitoring with TMG Server

292 Monitoring TMG Server Services

293 Performance Monitoring with TMG Server
Performance object / Explanation:
TMG Server Packet Engine: includes performance counters to monitor connections and throughput for the firewall engine
TMG Server Cache: includes performance counters to monitor the memory, disk, and URL activity associated with the cache, as well as cache performance
TMG Server Firewall Service: includes counters to monitor Firewall service connections and associated services such as DNS. This object monitors only TMG Client connections
TMG Server Web Proxy Service: includes counters to monitor the number of users and the rate at which TMG Server transfers data for Web Proxy clients to remote and upstream servers
Monitor the TMG Server counters as well as other performance counters to determine server performance and bottlenecks

294 Example: Performance Monitoring with TMG Server You can monitor TMG Server resources by selecting individual performance objects and counters.

295 Lab: Monitoring TMG Server Exercise 1: Testing the Alerts Feature Exercise 2: Testing the Reporting Feature Exercise 3: Testing the Connectivity Monitoring Feature Internet TMG-XX

296 THANK YOU

