Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forefront Threat Management Gateway 2010

Similar presentations


Presentation on theme: "Forefront Threat Management Gateway 2010"— Presentation transcript:

1 Forefront Threat Management Gateway 2010

2 Introduction to Forefront TMG
2

3 Forefront TMG Value Proposition
Comprehensive Firewall – Control network policy access at the edge Secure Web Gateway – Protect users from Web browsing threats Secure Relay – Protect users from threats Remote Access Gateway – Enable users to remotely access corporate resources Intrusion Prevention – Protect desktops and servers from intrusion attempts Integrated Simplified 3

4 Features Summary VoIP traversal Enhanced NAT ISP link redundancy
Firewall HTTP antivirus/ antispyware URL filtering HTTPS forward inspection Secure Web Access Exchange Edge integration Antivirus Antispam Protection Network inspection system Intrusion Prevention NAP integration with client VPN SSTP integration Remote Access Array management Change tracking Enhanced reporting W2K8, native 64-bit Deployment and Management Malware protection Intrusion prevention Subscription Services 4

5 Deployment Scenarios Networks External DMZ External DMZ Internal
Forefront TMG networks represent your corporate network topology. Generally, a network is defined for each network adapter installed and enabled on the computer. Networks that do not require associated network adapters are the Local Host network, which represents Forefront TMG, and virtual private networks. When deployed at the edge of your network, Forefront TMG should be configured with at least two network adapters: One connected to the Forefront TMG Internal network that represents the main corporate network. One connected to the Forefront TMG External network that usually represents the Internet. The External network is defined dynamically, based on the IP address ranges of other networks. You can configure the IP address range and other properties of the Internal network. If three or more adapters are available, you can also configure the properties of one or more perimeter networks. You can configure a dial-up connection on one network only (for example, to dial up for Internet access). Local Host VPN Clients Internal

6 Deployment Scenarios Network Sets DMZ Networks
A Network Set is set of one or more networks. You can use network sets to specify a source or destination in firewall policy rules.

7 Deployment Scenarios Single Adapter Local Host VPN Clients Internal

8 Forefront TMG as a Secure Web Gateway
URL Filtering, Malware Inspection, NIS Competitive Feature Set Easily Manageable Integrated Logging & Reporting Support Scalable Array Support, Load balancing Web Access Wizard, Task Oriented New reports, log fields Policy Management, Directory Services Integration, Licensing

9 Secure Web Gateway Layered Security
Windows Server® 2008 / R2 Unifies inspection technologies to: Protect against multi-channel threats Simplify deployment Keeps security up to date with updates to: Web antimalware URL filtering Network Inspection System Logging & Reporting Malware Inspection URL Filtering Application Layer Proxy Network Inspection System HTTPS Inspection The following new Forefront TMG features support the Secure Web Gateway role: Web antimalware is part of a Web Protection subscription service for Forefront TMG. Web antimalware scans Web pages for viruses, malware, and other threats. URL filtering allows or denies access to Web sites based on URL categories (such as pornography, drug, hate, or shopping). Organizations can not only prevent employees from visiting sites with known malware, but also protect business productivity by limiting or blocking access to sites that are considered productivity distractions. URL filtering is also part of the Web Protection subscription service. Network Inspection System (NIS) enables traffic to be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimizing false positives. Protections can be updated as needed. HTTPS inspection enables HTTPS-encrypted sessions to be inspected for malware or exploits. Specific groups of sites (for example, banking sites) can be excluded from inspection for privacy reasons. Users of the Forefront TMG client can be notified of the inspection. Logging and reporting – Forefront TMG collects log information for traffic handled by the Microsoft Firewall service and by the Web Proxy filter, and generates reports that summarize and analyze log information. It also provides the ability to send runtime event alerts (both pre-defined system alerts and custom alerts).

10 HTTPS Inspection

11 How HTTPS Inspection Works
Enable HTTPS inspection Generate trusted root certificate Install trusted root certificate on clients contoso.com https://contoso.com https://contoso.com Intercept HTTPS traffic Validate contoso.com server certificate Generate contoso.com server proxy certificate on TMG Copy data from the original server certificate to the proxy certificate Sign the new certificate with TMG trusted root certificate [TMG manages a certificate cache to avoid redundant duplications] Pretend to be contoso.com for client Bridge HTTPS traffic between client and server

12 HTTPS Traffic Inspection Process
URL Filtering Malware Inspection Network Inspection System SSL SSL To provide HTTPS protection, Forefront TMG acts as an intermediary between the client computer that initiates the HTTPS connection and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following: Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site’s server certificate. Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate. Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it. Because the HTTPS inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session. HTTPS Inspection terminates the SSL traffic at the proxy for both ends, and inspects the traffic against different threats Trusted certificate generated by proxy matching the URL expected by the client

13 HTTPS Inspection Notifications
Notification provided by Forefront TMG client Notify user of inspection History of recent notifications Management of Notification Exception List May be a legal requirement in some geographies To receive notifications of HTTPS inspection, client computers must have the HTTPS inspection trusted root certification authority (CA) certificate installed in the local computer’s Trusted Root Certification Authorities certificate store. If the certificate is not installed in this specific certificate store, the user will not receive balloon notifications of HTTPS inspection. To enable HTTPS inspection notifications on Forefront TMG server In the Forefront TMG Management console, in the tree, click the Web Access Policy node. In the Tasks pane, click Configure HTTPS Inspection. On the Client Notification tab, click Notify users that HTTPS inspection is being inspected, and then click OK. To enable HTTPS inspection notification on Forefront TMG Client 1. On the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.

14 HTTPS Inspection Notification
User Experience Notifications are shown as a balloon by the Forefront TMG client. The user may also ask the browser to display the web site certificate information, which will be shown as issued by Forefront TMG.

15 URL Filtering

16 URL Filtering Integrates leading URL database providers
TMG Integrates leading URL database providers Subscription-based 91 built-in categories Predefined and administrator defined category sets Customizable, per-rule, deny messages URL filtering identifies certain types of Web sites (for example, known malicious sites and sites that display inappropriate or pornographic materials) and allows or blocks access to the sites based on predefined URL categories. The default categorization of a specific Web site is determined by the Microsoft Reputation Service (MRS) and can be edited by the Forefront TMG system administrator. When a request to access a Web site is received, Forefront TMG queries MRS to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request. When users request access to a Web site to which access is blocked, they receive a denial notification that includes the denied request category. In some cases, users may contact the administrator to dispute the categorization of the Web site. In such a case, you can check whether the URL was categorized properly. If the Web site was not categorized correctly, you can create a custom setting for this URL. For more information, see the Microsoft TechNet article Introduction to managing URL filtering (http://technet.microsoft.com/en-us/library/dd aspx). Forefront TMG features over 70 URL categories. A URL category is a collection of URLs that match a pre-defined criterion, such as, malicious, anonymizers, or illegal drugs. Categories are grouped by category sets, which can be used to simplify the configuration of Forefront TMG policies. Forefront TMG uses Microsoft Reputation Service (MRS), a cloud-based object categorization system hosted in Microsoft data centers, to categorize the URLs that users request. MRS is designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions. MRS maintains a database with tens of millions of unique URLs and their respective categories. URL category override URL category query Logging and reporting support Web Access Wizard integration

17 URL Filtering Benefits
2009 MVP Global Summit 4/14/2017 9:10 AM URL Filtering Benefits Control user web access based on URL categories Protect users from known malicious sites Reduce liability risks Increase productivity Reduce bandwidth and Forefront TMG resource consumption Analyze Web usage Utilizes Microsoft Reputation Service The benefits of applying URL filtering include: Enhancing your security by preventing access to malicious sites (such as phishing sites). Lowering liability risks by preventing access to sites that display inappropriate materials (such as, hate, criminal activities, or pornography sites). Improving the productivity of your organization, by preventing access to non-productive sites (such as games or instant messaging). Using URL filtering related reports and log entries to learn about the Web usage in your organization (such as the most commonly browsed URL categories). Excluding sites from inspection by the HTTPS and malware inspection mechanisms (such as excluding financial sites from HTTPS inspection because of privacy considerations). © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18 How TMG Uses Microsoft Reputation Service
Multiple Vendors Microsoft Datacenters MRS Federated Query Combines with Telemetry Data Telemetry Path (also SSL) SSL Fetch on cache miss SSL for auth & privacy No PII Feedback mechanism on Category overrides Cache: Persistent In-memory Weighted TTL Cache Query (URL) Fetch URL Categorizer Policy

19 What Makes MRS Compelling?
Existing URL filtering solutions Single vendor cant be expert in all categories Categorization response time MRS unique architecture MRS merges URL databases from multiple sources/vendors Multi-vendor AV analogy Based on Microsoft internal sources as well as collaboration with third party partners Scalable Ongoing collaborative effort Recently announced an agreement with Marshal8e6 More announcements to follow The Microsoft Reputation Service (MRS) team wanted to confront an inherent problem with traditional URL filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors, each one specializing in a specific area of the solution. Some vendors specialize in identifying malicious sites and spam URLs, while others are rich with productivity related categories. Some specialize in covering the Internet's long tail (see while others provide quick classification of previously unknown sites. Some use human-based classification, and others use machine-based techniques. Some are great with Web2.0 style URLs, and the list goes on. Even those vendors who employ several classification techniques and cover multiple categories can't deal with the huge and ever-expanding challenges of today's Web. MRS team's idea was simple: Let's leverage complementary capabilities of different vendors/sources to create a unified database that is best suited to deal with the challenges described above. And so, they have implemented a scalable architecture that allows incorporation of multiple streams of data into a merged database. In this way, each vendor and source brings its unique strengths to create a common solution. MRS already integrates several data sources and others will be on-boarded in the following months. Some of these data sources are internal to Microsoft, and others are the result of collaboration with third party partners. One such agreement, announced during RSA, is an agreement with Marshal8e6. (see this link for more information: But the real benefit of MRS is that because it is a Web service, and because of its unique architecture, MRS can easily incorporate new databases in a way that is completely transparent to its customers. We expect the MRS unified database to expand over time and become the recognized industry leader. Forefront TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.

20 URL Filtering Categories
Security Liability Productivity

21 Per-rule Customization
TMG administrator can customize denial message displayed to the user on a per-rule basis Add custom text or HTML Redirect the user to a specific URL

22 URL Category Override To change a domain's categorization, copy the URL or IP address, and click the URL Category Override tab. For more information, see the Microsoft TechNet article Overriding URL categorization (http://technet.microsoft.com/en-us/library/dd aspx). Administrator can override the categorization of a URL Feedback to MRS via Telemetry

23 User Experience http://www.phishingsite.com
In this example, the user receives a phishing message that persuades the user to click on a link to

24 User Experience HTML tags
URL filtering identifies the link as a known phishing site and blocks the user from connecting to it. The Forefront TMG administrator can customize the message displayed to the user by adding custom text or HTML. Or the administrator can redirect the user to a specific URL (for example, a page displaying the organization’s web access policy). 24

25 Malware Inspection

26 HTTP Malware Inspection
TMG Integrates Microsoft Antivirus engine Signature and engine updates Subscription-based Third party plug-ins can be used (native Malware inspection must be disabled) Content delivery methods by content type Source and destination exceptions Global and per-rule inspection options (encrypted files, nested archives, large files…) Logging and reporting support Web Access Wizard integration

27 Malware Inspection Filter
Content Trickling Firewall Service GET msrdp.cab GET msrdp.cab Web Proxy 200 OK 200 OK Malware Inspection Filter Request Context Accumulated Content Accumulated Content Accumulated Content Accumulated Content Accumulated Content Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content: Trickling Forefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected. Scanner

28 Malware Scanner Behavior
High Partial inspection for Standard Trickling Final inspection for files smaller than 1 MB when Progress Page is not used Normal Partial inspection for Fast Trickling Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used Low Final inspection when Progress Page is used Final inspection for files larger than 50 MB Low Priority Queue Normal Priority Queue High Priority Queue Antimalware Engine

29 Malware Inspection Per-rule Overrides
The Forefront TMG administrator can override the general malware inspection settings on a per Web access rule basis.

30 User Experience Content Blocked

31 User Experience Progress Notification Progress notification
Forefront TMG sends an HTML page to the client computer, that informs the user that the requested content is being inspected, and displays a summary of the download and inspection progress. After the content has been download and inspected, the page informs the user that the content is ready, and displays a button that the user can click to download the content. 31

32 Network Inspection System (NIS)

33 Network Inspection System (NIS)
Microsoft Engineering Excellence Network Inspection System (NIS) Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions) Detects and potentially block attacks on network resources NIS helps organizations reduce the vulnerability window Protect machines against known vulnerabilities until patch can be deployed Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window Integrated into Forefront TMG Synergy with HTTPS Inspection NIS is a protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities (researched and developed by Microsoft Malware Protection Center - NIS Response Team) in addition to an operational signature distribution channel which enables dynamic signature snapshot distribution. For more information, see the Microsoft Malware Protection Center Threat Research & Response Blog (http://blogs.technet.com/mmpc/) The main differentiator in NIS is Signature Quality (minimum false positive and false negative) on Microsoft-focused vulnerabilities. NIS vulnerability signatures (versus exploit-based) cover all types of exploit attacks which exploit vulnerability in contrast to attacks that exploit specific detections (which are susceptible to evasion). Microsoft Confidential

34 New Vulnerability Use Case
Vulnerability is discovered Response team prepares and tests the vulnerability signature Signature released by Microsoft and deployed through distribution service, on security patch release All un-patched hosts behind Forefront TMG are protected Signature Authoring Team Corporate Network Vulnerability Discovered Signature Distribution Service TMG Signature Authoring Testing

35 Network Inspection System Architecture
Design Time GAPA Language Compiler Signatures & Protocol Parsers Protocol Parsers Signatures Microsoft Update Run Time Aim of Telemetry: Understand current malware landscape Improve signature quality TMG sends: Signature Matches Protocol Parse Errors No PII in Basic Mode Encourage customers to use it. Telemetry and Portal Network Interception NIS Engine

36 NIS Response Process Targeting 4 hours
Threat Identification Threat Research Signature Development Signature Testing Encyclopedia Write-up Signature Release Targeting 4 hours The Microsoft Malware Protection Center (MMPC) identify threats based on information received from various sources, including Microsoft Telemetry Service. When Malware Protection or NIS identifies an attack or potential malware, it reports information to Microsoft about the potential attack. This information is stored and analyzed by Microsoft to help identify attack patterns and improve precision and efficiency of threat mitigations. Based on this information, the MMPC develops a NIS signature for the vulnerability. This signature is tested to confirm that it properly identifies the threat and does not cause false positives, and then it is released through Microsoft Update.

37 Other Network Protection Mechanisms
Common OS attack detection DNS attack filtering IP option filtering Flood mitigation Forefront TMG also includes other network protection mechanisms in addition to NIS:

38 DNS Attack Filtering Enables the following checks in DNS traffic:
DNS host name overflow – DNS response for a host name exceeding 255 bytes DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes DNS zone transfer – DNS request to transfer zones from an internal DNS server The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network and other protected networks. If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity: DNS host name overflow – When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer. DNS length overflow – When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response. DNS zone transfer – A client system uses a DNS client application to transfer zones from an internal DNS server. When offending packets are detected, they are dropped and an event that triggers a DNS Intrusion alert is generated. You can configure the alerts to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually

39 IP Options Filtering Forefront TMG can block IP packets based on the IP options set Deny all packets with any IP options Deny packets with the selected IP options Deny packets with all except selected IP options Forefront TMG can also block fragmented IP packets Forefront TMG can drop all IP packets with any IP option in their header, all IP packets that have any of a list of selected IP options in their header, or all IP packets whose header contains any IP option that is not in the list of selected IP options. Forefront TMG can also drop all IP fragments. This topic includes procedures for enabling IP options filtering and IP fragment filtering. For more information about IP options filtering and IP fragment filtering, see the Microsoft TechNet article Overview of intrusion detection (http://technet.microsoft.com/en-us/library/cc aspx).

40 Flood Mitigation Forefront TMG flood mitigation mechanism uses:
Connection limits that are used to identify and block malicious traffic Logging of flood mitigation events Alerts that are triggered when a connection limit is exceeded TMG comes with default configuration settings Exceptions can be set per computer set Custom Limit Limit 600 160 80 1000 6000 400 The Forefront TMG flood mitigation mechanism uses: Connection limits that identify and block malicious traffic. Logging of flood mitigation events. Alerts that are triggered when a connection limit is exceeded. The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack. Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, and meanwhile Forefront TMG will continue to serve all other traffic. The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following: Worm propagation – An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate, if there are policy rules based on Domain Name system (DNS) names, which require a reverse DNS lookup for each IP address. TCP flood attacks – An offending host establishes numerous TCP connections with a Forefront TMG server or other servers that are protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections, in an attempt to elude the counters. This consumes a large amount of resources. SYN attacks – An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open. HTTP denial of service attacks – A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of resources. Non-TCP distributed denial of service (DDoS) attacks – A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small. UDP flood attacks – An offending host opens numerous concurrent UDP sessions with a Forefront TMG server. Connection Limits Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic, handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, Web proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection. A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits: Connection limits that establish how many TCP connect requests and HTTP requests are allowed from a single IP address, that is not included in the list of IP address exceptions during one minute. Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address, that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP connections. Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address, that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which would require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.

41 Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG)
Product Positioning Forefront TMG 2010 Enables users to safely and productively use the Internet without worrying about malware and other threats Forefront UAG Comprehensive, secure remote access to corporate resources Forefront UAG is the preferred solution for providing remote access Forefront TMG 2010 still provides support for remote access features, but not the recommended solution

42 Server Publishing

43 Non-HTTP Server Publishing
Allows map requests for non-Web servers in one of the TMG 2010 networks Clients can be either on the Internet or on a different internal network Can be used to publish most TCP and UDP protocol Behavior depends on whether non-Web server is behind a NAT relationship or not If behind NAT, clients will then connect to an IP address belonging to Forefront TMG If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010 Forefront TMG 2010 uses server publishing rules to map requests for non-Web servers located in a Forefront TMG 2010 network from clients located in other networks. Clients can be external clients located on the Internet or internal clients located on a different internal network. When the network on which the published server is located has a NAT relationship with the network from which client requests are located, server publishing works as follows: The IP address published by the server-published rule belongs to Forefront TMG. Clients make a request for the published resource to the client-facing adapter on the Forefront TMG server and not directly to the internal server. By default, the client source address sent to the published server is that of client. You can change this setting to specify that the source address sent to the published server is that of the Forefront TMG server. When the network on which the published server is located has a route relationship with the network from which client requests are located, server publishing works as follows: Forefront TMG listens for requests on the IP address of the published server. Clients make a request to the IP address of the internal server. Server publishing rules display the following characteristics: Server publishing can be used to publish most TCP and UDP protocols. The published server should be configured as a SecureNAT client with a default gateway pointing to Forefront TMG 2010. You cannot authenticate user requests for server publishing rules. You can use IP address control to specify who can access published resources. A server publishing rule can only publish a single server and protocol In some circumstances you may want to consider using server publishing rules instead of access rules for internal client requests. For example, if you want to allow internal clients to access a non-Web server located in a perimeter network. For a comparison of using server publishing rules or access rules, see the Microsoft TechNet article About network relationships and firewall policy (http://technet.microsoft.com/en-us/library/cc aspx).

44 Sample Server Publishing Scenario
DNS Server Publishing 1. DNS request > 2. Check rule match

45 Check Publishing Rule Match
For non-HTTP requests, Forefront TMG 2010 checks network rules, and then checks publishing rules to determine if requests are allowed. Overriding default ports Server publishing configures Forefront TMG 2010 to listen on a specific port and forward requests to a published server. You can configure the following port properties: Specify the port on which should listen for requests for request. If you publish on a port other than the default port, Forefront TMG 2010 receives client requests for the published service on the nonstandard port, and then forwards requests to the designated port on the published server. For example, a server publishing rule may specify that client requests for FTP services connect through port 22 on the Forefront TMG 2010 computer before being redirected to the default port 21 on the published server.

46 Non-HTTP Server Publishing
Things to consider when planning Server Publishing No authentication support Access restriction by network elements only Networks, subnets, or IP addresses No support in single adapter configuration Client source IP address preserved Behavior can be changed using rule setting Application Layer Filter and NIS signature coverage SMTP, POP3, DNS, etc. When using server publishing rules, Forefront TMG 2010 forwards the traffic as it does for access rules, but it uses application filters directly. For example, the Single Mail Transfer Protocol (SMTP) filter is not used for SMTP traffic handled by an access rule, but it is used with traffic handled by a server publishing rule. In server publishing rules, the client in the destination network makes a connection to the Forefront TMG IP address on which the publishing rule is listening for requests. When Forefront TMG 2010 forwards the traffic to the published server, it replaces the Forefront TMG IP address with the IP address of the internal server that it is publishing, but it does not modify the source IP address. Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when forwarding traffic to the published server, the published server must use the Forefront TMG 2010 computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules to use the setting Requests appear to come from the Forefront TMG computer. This causes Forefront TMG 2010 to perform full NAT on the traffic handled by the rule.

47 Web Publishing Provides secure access to Web content to users from the Internet Web content may be either on internal networks on in a DMZ Supports HTTP and HTTPS connections Forefront TMG 2010 Web Publishing features: Mapping requests to specific internal paths in specific servers Allows authentication and authorization of users at TMG level Allow delegation of user credentials after TMG authentication Caching of the published content (reverse caching) Inspection of incoming HTTPS requests using SSL bridging Load balancing of client requests among Web servers in a server farm Forefront TMG Web publishing makes Web content securely available to groups of users or to all users who send requests to your organization from the Internet. The Web content requested is typically stored on Web servers in the Internal network or in a perimeter network (also known as a screened subnet or a demilitarized zone (DMZ)). With Web publishing rules, you can allow or deny requests based on defined access policies. You can restrict access to specified users, computers, or networks, require user authentication, and inspect the traffic. Content caching enables Forefront TMG 2010 to cache Web content and to respond to user requests from the cache without forwarding the requests downstream to the published Web server. This type of content caching is called reverse caching. Web publishing rules have many features that determine how client Web requests are passed to the published Web servers, including the following: Mapping requests to specific internal paths to limit the portions of your Web servers that can be accessed. Delegation of user credentials for authenticating Forefront TMG to the Web server after authentication by Forefront TMG 2010, without requiring users to supply their credentials for a second time. Link translation for replacing internal host names and paths in Web content with public names and external paths. Secure Sockets Layer (SSL) bridging, which enables Forefront TMG to inspect incoming HTTPS requests and then forward them to the Web server over an encrypted SSL channel. Load balancing of client requests among the Web servers in a server farm, with maintenance of client affinity for increased availability and improved performance.

48 Accessing Web Resources
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols

49 Securing SSL Traffic SSL Bridging:
Client on Internet encrypts communications TMG 2010 decrypts and inspects traffic TMG 2010 sends allowed traffic to published server, re-encrypting it if required

50 Authentication Process
1. Client credentials received 2&3. Credentials validated 4. Credentials delegated to internal server 5. Server send response 6. Response forwarded to client

51 Single Sign On Sample Scenario – Two Published Web Sites requiring AuthN With Single Signon User Prompted for authentication User Clicks Link to SharePoint User NOT Prompted for authentication Without Single Signon: User Prompted for authentication User Clicks Link to SharePoint User Prompted for authentication again Single sign-on (SSO) enables users to authenticate once to Microsoft Forefront Threat Management Gateway and then, without reauthenticating, access all of the Web sites with the same domain suffix that Forefront TMG 2010 publishes on a specific Web listener. Web sites can include Microsoft® Outlook® Web Access and Microsoft® SharePoint® Server sites, as well as standard Internet Information Services (IIS) Web sites. A typical example of SSO is a user who logs on to Outlook Web Access by providing credentials on a form. In one of the messages that the user receives, there is a link to a document that is stored on a SharePoint server. The user clicks the link, and the document opens without an additional request for authentication. This example relies on the use of persistent cookies. Security notes    As long as a user's browser process is still running, that user is logged on. For example, a user logs on to Outlook Web Access. From the Microsoft Internet Explorer menu, the user opens a new browser window and then navigates to another site. Closing the Outlook Web Access window does not end the session, and the user is still logged on. When enabling SSO, be sure to provide a restrictive SSO domain. Providing an inclusive domain, such as .co.uk, allows the Web browser to send the Forefront TMG SSO cookie to any Web site in that domain, creating a possible security risk. In a scenario where you create a Web listener that uses forms-based authentication with RSA SecurID validation and you enable Collect additional delegation credentials in the form, Forefront TMG 2010 does not verify whether a user enters the same or a different name for the additional credentials. Note: There is no support for SSO between different Web listeners. SSO is supported for published Web sites whose host names have the same DNS suffix after the first dot. For example, you can configure SSO when publishing mail.fabrikam.com and team.fabrikam.com by specifying .fabrikam.com as the SSO domain. However, you cannot configure SSO for mail.fabrikam.com and mail.contoso.com. In addition, a DNS suffix specified as an SSO domain must consist of at least two segments separated by an embedded dot. For example, .fabrikam.com and .portal.fabrikam.com are valid SSO domains, but .com is not a valid SSO domain.

52 Forefront TMG Virtual Private Networking (VPN)

53 Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPNs: Remote Access VPN Site-to-site VPN TMG 2010 implements Windows Server® 2008 VPN technology Implements support for Secure Socket Tunneling Protocol (SSTP) Implements support for Network Access Protection (NAP) Virtual private network (VPN) technology enables cost-effective, secure, remote access to private networks. With a VPN, you can extend your private network across a shared or public network, such as the Internet, in a manner that emulates a point-to-point private link. By using the Forefront TMG computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the Forefront TMG firewall policy. About Forefront TMG VPNs Forefront TMG 2010 supports two types of VPNs: Remote access VPN – Provides roaming users with secure remote access to the internal network Site-to-site VPN – Enables quick connectivity between sites, for example between a main office and its branch offices. Note: All VPN connections to Forefront TMG are logged to the Firewall log, so that you can monitor them. Forefront TMG implements Windows Server VPN technology. For a description, see What Is VPN? (http://go.microsoft.com/fwlink/?LinkId=160092). When reading this content, keep in mind the functional differences between Windows Server 2003 and later versions of Windows as documented in What's New in Routing and Remote Access in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160094).

54 Secure Socket Tunneling Protocol (SSTP)
New SSL-based VPN protocol HTTP with SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets Support for unauthenticated Web proxies Support for Network Access Protection (NAP) Client support in Windows Vista® SP1 No plans to backport SSTP to previous versions

55 Network Access Protection (NAP)
Windows Policy Validation and Enforcement Platform Policy Validation Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed healthy. Network Restriction Restricts network access to computers based on their health. Remediation Provides necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed. Ongoing Compliance Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions. Network Access Protection (NAP) consists of several components and architecture models that work in conjunction to provide security for the network. The infrastructure of NAP supports the different servers required to validate, remediate and provide health certificates. The enforcement methods used by NAP (802.1x, DHCP, VPN, NPS RADIUS and IPSec) provide flexibility in determining the appropriate method for securing client access to your network. 55

56 NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN Supports all VPN protocols, including SSTP Different solution than the Remote Access Quarantine Services (RQS) supported in ISA Server 2006 NAP validates health status of the remote client at connection time VPN network access limitation is done through IP packet filters applied to the VPN connection Access limited to resources on the restricted network NAP Support in TMG 2010 allows you to define levels of network access based on a client’s identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation), and then dynamically increases its level of network access.

57 NAP with Forefront TMG Walkthrough
Restricted Network Corporate Network Remediation Servers System Health Servers Unhealthy SHA performs remediation against remediation servers Ongoing policy updates to Network Policy Server Here is the fix you need. VPN QEC passes SoH Responses back to NAPAgent VPN QEC queries NAPAgent for SOHs NAPAgent collects new SoH and passes to VPN QEC PEAP messages Here is my SOH EAP messages Can I please have access to the network? VPN Session Request EAP - Response/Identity PEAP messages Here is my SOH Forefront TMG 2010 EAP - Request/Identify EAP – Request/Start – Send SOH RADIUS Access-Accept According to policy, the client is up to date. Grant access – no filters RADIUS Access-Accept According to policy, the client is not up to date. Quarantine client. Restrict client to /24 The following process occurs when a NAP-capable VPN client connects to a NAP-capable VPN server: The VPN client initiates a connection to the VPN server using either Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunnelling Protocol with Internet Protocol Security (L2TP/IPsec) or the new Secure Socket Tunnelling Protocol (SSTP) . The VPN NAP component on the VPN server (a component of Routing and Remote Access) sends an EAP-Request/Identity message to the VPN QEC on the VPN client. The VPN QEC on the VPN client (a component of the Remote Access Connection Manager service) responds with an EAP-Response/Identity message that contains the user name of the VPN client. The VPN NES on the VPN server sends the EAP-Response/Identity message as a RADIUS Access-Request message to the NPS server. For all subsequent PEAP-based messages, the logical communication occurs between the NPS server and the VPN QEC on the VPN client, using the VPN server as a pass-through device. Messages between the VPN server and the NPS server are a series of RADIUS Access-Request, Access-Challenge, and Access-Accept messages. The NPS server sends an EAP-Request/Start PEAP message to the VPN client. The VPN client and the NPS server exchange a series of TLS messages to negotiate an encrypted TLS channel. The NPS server sends a request for the list of SoHs to the VPN client using a PEAP-TLV message. The VPN QEC queries the NAP Agent for the list of SoHs. The VPN QEC passes the list of SoHs to the NPS server using a PEAP-TLV message. The NPS server requests that the VPN client authenticate itself using its client credentials, using a PEAP authentication method such as PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The VPN client authenticates itself to the NPS server using the negotiated PEAP authentication method. The NPS component on the NPS server extracts the list of SoHs from the PEAP-TLV message sent in step 9 and passes it to the NAP Administration Server component. The NAP Administration Server component passes the SoHs in the list of SoHs to the appropriate SHVs. The SHVs analyze the contents of the SoH passed by the NAP Administration Server and then construct and send a SoHResponse to the NAP Administration Server. The NAP Administration Server passes the list of SoHResponses to NPS. NPS compares the list of SoHResponses to a configured set of network access and system health policies and then makes a limited/unlimited network access decision. NPS constructs and sends a PEAP-TLV message containing the limited/unlimited network access decision and the list of SoHResponses to the VPN client. NPS sends a RADIUS Access-Accept message containing its limited/unlimited network access decision to the VPN server. If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP packet filters that limit the traffic of the VPN client to the restricted network. If the VPN connection is unlimited, the RADIUS Access-Accept message does not contain IP packet filters to limit network access. After the VPN connection completes, the NAP client will have unlimited network access. The VPN client and VPN server complete the VPN connection. PEAP Message State: Quarantine SOH Responses PEAP Message State: Full Access SOH Responses EAP - Request/Identify EAP – Request/Start – Send SOH Client Network Policy Server

58 Enforcement Components
4/14/2017 9:10 AM NAP Components Enforcement Components Health Components Platform Components Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC. System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.). Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs. Network Access Devices = Provide network access to healthy endpoints. Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies. System Health Validators (SHV) = Certify declarations made by health agents. Health Registration Authority = Issues certificates to clients that pass health checks. System Health Servers = Define health requirements for system components on the client. Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state. System Health Servers Remediation Servers Updates Health policy Client Health Statements Network Access Requests Network Policy Server SHA<n> The Network Access Protection solution is a combination of the Microsoft platform plus enforcement and health components. The NAP platform contains pieces both in Windows and those provided by 3rd parties. This 3rd party components can be Microsoft as well, as in the case of SMS. Network Access Protection is a collection of platform pieces Windows, plus Partner components: Health partners and Enforcement partners Platform and partner pieces work in concert to provide a powerful end-to-end solution. The platform by itself will not determine what is healthy or doing health validation. Health vendors (e.g. antivirus vendors) will determine what will be checked. System health servers are where you write the health policies. These can be Microsoft or 3rd party (e.g. SMS or Altiris). These pass policy information to the Microsoft Network Policy Server (NPS). NPS is the renamed Internet Authentication Service (IAS) Server, which is Microsoft’s implementation of RADIUS. Remediation server – once you’re in restriction, you are given access routes to the remediation server. The goal is not to keep you off the network, the goal is to get you healthy and back on. Enforcement mechanisms The Network Access Protection platform is designed to support DHCP, VPN, 802.1x and IPSec enforcement. Vendors can provide extensions and plug-ins where they want to do something specific, for example intrusion detection services. Network Access Device Will turn access to the network on or off. This could be a firewall, a switch or router, it could be an appliance. Core Windows components Quarantine Agent (QA) – will ship as part of Windows Vista. The Quarantine Agent is cross platform meaning that a vendor has the ability free to write extensions to the QA APIs for the Linux, MAC, or other OS. Quarantine Server (QS) – sits on Microsoft Network Policy Server (NPS) which makes the rules decision. NPS is the renamed Internet Authentication Service (IAS) Server, Microsoft’s implementation of RADIUS. The NAP architecture provides a general framework to deliver a solution a customer can configure to meet specific business needs, e.g. DHCP enforcement now and IPsec enforcement in the future; or a combination of IPsec and 802.1X enforcement; monitor & report now, enforce later. Health Result Quarantine Agent SHV<n> Quarantine Server QEC 1 QEC 2 Network Access Device (Forefront TMG 2010) © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

59 Mail Protection

60 Mail Protection – Forefront Threat Management Gateway
Full featured SMTP hygiene Exchange Edge Transport for SMTP stack Requires valid license Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server Antimalware Antispam Antiphishing Also supports generic SMTP mail servers protection subscription service Forefront TMG provides an protection subscription service, based on technology integrated from Forefront Protection 2010 for Exchange Server. Forefront TMG serves as a relay for SMTP traffic, and scans for viruses, malware, spam and content (such as executable or encrypted files) as it crosses the network. Utilizing Microsoft mail protection technologies Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization. When deploying the protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the protection feature provides a number of benefits, which are described in Benefits of creating an policy with Forefront TMG (http://technet.microsoft.com/en-us/library/dd aspx#benis). Layered protection Because spammers or malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach to reducing spam refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic or set of related characteristics on the inbound message.

61 E-mail Threats ~98% of all e-mail is spam/malicious
Over 400 billion unwanted s in H2 2008 Estimated cost is $130 billion in 2009 Causes 90% of NDRs Risk of software vulnerabilities Microsoft Security Intelligence Report, volume 6 (www.microsoft.com/sir) reports that 98% of is spam. Microsoft Forefront Online Security for Exchange (FOSE; formerly Microsoft Exchange Hosted Services, or EHS) provides enterprise-class spam and malware filtering services for thousands of customers. This figure shows the percentage of incoming messages that FOSE has filtered as spam in every half-year period since 1H06. In 2H08, FOSE filtered 97.3 percent of all messages it received, delivering only about one out of every 40 messages to intended recipients. This figure was down from 98.4 percent in 1H08. The source for the $130 billion loss is Ferris Research (http://www.ferris.com/research-library/industry-statistics/).

62 The Solution Filter unwanted e-mail as early as possible
FOSE performs spam filtering in two stages. The vast majority of spam is blocked by servers at the network edge, which use a number of non-content–based rules to block probable spam or other unwanted messages. Messages that are not blocked at the first stage are scanned using content-based rules, which detect and filter additional threats, including attachments containing malware. This figure shows the percentage of messages blocked at each stage in every half-year period since 1H06. Percentage of incoming messages blocked by Forefront™ Protection for Exchange using edge-blocking and content filtering, 1H06-2H08

63 E-mail Protection Features
Protection at the edge Protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server Advanced protection and premium antispam Multiple scan engines to protect against malware and provide a premium antispam solution Integrated management Easy management of Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG Array deployment Support for managing and load balancing traffic among multiple servers Benefits of creating an policy with Forefront TMG There are a number of advantages to implementing protection with Forefront TMG: Protection on the edge – The protection feature in Forefront TMG inspects mail traffic at the edge (the point of entry into an enterprise’s core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage. Integrated management – When you create an policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and then Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting requirements). Implementing protection consequently does not require expertise in Exchange Edge and FPES. Extended management – Forefront TMG allows you to deploy multiple servers in an array, and manage those servers from a single interface. This is true for the protection feature, which is a benefit not available to other Exchange Server and FPES deployments. When you configure an policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage. Native support for Network Load Balancing (NLB) – Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.

64 Solution Components Microsoft Products
Forefront Protection 2010 for Exchange Server Microsoft® Exchange Server® 2007 (or 2010) Edge Transport Forefront Threat Management Gateway Windows Server® 2008 x64 Forefront TMG leverages the capabilities of the Exchange Edge Transport Server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization. When deploying the protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the protection feature provides a number of benefits.

65 Mail Protection – Forefront Threat Management Gateway

66 Typical Deployment Topology
Any SMTP Servers Forefront TMG Array myorg.com Internal SMTP Server Internet SMTP Traffic Internal Network Partner SMTP Server TLS encrypted connection SMTP Traffic EdgeSync (Exchange Server Only) MX pointing to Forefront TMG external IP address A mail exchanger (MX) resource record for your domain must be registered on Internet DNS servers, and the MX record must point to the external IP address of Forefront TMG. Forefront TMG can use a specific IP address for outbound mail, or use DNS to locate the Mail Exchange (MX) record of the remote SMTP server. In this case TMG will query DNS for the IP address in the MX record, which Forefront TMG uses to deliver the mail. If you select this routing method, verify that your DNS server can successfully resolve names on the Internet.

67 Configure SMTP Routes Defines how Forefront TMG routes traffic from and to the organization SMTP servers At least two routes required: Internal_Mail_Servers define the IP addresses and SMTP domains of the internal mail servers External_Mail_Servers define which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail The first step in creating the policy is to configure how Forefront TMG routes mail traffic to and from the internal Simple Mail Transfer Protocol (SMTP) servers in your organization. The Exchange Edge Transport server installed on your Forefront TMG server acts as a relay between your internal SMTP servers and those outside your organization, and applies the policy that you create to mail in transit. In Forefront TMG, these mail routes are called SMTP routes. You must create at least two routes, as follows: On the Internal_Mail_Servers route, you enter the IP addresses of your internal mail servers and the SMTP domains of your mail organization (what are known as accepted authoritative domains in Microsoft Exchange), and networks from which mail may be sent. This instructs Forefront TMG to accept and relay internal mail only from these authorized networks, IP addresses and domains. On the External_Mail_Servers route, you define from which networks mail is allowed to enter the mail organization, select the mail routing method to use to send internal mail to external networks, and enter the publicly registered FQDN or IP address that external mail servers should use as the address for your mail organization. Each SMTP route has an listener which responds to mail requests from permitted IP addresses and networks. You can create these initial SMTP routes with the Policy Wizard; and then create additional routes by using the Create SMTP Route Wizard. In order to configure SMTP routes, you must install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES)on each Forefront TMG server in the array.

68 Configure Spam Filtering
Defines spam filtering policy Connection-level filtering IP Allow List IP Allow List Providers IP Block List Block List Providers Protocol-level filtering Configuring Recipient Filtering Configuring Sender Filtering Configuring Sender ID Configuring Sender Reputation Content-level filtering Spam Filtering options are configured in the Spam Filtering tab.

69 Spam Filtering Connection-level Filtering

70 Virus and Content Filtering
Configures antivirus, file attachment, and message body filtering Virus filter – Engine selection policy and remediation actions File filters – Unwanted file attachments based on file type, filename, and prefix Message body filters – Identify unwanted messages by applying keyword lists to the contents of the message body Virus filters – Forefront TMG lets you employ multiple scan engines (up to five) to detect and clean viruses from attachments. Multiple engines provide extra security by enabling you to draw upon the expertise of various virus labs to keep your environments virus-free; a virus might slip by one engine, but it's unlikely to get past three. The intelligent engine selection policy setting controls how many of the selected engines should be used in order to provide you with an acceptable probability that your system is protected (because there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater is the impact on your system's performance. File filters – Identify unwanted file attachments within messages. You can filter file attachments based on file type, filename, and prefix. Message body filters – Identify unwanted messages by analyzing the contents of the message body. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences. About keyword list syntax rules The following are the syntax rules for a keyword list: Each item (line of text) is considered a search query. Queries use the OR operator. It is considered to be a positive detection if any entry is a match. Queries can contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character: _AND_ (Logical AND). For example: apple•_AND_•orange juice _NOT_ (Negation). For example: apple•_AND__NOT_•juice _ANDNOT_ (Same as _AND__NOT_). For example: apple•_ANDNOT_•juice _WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example: free•_WITHIN[10]OF_•offer. (If free is within 10 words of offer, this query is true.) _HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example: _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator is implicitly assumed and has a default value of 1 when it is not specified. Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest): 1) _WITHIN[#]OF_ 2) _HAS[#]OF_ 3) _NOT_ 4) _AND_ This precedence cannot be overridden with parentheses. The logical operators must be entered in uppercase letters. Phrases can also be used as keywords, for example, apple juice or get rich quick. Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A••••B is treated as A•B and matches the phrase A•B. In HTML encoded message texts, punctuation (any character that is not alphanumeric) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter <html> matches <html>, but not html.

71 Virus and Content Filtering

72 Replicating Configuration to Exchange Server and FPE
FPE Service 4. Configure services using PowerShell API 1. TMG UI Administrator 2. Store to DB 3. Array members load new configuration Exchange Edge Service

73 Design Options Single purpose and location, no high availability
Forefront TMG 2010 Standard Edition Single purpose and location, high availability Forefront TMG 2010 Enterprise Edition in stand-alone array Multiple purposes and/or locations, high availability Enterprise Management Server

74 Single Purpose and Location
Forefront TMG 2010 Standard Edition (SE) Light and medium traffic All-in-one solution No high availability requirements

75 Single Purpose and Location
Forefront TMG 2010 Enterprise Edition (EE): Stand-alone array Shared configuration High traffic solution Simple upgrade to EE Data maintained EE license key Provides high availability and scale out

76 4/14/2017 9:10 AM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Download ppt "Forefront Threat Management Gateway 2010"

Similar presentations


Ads by Google