Forefront TMG Value Proposition

Comprehensive:
- Firewall – Control network policy access at the edge
- Secure Web Gateway – Protect users from Web browsing threats
- Secure Relay – Protect users from threats
- Remote Access Gateway – Enable users to remotely access corporate resources
- Intrusion Prevention – Protect desktops and servers from intrusion attempts

Integrated. Simplified.
Features Summary

Firewall:
- VoIP traversal
- Enhanced NAT
- ISP link redundancy

Secure Web Access:
- HTTP antivirus/antispyware
- URL filtering
- HTTPS forward inspection

Protection:
- Exchange Edge integration
- Antivirus
- Antispam

Intrusion Prevention:
- Network inspection system

Remote Access:
- NAP integration with client VPN
- SSTP integration

Deployment and Management:
- Array management
- Change tracking
- Enhanced reporting
- W2K8, native 64-bit

Subscription Services:
- Malware protection
- Intrusion prevention
Deployment Scenarios: Networks

[Diagram: Forefront TMG networks: External, DMZ, Internal, Local Host, VPN Clients]

Forefront TMG networks represent your corporate network topology. Generally, a network is defined for each network adapter installed and enabled on the computer. Networks that do not require associated network adapters are the Local Host network, which represents Forefront TMG itself, and virtual private networks.

When deployed at the edge of your network, Forefront TMG should be configured with at least two network adapters:
- One connected to the Forefront TMG Internal network, which represents the main corporate network.
- One connected to the Forefront TMG External network, which usually represents the Internet.

The External network is defined dynamically, based on the IP address ranges of the other networks. You can configure the IP address range and other properties of the Internal network. If three or more adapters are available, you can also configure the properties of one or more perimeter networks. You can configure a dial-up connection on one network only (for example, to dial up for Internet access).
Deployment Scenarios: Network Sets

[Diagram: a network set spanning the DMZ and other networks]

A network set is a set of one or more networks. You can use network sets to specify a source or destination in firewall policy rules.
Secure Web Gateway: Layered Security

Windows Server® 2008 / R2

Unifies inspection technologies to:
- Protect against multi-channel threats
- Simplify deployment

Keeps security up to date with updates to:
- Web antimalware
- URL filtering
- Network Inspection System

[Diagram: inspection layers: Logging & Reporting, Malware Inspection, URL Filtering, Application Layer Proxy, Network Inspection System, HTTPS Inspection]

The following new Forefront TMG features support the Secure Web Gateway role:
- Web antimalware is part of a Web Protection subscription service for Forefront TMG. Web antimalware scans Web pages for viruses, malware, and other threats.
- URL filtering allows or denies access to Web sites based on URL categories (such as pornography, drugs, hate, or shopping). Organizations can not only prevent employees from visiting sites with known malware, but also protect business productivity by limiting or blocking access to sites that are considered productivity distractions. URL filtering is also part of the Web Protection subscription service.
- Network Inspection System (NIS) enables traffic to be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS can block classes of attacks while minimizing false positives. Protections can be updated as needed.
- HTTPS inspection enables HTTPS-encrypted sessions to be inspected for malware or exploits. Specific groups of sites (for example, banking sites) can be excluded from inspection for privacy reasons. Users of the Forefront TMG client can be notified of the inspection.
- Logging and reporting – Forefront TMG collects log information for traffic handled by the Microsoft Firewall service and by the Web Proxy filter, and generates reports that summarize and analyze log information. It also provides the ability to send runtime event alerts (both pre-defined system alerts and custom alerts).
How HTTPS Inspection Works

Setup:
1. Enable HTTPS inspection.
2. Generate the trusted root certificate.
3. Install the trusted root certificate on clients.

[Diagram: client, TMG and contoso.com (https://contoso.com) exchange]

For each HTTPS connection (to contoso.com in the example):
1. Intercept the HTTPS traffic.
2. Validate the contoso.com server certificate.
3. Generate a contoso.com server proxy certificate on TMG:
   - Copy data from the original server certificate to the proxy certificate.
   - Sign the new certificate with the TMG trusted root certificate.
   [TMG manages a certificate cache to avoid redundant duplications.]
4. Pretend to be contoso.com for the client.
5. Bridge HTTPS traffic between client and server.
HTTPS Traffic Inspection Process

[Diagram: client ↔ SSL ↔ TMG (URL Filtering, Malware Inspection, Network Inspection System) ↔ SSL ↔ secure Web site]

To provide HTTPS protection, Forefront TMG acts as an intermediary between the client computer that initiates the HTTPS connection and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following:
1. Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site's server certificate.
2. Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate.
3. Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it.

Because the HTTPS inspection certificate was previously placed in the client computer's Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.

HTTPS inspection terminates the SSL traffic at the proxy for both ends and inspects the traffic against different threats. The trusted certificate generated by the proxy matches the URL expected by the client.
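The two slides above describe the proxy-certificate step in words; the following added example (not Forefront TMG code) shows the same sequence with the Python cryptography library: validate the origin certificate against a trusted root, copy its subject, validity and subject alternative names into a new certificate, sign it with the inspection CA, and serve repeated requests from a certificate cache. Assumptions: RSA keys, exact (non-wildcard) SAN matching, one reused proxy key, and a constructed PKI standing in for the public CA and for contoso.com.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, issuer_cert, issuer_key, public_key, not_before, not_after, san=None, is_ca=False):
    """Issue a certificate; issuer_cert=None means self-signed (used for the constructed roots)."""
    issuer_name = issuer_cert.subject if issuer_cert is not None else subject
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(public_key).serial_number(x509.random_serial_number())
         .not_valid_before(not_before).not_valid_after(not_after)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san is not None:
        b = b.add_extension(san, critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def signed_by(cert, issuer_cert):
    """True if issuer_cert's key actually signed cert (what a client's root store check does)."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def dns_names(cert):
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        return ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        return []

def validate_origin(cert, hostname, trusted_roots, now):
    """Slide step 'validate server certificate': time window, trusted issuer, name match."""
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False
    if not any(signed_by(cert, root) for root in trusted_roots):
        return False
    return hostname in dns_names(cert)

class HttpsInspector:
    def __init__(self, ca_key, ca_cert, trusted_roots):
        self.ca_key, self.ca_cert, self.trusted_roots = ca_key, ca_cert, trusted_roots
        self.proxy_key = new_key()   # assumption: one key pair reused for every proxy certificate
        self.cache = {}              # origin fingerprint -> proxy cert (the slide's certificate cache)

    def proxy_certificate(self, origin_cert, hostname, now=None):
        """Return (proxy_cert, served_from_cache); refuse if the origin certificate is not valid."""
        now = now or datetime.datetime.utcnow()
        if not validate_origin(origin_cert, hostname, self.trusted_roots, now):
            raise ValueError("origin certificate failed validation; not bridging")
        fp = origin_cert.fingerprint(hashes.SHA256())
        if fp in self.cache:
            return self.cache[fp], True
        san = origin_cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        proxy = issue(origin_cert.subject, self.ca_cert, self.ca_key, self.proxy_key.public_key(),
                      origin_cert.not_valid_before, origin_cert.not_valid_after, san=san)
        self.cache[fp] = proxy
        return proxy, False

def demo():
    """Constructed PKI: a public root for contoso.com, the TMG inspection CA, and a forged cert."""
    now, day = datetime.datetime.utcnow(), datetime.timedelta(days=1)
    root_key, tmg_key, origin_key = new_key(), new_key(), new_key()
    root = issue(name("Example Public Root"), None, root_key, root_key.public_key(),
                 now - day, now + 3650 * day, is_ca=True)
    tmg_ca = issue(name("Forefront TMG HTTPS Inspection CA"), None, tmg_key, tmg_key.public_key(),
                   now - day, now + 3650 * day, is_ca=True)
    san = x509.SubjectAlternativeName([x509.DNSName("contoso.com"), x509.DNSName("www.contoso.com")])
    origin = issue(name("contoso.com"), root, root_key, origin_key.public_key(), now - day, now + 90 * day, san=san)
    forged = issue(name("contoso.com"), None, origin_key, origin_key.public_key(), now - day, now + 90 * day, san=san)
    inspector = HttpsInspector(tmg_key, tmg_ca, trusted_roots=[root])
    proxy, from_cache = inspector.proxy_certificate(origin, "contoso.com")
    proxy2, from_cache2 = inspector.proxy_certificate(origin, "www.contoso.com")
    try:
        inspector.proxy_certificate(forged, "contoso.com")
        rejected = False
    except ValueError:
        rejected = True
    return {"subject_copied": proxy.subject == origin.subject,
            "san_copied": dns_names(proxy) == dns_names(origin),
            "validity_copied": proxy.not_valid_after == origin.not_valid_after,
            "issuer_is_tmg": signed_by(proxy, tmg_ca),
            "client_trusts_via_public_root": signed_by(proxy, root),
            "second_from_cache": from_cache2 and proxy2 is proxy and not from_cache,
            "untrusted_origin_rejected": rejected}
```

A client that lacks the inspection CA in its trusted root store would reject the proxy certificate, which is why the slides make installing that root on clients a prerequisite.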
HTTPS Inspection Notifications

Notification provided by the Forefront TMG client:
- Notify user of inspection
- History of recent notifications
- Management of Notification Exception List
- May be a legal requirement in some geographies

To receive notifications of HTTPS inspection, client computers must have the HTTPS inspection trusted root certification authority (CA) certificate installed in the local computer's Trusted Root Certification Authorities certificate store. If the certificate is not installed in this specific certificate store, the user will not receive balloon notifications of HTTPS inspection.

To enable HTTPS inspection notifications on the Forefront TMG server:
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, click Configure HTTPS Inspection.
3. On the Client Notification tab, click Notify users that HTTPS inspection is being inspected, and then click OK.

To enable HTTPS inspection notification on the Forefront TMG Client:
1. On the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.
HTTPS Inspection Notification: User Experience

Notifications are shown as a balloon by the Forefront TMG client. The user may also ask the browser to display the Web site certificate information, which will be shown as issued by Forefront TMG.
URL Filtering

- Integrates leading URL database providers
- Subscription-based
- 91 built-in categories
- Predefined and administrator-defined category sets
- Customizable, per-rule deny messages
- URL category override
- URL category query
- Logging and reporting support
- Web Access Wizard integration

URL filtering identifies certain types of Web sites (for example, known malicious sites and sites that display inappropriate or pornographic materials) and allows or blocks access to the sites based on predefined URL categories. The default categorization of a specific Web site is determined by the Microsoft Reputation Service (MRS) and can be edited by the Forefront TMG system administrator. When a request to access a Web site is received, Forefront TMG queries MRS to determine the categorization of the Web site. If the Web site has been categorized as a blocked URL category or category set, Forefront TMG blocks the request.

When users request access to a Web site to which access is blocked, they receive a denial notification that includes the denied request category. In some cases, users may contact the administrator to dispute the categorization of the Web site. In such a case, you can check whether the URL was categorized properly. If the Web site was not categorized correctly, you can create a custom setting for this URL. For more information, see the Microsoft TechNet article Introduction to managing URL filtering (http://technet.microsoft.com/en-us/library/dd aspx).

Forefront TMG features over 70 URL categories. A URL category is a collection of URLs that match a pre-defined criterion, such as malicious, anonymizers, or illegal drugs. Categories are grouped into category sets, which can be used to simplify the configuration of Forefront TMG policies.

Forefront TMG uses Microsoft Reputation Service (MRS), a cloud-based object categorization system hosted in Microsoft data centers, to categorize the URLs that users request. MRS is designed to provide comprehensive reputation content to enable core trust scenarios across Microsoft solutions. MRS maintains a database with tens of millions of unique URLs and their respective categories.
How TMG Uses Microsoft Reputation Service

[Diagram: TMG's URL categorizer feeds policy. It queries a cache (persistent, in-memory, weighted TTL) and fetches from MRS on a cache miss over SSL (for authentication and privacy; no PII). MRS, hosted in Microsoft datacenters, runs a federated query across multiple vendors and combines the result with telemetry data. A telemetry path (also SSL) carries a feedback mechanism on category overrides.]
What Makes MRS Compelling?

Existing URL filtering solutions:
- A single vendor can't be an expert in all categories
- Categorization response time

MRS unique architecture:
- MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
- Based on Microsoft internal sources as well as collaboration with third-party partners
- Scalable
- Ongoing collaborative effort: recently announced an agreement with Marshal8e6, more announcements to follow

The Microsoft Reputation Service (MRS) team wanted to confront an inherent problem with traditional URL filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution on its own. As a result, there are multiple vendors, each one specializing in a specific area of the solution.

Some vendors specialize in identifying malicious sites and spam URLs, while others are rich in productivity-related categories. Some specialize in covering the Internet's long tail (see ), while others provide quick classification of previously unknown sites. Some use human-based classification, and others use machine-based techniques. Some are great with Web 2.0 style URLs, and the list goes on. Even those vendors who employ several classification techniques and cover multiple categories can't deal with the huge and ever-expanding challenges of today's Web.

The MRS team's idea was simple: leverage the complementary capabilities of different vendors and sources to create a unified database that is best suited to deal with the challenges described above. So they implemented a scalable architecture that allows incorporation of multiple streams of data into a merged database. In this way, each vendor and source brings its unique strengths to create a common solution.

MRS already integrates several data sources, and others will be on-boarded in the following months. Some of these data sources are internal to Microsoft, and others are the result of collaboration with third-party partners. One such agreement, announced during RSA, is an agreement with Marshal8e6 (see this link for more information: ).

But the real benefit of MRS is that, because it is a Web service and because of its unique architecture, MRS can easily incorporate new databases in a way that is completely transparent to its customers. We expect the MRS unified database to expand over time and become the recognized industry leader. Forefront TMG customers will benefit naturally from this ongoing upgrade, through our Web security subscription services.
Per-rule Customization

The TMG administrator can customize the denial message displayed to the user on a per-rule basis:
- Add custom text or HTML
- Redirect the user to a specific URL
URL Category Override

- The administrator can override the categorization of a URL
- Feedback to MRS via telemetry

To change a domain's categorization, copy the URL or IP address, and click the URL Category Override tab. For more information, see the Microsoft TechNet article Overriding URL categorization (http://technet.microsoft.com/en-us/library/dd aspx).
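The URL filtering, MRS caching and category override slides above describe one decision path; this added example (not Forefront TMG or MRS code) models it end to end: administrator override first, then a TTL cache, then a lookup on cache miss, with a per-rule category set and customizable denial message. The `mrs_stub` table, the hostnames, the category names and the per-answer TTLs are constructed; modelling "weighted TTL" as a TTL returned with each MRS answer is an assumption of the example.

```python
import time
from urllib.parse import urlsplit

class FakeClock:
    """Deterministic clock so cache expiry can be shown without sleeping."""
    def __init__(self, start=0.0):
        self.now = start
    def __call__(self):
        return self.now

class UrlCategorizer:
    """Resolution order modelled on the slides: administrator override, then cache, then MRS.

    mrs_lookup stands in for the Microsoft Reputation Service query:
    callable(host) -> (category, ttl_seconds).
    """
    def __init__(self, mrs_lookup, clock=time.monotonic):
        self.mrs_lookup = mrs_lookup
        self.clock = clock
        self.overrides = {}   # host -> category set by the administrator
        self.cache = {}       # host -> (category, expires_at)
        self.telemetry = []   # override feedback that would be reported back to MRS

    @staticmethod
    def host_of(url):
        return (urlsplit(url).hostname or "").lower()

    def override(self, url_or_host, category):
        host = self.host_of(url_or_host) if "://" in url_or_host else url_or_host.lower()
        self.overrides[host] = category
        self.cache.pop(host, None)
        self.telemetry.append((host, category))

    def categorize(self, url):
        """Return (category, source) where source is 'override', 'cache' or 'mrs'."""
        host = self.host_of(url)
        if host in self.overrides:
            return self.overrides[host], "override"
        now = self.clock()
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            return hit[0], "cache"
        category, ttl = self.mrs_lookup(host)   # fetch on cache miss
        self.cache[host] = (category, now + ttl)
        return category, "mrs"

class WebAccessRule:
    """Deny rule over category sets with a per-rule customizable denial message."""
    def __init__(self, name, category_sets, blocked_sets, deny_message):
        self.name = name
        self.blocked = set().union(*(category_sets[s] for s in blocked_sets))
        self.deny_message = deny_message

    def evaluate(self, url, categorizer):
        category, source = categorizer.categorize(url)
        allowed = category not in self.blocked
        message = None if allowed else self.deny_message.format(category=category, url=url)
        return {"allowed": allowed, "category": category, "source": source, "message": message}

def demo():
    """MRS lookup, cache hit, TTL expiry, then a disputed categorization fixed by override."""
    clock, lookups = FakeClock(), []
    # Constructed stand-in for MRS; risky categories get a short TTL, benign ones a long TTL.
    table = {"www.phishingsite.com": ("Phishing", 300), "portal.example.org": ("Phishing", 300),
             "news.example.com": ("News", 86400)}
    def mrs_stub(host):
        lookups.append(host)
        return table.get(host, ("Uncategorized", 600))
    cat = UrlCategorizer(mrs_stub, clock=clock)
    rule = WebAccessRule("Block security threats",
                         category_sets={"Security": {"Phishing", "Malicious"}, "Productivity": {"News"}},
                         blocked_sets=["Security"],
                         deny_message="Access denied by policy. Category: {category}")
    first = rule.evaluate("http://www.phishingsite.com/login", cat)    # MRS lookup, blocked
    second = rule.evaluate("http://www.phishingsite.com/other", cat)   # served from cache
    clock.now += 301
    third = rule.evaluate("http://www.phishingsite.com/again", cat)    # TTL expired, refetched
    disputed = rule.evaluate("https://portal.example.org/", cat)        # miscategorized, blocked
    cat.override("https://portal.example.org/", "Business")             # administrator fixes it
    after = rule.evaluate("https://portal.example.org/", cat)
    news = rule.evaluate("http://news.example.com/", cat)
    return {"first": first, "second": second, "third": third, "disputed": disputed,
            "after": after, "news": news, "lookups": lookups, "telemetry": cat.telemetry}
```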
User Experience

[Screenshot: a phishing message linking to http://www.phishingsite.com]

In this example, the user receives a phishing message that persuades the user to click on a link to

[Screenshot: denial page customized with HTML tags]

URL filtering identifies the link as a known phishing site and blocks the user from connecting to it. The Forefront TMG administrator can customize the message displayed to the user by adding custom text or HTML, or can redirect the user to a specific URL (for example, a page displaying the organization's Web access policy).
HTTP Malware Inspection

- Integrates the Microsoft Antivirus engine
- Signature and engine updates
- Subscription-based
- Third-party plug-ins can be used (native malware inspection must be disabled)
- Content delivery methods by content type
- Source and destination exceptions
- Global and per-rule inspection options (encrypted files, nested archives, large files…)
- Logging and reporting support
- Web Access Wizard integration
Malware Inspection Filter: Content Trickling

[Diagram: client GET msrdp.cab → Firewall Service / Web Proxy → Malware Inspection Filter (Request Context, Accumulated Content) → Scanner; 200 OK returned to the client as content accumulates]

Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content:

Trickling: Forefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.
Malware Scanner Behavior

[Diagram: high, normal and low priority queues feeding the antimalware engine]

High priority queue:
- Partial inspection for Standard Trickling
- Final inspection for files smaller than 1 MB when the Progress Page is not used

Normal priority queue:
- Partial inspection for Fast Trickling
- Final inspection for files larger than 1 MB but smaller than 50 MB when the Progress Page is not used

Low priority queue:
- Final inspection when the Progress Page is used
- Final inspection for files larger than 50 MB
Malware Inspection: Per-rule Overrides

The Forefront TMG administrator can override the general malware inspection settings on a per-Web-access-rule basis.
User Experience: Progress Notification

Progress notification: Forefront TMG sends an HTML page to the client computer that informs the user that the requested content is being inspected, and displays a summary of the download and inspection progress. After the content has been downloaded and inspected, the page informs the user that the content is ready, and displays a button that the user can click to download the content.
Network Inspection System (NIS)

- Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
- Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions)
- Detects and potentially blocks attacks on network resources
- NIS helps organizations reduce the vulnerability window:
  - Protects machines against known vulnerabilities until a patch can be deployed
  - Signatures can be released and deployed much faster than patches, concurrently with the patch release, closing the vulnerability window
- Integrated into Forefront TMG
- Synergy with HTTPS Inspection

NIS is a protocol decode-based traffic inspection system that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities (researched and developed by the Microsoft Malware Protection Center NIS Response Team) in addition to an operational signature distribution channel which enables dynamic signature snapshot distribution. For more information, see the Microsoft Malware Protection Center Threat Research & Response Blog (http://blogs.technet.com/mmpc/).

The main differentiator of NIS is signature quality (minimum false positives and false negatives) on Microsoft-focused vulnerabilities. NIS vulnerability-based signatures (as opposed to exploit-based ones) cover all exploit variants that target a vulnerability, in contrast to signatures that detect specific exploits (which are susceptible to evasion).
New Vulnerability Use Case

1. A vulnerability is discovered.
2. The response team prepares and tests the vulnerability signature.
3. The signature is released by Microsoft and deployed through the distribution service, on security patch release.
4. All unpatched hosts behind Forefront TMG are protected.

[Diagram: Vulnerability Discovered → Signature Authoring Team (signature authoring, testing) → Signature Distribution Service → TMG in the corporate network]
Network Inspection System Architecture

[Diagram: Design time: GAPA language and compiler produce signatures and protocol parsers. Run time: Microsoft Update delivers protocol parsers and signatures to the NIS engine, which sits behind network interception and reports to telemetry and the portal]

Aim of telemetry:
- Understand the current malware landscape
- Improve signature quality

TMG sends:
- Signature matches
- Protocol parse errors
- No PII in Basic Mode

Encourage customers to use it.
NIS Response Process

Threat Identification → Threat Research → Signature Development → Signature Testing → Encyclopedia Write-up → Signature Release (targeting 4 hours end to end)

The Microsoft Malware Protection Center (MMPC) identifies threats based on information received from various sources, including the Microsoft Telemetry Service. When Malware Protection or NIS identifies an attack or potential malware, it reports information to Microsoft about the potential attack. This information is stored and analyzed by Microsoft to help identify attack patterns and improve the precision and efficiency of threat mitigations.

Based on this information, the MMPC develops a NIS signature for the vulnerability. This signature is tested to confirm that it properly identifies the threat and does not cause false positives, and then it is released through Microsoft Update.
Other Network Protection Mechanisms

Forefront TMG also includes other network protection mechanisms in addition to NIS:
- Common OS attack detection
- DNS attack filtering
- IP option filtering
- Flood mitigation
DNS Attack Filtering

Enables the following checks in DNS traffic:
- DNS host name overflow – DNS response for a host name exceeding 255 bytes
- DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes
- DNS zone transfer – DNS request to transfer zones from an internal DNS server

The Forefront TMG Domain Name System (DNS) filter intercepts and analyzes all inbound DNS traffic that is destined for the internal network and other protected networks. If DNS attack detection is enabled, you can specify that the DNS filter checks for the following types of suspicious activity:
- DNS host name overflow – When a DNS response for a host name exceeds 255 bytes, applications that do not check host name length may overflow internal buffers when copying this host name, allowing a remote attacker to execute arbitrary commands on a targeted computer.
- DNS length overflow – When a DNS response for an IP address exceeds 4 bytes, some applications executing DNS lookups will overflow internal buffers, allowing a remote attacker to execute arbitrary commands on a targeted computer. Forefront TMG also checks that the value of RDLength does not exceed the size of the rest of the DNS response.
- DNS zone transfer – A client system uses a DNS client application to transfer zones from an internal DNS server.

When offending packets are detected, they are dropped and an event that triggers a DNS Intrusion alert is generated. You can configure the alerts to notify you that an attack was detected. When the DNS Intrusion event is generated five times during one second for DNS zone transfer, a DNS Zone Transfer Intrusion alert is triggered. By default, after the applicable predefined alerts are triggered, they are not triggered again until they are reset manually.
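The three DNS filter checks above can be expressed directly against the DNS wire format; this added example (not the Forefront TMG filter itself) parses a message, flags host names whose expanded length exceeds 255 bytes, A records whose RDATA exceeds 4 bytes, an RDLength larger than the remaining response, and AXFR zone transfer requests. All sample messages are constructed in the block, not captured traffic.

```python
import struct

# Constants from the slide: the 255-byte host name limit and the 4-byte IPv4 address.
MAX_NAME_LEN = 255
IPV4_LEN = 4
TYPE_A, TYPE_AXFR = 1, 252
QR_FLAG = 0x8000  # header bit set on responses

def encode_name(name):
    """Dotted host name to DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg, off):
    """Decode a name starting at off, following compression pointers.
    Returns (offset after the name, length of the fully expanded name in bytes)."""
    end, jumped, hops, expanded = off, False, 0, 1  # 1 for the terminating root label
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer occupies 2 bytes
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return end, expanded
        expanded += 1 + length
        off += 1 + length

def inspect_dns(msg):
    """Return the findings the slide's three DNS checks would raise for one message."""
    findings = []
    if len(msg) < 12:
        return ["malformed: short header"]
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    is_response = bool(flags & QR_FLAG)
    off = 12
    for _ in range(qd):
        off, _ = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if not is_response and qtype == TYPE_AXFR:
            findings.append("zone transfer request (AXFR)")
    if is_response:
        for _ in range(an + ns + ar):
            off, name_len = read_name(msg, off)
            if name_len > MAX_NAME_LEN:
                findings.append(f"host name overflow ({name_len} bytes)")
            rtype, _cls, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rdlength > len(msg) - off:
                findings.append("RDLength exceeds remaining response")
                break
            if rtype == TYPE_A and rdlength > IPV4_LEN:
                findings.append(f"length overflow (A record RDATA {rdlength} bytes)")
            off += rdlength
    return findings

def build_response(qname, answers):
    """Constructed response: one A question plus (name, type, rdata) answer records."""
    msg = struct.pack("!6H", 0x1234, QR_FLAG, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def build_query(qname, qtype):
    """Constructed query with the recursion-desired flag set."""
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

# Constructed sample traffic: one benign answer and one message per attack pattern.
BENIGN = build_response("www.example.com", [("www.example.com", TYPE_A, bytes([192, 0, 2, 10]))])
LONG_NAME = build_response("www.example.com", [(".".join(["a" * 63] * 5), 16, b"\x00")])
LONG_RDATA = build_response("www.example.com", [("www.example.com", TYPE_A, bytes([192, 0, 2, 10, 99]))])
TRUNCATED = BENIGN[:-2]                       # declares 4 RDATA bytes but carries only 2
ZONE_XFER = build_query("example.com", TYPE_AXFR)

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN), ("long name", LONG_NAME), ("long rdata", LONG_RDATA),
                       ("truncated", TRUNCATED), ("axfr", ZONE_XFER)]:
        print(f"{label:10s} -> {inspect_dns(pkt) or 'pass'}")
```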
IP Options Filtering

Forefront TMG can block IP packets based on the IP options set:
- Deny all packets with any IP options
- Deny packets with the selected IP options
- Deny packets with all except the selected IP options
Forefront TMG can also block fragmented IP packets.

Forefront TMG can drop all IP packets with any IP option in their header, all IP packets that have any of a list of selected IP options in their header, or all IP packets whose header contains any IP option that is not in the list of selected IP options. Forefront TMG can also drop all IP fragments. For more information about IP options filtering and IP fragment filtering, see the Microsoft TechNet article Overview of intrusion detection (http://technet.microsoft.com/en-us/library/cc aspx).
Flood Mitigation

The Forefront TMG flood mitigation mechanism uses:
- Connection limits that identify and block malicious traffic
- Logging of flood mitigation events
- Alerts that are triggered when a connection limit is exceeded

TMG comes with default configuration settings; exceptions can be set per computer set.

[Table: connection limits, with Limit and Custom Limit columns; the values shown include 600, 160, 80, 1000, 6000 and 400]

The default configuration settings for flood mitigation help ensure that Forefront TMG continues to function under a flood attack. Forefront TMG classifies the traffic and provides different levels of service to different types of traffic. Traffic that is considered malicious (with intent to cause a flood attack) can be denied, while Forefront TMG continues to serve all other traffic.

The Forefront TMG flood mitigation mechanism helps to identify various types of flood attacks, including the following:
- Worm propagation – An infected host scans a network for vulnerable hosts by sending TCP connect requests to randomly selected IP addresses and a specific port. Resources are depleted at an accelerated rate if there are policy rules based on Domain Name System (DNS) names, which require a reverse DNS lookup for each IP address.
- TCP flood attacks – An offending host establishes numerous TCP connections with a Forefront TMG server or other servers that are protected by Forefront TMG. In some cases, the attacker sequentially opens and immediately closes many TCP connections, in an attempt to elude the counters. This consumes a large amount of resources.
- SYN attacks – An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server without completing the TCP handshake, leaving the TCP connections half-open.
- HTTP denial of service attacks – A single offending host or a small number of hosts send a huge number of HTTP requests to a Forefront TMG server. In some cases, the attacker sends HTTP requests at a high rate over a persistent (keep-alive) TCP connection. Because the Forefront TMG Web proxy authenticates every request, this consumes a large amount of resources.
- Non-TCP distributed denial of service (DDoS) attacks – A large number of offending hosts send requests to a Forefront TMG server. Although the total amount of traffic sent to the victim is enormous, the amount of traffic sent from each offending host can be small.
- UDP flood attacks – An offending host opens numerous concurrent UDP sessions with a Forefront TMG server.

Connection Limits

Forefront TMG provides a quota mechanism that imposes connection limits for TCP and non-TCP traffic handled by the Microsoft Firewall service. Connection limits are applied to requests from internal client computers configured as SecureNAT clients, Firewall clients, and Web proxy clients in forward proxy scenarios, and to requests from external clients handled by Web publishing and server publishing rules in reverse proxy scenarios. The mechanism helps prevent flood attacks from specific IP addresses, and helps administrators identify IP addresses that generate excessive traffic, which might be a symptom of a worm or other malware infection.

A connection limit policy can be configured for an array or a standalone Forefront TMG server. A connection limit policy includes the following categories of connection limits:
- Connection limits that establish how many TCP connect requests and HTTP requests are allowed during one minute from a single IP address that is not included in the list of IP address exceptions.
- Connection limits that establish how many concurrent transport-layer protocol connections may be accepted from a single IP address that is not included in the list of IP address exceptions. These include connection limits for TCP connections, UDP sessions, and ICMP and other raw IP connections.
- Custom connection limits that establish how many connect requests and how many concurrent transport-layer protocol connections may be accepted from a single special IP address that is included in the list of IP address exceptions. IP address exceptions might include published servers, chained proxy servers, and network address translation (NAT) devices (routers), which require many more connections than most other IP addresses. Custom connection limits are applied to TCP connections, UDP sessions, and ICMP and other raw IP connections.
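The connection limit categories above (per-minute connect requests, concurrent connections, and custom limits for IP address exceptions) can be modelled as a small quota engine; this added example (not Forefront TMG code) replays constructed connection events through one, logging each exceeded limit and raising one alert per IP and limit until reset, as the slide describes. The thresholds are deliberately tiny constructed values, not TMG's defaults, and the exception network stands in for a NAT router.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 60  # the slide's limits on connect requests are per minute

class FloodMitigator:
    """Per-IP connection quota in the style of the TMG flood mitigation mechanism.

    limits:     {"connects_per_minute": n, "concurrent": n} applied to every IP
    exceptions: {network: custom limits} for published servers, chained proxies, NAT devices
    """

    def __init__(self, limits, exceptions=None):
        self.limits = limits
        self.exceptions = [(ip_network(net), lim) for net, lim in (exceptions or {}).items()]
        self.connects = defaultdict(deque)   # ip -> timestamps of recent connect requests
        self.concurrent = defaultdict(int)   # ip -> currently open sessions
        self.log = []                        # flood mitigation events: (ts, ip, limit)
        self.alerts = []                     # one alert per (ip, limit) until reset_alerts()

    def limits_for(self, ip):
        """Custom limits apply to IPs in the exception list; everyone else gets the defaults."""
        addr = ip_address(ip)
        for net, lim in self.exceptions:
            if addr in net:
                return lim
        return self.limits

    def _exceeded(self, ip, which, ts):
        self.log.append((ts, ip, which))
        if (ip, which) not in self.alerts:
            self.alerts.append((ip, which))

    def reset_alerts(self):
        self.alerts.clear()

    def connect_request(self, ip, ts):
        """Decide on a new connect request at time ts (seconds); sliding one-minute window."""
        window = self.connects[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= self.limits_for(ip)["connects_per_minute"]:
            self._exceeded(ip, "connects_per_minute", ts)
            return "deny"
        window.append(ts)
        return "allow"

    def open_session(self, ip, ts):
        """Decide on a new concurrent transport-layer session."""
        if self.concurrent[ip] >= self.limits_for(ip)["concurrent"]:
            self._exceeded(ip, "concurrent", ts)
            return "deny"
        self.concurrent[ip] += 1
        return "allow"

    def close_session(self, ip):
        self.concurrent[ip] = max(0, self.concurrent[ip] - 1)

def simulate(events, mitigator):
    """Replay (ts, ip, action) events; actions are 'connect', 'open' or 'close'."""
    decisions = []
    for ts, ip, action in events:
        if action == "connect":
            decisions.append(mitigator.connect_request(ip, ts))
        elif action == "open":
            decisions.append(mitigator.open_session(ip, ts))
        else:
            mitigator.close_session(ip)
            decisions.append("closed")
    return decisions

def demo():
    """Constructed scenario: a scanning host, a NAT router on the exception list, a session hog."""
    m = FloodMitigator(
        limits={"connects_per_minute": 3, "concurrent": 2},
        exceptions={"10.0.0.0/24": {"connects_per_minute": 100, "concurrent": 50}},
    )
    events = [
        (0, "192.0.2.7", "connect"), (1, "192.0.2.7", "connect"), (2, "192.0.2.7", "connect"),
        (3, "192.0.2.7", "connect"),      # fourth request within a minute: denied, logged, alerted
        (61, "192.0.2.7", "connect"),     # the first request has aged out: allowed again
        (5, "10.0.0.5", "connect"), (5, "10.0.0.5", "connect"),
        (5, "10.0.0.5", "connect"), (5, "10.0.0.5", "connect"),   # NAT router: custom limit applies
        (10, "192.0.2.9", "open"), (10, "192.0.2.9", "open"),
        (10, "192.0.2.9", "open"),        # third concurrent session: denied
    ]
    return simulate(events, m), m
```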
Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG): Product Positioning

Forefront TMG 2010: Enables users to safely and productively use the Internet without worrying about malware and other threats.

Forefront UAG: Comprehensive, secure remote access to corporate resources.

Forefront UAG is the preferred solution for providing remote access. Forefront TMG 2010 still supports remote access features, but it is not the recommended solution for that purpose.
Non-HTTP Server Publishing

- Maps requests for non-Web servers in one of the TMG 2010 networks
- Clients can be either on the Internet or on a different internal network
- Can be used to publish most TCP and UDP protocols
- Behavior depends on whether the non-Web server is behind a NAT relationship or not:
  - If behind NAT, clients connect to an IP address belonging to Forefront TMG
  - If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server
- The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010

Forefront TMG 2010 uses server publishing rules to map requests for non-Web servers located in a Forefront TMG 2010 network from clients located in other networks. Clients can be external clients located on the Internet or internal clients located on a different internal network.

When the network on which the published server is located has a NAT relationship with the network from which client requests originate, server publishing works as follows:
- The IP address published by the server publishing rule belongs to Forefront TMG. Clients make a request for the published resource to the client-facing adapter on the Forefront TMG server and not directly to the internal server.
- By default, the client source address sent to the published server is that of the client. You can change this setting to specify that the source address sent to the published server is that of the Forefront TMG server.

When the network on which the published server is located has a route relationship with the network from which client requests originate, server publishing works as follows:
- Forefront TMG listens for requests on the IP address of the published server.
- Clients make a request to the IP address of the internal server.

Server publishing rules have the following characteristics:
- Server publishing can be used to publish most TCP and UDP protocols.
- The published server should be configured as a SecureNAT client with a default gateway pointing to Forefront TMG 2010.
- You cannot authenticate user requests for server publishing rules.
- You can use IP address control to specify who can access published resources.
- A server publishing rule can only publish a single server and protocol.

In some circumstances you may want to consider using server publishing rules instead of access rules for internal client requests, for example, if you want to allow internal clients to access a non-Web server located in a perimeter network. For a comparison of server publishing rules and access rules, see the Microsoft TechNet article About network relationships and firewall policy (http://technet.microsoft.com/en-us/library/cc aspx).
Sample Server Publishing Scenario: DNS Server Publishing

[Diagram: 1. DNS request → 2. Check rule match]
Check Publishing Rule Match

For non-HTTP requests, Forefront TMG 2010 checks network rules, and then checks publishing rules to determine whether requests are allowed.

Overriding default ports

Server publishing configures Forefront TMG 2010 to listen on a specific port and forward requests to a published server. You can configure the following port properties:
- Specify the port on which Forefront TMG 2010 should listen for requests. If you publish on a port other than the default port, Forefront TMG 2010 receives client requests for the published service on the nonstandard port, and then forwards requests to the designated port on the published server. For example, a server publishing rule may specify that client requests for FTP services connect through port 22 on the Forefront TMG 2010 computer before being redirected to the default port 21 on the published server.
Non-HTTP Server Publishing: Things to Consider

Things to consider when planning server publishing:
- No authentication support
- Access restriction by network elements only (networks, subnets, or IP addresses)
- No support in a single-adapter configuration
- Client source IP address preserved (the behavior can be changed using a rule setting)
- Application layer filter and NIS signature coverage (SMTP, POP3, DNS, etc.)

When using server publishing rules, Forefront TMG 2010 forwards the traffic as it does for access rules, but it uses application filters directly. For example, the Simple Mail Transfer Protocol (SMTP) filter is not used for SMTP traffic handled by an access rule, but it is used with traffic handled by a server publishing rule.

In server publishing rules, the client in the destination network makes a connection to the Forefront TMG IP address on which the publishing rule is listening for requests. When Forefront TMG 2010 forwards the traffic to the published server, it replaces the Forefront TMG IP address with the IP address of the internal server that it is publishing, but it does not modify the source IP address.

Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when forwarding traffic to the published server, the published server must use the Forefront TMG 2010 computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules to use the setting Requests appear to come from the Forefront TMG computer. This causes Forefront TMG 2010 to perform full NAT on the traffic handled by the rule.
Web Publishing

- Provides secure access to Web content for users on the Internet
- Web content may be either on internal networks or in a DMZ
- Supports HTTP and HTTPS connections

Forefront TMG 2010 Web publishing features:
- Mapping requests to specific internal paths on specific servers
- Authentication and authorization of users at the TMG level
- Delegation of user credentials after TMG authentication
- Caching of the published content (reverse caching)
- Inspection of incoming HTTPS requests using SSL bridging
- Load balancing of client requests among Web servers in a server farm

Forefront TMG Web publishing makes Web content securely available to groups of users or to all users who send requests to your organization from the Internet. The Web content requested is typically stored on Web servers in the Internal network or in a perimeter network (also known as a screened subnet or a demilitarized zone (DMZ)).

With Web publishing rules, you can allow or deny requests based on defined access policies. You can restrict access to specified users, computers, or networks, require user authentication, and inspect the traffic. Content caching enables Forefront TMG 2010 to cache Web content and to respond to user requests from the cache without forwarding the requests downstream to the published Web server. This type of content caching is called reverse caching.

Web publishing rules have many features that determine how client Web requests are passed to the published Web servers, including the following:
- Mapping requests to specific internal paths to limit the portions of your Web servers that can be accessed.
- Delegation of user credentials for authenticating Forefront TMG to the Web server after authentication by Forefront TMG 2010, without requiring users to supply their credentials a second time.
- Link translation for replacing internal host names and paths in Web content with public names and external paths.
- Secure Sockets Layer (SSL) bridging, which enables Forefront TMG to inspect incoming HTTPS requests and then forward them to the Web server over an encrypted SSL channel.
- Load balancing of client requests among the Web servers in a server farm, with maintenance of client affinity for increased availability and improved performance.
Accessing Web Resources
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols.
Securing SSL Traffic
SSL bridging:
- The client on the Internet encrypts its communications to TMG
- TMG 2010 decrypts and inspects the traffic
- TMG 2010 sends allowed traffic to the published server, re-encrypting it if required

Because the client's SSL session terminates on Forefront TMG, the Web listener must hold a certificate (with its private key) for the public host name the clients use. On the second leg, TMG validates the published server's certificate against the server name configured in the publishing rule, so that name must match the certificate as well.
Authentication Process
1. Client credentials received by Forefront TMG
2-3. Credentials validated against the configured authentication provider
4. Credentials delegated to the internal server
5. Server sends the response
6. Response forwarded to the client
Single Sign-On
Sample scenario: two published Web sites requiring authentication
With single sign-on:
- User prompted for authentication
- User clicks a link to SharePoint
- User NOT prompted for authentication
Without single sign-on:
- User prompted for authentication
- User clicks a link to SharePoint
- User prompted for authentication again

Single sign-on (SSO) enables users to authenticate once to Microsoft Forefront Threat Management Gateway and then, without reauthenticating, access all of the Web sites with the same domain suffix that Forefront TMG 2010 publishes on a specific Web listener. Web sites can include Microsoft Outlook Web Access and Microsoft SharePoint Server sites, as well as standard Internet Information Services (IIS) Web sites.

A typical example of SSO is a user who logs on to Outlook Web Access by providing credentials on a form. One of the messages the user receives contains a link to a document that is stored on a SharePoint server. The user clicks the link, and the document opens without an additional request for authentication. This example relies on the use of persistent cookies.

Security notes
- As long as a user's browser process is still running, that user is logged on. For example, a user logs on to Outlook Web Access. From the Internet Explorer menu, the user opens a new browser window and then navigates to another site. Closing the Outlook Web Access window does not end the session, and the user is still logged on.
- When enabling SSO, be sure to specify a restrictive SSO domain. Providing an inclusive domain, such as .co.uk, allows the Web browser to send the Forefront TMG SSO cookie to any Web site in that domain, including sites your organization does not control, which creates a security risk.
- In a scenario where you create a Web listener that uses forms-based authentication with RSA SecurID validation and you enable Collect additional delegation credentials in the form, Forefront TMG 2010 does not verify whether the user enters the same or a different name for the additional credentials.

Note: There is no support for SSO between different Web listeners. SSO is supported for published Web sites whose host names have the same DNS suffix after the first dot. For example, you can configure SSO when publishing mail.fabrikam.com and team.fabrikam.com by specifying .fabrikam.com as the SSO domain. However, you cannot configure SSO for mail.fabrikam.com and mail.contoso.com. In addition, a DNS suffix specified as an SSO domain must consist of at least two segments separated by an embedded dot. For example, .fabrikam.com and .portal.fabrikam.com are valid SSO domains, but .com is not a valid SSO domain.
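The SSO domain rules above (leading dot, at least two labels, published hosts sharing the suffix after their first dot) and the cookie-scope risk of an inclusive domain, worked as an added Python example that is not part of the deck or of Forefront TMG itself. The host names are constructed, and the browser cookie domain match is modeled on RFC 6265 domain matching rather than on any TMG code.

```python
"""Checks mirroring the Forefront TMG SSO-domain rules, plus a browser-style
cookie domain match that shows why an inclusive SSO domain is dangerous.
Added illustration, not TMG code; all host names below are constructed."""


def valid_sso_domain(domain):
    """TMG rule: a leading dot and at least two labels.
    .fabrikam.com and .portal.fabrikam.com are valid; .com is not."""
    if not domain.startswith("."):
        return False
    labels = domain[1:].lower().split(".")
    return len(labels) >= 2 and all(labels)


def dns_suffix(host):
    """The part of a host name after its first dot: mail.fabrikam.com -> .fabrikam.com"""
    _, _, rest = host.lower().partition(".")
    return "." + rest if rest else ""


def sso_supported(hosts, domain):
    """True when the domain is valid and every published host shares it as
    the suffix after the first dot (the condition stated for a single listener)."""
    return valid_sso_domain(domain) and all(dns_suffix(h) == domain.lower() for h in hosts)


def sso_domain_for(hosts):
    """The SSO domain that covers all of the hosts, or None if they differ
    after the first dot (mail.fabrikam.com vs mail.contoso.com)."""
    suffixes = {dns_suffix(h) for h in hosts}
    if len(suffixes) != 1:
        return None
    candidate = suffixes.pop()
    return candidate if valid_sso_domain(candidate) else None


def cookie_sent_to(cookie_domain, host):
    """Browser domain matching for a cookie with Domain=cookie_domain
    (RFC 6265 style): the host equals the domain or ends with '.' + domain."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)


def cookie_exposure(sso_domain, sites_visited):
    """Which of the sites a user may visit would receive the TMG SSO cookie."""
    return [s for s in sites_visited if cookie_sent_to(sso_domain, s)]


if __name__ == "__main__":
    published = ["mail.fabrikam.co.uk", "team.fabrikam.co.uk"]
    print(sso_domain_for(published))                       # .fabrikam.co.uk
    # An inclusive domain is syntactically fine but leaks the cookie to third parties.
    print(cookie_exposure(".co.uk", ["mail.fabrikam.co.uk", "evil.example.co.uk"]))
```

Note that .co.uk passes the syntactic check, so the check alone does not protect you: cookie_exposure shows the SSO cookie would be sent to every site under co.uk, which is exactly the risk the security note describes. Use sso_domain_for to derive the narrowest domain that still covers the hosts on the listener.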
Forefront TMG Virtual Private Networking (VPN)
- TMG 2010 supports two types of VPNs: remote access VPN and site-to-site VPN
- TMG 2010 implements Windows Server 2008 VPN technology
- Implements support for Secure Socket Tunneling Protocol (SSTP)
- Implements support for Network Access Protection (NAP)

Virtual private network (VPN) technology enables cost-effective, secure remote access to private networks. With a VPN, you can extend your private network across a shared or public network, such as the Internet, in a manner that emulates a point-to-point private link. By using the Forefront TMG computer as the VPN server, you protect your corporate network from malicious traffic arriving over VPN connections: because the VPN server is integrated into the firewall, VPN users are subject to the Forefront TMG firewall policy rather than being dropped straight onto the internal network.

About Forefront TMG VPNs
Forefront TMG 2010 supports two types of VPNs:
- Remote access VPN – provides roaming users with secure remote access to the internal network.
- Site-to-site VPN – enables quick connectivity between sites, for example between a main office and its branch offices.

Note: All VPN connections to Forefront TMG are logged to the Firewall log, so that you can monitor them.

Forefront TMG implements Windows Server VPN technology. For a description, see What Is VPN? (http://go.microsoft.com/fwlink/?LinkId=160092). When reading this content, keep in mind the functional differences between Windows Server 2003 and later versions of Windows as documented in What's New in Routing and Remote Access in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160094).
Secure Socket Tunneling Protocol (SSTP)
- New SSL-based VPN protocol
- Uses an HTTP over SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets, so it traverses firewalls and NAT devices that allow outbound HTTPS
- Support for unauthenticated Web proxies
- Support for Network Access Protection (NAP)
- Client support in Windows Vista SP1
- No plans to backport SSTP to previous versions
Network Access Protection (NAP)
Windows policy validation and enforcement platform:
- Policy validation: determines whether computers are compliant with the company's security policy. Compliant computers are deemed healthy.
- Network restriction: restricts network access for computers based on their health.
- Remediation: provides the necessary updates to allow the computer to become healthy. Once healthy, the network restrictions are removed.
- Ongoing compliance: changes to the company's security policy or to a computer's health may dynamically result in network restrictions.

Network Access Protection (NAP) consists of several components and architecture models that work in conjunction to provide security for the network. The NAP infrastructure supports the different servers required to validate, remediate and issue health certificates. The enforcement methods used by NAP (802.1X, DHCP, VPN, NPS RADIUS and IPsec) provide flexibility in choosing the appropriate method for securing client access to your network.
NAP Support in Forefront TMG 2010
- Enforces compliance and provides remediation for clients connecting remotely through remote access VPN
- Supports all VPN protocols, including SSTP
- A different solution from the Remote Access Quarantine Service (RQS) supported in ISA Server 2006
- NAP validates the health status of the remote client at connection time
- VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network

NAP support in TMG 2010 allows you to define levels of network access based on a client's identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation), and then dynamically increases its level of network access.
NAP with Forefront TMG Walkthrough
[Diagram: a VPN client, Forefront TMG 2010 as the VPN server, the Network Policy Server (NPS), system health servers sending ongoing policy updates to NPS, and remediation servers on the restricted network beside the corporate network. Callouts: "Can I please have access to the network?" (VPN session request); EAP-Request/Identity and EAP-Response/Identity; EAP-Request/Start, "Send SoH"; PEAP messages "Here is my SoH"; the VPN QEC queries the NAP Agent for SoHs and passes the SoHResponses back to it; RADIUS Access-Accept with either "According to policy, the client is up to date. Grant access – no filters" (state: Full Access) or "According to policy, the client is not up to date. Quarantine client. Restrict client to /24" (state: Quarantine); the unhealthy SHA performs remediation against the remediation servers ("Here is the fix you need").]

The following process occurs when a NAP-capable VPN client connects to a NAP-capable VPN server:
1. The VPN client initiates a connection to the VPN server using Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPsec), or the new Secure Socket Tunneling Protocol (SSTP).
2. The VPN NAP component on the VPN server (a component of Routing and Remote Access) sends an EAP-Request/Identity message to the VPN QEC on the VPN client.
3. The VPN QEC on the VPN client (a component of the Remote Access Connection Manager service) responds with an EAP-Response/Identity message that contains the user name of the VPN client.
4. The VPN NES on the VPN server sends the EAP-Response/Identity message as a RADIUS Access-Request message to the NPS server. For all subsequent PEAP-based messages, the logical communication occurs between the NPS server and the VPN QEC on the VPN client, using the VPN server as a pass-through device. Messages between the VPN server and the NPS server are a series of RADIUS Access-Request, Access-Challenge, and Access-Accept messages.
5. The NPS server sends an EAP-Request/Start PEAP message to the VPN client.
6. The VPN client and the NPS server exchange a series of TLS messages to negotiate an encrypted TLS channel.
7. The NPS server sends a request for the list of SoHs to the VPN client using a PEAP-TLV message.
8. The VPN QEC queries the NAP Agent for the list of SoHs.
9. The VPN QEC passes the list of SoHs to the NPS server using a PEAP-TLV message.
10. The NPS server requests that the VPN client authenticate itself using its client credentials, using a PEAP authentication method such as PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).
11. The VPN client authenticates itself to the NPS server using the negotiated PEAP authentication method.
12. The NPS component on the NPS server extracts the list of SoHs from the PEAP-TLV message sent in step 9 and passes it to the NAP Administration Server component.
13. The NAP Administration Server component passes each SoH in the list to the appropriate SHV.
14. The SHVs analyze the contents of the SoH passed by the NAP Administration Server and then construct and send a SoHResponse to the NAP Administration Server.
15. The NAP Administration Server passes the list of SoHResponses to NPS.
16. NPS compares the list of SoHResponses to the configured set of network access and system health policies and then makes a limited/unlimited network access decision.
17. NPS constructs and sends a PEAP-TLV message containing the limited/unlimited network access decision and the list of SoHResponses to the VPN client.
18. NPS sends a RADIUS Access-Accept message containing its limited/unlimited network access decision to the VPN server. If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP packet filters that limit the traffic of the VPN client to the restricted network. If the VPN connection is unlimited, the RADIUS Access-Accept message does not contain IP packet filters, and after the VPN connection completes the NAP client has unlimited network access.
19. The VPN client and VPN server complete the VPN connection.
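The decision taken at steps 12 to 18, as an added Python model that is not NPS, NAP or Forefront TMG code: the SoHs are dispatched to a single modeled SHV, the SoHResponses are compared with a constructed health policy, and the resulting Access-Accept either carries no filters or an IP packet filter set that confines the client to a constructed restricted /24. The SHV checks, the policy, the addresses and the SoH contents are all assumptions made for the illustration; the unknown-SHV fail-closed behaviour is also an assumption.

```python
"""Model of the NPS decision at the end of the NAP VPN exchange: SoHs go to
SHVs, SoHResponses are compared with a health policy, and the Access-Accept
carries either no filters (full access) or IP packet filters that confine the
client to the restricted network. Added illustration, not NPS/TMG code."""
import ipaddress

# Constructed restricted network and remediation server (not from the deck).
RESTRICTED_NETWORK = ipaddress.ip_network("192.0.2.0/24")
REMEDIATION_SERVER = ipaddress.ip_address("192.0.2.10")

# Constructed health policy: every SHV listed must report the client compliant.
HEALTH_POLICY = {"required_shvs": ("WindowsSecurityHealthValidator",)}


def windows_shv(soh):
    """Model of the Windows Security Health Validator: the firewall must be on
    and antivirus signatures current. Returns a SoHResponse."""
    failures = []
    if not soh.get("firewall_enabled"):
        failures.append("firewall disabled")
    if not soh.get("antivirus_up_to_date"):
        failures.append("antivirus signatures out of date")
    return {"compliant": not failures, "remediation": failures}


SHVS = {"WindowsSecurityHealthValidator": windows_shv}


def evaluate_sohs(sohs):
    """NAP Administration Server step (13-15): route each SoH to its SHV and
    collect the SoHResponses."""
    responses = {}
    for name, soh in sohs.items():
        shv = SHVS.get(name)
        # Assumption: an SoH with no configured SHV cannot be validated, so fail closed.
        responses[name] = shv(soh) if shv else {"compliant": False, "remediation": ["no SHV"]}
    return responses


def nps_access_decision(sohs, policy=HEALTH_POLICY):
    """NPS step (16-18): compare SoHResponses with the health policy and build
    the Access-Accept content. Limited access carries IP packet filters."""
    responses = evaluate_sohs(sohs)
    healthy = all(responses.get(s, {}).get("compliant", False) for s in policy["required_shvs"])
    if healthy:
        return {"state": "full", "ip_filters": (), "soh_responses": responses}
    return {
        "state": "quarantine",
        # Only the restricted network (where the remediation servers live) is reachable.
        "ip_filters": (RESTRICTED_NETWORK,),
        "soh_responses": responses,
    }


def client_can_reach(decision, destination):
    """Apply the Access-Accept filters on the VPN connection to one destination."""
    if not decision["ip_filters"]:
        return True
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in decision["ip_filters"])


# Constructed SoHs, as the VPN QEC would collect them from the NAP Agent.
HEALTHY_CLIENT = {"WindowsSecurityHealthValidator": {"firewall_enabled": True, "antivirus_up_to_date": True}}
STALE_CLIENT = {"WindowsSecurityHealthValidator": {"firewall_enabled": True, "antivirus_up_to_date": False}}

if __name__ == "__main__":
    for label, sohs in (("healthy", HEALTHY_CLIENT), ("stale", STALE_CLIENT)):
        d = nps_access_decision(sohs)
        print(label, d["state"], "corp:", client_can_reach(d, "10.1.1.1"),
              "remediation:", client_can_reach(d, str(REMEDIATION_SERVER)))
```

The point of the model is the shape of the result: a quarantined client still reaches the remediation server inside the restricted /24 but nothing on the corporate network, and the SoHResponses tell the client which checks to fix before it reconnects.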
Mail Protection – Forefront Threat Management Gateway
- Full-featured SMTP hygiene
- Exchange Edge Transport provides the SMTP stack (requires a valid license)
- Integrated with Microsoft Forefront Protection 2010 for Exchange Server: antimalware, antispam, antiphishing
- Also supports generic SMTP mail servers behind TMG

E-mail protection subscription service
Forefront TMG provides an e-mail protection subscription service, based on technology integrated from Forefront Protection 2010 for Exchange Server. Forefront TMG serves as a relay for SMTP traffic, and scans for viruses, malware, spam and unwanted content (such as executable or encrypted files) as mail crosses the network edge.

Utilizing Microsoft mail protection technologies
Forefront TMG leverages the capabilities of the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) to provide mail relay and anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work cumulatively, to reduce the spam that enters and exits your organization.

When deploying the e-mail protection feature in Forefront TMG, you install Exchange Edge and FPES on the Forefront TMG computer. While these products can be installed independently on separate computers, installing them on Forefront TMG and implementing the e-mail protection feature provides a number of benefits, which are described in Benefits of creating an e-mail policy with Forefront TMG (http://technet.microsoft.com/en-us/library/dd aspx#benis).

Layered protection
Because spammers and malicious senders use a variety of techniques, Forefront TMG implements a layered and multifaceted approach to reducing spam and viruses. The layered approach refers to the configuration of several anti-spam and antivirus features that filter inbound messages in a specific order. Each feature filters for a specific characteristic, or set of related characteristics, of the inbound message.
E-mail Threats
- ~98% of all e-mail is spam/malicious
- Over 400 billion unwanted e-mails in H2 2008
- Estimated cost is $130 billion in 2009
- Causes 90% of NDRs
- Risk of software vulnerabilities

Microsoft Security Intelligence Report, volume 6 (www.microsoft.com/sir) reports that 98% of e-mail is spam.

Microsoft Forefront Online Security for Exchange (FOSE; formerly Microsoft Exchange Hosted Services, or EHS) provides enterprise-class spam and malware filtering services for thousands of customers. This figure shows the percentage of incoming messages that FOSE has filtered as spam in every half-year period since 1H06. In 2H08, FOSE filtered 97.3 percent of all messages it received, delivering only about one out of every 40 messages to intended recipients. This figure was down from 98.4 percent in 1H08.

The source for the $130 billion loss is Ferris Research (http://www.ferris.com/research-library/industry-statistics/).
The Solution
Filter unwanted e-mail as early as possible.

FOSE performs spam filtering in two stages. The vast majority of spam is blocked by servers at the network edge, which use a number of non-content-based rules to block probable spam or other unwanted messages. Messages that are not blocked at the first stage are scanned using content-based rules, which detect and filter additional threats, including attachments containing malware. This figure shows the percentage of messages blocked at each stage in every half-year period since 1H06.

[Figure: Percentage of incoming messages blocked by Forefront Protection for Exchange using edge blocking and content filtering, 1H06-2H08]
E-mail Protection Features
- Protection at the edge: protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server
- Advanced protection and premium antispam: multiple scan engines to protect against malware and provide a premium antispam solution
- Integrated management: easy management of the Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG
- Array deployment: support for managing and load balancing traffic among multiple servers

Benefits of creating an e-mail policy with Forefront TMG
There are a number of advantages to implementing e-mail protection with Forefront TMG:
- Protection at the edge – The e-mail protection feature in Forefront TMG inspects mail traffic at the edge (the point of entry into the enterprise's core networks), as opposed to scanning messages for viruses and other malware further along the mail flow path, thus saving processing resources, bandwidth, and storage.
- Integrated management – When you create an e-mail policy using Forefront TMG, you configure the settings in the Forefront TMG Management console, and Forefront TMG applies your configuration to Exchange Edge and FPES. When using this integrated management solution, you do not need to open the management consoles of Exchange Edge or FPES (in fact, you should not open them except for troubleshooting, because changes made there are not reflected in the TMG policy). Implementing e-mail protection consequently does not require expertise in Exchange Edge and FPES.
- Extended management – Forefront TMG allows you to deploy multiple servers in an array and manage those servers from a single interface. This also applies to the e-mail protection feature, which is a benefit not available to other Exchange Server and FPES deployments. When you configure an e-mail policy with Forefront TMG, the configuration settings are stored for the entire array. Configuring the e-mail policy is done once only, after which all array members receive the configuration when they synchronize with the configuration storage.
- Native support for Network Load Balancing (NLB) – Using NLB and a virtual IP address, you can deploy more Forefront TMG servers at a single point of entry, thereby processing more mail traffic. Similarly, by deploying multiple Forefront TMG servers, each running Exchange Edge and FPES, you can more easily maintain a highly available and protected mail delivery service for your organization.
Solution Components
Microsoft products:
- Forefront Protection 2010 for Exchange Server
- Microsoft Exchange Server 2007 (or 2010) Edge Transport
- Forefront Threat Management Gateway
- Windows Server 2008 x64

All four run on the same computer: when you deploy the e-mail protection feature, you install the Exchange Edge Transport role and FPES on each Forefront TMG server, and Forefront TMG manages them as one mail relay with anti-spam and antivirus protection.
Typical Deployment Topology
[Diagram: Internet SMTP servers and a partner SMTP server (TLS-encrypted connection) exchange SMTP traffic with a Forefront TMG array for myorg.com; the array relays mail to the internal SMTP server on the Internal network and uses EdgeSync (Exchange Server only); the domain's MX record points to the Forefront TMG external IP address.]

A mail exchanger (MX) resource record for your domain must be registered on Internet DNS servers, and the MX record must point to the external IP address of Forefront TMG.

For outbound mail, Forefront TMG can send to a specific IP address (a smart host), or use DNS to locate the MX record of the remote SMTP domain. In the latter case TMG queries DNS for the MX record, resolves the host it names to an IP address, and delivers the mail there. If you select this routing method, verify that your DNS server can successfully resolve names on the Internet.
Configure SMTP Routes
- Defines how Forefront TMG routes traffic from and to the organization's SMTP servers
- At least two routes are required:
  - Internal_Mail_Servers defines the IP addresses and SMTP domains of the internal mail servers
  - External_Mail_Servers defines which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail

The first step in creating the e-mail policy is to configure how Forefront TMG routes mail traffic to and from the internal Simple Mail Transfer Protocol (SMTP) servers in your organization. The Exchange Edge Transport server installed on your Forefront TMG server acts as a relay between your internal SMTP servers and those outside your organization, and applies the policy that you create to mail in transit.

In Forefront TMG, these mail routes are called SMTP routes. You must create at least two routes, as follows:
- On the Internal_Mail_Servers route, you enter the IP addresses of your internal mail servers, the SMTP domains of your mail organization (known as accepted authoritative domains in Microsoft Exchange), and the networks from which mail may be sent. This instructs Forefront TMG to accept and relay internal mail only from these authorized networks, IP addresses and domains.
- On the External_Mail_Servers route, you define from which networks mail is allowed to enter the mail organization, select the mail routing method used to send internal mail to external networks, and enter the publicly registered FQDN or IP address that external mail servers should use as the address for your mail organization.

Each SMTP route has a listener which responds to mail requests from the permitted IP addresses and networks. Keep the accepted domains and the sending networks on the internal route tight: a relay that accepts mail for any domain from any network is an open relay.

You can create these initial SMTP routes with the E-Mail Policy Wizard, and then create additional routes by using the Create SMTP Route Wizard.

In order to configure SMTP routes, you must install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) on each Forefront TMG server in the array.
Configure Spam Filtering
Defines the spam filtering policy:
- Connection-level filtering: IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers
- Protocol-level filtering: Recipient Filtering, Sender Filtering, Sender ID, Sender Reputation
- Content-level filtering

The layers run in the order listed: connection-level checks accept or reject the sending host before any message data is received, protocol-level checks act on the SMTP envelope (sender, recipients, and the sending domain's Sender ID record), and content-level filtering scans the message itself last. Spam filtering options are configured on the Spam Filtering tab.
Virus and Content Filtering
Configures antivirus, file attachment, and message body filtering:
- Virus filter – engine selection policy and remediation actions
- File filters – unwanted file attachments based on file type, filename, and prefix
- Message body filters – identify unwanted messages by applying keyword lists to the contents of the message body

Virus filters – Forefront TMG lets you employ multiple scan engines (up to five) to detect and clean viruses from attachments. Multiple engines provide extra security by enabling you to draw upon the expertise of various virus labs to keep your environment virus-free; a virus might slip by one engine, but it is unlikely to get past three.

The intelligent engine selection policy setting controls how many of the selected engines are used, to give you an acceptable probability that your system is protected (there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught; however, the more engines you use, the greater the impact on your system's performance.

File filters – Identify unwanted file attachments within messages. You can filter file attachments based on file type, filename, and prefix.

Message body filters – Identify unwanted messages by analyzing the contents of the message body. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.

About keyword list syntax rules
The following are the syntax rules for a keyword list:
- Each item (line of text) is considered a search query.
- Queries use the OR operator: it is a positive detection if any entry matches.
- Queries can contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character:
  - _AND_ (logical AND). For example: apple•_AND_•orange juice
  - _NOT_ (negation). For example: apple•_AND__NOT_•juice
  - _ANDNOT_ (same as _AND__NOT_). For example: apple•_ANDNOT_•juice
  - _WITHIN[#]OF_ (proximity). If the two terms are within the specified number of words of each other, there is a match. For example: free•_WITHIN10OF_•offer (if free is within 10 words of offer, this query is true).
  - _HAS[#]OF_ (frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example: _HAS4OF_•get rich quick (if the phrase "get rich quick" is found in the text four or more times, this query is true). This operator is implicitly assumed with a default value of 1 when it is not specified.
- Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest): 1) _WITHIN[#]OF_ 2) _HAS[#]OF_ 3) _NOT_ 4) _AND_. This precedence cannot be overridden with parentheses.
- The logical operators must be entered in uppercase letters.
- Phrases can also be used as keywords, for example, apple juice or get rich quick.
- Multiple blank characters (spaces, line feeds, carriage returns, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A••••B is treated as A•B and matches the phrase A•B.
- In HTML-encoded message text, punctuation (any character that is not alphanumeric) is treated as a word separator, like a blank space. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter <html> matches <html>, but not html.
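An evaluator for the keyword-list syntax just described, written here as an added Python example; it is not the Forefront Protection filter code. It implements lines OR'd together, the uppercase-only operators, the _AND__NOT_ and _ANDNOT_ spellings, the stated precedence without parentheses, blank-run collapsing, and HTML-mode word separation. Assumptions not stated on the page: matching is case-insensitive, "within N words" is measured between the start positions of the two phrases, and the literal <html> filter special case is not modeled. The keyword list and messages are constructed.

```python
"""Evaluator for the FPES/TMG keyword-list syntax: one query per line, lines
OR'd, uppercase operators _AND_, _NOT_, _ANDNOT_, _WITHIN[#]OF_, _HAS[#]OF_,
precedence WITHIN > HAS > NOT > AND and no parentheses. Added illustration,
not the product's filter code. Assumptions: case-insensitive matching and
proximity measured between phrase start positions."""
import re

# Only uppercase spellings are operators; anything else is an ordinary keyword.
OP_RE = re.compile(r"^_(AND|NOT|ANDNOT|WITHIN(\d+)OF|HAS(\d+)OF)_$")


def op_kind(tok):
    """Return (kind, number) for an operator token, or None for a keyword."""
    m = OP_RE.match(tok)
    if not m:
        return None
    if m.group(2) is not None:
        return ("WITHIN", int(m.group(2)))
    if m.group(3) is not None:
        return ("HAS", int(m.group(3)))
    return (m.group(1), None)


def tokenize_text(text, html=False):
    """Runs of blanks (space, tab, CR, LF, VT) are one separator; in HTML mode
    every non-alphanumeric character separates words as well."""
    sep = r"[^0-9A-Za-z]+" if html else r"[ \t\r\n\v]+"
    return [w.lower() for w in re.split(sep, text) if w]


def tokenize_query(line):
    """Split a keyword-list line; _ANDNOT_ and _AND__NOT_ both mean _AND_ _NOT_."""
    out = []
    for tok in line.split():
        if tok in ("_ANDNOT_", "_AND__NOT_"):
            out += ["_AND_", "_NOT_"]
        elif op_kind(tok):
            out.append(tok)
        else:
            out.append(tok.lower())
    return out


def phrase_positions(words, phrase):
    """Start indices at which the phrase (a list of words) occurs in words."""
    if not phrase or any(op_kind(w) for w in phrase):
        raise ValueError("malformed keyword query: %r" % (phrase,))
    n = len(phrase)
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == phrase]


def eval_operand(words, toks):
    """One _AND_ operand: [_NOT_] [_HAS#OF_] phrase [_WITHIN#OF_ phrase].
    The nesting encodes the precedence WITHIN > HAS > NOT."""
    negate = False
    if toks and toks[0] == "_NOT_":
        negate, toks = True, toks[1:]
    min_count = 1                      # _HAS1OF_ is implied when absent
    if toks and op_kind(toks[0]) and op_kind(toks[0])[0] == "HAS":
        min_count, toks = op_kind(toks[0])[1], toks[1:]
    within = [i for i, t in enumerate(toks) if op_kind(t) and op_kind(t)[0] == "WITHIN"]
    if within:
        k = within[0]
        dist = op_kind(toks[k])[1]
        left = phrase_positions(words, toks[:k])
        right = phrase_positions(words, toks[k + 1:])
        count = sum(1 for a in left for b in right if abs(a - b) <= dist)
    else:
        count = len(phrase_positions(words, toks))
    hit = count >= min_count
    return not hit if negate else hit


def eval_query(words, line):
    """_AND_ has the lowest precedence, so a line splits into operands on it."""
    operands, cur = [], []
    for t in tokenize_query(line):
        if t == "_AND_":
            operands.append(cur)
            cur = []
        else:
            cur.append(t)
    operands.append(cur)
    return all(eval_operand(words, op) for op in operands)


def matching_lines(keyword_list, text, html=False):
    """Lines of the keyword list that match the text; any match is a detection."""
    words = tokenize_text(text, html)
    return [ln for ln in keyword_list.splitlines() if ln.strip() and eval_query(words, ln)]


def keyword_list_matches(keyword_list, text, html=False):
    return bool(matching_lines(keyword_list, text, html))


# Constructed keyword list for the demonstration.
SAMPLE_KEYWORDS = """\
get rich quick
_HAS2OF_ act now
free _WITHIN3OF_ offer
apple _AND__NOT_ juice
"""

if __name__ == "__main__":
    print(matching_lines(SAMPLE_KEYWORDS, "Act now and act now again, this free limited offer ends today"))
    print(matching_lines(SAMPLE_KEYWORDS, "<p>Free</p><p>offer</p>", html=True))
```

Two behaviours worth noticing when tuning a list: a lowercase `_within3of_` is silently treated as a keyword and never matches, and a phrase split across HTML tags only matches in HTML mode, where the tags become separators.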
Replicating Configuration to Exchange Server and FPE
1. The administrator changes the e-mail policy in the TMG UI
2. The configuration is stored to the configuration storage database
3. Array members load the new configuration
4. Each array member configures the Exchange Edge and FPE services through the PowerShell API
Design Options
- Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
- Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in a stand-alone array
- Multiple purposes and/or locations, high availability: Enterprise Management Server
Single Purpose and Location: Forefront TMG 2010 Standard Edition (SE)
- Light and medium traffic
- All-in-one solution
- No high availability requirements
Single Purpose and Location: Forefront TMG 2010 Enterprise Edition (EE)
- Stand-alone array with shared configuration
- High traffic solution
- Simple upgrade from SE to EE: data maintained, EE license key applied
- Provides high availability and scale-out