
1 Threat Management Gateway 2010: The unknown? ...not for much longer! Manuela Polcaro, Security Advisor

2 Agenda
- First session:
  - Module 1 – Overview
  - Module 2 – Setup & Deployments
- Second session:
  - Module 3 – URL filtering (URL-F)
  - Module 4 – Edge Malware Protection (EMP)
- Third session:
  - Module 5 – HTTPS Inspections
  - Module 6 – ISP Redundancy (ISP-R)
  - Module 8 – NAT Enhancement

3 Threat Management Gateway 2010 Module 5 – HTTPS Inspections

4 HTTPS Inspection - Motivation
- Today more and more web traffic is HTTPS. Some of this traffic is legitimate; some isn't and might carry malicious content.
- We have many tools for HTTP protection (antimalware, NIS, ...), but none for HTTPS, because that traffic is tunneled through the proxy without being inspected.
- This feature enables the TMG administrator to inspect outgoing HTTPS traffic at the edge and prevents the end user from downloading malicious software (malware) that could infect the entire organization.

5 HTTPS Traffic Inspection Microsoft Confidential

6 Motivation
- In order to inspect outgoing HTTPS traffic, TMG breaks the HTTPS connection using a man-in-the-middle mechanism (a sort of "bridging")

7 Typical Flow between Client and TMG
1. Client sends a request for https://www.somesite.com to TMG
2. TMG connects to the HTTPS site and creates an SSL tunnel between TMG and the site
3. TMG validates the certificate received from the server (makes sure it is not expired, is trusted, etc.)
4. TMG duplicates the certificate on the fly, signs it with its CA certificate, and sends it to the client
5. Client accepts (thanks to the trust chain) the certificate generated by TMG on behalf of the web server, and agrees to open a secure connection with TMG
6. Client is notified about the inspection (if enabled by the TMG administrator) by the TMG client
7. TMG relays the user/server data between the two open SSL tunnels, inspecting the traffic

8 HTTPS Traffic Inspection
- Proxy certificate generation/import and customization
- Exclusion list ("Validate only" option)
- Logging support
- Web Access Wizard integration
- Deployment options (via Group Policy or via Export)
- Client notifications about HTTPS inspection (via Firewall Client)
- Certificate validation (revocation, trust, expiration, ...)

9 HTTPS Inspection Mechanism (diagram)
- In the web browser: SSL request to https://www.fabrikam.com; the certificate for www.fabrikam.com the browser receives is signed by "TMG CA"
- In the TMG request: SSL request to https://www.fabrikam.com; the certificate for www.fabrikam.com TMG receives is signed by Verisign

10 Client certificate is required
- This is not a supported scenario

11 TMG CA Certificate not installed on client
- The CA certificate (e.g. a self-signed certificate) used by TMG must be deployed on the client; otherwise the client won't trust the certificate issued by TMG on behalf of the web server (and the user won't receive the inspection notifications in that case)
- If the client does not have the CA certificate used by TMG, it will receive a certificate error (screenshot on the original slide) when accessing an SSL web site while HTTPS inspection is enabled

12 CA Certificate generation and deployment
- The CA certificate used by TMG to issue the certificates can be of two types:
  - a generated self-signed certificate
  - a certificate from an existing trusted certification authority

13 CA Certificate generation and deployment
- This CA certificate must then be deployed on the client computers (under "Trusted Root Certification Authorities" in the Local Computer certificate store); otherwise the client won't trust the server certificate received from TMG
- Two possible deployment methods for the CA certificate (listed on slide 8): via Group Policy or via Export

14 User notifications
- The client must have the TMG Client installed to receive the inspection notification, and the CA certificate must be properly deployed on the client
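The flow on slides 7 through 13 (validate the origin certificate, re-issue a copy signed by the TMG CA, client accepts it only if that CA is in its trusted-root store) can be reproduced offline with the Go standard library's crypto/x509. The code below is an added example written for this transcript; it is not TMG code and does not use any TMG API. The "Public Root CA (constructed)" stands in for Verisign on slide 9, the host name www.fabrikam.com is the one from the slide, validity periods and key type are assumptions, and the exclusion list / "Validate only" option is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key. The proxy never holds the origin server's
// private key; the re-issued certificate is bound to a key the proxy owns.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
}

// MakeCA builds a self-signed CA. Used for the constructed public root and for the TMG CA.
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumption: short demo lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLeaf signs tmpl with ca using a fresh key and returns the parsed certificate.
func signLeaf(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = randomSerial(); err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Issue models the public CA issuing the origin server's certificate for host.
func Issue(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	return signLeaf(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(12 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// ValidateUpstream is step 3: the proxy checks the origin certificate (chain,
// expiry, host name) against its own trusted roots before re-signing anything.
func ValidateUpstream(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// Reissue is step 4: copy the validated certificate's identity (subject, SANs,
// validity, usage) into a new certificate signed by the proxy CA.
func Reissue(orig, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	return signLeaf(&x509.Certificate{
		Subject:     orig.Subject,
		DNSNames:    orig.DNSNames,
		NotBefore:   orig.NotBefore,
		NotAfter:    orig.NotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: orig.ExtKeyUsage,
	}, ca, caKey)
}

// ClientAccepts is step 5 / slide 11: a client trusts the re-issued certificate
// for host only if the proxy CA is in its trusted-root store.
func ClientAccepts(cert *x509.Certificate, host string, clientRoots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: clientRoots})
	return err == nil
}

// Scenario holds the constructed certificates for one inspected connection.
type Scenario struct {
	PublicRoot, ServerCert, TMGCA, Reissued *x509.Certificate
}

// BuildScenario runs steps 2 to 4 for host and returns every certificate involved.
func BuildScenario(host string) (*Scenario, error) {
	publicRoot, publicKey, err := MakeCA("Public Root CA (constructed)")
	if err != nil {
		return nil, err
	}
	serverCert, err := Issue(host, publicRoot, publicKey)
	if err != nil {
		return nil, err
	}
	tmgCA, tmgKey, err := MakeCA("TMG CA")
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(publicRoot)
	if err := ValidateUpstream(serverCert, host, roots); err != nil {
		return nil, fmt.Errorf("upstream validation failed, not re-issuing: %w", err)
	}
	reissued, err := Reissue(serverCert, tmgCA, tmgKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{publicRoot, serverCert, tmgCA, reissued}, nil
}

func main() {
	const host = "www.fabrikam.com"
	s, err := BuildScenario(host)
	if err != nil {
		panic(err)
	}
	withCA, withoutCA := x509.NewCertPool(), x509.NewCertPool()
	withCA.AddCert(s.TMGCA)
	withoutCA.AddCert(s.PublicRoot)
	fmt.Println("issuer of certificate seen by browser:", s.Reissued.Issuer.CommonName)
	fmt.Println("client with TMG CA deployed accepts:", ClientAccepts(s.Reissued, host, withCA))
	fmt.Println("client without TMG CA accepts:", ClientAccepts(s.Reissued, host, withoutCA))
}
```

The second `ClientAccepts` call is the slide 11 situation: the same re-issued certificate is rejected by a client whose store only holds public roots, which is why the CA has to be pushed to every inspected client before the feature is switched on. Note also that `BuildScenario` refuses to re-issue at all when upstream validation fails, which is the behaviour a user would otherwise lose: with inspection on, the browser only ever sees a certificate signed by the TMG CA, so the proxy's own validation (step 3) is the only place an invalid origin certificate can still be caught.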

15 Threat Management Gateway 2010 Module 7 – ISP Redundancy

16 ISP-R – Introduction
- New feature introduced in TMG that allows the coexistence of two ISP connections
- With this feature TMG ensures Internet connectivity is not lost even when one Internet service provider (ISP) is down

17 Feature Overview
Two different scenarios:
- High availability of Internet connectivity: TMG will use a backup line in case the primary is down (failover)
- Load balancing between ISP providers/connections: TMG will use two concurrent ISP connections

18 Scenarios
- Two network adapters scenario: TMG is configured with two NICs on the external network. Each NIC is on a different subnet and is connected to a different ISP.
- Single network adapter scenario: TMG is configured with a single NIC on the external network with two different subnets, one for each ISP.
- Note that Windows will display a warning when the administrator defines more than one default gateway on the system. In this case the warning can be ignored.

19 Feature Components
- Configuration
  - The organization signs up for two different ISP links
  - The administrator identifies the two ISP gateways
  - TMG Server uses the ISP subnet information to direct traffic to each of the ISPs
- Connectivity validation
  - A periodic connectivity test against the root DNS servers (or custom DNS servers) on the Internet lets TMG determine whether each ISP link is available
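The two pieces slide 19 describes, a periodic connectivity test per ISP link and a selection between the links in either failover or load-balancing mode (slide 17), can be sketched in a few dozen lines. The code below is an added example written for this transcript, not TMG code: the link names, the TEST-NET gateway addresses, the probe thresholds (three consecutive failures to mark a link down, two consecutive successes to mark it up again) and the weighted round-robin are all assumptions, and the DNS probe itself is replaced by a callback so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// ISPLink models one external link: a NIC (or a subnet on a shared NIC) and its ISP gateway.
type ISPLink struct {
	Name    string
	Gateway string // default gateway for this ISP (constructed TEST-NET addresses in main)
	Weight  int    // relative share of new connections in load-balancing mode
	Up      bool
	fails   int // consecutive failed probes (hysteresis counters)
	oks     int // consecutive successful probes
}

// Thresholds are assumptions of this example, not documented TMG values.
const (
	downAfter = 3 // consecutive failed probes before the link is declared down
	upAfter   = 2 // consecutive good probes before a down link is declared up again
)

// Record feeds one connectivity probe result into the link state. Requiring a
// streak in both directions avoids flapping on a single lost DNS reply.
func (l *ISPLink) Record(ok bool) {
	if ok {
		l.oks++
		l.fails = 0
		if l.oks >= upAfter {
			l.Up = true
		}
		return
	}
	l.fails++
	l.oks = 0
	if l.fails >= downAfter {
		l.Up = false
	}
}

// Mode selects between the two scenarios of slide 17.
type Mode int

const (
	Failover    Mode = iota // use the backup link only while the primary is down
	LoadBalance             // spread new connections over every link that is up
)

// Prober stands in for the periodic DNS test: a query to a root (or custom) DNS
// server sent through the link's gateway, returning true on a valid reply.
type Prober func(l *ISPLink) bool

// Redundancy holds the configured links; Links[0] is the primary in Failover mode.
type Redundancy struct {
	Mode  Mode
	Links []*ISPLink
	next  int // round-robin position for LoadBalance
}

// Probe runs one validation round over every link.
func (r *Redundancy) Probe(p Prober) {
	for _, l := range r.Links {
		l.Record(p(l))
	}
}

// Choose picks the link for a new outbound connection, or errors if none is up.
func (r *Redundancy) Choose() (*ISPLink, error) {
	var up []*ISPLink
	for _, l := range r.Links {
		if l.Up {
			up = append(up, l)
		}
	}
	if len(up) == 0 {
		return nil, errors.New("no ISP link available")
	}
	if r.Mode == Failover {
		return up[0], nil // first configured link that is still up
	}
	total := 0
	for _, l := range up {
		total += l.Weight
	}
	pick := r.next % total // weighted round-robin over the links that are up
	r.next++
	for _, l := range up {
		if pick < l.Weight {
			return l, nil
		}
		pick -= l.Weight
	}
	return up[len(up)-1], nil
}

func main() {
	r := &Redundancy{Mode: LoadBalance, Links: []*ISPLink{
		{Name: "ISP-A", Gateway: "203.0.113.1", Weight: 2, Up: true},
		{Name: "ISP-B", Gateway: "198.51.100.1", Weight: 1, Up: true},
	}}
	for i := 0; i < downAfter; i++ { // ISP-B stops answering DNS probes
		r.Probe(func(l *ISPLink) bool { return l.Name != "ISP-B" })
	}
	for i := 0; i < 3; i++ {
		l, err := r.Choose()
		fmt.Println("new connection via", l.Name, l.Gateway, err)
	}
}
```

The consecutive-failure counters are the detail worth keeping when writing real monitoring around a dual-ISP edge: a single failed DNS query should not trigger a failover, and the link should not be reinstated on the first good reply either, or the gateway will oscillate and break long-lived sessions on both links.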

20 ISP-R (diagram slide, no text)

21 (diagram slide, no text)

22 Threat Management Gateway 2010 RTM Module 9 – NAT Enhancement

23 NAT Enhancement Feature Overview
- A 'small' enhancement to the NAT network rule definition that makes it possible to specify which NAT address should be used
- Targets scenarios in which the NAT address matters:
  - Publishing multiple SMTP servers (not via Edge Protection)
- Frequently requested by customers

24 © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
