Installing TMG & Choosing a Client Type 6NPS Session 2

Objectives To understand some final considerations before installing TMG Installing TMG 2010 Troubleshoot an installation Upstanding the client types

Some Final Considerations Internal addresses Determine what IP address range will be used for the internal network. Authentication methods and requirements Define the internal client authentication methods and requirements. Network template Decide which network template to apply during and after installation. Name resolution Define the DNS server that will provide name resolution for TMG.

Some Final Considerations Installation location Define the physical disk that you will use during TMG installation. Operating system security update level Update the operating system install all important and critical security updates before and after installing TMG. Drivers Ensure that all drivers are up to date

Additional Recommendations Rename your network interfaces Review the binding order of the NICs, it is more efficient if the internal NICS is on top.(windows name resolution) disable all unnecessary services on the External NIC so that TMG will not respond external.

Troubleshooting TMG Setup Applying Security Updates and Service Packs After installation install any TMG rollup updates or service packs. What to Look for When Setup Fails During installation, TMG Setup logs step in the %systemroot%\temp folder.

Understanding the Setup Log Files Table 9-1 TMG setup log files

Setup Failed—Now What? When setup fails, the TMG Installer triggers an error It explains the reasons for the failure. If you click OK, the TMG Setup rolls back the changes. To workout the error search the log, use notepad to open it

Types of Clients Does not require you to deploy client software Internet SecureNET Client TMG Web Proxy Client Forefront TMG Client Allows internet access only for authenticated users

Choosing a TMG Client Type Web Proxy Client Any client that sends CERN proxy requests to TMG is considered a Web proxy client. Eg.: Browser, Antivirus, Bit torrent client, IM clients, etc Windows apps that need Internet access through a Web proxy can use the WinHTTP application programming interface (API) Restricted to http, https & ftp

How the Web Proxy Client Works The client sends an HTTP GET request to TMG on the listening port. By default on TCP port 8080. After TMG receives the request, the firewall service checks its access rules to determine if this request is allowed or denied. The request is sent to the destination host. When this operation succeeds, TMG responds with an HTTP 200 status code to inform the client that the connection has been established. 2 www.tafesa.edu.au 3 1 4 TMG http:// www.tafesa.edu.au

When to Use the Web Proxy Client

SecureNET Client Any computer with TCP/IP networking can be a SecureNET client. No additional software is required. Just configure TMG as the default gateway. TMG needs at least two NICs.

SecureNET Client

Advantages Vs Disadvantages

Forefront TMG Firewall Client A software component that provides the ability to proxy any application that uses Winsock, regardless if the application itself is proxy aware. Require the installation of the Forefront TMG firewall client software on to the workstation. Allows administrators to control access to non-web-proxy protocols based on users or groups.

Choosing the Right Client Need to consider the functionality and security requirements Ease of deployment and restrictions on installing software Support for various operating systems Protocol support (simple versus complex protocols) Authentication requirements for user- or group-based access controls Security of your network and applications.

Choosing the Right Client

Choosing the Right Client

Choosing the Right Client SecureNet Client No configuration is required other than setting up a default gateway Supports all operating systems supports all simple protocols. Application filters enable support of complex protocols. SecureNET supports non-TCP/UDP protocols Does not forward user credentials therefore cannot support authentication-based access rules. Connections are unencrypted; uses the application’s protocol default port Client does it’s own name resolution

Choosing the Right Client Web Proxy Client Need to specify Web proxy settings in the Web browser or use WPAD. Web proxy–aware apps can use the Web proxy client Limited to Web protocols. (http, https & http proxied ftp) Forwards credentials when challenged for authentication. Connections are unencrypted and are sent to the port on TMG that is set to listen for Web proxy connections (TCP port 8080 by default). TMG resolve name for clients

Choosing the Right Client TMG Firewall Client Need to install the TMGC software. Only on windows OS Supports all TCP and UDP simple and complex protocols. Forwards credentials of the logged-in user automatically;(supports authentication based access rules.) The TMGC sets up a control channel on TCP port 1745 and then all information within the control channel may be encrypted if any rule requires authentication. TMG resolve name for clients

Practice: Installing TMG Server Installing TMG(Textbook page 156) Basic access rules for a web proxy TMG Internet Windows 7 Web proxy client