
6NPS Session 1 Introduction and Planning for Microsoft Forefront Threat Management Gateway (TMG)


1 6NPS Session 1 Introduction and Planning for Microsoft Forefront Threat Management Gateway (TMG)

2 Objectives
What Are the Benefits of TMG?
Identify System Requirements
Analyse Network Requirements
Choosing the right Network Topology

3 What is Microsoft Forefront Threat Management Gateway 2010 (TMG)
A firewall with application-layer intelligence and anti-malware capabilities.
The successor to Microsoft ISA Server.

4 TMG Enterprise
Can be deployed in an array
Integrated Network Load Balancing (NLB)
Cache Array Routing Protocol (CARP)
Enterprise Management

5 Benefits of TMG
Traffic filtering
Layer 3 and above for IPv4 and IPv6:
  Packet filtering
  Application layer filtering
  Stateful inspection
Layer 2 filtering:
  Windows Filtering Platform (WFP) integration
  Works with ICF (Internet Connection Firewall) and ICS (Internet Connection Sharing)

6 System Requirements
Minimum requirements for TMG 2010 are:
A 64-bit version of Windows Server 2008 Standard, Enterprise, or Datacenter edition; RTM with Service Pack 2 (SP2), or R2
2 GB of RAM
One dual-core CPU
One local hard disk partition formatted with the NTFS file system
150 MB of HDD space
At least two network interfaces are required to support full firewall functionality
One network card for each physical network TMG will be connected to

7 Software Requirements
Must be installed on a 64-bit version of Windows Server 2008.
When TMG is installed on a Windows Server 2008 operating system, it also installs the following:
The Active Directory Lightweight Directory Services server role
The Network Policy and Access Services server role
Windows PowerShell 1.0
The Web Server (IIS) server role on port 8008
Microsoft SQL Express (TMG logging instance)
Microsoft SQL Express (TMG reporting instance)
Microsoft SQL Server backward compatibility
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files
Microsoft SQL Server Volume Shadow Copy Service (VSS) Writer
Microsoft Office 2003 Web Components (part of SQL Server)

8 General Recommendations
Network Infrastructure
Name resolution
Highly dependent on DNS. Consider the following prior to deploying TMG:
Policy evaluation: names used in rules (i.e. IP addresses and names)
Windows name resolution configuration: NetBIOS broadcasts will fail and take too long; recommend turning off NetBIOS broadcasts
Name services configuration: reverse lookup is often overlooked
Name services load: TMG's internal name cache helps reduce name resolution load; dedicated name server for TMG
Non-TMG effects: if the name-lookup load from TMG is too high, it may cause name resolution for internal resources to be delayed or even fail outright
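The name-resolution checks above (forward lookups for names used in rules, the often-overlooked reverse lookup, and NetBIOS broadcasts turned off), as an added PowerShell example that is not part of the slides; the host names are a constructed sample and the function names are assumed:

```powershell
# Added example, not from the slides. Checks the name-resolution prerequisites
# listed above before names are used in TMG rules. $RuleHosts is a constructed
# sample list; replace it with the names your own policy references.
$RuleHosts = @('exchange.corp.example', 'web01.corp.example', 'dc01.corp.example')

function Test-RuleHostResolution {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $forward = $null; $reverse = $null; $status = 'OK'; $addrs = @()
        try {
            # Forward lookup: what TMG does when it evaluates a rule that names this host
            $addrs = @([System.Net.Dns]::GetHostAddresses($name) |
                       Where-Object { $_.AddressFamily -eq 'InterNetwork' })
            $forward = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
            if ($addrs.Count -eq 0) { $status = 'NO-FORWARD' }
        } catch { $status = 'NO-FORWARD' }
        if ($status -eq 'OK') {
            try {
                # Reverse lookup of the first address: the step the slide says is often overlooked
                $reverse = [System.Net.Dns]::GetHostEntry($addrs[0]).HostName
                if ($reverse -notlike "$name*") { $status = 'REVERSE-MISMATCH' }
            } catch { $status = 'NO-REVERSE' }
        }
        New-Object PSObject -Property @{ Name = $name; Forward = $forward; Reverse = $reverse; Status = $status }
    }
}

function Get-NetBiosSetting {
    # TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
    # The slide recommends turning NetBIOS broadcasts off on the TMG host.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress,
            @{ Name = 'NetBIOS'; Expression = {
                switch ($_.TcpipNetbiosOptions) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'Default/DHCP' } } } }
}

Test-RuleHostResolution -Names $RuleHosts | Select-Object Name, Forward, Reverse, Status | Format-Table -AutoSize
Get-NetBiosSetting | Format-Table -AutoSize
```

Run it on the prospective TMG host so the lookups go through the same DNS servers TMG will use; any row not reporting OK is a name to fix before it appears in a rule.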

9 General Recommendations
Authentication
Can control traffic based on users and groups. Understand the following about authentication:
Policy evaluation: when using users and groups for traffic rules/policies, TMG must authenticate, which causes a delay. TMG has a local credential cache to reduce the delay and improve performance.
Windows Authentication: with AD, TMG must be a member of the same domain or a trusting domain.
Non-Windows Authentication: TMG is able to authenticate users based on Windows or RADIUS.
Authentication load: can place a high traffic load on TMG and the credentials authority; if too slow it may impair TMG.
Non-TMG effects: load from TMG authentication may affect other services on the DC.

10 General Recommendations
Traffic control devices (IDS and IPS)
When other traffic monitoring devices like IDS and IPS can't process traffic fast enough, TMG buffers the traffic, which causes delay. These devices will see the traffic as coming only from TMG and may mistake this for a flood, which may result in blocking of this traffic.
Performance Monitoring
An important management activity. If TMG is tasked beyond capacity this will result in denial of service. Establish a performance baseline.
Disk Performance
TMG uses local disk for cache and logs. Watch for disk-related performance counters:
Disk Write Queue Length
Avg. Disk Write Queue Length
Log Items enqueued/sec
Log queue size on disk
Malware Inspection - Disk Errors
Total Disk Failures
Disk Failure Rate (Fail/sec)

11 General Recommendations
Network
Performance counters to look for:
Bytes Received/sec
Output Queue Length
Behavioural Monitoring
Called alerts; designed to give administrators near-instantaneous insight into problems or actions.
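A baseline collection for the disk and network counters named on this slide and the previous one, as an added PowerShell example that is not from the slides; the thresholds, sample count and interval are assumed illustrative values, and the TMG-specific log and malware inspection counters are left for the reader to add with the paths shown in Performance Monitor on the TMG host:

```powershell
# Added example, not from the slides. Samples the disk and network counters the
# slides call out and flags sustained values above an assumed threshold.
# Thresholds, sample count and interval are illustrative; derive your own from a
# baseline taken on the TMG host at normal load.
$Counters = @(
    '\PhysicalDisk(_Total)\Current Disk Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk Write Queue Length',
    '\Network Interface(*)\Bytes Received/sec',
    '\Network Interface(*)\Output Queue Length'
    # TMG-specific log and malware inspection counters from the slides can be
    # appended here using the exact paths shown in Performance Monitor on the TMG host.
)
# Assumed warning limits: a queue length that averages above 2 points to saturation
$Limits = @{
    'Current Disk Queue Length'    = 2
    'Avg. Disk Write Queue Length' = 2
    'Output Queue Length'          = 2
}

function Get-TmgBaseline {
    param([int]$Samples = 30, [int]$IntervalSeconds = 2)
    $sets = Get-Counter -Counter $Counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Flatten every sample set, then summarise each counter instance separately
    $sets | ForEach-Object { $_.CounterSamples } | Group-Object Path | ForEach-Object {
        $stats = $_.Group | Measure-Object CookedValue -Average -Maximum
        $counterName = ($_.Name -split '\\')[-1]   # last path segment, e.g. 'output queue length'
        $limit = $Limits[$counterName]              # hashtable keys are case-insensitive
        $exceeded = $null
        if ($limit -ne $null) { $exceeded = ($stats.Average -gt $limit) }
        New-Object PSObject -Property @{
            Counter  = $_.Name
            Average  = [math]::Round($stats.Average, 2)
            Maximum  = [math]::Round($stats.Maximum, 2)
            Exceeded = $exceeded
        }
    } | Select-Object Counter, Average, Maximum, Exceeded
}

# 30 samples two seconds apart: a one-minute snapshot; repeat at quiet and busy times to form the baseline
Get-TmgBaseline -Samples 30 -IntervalSeconds 2 | Format-Table -AutoSize
```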

12 Deploying in Virtual Environments
TMG is supported in virtual environments. Must consider security, functionality, and manageability issues.
Networks: virtual network traffic is often invisible to physical network monitoring and management systems. Must provide some form of visibility into the virtual networks.
Performance: all VMs share the host computer's resources, so performance is unlikely to meet the performance characteristics of a physical deployment. Performance monitoring of a virtualized deployment is likely to be inaccurate.
Security: strict access controls and change management policies and procedures on the virtual host and the virtual machines are paramount to ensuring a secure virtual deployment.

13 Analysing Network Requirements
Determining Your Traffic Profile
A traffic profile is a map of the application protocols used within your network.
Network mapping: gives you a better understanding of the network infrastructure and where your TMG should be placed.
Application mapping: identify the application servers' network location and the location of their clients; this will help you identify application bottlenecks. Can use TMG to provide security for both internal and external access.
Protocol mapping: determine which protocols are in use on your network. ( lists the ports and protocols used by most Microsoft server applications.)
Several examples

14 TMG Deployment Options
Edge Firewall
Use TMG primarily to protect the internal network:
Block all Internet traffic unless explicitly allowed
Publish internal servers such as Web or Exchange servers
Provide a VPN gateway for remote users
Provide proxy and caching services
(Diagram: LAN with Web Servers, an Exchange Server and Users behind the TMG Server; on the Internet side a Server and a Remote User connecting over VPN)

15 TMG Deployment Options
Back Firewall
Use TMG to:
Primarily separate the internal network and the perimeter network
Securely publish Exchange servers
Securely publish other internal Web servers
Provide proxy and caching services
(Diagram: LAN with Web Servers, an Exchange Server and Users behind the TMG Server; a perimeter network with a Web Server and Server between the TMG Server and a front Firewall; the Internet with a Remote User)

16 TMG Deployment Options
Single Network Adapter
Can only control protocols handled by the Web proxy filter (HTTP, HTTPS, FTP) and dial-in VPN
Cannot act as a firewall
(Diagram: TMG Server with a single adapter on the LAN alongside a Web Server, Server and User, behind a separate Firewall facing the Internet)

17 TMG Deployment Options
Domain Isolation
Used to:
Separate various internal networks
Allow or restrict various protocols from traversing through TMG

18 Addressing Complex Networks
Branch Office Firewall
Use TMG to:
Create an IPsec tunnel-mode VPN between offices
Create a PPTP or L2TP with IPsec VPN between offices
Inspect and filter all traffic between offices
Provide secure access to the Internet at the branch office
(Diagram: Branch Office LAN with a TMG Server and User, connected by a VPN Tunnel over the Internet to the Corporate Headquarters LAN with a TMG Server or other VPN gateway and a Server)

19 Choosing the Network Topology
TMG helps you configure your network by providing network topology templates.
Edge Firewall
Blocks all access to the Internal Network from the External Network. TMG hides the default Internal Network from the outside. Provides secure access to internal servers by publishing them. The template carries little overhead and has an easy configuration.
3-Leg Perimeter
Protects the Internal Network from external attacks. Securely publish services to the Internet by putting them in a perimeter network (DMZ). External users can access resources in the perimeter network while still being prevented from accessing internal resources.

20 Choosing the Network Topology
Back Firewall
Granular access control
Multiple layers of protection
Separation of duties (each firewall is responsible for different traffic profiles)
Single Network Adapter
A forward Web proxy server
A Web caching server
A reverse Web proxy (Web publishing: HTTP/HTTPS, RPC over HTTPS, and FTP)
A VPN remote-access client server

21 Domain vs Workgroup: TMG in a Domain
Pros:
More granular control for user access
Full support for client certificate authentication
No need to have a certificate for connectivity with CSS
Support for Active Directory Group Policy
Enhanced security while publishing services, such as Exchange Server, by using Kerberos Constrained Delegation
Cons:
If your TMG Server is located in a perimeter network in front of another firewall, you need to allow more protocols through it to allow communication with the domain.

22 Domain vs Workgroup: TMG in a Workgroup
Pros:
If the firewall is compromised, the directory services might not be affected.
Even if Active Directory is compromised, the firewall might not be compromised.
User accounts are created on the firewall itself to allow intra-server communication.
Cons:
Requires additional overhead for administration because a certificate is required if CSS is installed in a workgroup.
Can't use domain users and groups for outbound access.
Can't use client certificates as the primary authentication method.
Can't use Active Directory Group Policy.
TMG client authentication requires account mirroring on TMG.

23 Practice: Install TMG
Demo – Install TMG
Demo – Basic Configuration
