1-introduzioneatmg-120625161730-phpapp01 (1)


  • 7/31/2019 1-introduzioneatmg-120625161730-phpapp01 (1)

Slide 1/42: Introduction to TMG 2010

    Fabrizio Volpe, MVP Directory, [email protected]

Slide 2/42: A Brief History of Perimeter Protection

    Proxy Server 1.0
    Proxy Server 2.0
    Internet Security and Acceleration (ISA) Server 2000: Stateful Packet Inspection, Trusted Networks
    ISA 2004: NO network traffic out of the box
    ISA 2006: Web Publishing
    Forefront Threat Management Gateway 2010

Slide 3/42: Forefront Edge Security and Access Products

    Before: Network Protection, Network Access
    Now: the Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures
    Integrated and comprehensive protection from Internet-based threats
    Unified platform for all enterprise remote access needs

Slide 4/42: Forefront TMG and UAG

    New features make Forefront TMG the ideal outbound access solution
    In contrast to ISA 2006, very little has been done in Forefront TMG in terms of improvements for inbound access control
    Exceptions:
        Secure Socket Tunneling Protocol (SSTP) for VPN client connections
        NAP integration
    You will not see any other major changes in the Web or Server Publishing features when moving from ISA 2006 to Forefront TMG
    The majority of inbound access (remote access) effort is going into the Microsoft Forefront Unified Access Gateway (UAG) 2010
    It is expected that Forefront TMG will be used primarily for outbound access control and network firewall, and UAG will be used for inbound access (remote access) control

Slide 5/42: Possible Placements in the Network Perimeter

    Edge of the corporate network
    Back-end firewall behind another Forefront TMG firewall or a third-party firewall
    As a parallel firewall on the edge, next to another Forefront TMG or third-party firewall
    As a network service segment firewall, providing a secure perimeter between client systems and network services
    Multi-homed firewall that acts as the hub between multiple internal and perimeter networks

Slide 6/42: Forefront TMG: Features

    Firewall: control network policy access at the edge
    Secure Web Gateway: protect users from Web browsing threats
    Secure E-mail Relay: protect users from e-mail threats
    Remote Access Gateway: enable users to remotely access corporate resources
    Intrusion Prevention: protect desktops and servers from intrusion attempts
    Comprehensive, Integrated, Simplified

Slide 7/42: Forefront TMG: Deployment Scenarios

    Unified Threat Management (UTM): all-in-one solution for medium businesses; firewall, VPN, Web security, IPS and e-mail relay in a single box
    Secure Web Gateway: authenticating proxy with security; Web antivirus and URL filtering; inspection of HTTP and HTTPS traffic
    Remote Access Gateway: secure Web publishing; dial-in VPN; site-to-site VPN
    Secure E-mail Relay: antispam; antivirus; e-mail filtering

Slide 8/42: Forward Proxy, Reverse Proxy, Web Proxy, and Winsock Proxy Server

    Web proxy server / Reverse proxy services: application layer inspection
        For forward proxy connections: Web anti-malware capabilities and URL filtering
        For reverse proxy: SSL bridging
        For both: HTTP protocol inspection
    Remote Access VPN Server
        Stateful packet and application layer inspection on all traffic moving through the VPN
        User-based access controls (based on user name or user group membership)
        Remote Access Quarantine Control and Network Access Protection (NAP)
    Secure E-mail Gateway
        The Forefront TMG e-mail gateway feature is powered by the Edge Transport Server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server

Slide 9/42: Network Inspection System, Malware Inspection and HTTPS Inspection

    Network Inspection System: uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then take action
    Malware Inspection: the Malware Inspection filter (Edge Malware Protection) is a built-in Web filter; delayed download, HTML progress page, trickling
    HTTPS Inspection: Forefront TMG introduces a new feature called HTTPS inspection. It is based on a trusted man-in-the-middle mechanism, in which Forefront TMG works as a trusted man in the middle, acting as the SSL site for the client

Slide 10/42: Feature Summary

    Firewall: VoIP traversal; Enhanced NAT; ISP link redundancy
    Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
    E-mail Protection: Exchange Edge integration; antivirus; antispam
    Intrusion Prevention: Network Inspection System
    Remote Access: NAP integration with client VPN; SSTP integration
    Deployment and Management: array management; change tracking; enhanced reporting; W2K8, native 64-bit
    Subscription Services: malware protection; URL filtering; intrusion prevention

Slide 11/42: Feature Summary: Comparison with ISA Server 2006

    In both ISA Server 2006 and Forefront TMG:
        Network layer firewall
        Application layer firewall
        Internet access protection (proxy)
        Basic OWA and SharePoint publishing
        IPSec VPN (remote and site-to-site)
        Web caching, HTTP compression
        Exchange publishing (RPC over HTTP)
    New in Forefront TMG:
        Web antivirus, antimalware
        URL filtering
        E-mail antimalware, antispam
        Network intrusion prevention
        Enhanced UI, management, reporting
        Windows Server 2008 R2, 64-bit (only)

Slide 12/42: Licenses

    Two editions and two Client Access Licenses (CALs)
    Standard Edition: full UTM
    Enterprise Edition: scalability and management
    Subscriptions: Web protection, e-mail protection

Slide 13/42: Edition Comparison

    Number of CPUs: Standard Edition up to 4 CPUs; Enterprise Edition unlimited
    Enterprise management: Enterprise Edition yes, with added ability for the EMS to manage SEs
    E-mail protection: requires a Microsoft Exchange Server license (Server + CALs) and installation by the admin
    Also compared across the two editions: Array/NLB/CARP support, Publishing, VPN support, Forward proxy/cache and compression, Network IPS (NIS)

Slide 14/42: License Transition from ISA 2006 to TMG 2010

    Today → At Launch
    ISA Server SE → Forefront TMG 2010 SE
    ISA Server EE → Forefront TMG 2010 EE
    Covered by Software Assurance
    Available per user/device, per year

Slide 15/42: Installation and Initial Configuration

Slide 16/42: System Requirements

    Processor: Minimum 2 cores (1 CPU x dual core), 64-bit processor; Recommended 4 cores (2 CPU x dual core or 1 CPU x quad core), 64-bit processor
    Memory: Minimum 2 gigabytes (GB); Recommended 4 gigabytes (GB)
    Hard disk space: Minimum 2.5 GB of available hard disk space*; Recommended 2.5 GB of available hard disk space*
    Hard disks: Minimum one local hard disk partition formatted with NTFS; Recommended two disks for system and logging, and one for caching and malware inspection
    Network: Minimum one network adapter for communicating with the internal network; Recommended one network adapter for each network connected to the Forefront TMG 2010 server
    Operating system: Windows Server 2008 x64 with Service Pack 2, or Windows Server 2008 R2
    * Exclusive of the hard disk space used for caching and for storing temporary files

Slide 17/42: Required Server Roles and Features

    Server roles and features required by Forefront TMG include:
        Network Policy Server
        Routing and Remote Access Service
        Active Directory Lightweight Directory Services
        Network Load Balancing
        Windows PowerShell
    Other software:
        Microsoft .NET Framework 3.5 SP1
        Windows Web Services API
        Microsoft Update
        Microsoft Windows Installer 4.5
    Forefront TMG Preparation Tool
    These server roles are installed during Forefront TMG installation; you do not need to install them in advance
    They are not removed if you uninstall Forefront TMG
    Forefront TMG is not supported on a machine that is configured as a domain controller, with the exception of a read-only domain controller, which requires that TMG Service Pack 1 be installed

Slide 18/42: Prerequisites

    Basic installation: connected to the network, with DNS server settings configured
    For the Secure Mail Relay usage scenario:
        Exchange Edge Transport Role: Microsoft Exchange Server 2007 with Service Pack 1, or Microsoft Exchange Server 2010
        Microsoft Forefront Protection 2010 for Exchange Server

Slide 19/42: Note: Enterprise Management Server

    Both the Standard and Enterprise editions of Forefront TMG store their configurations in an Active Directory Lightweight Directory Services (AD LDS) database
    Standard Edition: the AD LDS database is always on the Forefront TMG firewall itself
    Enterprise Edition: option of installing the AD LDS configuration database on a firewall array member or on a separate computer. The separate computer hosting the AD LDS database is called the Enterprise Management Server (EMS)

Slide 20/42: Installation

Slide 21/42: Installation

Slide 22/42: Initial Configuration

    Getting Started Wizard

Slide 23/42: Network Settings Configuration

    Network Setup (Template) Wizard: select the network topology used:
        Edge firewall
        3-Leg perimeter
        Back firewall
        Single network adapter

Slide 24/42: Network Settings Configuration

    Network Setup Wizard:
        Define the IP configuration for each network adapter
        Assign each adapter to the appropriate network

Slide 25/42: System Settings Configuration

    System Configuration Wizard: define hostname, domain membership and DNS suffix

Slide 26/42: Deployment Settings Configuration

    Deployment Wizard:
        Activate subscription licenses
        Enable malware protection and intrusion prevention
        Configure signature update schedule and response policy
        Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service

Slide 27/42: Deployment Settings Configuration

    Deployment Wizard

Slide 28/42: Basic Concepts

Slide 29/42: Network Relationship

    TMG defines a network as a logical representation of a network connection owned by the computer where TMG operates
    These networks can be:
        a physical connection such as a network interface card (NIC) or modem
        a logical interface such as a dial-in or site-to-site VPN connection
    In each case, TMG must have a clear understanding of how to define and process the traffic that is received from a given network
    The simplest definition of a network relationship is the relationship indicated by the source and destination hosts as defined in the traffic 5-tuple
    Note: 5-tuple is an industry-standard term describing the criteria used to uniquely identify an IP communication channel. This data includes:
        Source and destination IP addresses
        Source and destination ports (if used)
        Transport protocol (TCP, UDP, and so on)

Slide 30/42: Configuration: Network Rules

    Network rules define allowed traffic flows
    Like firewall policy rules, network rules define how TMG will handle traffic between source and destination hosts
    Network rules are also processed in the order in which they are defined
    Because network rules form a primary criterion for traffic processing, they have the power to discard traffic before any firewall policy rule has the opportunity to evaluate it
    When this happens, the firewall log will not include a name in the rule field, because no firewall policy rule processed the traffic
    As is the case with firewall policy rules, the order of network rules is critical to correct traffic evaluation by TMG

Slide 31/42: Configuration: Network Rules

    All network rule sets begin with the same rule, Local Host Access, which defines a route relationship for traffic that is sourced or terminated by TMG itself. This rule cannot be modified by the TMG administrator.
    All network rules operate in the context of network objects. When you run the Network Rule Wizard, you are given the opportunity to select from a subset of the firewall policy network objects.
    The options presented for network rule source and destination criteria are limited to items defined as some variation or grouping of an IP address, IP subnet or IP address range, or combinations of these as in Computer or Network Sets.
    No firewall policy elements which abstract the source or destination into a name (such as domain or URL sets) can be used for network rules, because they cannot represent literal network membership.

Slide 32/42: Configuration: Network Adapters

    Forefront TMG supports unlimited network adapters (limited only by hardware)

Slide 33/42: Configuration: Networks

    The networks configuration models the enterprise network infrastructure
    Each network contains all reachable IPs for its network adapter
    Networks cannot overlap with other networks
    Static or dynamic

Slide 34/42: Configuration: Network Sets

    Network Sets are used to group one or more networks
    Defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude)
    Used in the definition of network and policy rules

Slide 35/42: Configuration: Network Relationship

    Determines the relationship between two networks:
        Route: bi-directional; source address not modified
        NAT: uni-directional; source address is modified
    Required for non-Web access and Server Publishing rules
    The Web proxy filter ignores network rules
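The following is an added example, not code from the slides or from Forefront TMG. It models the behaviour described on slides 29, 30, 31 and 35: a traffic 5-tuple is classified into a source and a destination network, the ordered network rules (starting with the fixed Local Host Access rule) are walked first, a Route relationship matches in both directions while NAT matches only from source to destination, and traffic that matches no network rule is discarded with an empty rule name in the log because no firewall policy rule ever saw it. The network names, address ranges, rules and sample 5-tuples are constructed for the illustration.

```python
# Added illustration, not Forefront TMG code: a model of how TMG classifies a
# traffic 5-tuple into source and destination networks and then walks its
# ordered network rules before any firewall policy rule runs. Network names,
# address ranges and rules below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str  # "TCP", "UDP", ...


@dataclass
class Network:
    name: str
    ranges: list  # ip_network objects; TMG networks must not overlap each other

    def contains(self, addr) -> bool:
        return any(addr in r for r in self.ranges)


@dataclass
class NetworkRule:
    name: str
    sources: list       # network names, or ["*"] for all networks
    destinations: list
    relationship: str   # "Route" (bi-directional) or "NAT" (uni-directional)

    def _pair_matches(self, src, dst):
        return ((src in self.sources or "*" in self.sources)
                and (dst in self.destinations or "*" in self.destinations))

    def matches(self, src, dst):
        if self._pair_matches(src, dst):
            return True
        # A Route relationship applies in both directions; NAT only source -> destination
        return self.relationship == "Route" and self._pair_matches(dst, src)


# Every TMG network rule set starts with Local Host Access: a route relationship
# for traffic sourced or terminated by TMG itself. Administrators cannot edit it.
LOCAL_HOST_ACCESS = NetworkRule("Local Host Access", ["Local Host"], ["*"], "Route")


class NetworkRuleSet:
    def __init__(self, local_host_ips, networks, rules):
        self.local_host_ips = {ip_address(ip) for ip in local_host_ips}
        self.networks = list(networks)
        self.rules = [LOCAL_HOST_ACCESS] + list(rules)  # order is significant

    def network_of(self, ip):
        addr = ip_address(ip)
        if addr in self.local_host_ips:
            return "Local Host"
        for net in self.networks:
            if net.contains(addr):
                return net.name
        return "External"  # TMG's External network: everything not defined elsewhere

    def evaluate(self, t):
        """Return a log-style record for the 5-tuple. When no network rule
        matches, the traffic is discarded and the rule field is empty, because
        no firewall policy rule ever got to process it."""
        src_net, dst_net = self.network_of(t.src_ip), self.network_of(t.dst_ip)
        for rule in self.rules:
            if rule.matches(src_net, dst_net):
                return {"rule": rule.name, "relationship": rule.relationship,
                        "source_rewritten": rule.relationship == "NAT",
                        "action": "pass to firewall policy"}
        return {"rule": "", "relationship": None, "source_rewritten": False,
                "action": "discarded before firewall policy"}


# Constructed sample: an edge TMG with an Internal network, a VPN client network
# and the implicit External network. Addresses are documentation ranges.
RULESET = NetworkRuleSet(
    local_host_ips=["192.168.1.1", "203.0.113.10"],
    networks=[Network("Internal", [ip_network("192.168.1.0/24")]),
              Network("VPN Clients", [ip_network("10.10.0.0/24")])],
    rules=[NetworkRule("VPN Clients to Internal", ["VPN Clients"], ["Internal"], "Route"),
           NetworkRule("Internal to External", ["Internal"], ["External"], "NAT")],
)

if __name__ == "__main__":
    for sample in [FiveTuple("192.168.1.50", "198.51.100.7", 50000, 443, "TCP"),
                   FiveTuple("198.51.100.7", "192.168.1.50", 443, 50000, "TCP"),
                   FiveTuple("10.10.0.5", "192.168.1.50", 49152, 445, "TCP"),
                   FiveTuple("192.168.1.50", "192.168.1.1", 49153, 8080, "TCP")]:
        print(sample.src_ip, "->", sample.dst_ip, RULESET.evaluate(sample))
```

The second sample (a connection initiated from the External side towards an Internal host) is the instructive one: the only rule covering that pair is the NAT rule, and NAT is uni-directional, so the flow matches nothing and the record shows an empty rule name, exactly the log symptom the slides describe. Swapping the two rule definitions in the list would not change these results, but in general the order matters, since the first matching rule decides the relationship.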

Slide 36/42: Configuration: Network Rules

    New feature: Enhanced NAT: specify the IP address to be used when doing NAT

Slide 37/42: Configuration: Routing

    Displays the routing table used between networks
    Set via the route -p add command or the GUI

Slide 38/42: Forefront TMG Policy

    Three types of rules:
        1. Network rules
        2. System policy
        3. Firewall policy

Slide 39/42: Installation on a Single-NIC Server

    Forefront TMG supports using a single network adapter
    Supported scenarios:
        Secure Web Gateway (forward Web proxy and cache)
        Web Publishing (reverse Web proxy and cache)
        Remote client VPN access
    Unsupported scenarios:
        Application layer inspection (except for Web proxy)
        Server publishing
        Non-Web clients
        Firewall client
        SecureNAT
        Site-to-site VPNs

Slide 40/42: What to Check When Setup Fails

    If TMG Setup fails for any reason, first read the description of the error message that appears on screen
    The Forefront Protection 2010 for Exchange Server component adds setup information in the file FssSetupLogYYMMDDTimeStamp.txt, which is located in %systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server
    If you want to use the SMTP Protection feature on TMG, you need to install the Microsoft Exchange Edge Transport Role and Forefront Protection 2010 for Exchange Server
    The log files for the Exchange component of the installation are stored at %systemdrive%\ExchangeSetupLogs
    During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%\temp folder
    The information in the TMG Setup log files is based on Microsoft Windows Installer logging

Slide 41/42: Setup Log Files

Slide 42/42: Classic Configuration Errors

    Multiple default gateways: define only one default gateway
    Not adding reachable addresses to networks: ensure all reachable addresses are added
    DNS resolution issues: the DNS server list is system wide, not per adapter; use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
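As an added example (not a tool from the slides or from Forefront TMG), the check below takes a Windows routing table in the layout printed by the route print command (slide 37) together with a set of TMG network definitions and reports the first two classic errors above plus the overlap rule from slide 33: more than one default gateway, network definitions whose address ranges overlap, and address ranges reachable through an adapter that belongs to a defined network but were never added to that network. The routing table text, the network ranges and the heuristic used to decide which adapter is the external one (any adapter whose address falls in no defined network) are all constructed assumptions for the illustration.

```python
# Added illustration, not a Forefront TMG tool: looks for the classic TMG
# misconfigurations (multiple default gateways, overlapping networks, reachable
# address ranges missing from a network definition) in a "route print"-style
# table and a set of network definitions. Sample data below is constructed.
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample in the layout of the "route print" IPv4 table; the
# addresses are fictitious and deliberately contain two default gateways.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.1     20
         10.0.0.0        255.0.0.0    192.168.1.254     192.168.1.1     11
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0          On-link      192.168.1.1    266
      203.0.113.0    255.255.255.0          On-link     203.0.113.10    266
===========================================================================
"""

# Constructed TMG network definitions (name -> address ranges as strings). TMG's
# External network is the catch-all for everything not listed, so it is omitted.
# Perimeter overlaps Internal on purpose so the overlap check fires.
NETWORKS = {
    "Internal": ["192.168.1.0/24"],
    "Perimeter": ["192.168.1.128/25"],
}


def parse_routes(text):
    """Pick the 5-column route rows out of route print output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and blank lines
        try:
            dest = ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            iface = ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue  # column header row
        routes.append({"dest": dest, "gateway": parts[2], "iface": iface, "metric": metric})
    return routes


def network_of(addr, networks):
    for name, ranges in networks.items():
        if any(addr in r for r in ranges):
            return name
    return None  # not in any defined network: treated as the External side


def check_config(route_text, networks=NETWORKS):
    """Return a list of human-readable findings; an empty list means clean."""
    nets = {name: [ip_network(s) for s in ranges] for name, ranges in networks.items()}
    routes = parse_routes(route_text)
    findings = []

    # 1. More than one default gateway (slide 42: define only one).
    defaults = [r for r in routes if r["dest"].prefixlen == 0]
    if len(defaults) > 1:
        gws = ", ".join(f"{r['gateway']} via {r['iface']}" for r in defaults)
        findings.append(f"multiple default gateways ({gws}); define only one")

    # 2. Network definitions that overlap (slide 33: networks cannot overlap).
    for (n1, r1), (n2, r2) in combinations(nets.items(), 2):
        for a in r1:
            for b in r2:
                if a.overlaps(b):
                    findings.append(f"network {n1} ({a}) overlaps network {n2} ({b})")

    # 3. A route through an adapter in a defined network whose destination that
    #    network does not contain (slide 42: add all reachable addresses).
    for r in routes:
        if r["dest"].prefixlen == 0 or r["dest"].is_loopback:
            continue
        name = network_of(r["iface"], nets)
        if name is None:
            continue  # external adapter: the External network covers the rest
        if not any(r["dest"].subnet_of(rng) for rng in nets[name]):
            findings.append(f"{r['dest']} reachable via {r['iface']} is not in network {name}")
    return findings


if __name__ == "__main__":
    for finding in check_config(ROUTE_PRINT_SAMPLE):
        print("FINDING:", finding)
```

On the constructed sample the check reports three findings: the two default gateways, the Internal/Perimeter overlap, and the 10.0.0.0/8 range that is routed through the Internal adapter but missing from the Internal network definition. The third check is a heuristic: it assumes every adapter that sits inside a defined network is internal-facing, which is the normal TMG layout but should be confirmed against the actual topology before acting on a finding.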