
Managing the MS ISA Server/MS TMG as Access Point

SIMATIC

Process Control System PCS 7

Managing the MS ISA Server/MS TMG as Access Point

Commissioning Manual

12/2011 A5E02657550-02

1 Preface

2 Managing the MS ISA Server/MS TMG as Access Point

3 Practical information


Legal information

Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

CAUTION without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

NOTICE indicates that an unintended result or situation can occur if the relevant information is not taken into account.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel

The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products

Note the following:

WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks

All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability

We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG Industry Sector Postfach 48 48 90026 NÜRNBERG GERMANY

A5E02657550-02 Ⓟ 11/2011

Copyright © Siemens AG 2011. Technical data subject to change


Managing the MS ISA Server/MS TMG as Access Point Commissioning Manual, 12/2011, A5E02657550-02 3

Table of contents

1 Preface ... 5
1.1 Structure and organization of the document ... 5
1.2 Special Notes ... 6

2 Managing the MS ISA Server/MS TMG as Access Point ... 7
2.1 Managing the MS ISA Server/MS TMG as Access Point ... 7
2.2 Network positions ... 9
2.2.1 Front firewall ... 10
2.2.2 Back firewall ... 11
2.2.3 Three-homed firewall ... 12
2.3 Technologies and configurations ... 13
2.3.1 General information ... 13
2.3.2 Web publication ... 14
2.3.3 VPN server ... 16
2.3.4 Device direct dialing ... 20
2.3.5 IPSec connection ... 21
2.3.6 User-specific rules ... 21
2.4 Special case: Trust function between ERP and perimeter network ... 22

3 Practical information ... 23
3.1 General information ... 23
3.1.1 Further information and instructions ... 26


1 Preface

1.1 Structure and organization of the document

The Security Concept PCS 7 & WinCC has several parts:

● The basic document provides a central overview and guidance through Security Concept PCS 7 & WinCC.

It systematically describes the basic principles and security strategies of the security concept. All additional detail documents assume the reader has read the basic document.

● The detail documents (this is one such detail document) explain in detail the individual principles, solutions and configurations recommended in the basic document; each focuses on one particular topic. The detail documents are supplemented, updated and published independently of one another to ensure that they are always up-to-date.


1.2 Special Notes

Objective of the Security Concept PCS 7 & WinCC

The main priority of automation is to maintain control over production and process. Even measures which aim to prevent the spread of a security threat must not affect control over production and process.

Security Concept PCS 7 & WinCC is intended to ensure that only authenticated users can perform authorized (permitted) operations via operating permissions (assigned to them) for authenticated devices. These operations should only be performed via defined and planned access routes to ensure safe production or coordination of a job without danger to humans, the environment, product, goods to be coordinated and the business of the enterprise.

Security Concept PCS 7 & WinCC, therefore, recommends the use of the latest available security mechanisms. To achieve the highest possible level of security, scaled, system-specific configurations should never contradict the basic principles of this security concept.

Security Concept PCS 7 & WinCC is intended to facilitate the cooperation between network administrators of company networks (IT administrators) and automation networks (automation engineers) to exploit the advantages provided by the networking of process control technology and the data processing of other production levels, without increasing security risks at either end.

Required Knowledge

This documentation is aimed at anyone who is involved in configuring, commissioning and operating automated systems based on SIMATIC. It is assumed that readers have appropriate management knowledge of office IT.

Validity

Security Concept PCS 7 & WinCC incrementally replaces the following previous documents and recommendations: "Security Concept PCS 7" and "Security Concept WinCC", and is valid as of WinCC V6.2 and PCS 7 V7.0.


2 Managing the MS ISA Server/MS TMG as Access Point

2.1 Managing the MS ISA Server/MS TMG as Access Point

Security Concept PCS 7 & WinCC recommends the "Microsoft® Internet Security and Acceleration (ISA) Server" as a high-performance firewall or access point, and its successor product, the "Microsoft® Forefront Threat Management Gateway (TMG)", released in 2010. This document only relates to the Microsoft ISA Server\TMG; other documents deal with other products, e.g. Siemens SCALANCE S.

Instead of listing the reasons why the ISA Server\TMG is the recommended product, we will explain a few security "myths" with regard to the ISA Server\TMG here.

1. "A Windows-based firewall - that is a contradiction in itself."

On the contrary, the strength of ISA Server\TMG is that it is based on Windows Server 2003 and therefore inherits all of the strengths of this operating system. It is the most frequently used server operating system and is subject to very strict quality and system test requirements. As a result of its widespread use, potential gaps are discovered and closed quickly. As the ISA Server\TMG is based on Windows, it can use all of the services and technologies of the Windows environment and can be perfectly integrated into an existing Windows network. Windows authentication and communication mechanisms can be used directly and do not have to be provided to the firewall via "proprietary" interfaces, which often have security gaps. This makes it possible to create user-specific rules on the ISA Server\TMG with the applicable and most recent authentication options such as Kerberos.

2. "So many security gaps are found in Windows that the ISA Server\TMG cannot possibly be secure."

Nearly all of these gaps are errors in programs running on the relevant Windows operating system that can only be exploited when a user is logged into the operating system and starts the program. Any virus/trojan that exploits such weaknesses has to enter the application layer of the OSI reference model. However, the ISA Server\TMG works at layers 2 to 5 of this model. These are the transport and network layers (e.g. the TCP/IP layer) and can therefore not be infected by such malware. To guarantee this advantage across the board, the ISA Server\TMG must not be treated as a workstation or application server. It is a network device. After installation and initial configuration the ISA Server\TMG works like a router, for example, without a keyboard, mouse or screen and with no user logged in. For maintenance and service you can connect remotely to the ISA Server\TMG via the individually installable management console or a secured terminal session, which prevents the local execution of insecure programs.

3. "The ISA Server\TMG is not a proper firewall and can only be used within the network structure, not as protection against external threats."

Correctly configured, the ISA Server\TMG can be used at any network position. Microsoft protects its complete global network using the ISA Server\TMG exclusively wherever a firewall is used.


4. "As the ISA/TMG is Windows-based it cannot be used without a local virus scanner."

In spite of its modern and secure design the ISA Server\TMG can be penetrated if it is improperly configured or used incorrectly. The use of a local virus scanner represents a potential risk to the security of the ISA Server\TMG. Currently there are no virus scan clients that have been developed and approved for the ISA Server\TMG. A virus scanner is in any case not necessary, as firewalls should in general not carry out local data exchange, execute third-party programs or have local logins etc.

There are a number of modules by well-known virus scanner manufacturers that allow the ISA Server\TMG to scan incoming network data traffic for viruses. Scanning and forwarding, however, take place in layers 2-5, whereas a local virus scan client in general only works in layers 6-7 and requires local execution and login.

5. "Microsoft products are insecure and have to be patched too often."

Since the publication of ISA Server 2004, in contrast to other firewall manufacturers, no security gaps have been found.

Except for two service packs that have improved the functionality and range of functions, no security-related patches have been issued for ISA Server 2004 and the more recent ISA Server 2006.

6. "The ISA Server\TMG is an office firewall and is not suitable for industry."

Yes, it is correct that the ISA Server\TMG provides a lot of options and interfaces that have been designed specifically for Web servers, mail servers and other office applications. However, this does not equate to any restrictions whatsoever on industrial use and operation of this firewall solution. On the contrary, these interfaces are being used more and more frequently in industrial applications to implement more secure web-based operating and observation solutions, for example. Appliance manufacturers (manufacturers of ISA Server\TMG / hardware bundle systems) are also increasingly offering ISA Server\TMG in industrial-grade housings, i.e. protected from dust and splash- and explosion-proof. The high performance and the large number of potential standard configurations are also of interest to industry.


2.2 Network positions

The most secure and effective configuration is a front/back firewall solution and this should be used for large and medium-sized systems (see the graphic below). The back firewall protects the production network and the MON network. The front firewall protects the perimeter network and all of the networks behind it.

[Graphic: front/back firewall topology. Labels in the figure: ECN (office network), Support Station, WAN/Intranet, Router ISDN (ISDN 1, ISDN 2), Firewall ISA Server (Front-Firewall), Perimeter Network, Firewall ISA Server (Back-Firewall), Manufacturing Operations Network, Process Control Network, Dial in (extern), Dial in MES (intern).]

Adequate security can be provided for small systems with a "single firewall strategy" or a three-homed firewall to avoid the cost and administrative effort of the above solution.


2.2.1 Front firewall

The front firewall in the following graphic protects the system's perimeter network and therefore also the other production networks behind it from unauthorized external access, regardless of whether it is used in a corporate network (intranet/office network) or on the Internet directly. The front firewall can therefore also act as the access point for all security zones at the production level (MCS as per ISA S95) and the production planning level (MES as per ISA S95).

It has the following main functions:

● Publication of Web servers in the perimeter network to the Internet/intranet (office network)

● HTTP/HTTPS access for the servers in the perimeter to the Internet/intranet (e.g. download new updates from WSUS or virus scan server)

● VPN server publication for the back firewall (e.g. support dialup)

● Access and forwarding of essential services for the Internet/intranet (e.g. DNS, NTP)

● Refusal of all other accesses


2.2.2 Back firewall

The back firewall in the following graphic directly protects the Process Control Network (PCN). A network for Manufacturing Execution Systems (MES) (the Manufacturing Operation Network, MON) should also be connected to the back firewall and protected by it. The back firewall thus acts as a direct access point to the security zone of the production level and regulates the connection of downstream computers to this security zone.

It has the following main functions:

● IPSec connection for computers from other security cells

● Publication of the Web servers in the perimeter network to the PCN and MON (e.g. for security patch or virus pattern updates)

● Access to services in and from PCN (e.g. DNS, WINS, NTP)

● Access to services in and from MON (e.g. DNS, WINS, NTP)

● VPN server for PCN and MON

● HTTP/HTTPS access for the servers in the perimeter to the MON (e.g. WSUS or virus scan server)

● Remote support access

● Active Directory replication between PCN and MON
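The two function lists above amount to two small, explicit allow-lists with an implicit final refusal, and the front firewall's list never mentions the PCN or MON. The following is an added example (not code from the manual or from Microsoft ISA Server/TMG) that models both policies as ordered rule tables, evaluates constructed flows against them, and adds a static check that the front firewall policy is "blind" to the production networks. Network names, host names (PRM29, WSUS, MES01, OS01, BACKFW, FRONTFW) and service names are constructed for the example.

```python
"""Model of the front/back firewall policies from sections 2.2.1 and 2.2.2.

Added example; all rules, host names and flows below are constructed and do
not reproduce any real ISA Server/TMG rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str                # source network
    dst: str                # destination network
    service: str            # service/protocol name
    src_host: str = "*"     # optional host; "*" means unspecified
    dst_host: str = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    services: frozenset
    src_host: str = "*"     # "*" = any host, otherwise exactly this host
    dst_host: str = "*"

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and f.service in self.services
                and self.src_host in ("*", f.src_host)
                and self.dst_host in ("*", f.dst_host))


def evaluate(rules, flow):
    """First matching allow rule wins; anything unmatched is refused
    (the manual's "refusal of all other accesses")."""
    for r in rules:
        if r.matches(flow):
            return "allow", r.name
    return "deny", "default-deny"


def rule(name, src, dst, services, src_host="*", dst_host="*"):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(services),
                src_host, dst_host)


EXTERNAL, PERIMETER, MON, PCN = "External", "Perimeter", "MON", "PCN"

# Front firewall (2.2.1): only External and Perimeter appear in its policy.
FRONT_RULES = [
    rule("publish-web-server", [EXTERNAL], [PERIMETER], ["HTTPS"], dst_host="PRM29"),
    rule("perimeter-to-internet", [PERIMETER], [EXTERNAL], ["HTTP", "HTTPS"]),
    rule("publish-backfw-vpn", [EXTERNAL], [PERIMETER], ["L2TP/IPSec"], dst_host="BACKFW"),
    rule("infrastructure", [PERIMETER], [EXTERNAL], ["DNS", "NTP"]),
]

# Back firewall (2.2.2): IPSec only between individually named devices.
BACK_RULES = [
    rule("ipsec-mes01-to-os01", [MON], [PCN], ["IPSec"], src_host="MES01", dst_host="OS01"),
    rule("publish-wsus-to-plant", [PCN, MON], [PERIMETER], ["HTTPS"], dst_host="WSUS"),
    rule("infrastructure-pcn", [PCN], [PERIMETER], ["DNS", "WINS", "NTP"]),
    rule("infrastructure-mon", [MON], [PERIMETER], ["DNS", "WINS", "NTP"]),
    rule("vpn-via-frontfw", [PERIMETER], [PCN, MON], ["L2TP/IPSec"], src_host="FRONTFW"),
    rule("ad-replication", [PCN, MON], [PCN, MON], ["AD-Replication"]),
]


def networks_referenced(rules):
    nets = set()
    for r in rules:
        nets |= r.src | r.dst
    return nets


def front_firewall_is_blind(rules, hidden=(PCN, MON)):
    """Static check: the front firewall policy must not mention PCN or MON,
    so that taking it over yields no route into the production networks."""
    return networks_referenced(rules).isdisjoint(hidden)


if __name__ == "__main__":
    for fw, rules in (("front", FRONT_RULES), ("back", BACK_RULES)):
        print(fw, "blind to PCN/MON:", front_firewall_is_blind(rules))
    print(evaluate(FRONT_RULES, Flow(EXTERNAL, PERIMETER, "HTTP", dst_host="PRM29")))
    print(evaluate(BACK_RULES, Flow(MON, PCN, "IPSec", "MES02", "OS01")))
```

The static check is the useful part in practice: a policy review of the front firewall can run it over the exported rule set, and any rule that names a production network is a finding, regardless of whether it allows or denies.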


2.2.3 Three-homed firewall

A three-homed firewall (see following graphic) may be an adequate solution for small systems that have no connection to an independent MON and only have a very small perimeter network. Depending on requirements, it combines the functions of the front and back firewalls. Individual MES components can be integrated directly into the PCN.


2.3 Technologies and configurations

The following description only deals with the configuration of the front and back firewalls. The three-homed firewall is an analogous combination of the two configurations.

2.3.1 General information

The Microsoft ISA Server\TMG is a network device similar to a switch or router (but not similar to a workstation PC), and must be viewed as such. This means that it must be placed in a secure location after initial configuration. It should never be possible or permitted for a simple user to log on to the ISA Server\TMG locally. The remote-enabled ISA management console should be used for maintenance and configuration purposes. Programs other than the ISA Server\TMG services must not be installed or started on the computer. No memory media (e.g. USB sticks, CDs/DVDs) should be connected or read.

The front firewall is the first line of defense against external threats. This ISA Server\TMG is therefore exposed to the majority of attacks. It should therefore never be a member of a domain or store information on internal users and passwords locally. User accounts with administrative rights to the ISA Server\TMG should not exist on any other computer in the system and should have no access there. This means that any attacker who manages to take over the front firewall will find it impossible or at least very difficult to obtain access to other computers within the system.

The back firewall does not have to be treated so restrictively. It is part of the MCS security zone and can query the user authentications of this domain as a member of the production domain (MCS domain), as required.

Only technologies and their configurations that are needed in terms of PCS 7 and WinCC systems are discussed in more detail below. Not all of the conventional "rules" that have to be created on the ISA Server\TMG are explained in detail. For example, rules for DNS, NTP or WINS communication are not required in each case, but rather arise from the applicable network structure. The details of such conventional rules are explained in the documentation for the ISA Server\TMG.


2.3.2 Web publication

In order to access a Web server in the perimeter network from the MON or from external networks, the Web server has to be published via the front firewall. The web bridging technology that is supported by ISA Server\TMG and is used in this case offers much better security than the outmoded web tunneling technology. Opening ports 80 or 443 and thus simply passing queries through the ISA Server\TMG directly to the Web server should therefore no longer be done.

In Web bridging (see following graphics), the Web client places its query to the ISA Server\TMG (1.) instead of accessing the Web server directly. The ISA Server forwards this query to the Web server (2.) after checking it, receives the desired information (3.) back and passes it on to the Web client (4.).

Only HTTPS should be allowed between the Web client and the ISA Server\TMG. The authenticity of the ISA Server\TMG can then be guaranteed with a server certificate. Either HTTP or HTTPS can be used for the ISA Server\TMG access to the Web server depending on the desired degree of internal security.

If Web clients are to access the Web server from an external network, they have to be published at the front firewall. If, on the other hand, Web clients are to access from a MES network (MON), publishing is performed at the back firewall.

Figure 2-1 Web bridging


Figure 2-2 Web bridging

The greatest advantage of Web bridging is that direct access to the target network from the outside is not possible. The connection of the Web clients always ends at the external interface of the ISA Server\TMG. The ISA Server\TMG checks these access attempts with various application filters and can thus prevent "harmful" queries.

When Web tunneling is used, the Web server has to recognize "harmful" queries by itself and its functionality can therefore be impaired.

A further advantage provided by Web bridging is that it allows public names to be used externally. This means that in the perimeter network the Web server is called, for example, PRM29.prm.plant.com but is accessed in the external network by the name www.plant.com/Plant1. Special consideration needs to be given to such Web publication in combination with the SIMATIC WebNavigator Server, see Chapter Practical information (Page 23).
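The bridging behaviour described in this section (HTTPS-only on the external side, the query terminated and inspected at the firewall, the public name translated to the internal server name) can be modelled as a few pure functions. The following is an added example, not code from the manual or from ISA Server/TMG: it uses the manual's example names www.plant.com/Plant1 and PRM29.prm.plant.com, but the publishing table, the allowed methods and the inspection checks are constructed for illustration and only approximate what the product's application filters do.

```python
"""Web bridging modelled as request translation plus inspection.

Added example; the publishing table and checks are constructed and are not
the ISA Server/TMG application filters.
"""
from urllib.parse import urlsplit, unquote

# Public name (host, path prefix) -> internal Web server (host, path prefix).
PUBLISHING = {
    ("www.plant.com", "/Plant1"): ("PRM29.prm.plant.com", "/"),
}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_PATH_LENGTH = 2048


class Blocked(Exception):
    """The bridge refuses the query; the internal Web server never sees it."""


def inspect(method, scheme, path):
    """Checks the bridge applies before forwarding anything."""
    if scheme != "https":
        raise Blocked("external side must use HTTPS")
    if method not in ALLOWED_METHODS:
        raise Blocked(f"method {method} not allowed")
    decoded = unquote(path)          # inspect the decoded form, not the raw bytes
    if "\x00" in decoded:
        raise Blocked("NUL byte in path")
    if any(seg in ("..", ".") for seg in decoded.split("/")):
        raise Blocked("dot segment in path")
    if len(decoded) > MAX_PATH_LENGTH:
        raise Blocked("path too long")
    return decoded


def find_target(host, path):
    """Map a public name to the internal server; unknown names are refused."""
    for (pub_host, prefix), target in PUBLISHING.items():
        if host == pub_host and (path == prefix or path.startswith(prefix + "/")):
            return target, path[len(prefix):] or "/"
    raise Blocked("no publishing rule for this name")


def bridge(method, url, internal_scheme="http"):
    """Build the query the firewall places to the internal server (steps 1-2)."""
    parts = urlsplit(url)
    path = inspect(method, parts.scheme, parts.path)
    (int_host, int_prefix), rest = find_target(parts.hostname, path)
    internal_path = int_prefix.rstrip("/") + rest
    if parts.query:
        internal_path += "?" + parts.query
    return {"method": method,
            "url": f"{internal_scheme}://{int_host}{internal_path}",
            "host_header": int_host}


def decide(method, url):
    """Convenience wrapper: ("forward", request) or ("blocked", reason)."""
    try:
        return "forward", bridge(method, url)
    except Blocked as e:
        return "blocked", str(e)


if __name__ == "__main__":
    for m, u in [("GET", "https://www.plant.com/Plant1/index.html"),
                 ("GET", "http://www.plant.com/Plant1/"),
                 ("GET", "https://www.plant.com/Plant1/%2e%2e/secret"),
                 ("GET", "https://www.plant.com/Other")]:
        print(m, u, "->", decide(m, u))
```

Because the external connection ends at the bridge, a query that fails inspection produces no traffic towards PRM29 at all, which is the property the section contrasts with tunneling, where the Web server itself would have to recognize the harmful query.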


2.3.3 VPN server

This section describes the positioning and configuration of the VPN server. How the VPN accesses the system is described in the "Support & Remote Access" detailed report.

There are two options when positioning the VPN server (front or back firewall). The target network determines where the VPN server is positioned, not the source network. It is unlikely that VPN access attempts originate from the MON network, as the MON network should be a "known" and potentially trustworthy network that belongs to the system operator. If this is not the case, it is not a conventional trusted network, but rather another external network.

If only computers in the perimeter network are accessed via the VPN connection, the VPN server should be positioned at the front firewall (see following graphic).

The VPN client establishes a connection to the ISA Server\TMG (1.). After successful authentication, it obtains access to a specially isolated quarantine network, if the quarantine function of the ISA Server\TMG has been configured correspondingly. Customer-specific checks are carried out on the client computer. If these checks are completed successfully, the tunnel into the VPN network of the ISA Server\TMG is fully established (2.) and the VPN client is allowed access to specified computers in the perimeter network (3.). Without a quarantine function, VPN client access is granted immediately after successful authentication.


If direct access to computers in the MON or PCN is required, i.e. access without Remote Desktop, NetMeeting or a similar function, the VPN server has to be positioned at the back firewall (see following graphic) and published at the front firewall. This is necessary as the front firewall does not "know" the PCN and CSN for security reasons and it should not have any routing information to the PCN and CSN. If an attacker were able to "take over" the front firewall, he would have access to the perimeter network, but still not to the system itself. The system continues to be reliably protected by the back firewall.


The VPN client (see previous graphic) establishes a connection to the front firewall (1.). This query is passed on to the back firewall by the VPN publishing (2.). After successful authentication and confirmation by the back and front firewalls (3.) (4.), the VPN client establishes a tunnel through the front firewall into the VPN network of the back firewall (see following graphic) (5.) and obtains defined access to the networks (see following graphic) (6.).


A certificate-based L2TP connection should always be used for every VPN dialup.

The use of PPTP is only adequate for connections that are additionally protected via VPN.

For authentication of the VPN user we recommend the use of a RADIUS server positioned either in the perimeter network or, if the VPN server was set up on the back firewall, installed directly on the domain controllers in the PCN network. In addition, the quarantine function of the ISA Server\TMG should be used for every VPN connection, as it allows the dialing client to be checked to ensure, for example, that all security updates have been installed and that a virus scanner is installed on the client and is up-to-date.
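The admission sequence this section and the earlier quarantine description prescribe (certificate-based L2TP, RADIUS authentication, then confinement to the quarantine network until the client checks pass, or immediate access when quarantine is not configured) is summarised below as an added example; it is not code from the manual or from ISA Server/TMG. The user store, the signature-age threshold and the check names are constructed placeholders; a real deployment would supply these through RADIUS and the quarantine client script.

```python
"""VPN admission with quarantine, as described in section 2.3.3.

Added example; RADIUS_USERS, the threshold and the check list are
constructed stand-ins, not the product's quarantine implementation.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    REJECTED = "rejected"        # connection refused at the firewall
    QUARANTINE = "quarantine"    # authenticated, confined to the quarantine network
    GRANTED = "granted"          # tunnel fully established, defined access granted


REQUIRED_TUNNEL = "L2TP/IPSec"   # certificate-based L2TP is the only accepted tunnel
MAX_SIGNATURE_AGE_DAYS = 3       # constructed threshold for "virus scanner up-to-date"

# Constructed stand-in for the RADIUS user store (perimeter or PCN domain controllers).
RADIUS_USERS = {"support1": "VPN-Support", "engineer2": "VPN-Engineering"}


@dataclass
class DialIn:
    user: str
    tunnel: str                  # tunnel type offered by the client
    client_cert_valid: bool      # machine certificate validated by the L2TP/IPSec layer
    updates_current: bool        # reported by the quarantine client script
    av_installed: bool
    av_signature_age_days: int


def authenticate(d):
    """Tunnel type, certificate and RADIUS lookup must all succeed."""
    return (d.tunnel == REQUIRED_TUNNEL and d.client_cert_valid
            and d.user in RADIUS_USERS)


def quarantine_checks(d):
    """Customer-specific checks run while the client sits in quarantine."""
    failures = []
    if not d.updates_current:
        failures.append("security updates missing")
    if not d.av_installed:
        failures.append("no virus scanner installed")
    elif d.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("virus signatures outdated")
    return failures


def admit(d, quarantine_enabled=True):
    """Returns (outcome, reasons). Without quarantine, authentication alone
    grants access, which is exactly why the manual recommends enabling it."""
    if not authenticate(d):
        return Outcome.REJECTED, ["authentication failed"]
    if not quarantine_enabled:
        return Outcome.GRANTED, []
    failures = quarantine_checks(d)
    if failures:
        return Outcome.QUARANTINE, failures
    return Outcome.GRANTED, []


if __name__ == "__main__":
    print(admit(DialIn("support1", "PPTP", True, True, True, 0)))
    print(admit(DialIn("support1", "L2TP/IPSec", True, True, True, 1)))
    print(admit(DialIn("support1", "L2TP/IPSec", True, False, True, 10)))
    print(admit(DialIn("support1", "L2TP/IPSec", True, False, True, 10), quarantine_enabled=False))
```

Note that the rejection path reports only "authentication failed" rather than which of the three conditions failed; a VPN endpoint on the front firewall should not tell an unauthenticated peer whether a user name exists.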


2.3.4 Device direct dialing

As direct dialup always uses a VPN connection in order to increase the security for the device, there is no difference in the procedure described above for positioning dialup devices. Depending on the networks to be accessed, the dialup device is connected either to the front or the back firewall. In the following graphic, the dialup device is connected to the back firewall via an ISDN router. The devices first establish a connection with each other (1.), then a VPN tunnel is established between e.g. the support PC and the ISA Server\TMG (2.), and the support PC receives access to the relevant networks (3.).

Always ensure that the dialup device is not installed directly in the ISA Server\TMG when using direct dialup for devices. If the device, e.g. an ISDN card, were installed directly in the ISA Server\TMG, the ISA Server\TMG could not protect itself against potential attacks arriving via this device. An external device, e.g. an ISDN router, should therefore always be used for dialup. The router is connected to the ISA Server\TMG and integrated there as a separate network, so the ISA Server\TMG can control all traffic from it with its built-in firewall mechanisms.

2.3.5 IPSec connection

IPSec is used to connect trusted devices from known networks, such as the MON. As this usually involves connections by individual devices, the firewall rules for these devices have to be set very specifically. In general, IPSec should not be allowed between the MON and the PCN; only access by individual devices in the MON to individual devices in the PCN via IPSec should be allowed.

2.3.6 User-specific rules

The ISA Server\TMG is one of the few firewalls that offers the option of creating user-specific rules. This means that it is not the protocol or the client's IP address that decides whether access is granted, but the user logged on to the client. However, some general conditions have to be fulfilled: the ISA Firewall Client has to be installed and configured on the client, the application that attempts to access has to be a Winsock application, and the ISA Server\TMG must be a member of the domain in which the accessing user is created, or of a domain linked to it by a trust function. For further information please refer to the detail documentation "Managing Computers and Users".

2.4 Special case: Trust function between ERP and perimeter network

A trust function between the ECN (the corporate or office network, which is also protected by its own firewall, GateCorp, see the following graphic) and the system's perimeter network is not recommended from the perspective of maximum protection of the front firewall. However, it is often necessary for economic reasons and in order to avoid duplicate user account maintenance.

The purpose of such a trust function is that user accounts from the ERP domains in the office network can, for example, access resources in the perimeter network. However, this requires several configuration steps; the recommendation above against a trust function was not made in order to avoid these steps. The ECN (office network) must be made known to the front firewall, and the back firewall needs its own routing information in order to reach this network. Normally the ECN, like all other external networks, is not known to the firewalls: it is covered by the ISA Server\TMG-specific standard "External" network and is therefore checked with the strictest rules. In addition, a separate production domain must be established. If user-dependent rules also have to be created for office user accounts, the front firewall ISA Server\TMG has to become a member of the production domain or be able to query this information from the production domain via the RADIUS protocol. At least a one-sided trust function then has to be established between the production domain and the ERP domain (see the "Management of Computers and Users" detail document). Users of the ERP domain can now be authenticated by the production domain (1.) and access can be granted to the specified resources in the system (2.).

3 Practical information

3.1 General information

Instructions and descriptions

Detailed instructions and descriptions of how to set up the configurations described above are available under the following links:

● ISA:

http://www.microsoft.com/germany/technet/prodtechnol/isa/default.mspx

http://www.isaserver.org/articles_tutorials/

● TMG:

http://www.microsoft.com/germany/forefront/edgesecurity/tmg/default.mspx

AddOn Automation Firewall

In cooperation with SecureGUARD (www.secureguard.de), Siemens offers the SecureGUARD Automation Firewall Appliance series as an add-on. The SecureGUARD Automation Firewall Appliance series is used to secure SIMATIC® PCS 7- and SIMATIC® WinCC®-based automation systems in industrial plants. A pre-installed wizard simplifies and automates startup.

The SecureGUARD Automation Firewall Appliance series secures the access points to the production networks and guarantees restriction to the data traffic required to operate the automation system. Based on the firewall solution from Microsoft (Forefront Threat Management Gateway 2010), the industrial wizard of the integrated SecureGUARD Appliance Management is used to create an optimized set of rules.

The necessary information on system and network components is entered using the industrial wizard depending on the configuration variant. All necessary access policies are generated automatically in order to protect the communication both within the system and externally.

TMG restrictions (as of September 2011)

The TMG introduces some innovations, such as virus scanning of all data traffic that passes through the TMG and intrusion prevention functionality. At present these functions have not yet been released for use with PCS 7/WinCC for compatibility reasons. Please contact your sales partner for more up-to-date information.

Track changes (only available from ISA Server 2006 SP1)

ISA Server 2006 SP1 delivers a range of new features, including track changes. Each configuration change can now be logged on the ISA Server\TMG and also assigned to a specific administrator. This option is included in the standard TMG package.

Track changes is a separate tab in the monitoring area of the administration console. It is not activated by default. In order to log configuration changes, we recommend activating track changes.

Background networks

If the network structures are more complex and there are, for example, reasons for dividing the load, several cascaded networks must also be configured on the ISA Server\TMG. As the ISA Server\TMG has no physical interface in these networks and therefore does not "recognize" them, the address ranges of these networks must be added to the known networks of the ISA Server\TMG.

Routes must also be configured so that the ISA Server\TMG can reach these networks.

In the example shown in the graphic below, the address range 192.168.35.x of network MCS 2 must be added to the ISA Server\TMG in addition to the known network MCS 1 with address range 192.168.25.x. A route must also be created on the ISA Server\TMG that defines the 192.168.25.201 gateway for the MCS2 network.
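As an added example that is not part of the Siemens manual, the following Python check verifies such a background-network definition offline before it is entered on the ISA Server\TMG. It uses the MCS 1 / MCS 2 address ranges and the 192.168.25.201 gateway from the example above as constructed sample data, and flags a missing route, a gateway that lies outside a directly connected network, an overlap with a connected network, or a route whose destination is not a known network; the network names, the CIDR notation and the check function itself are assumptions.

```python
# Added example, not from the Siemens manual: offline plausibility check of a
# "background network" definition before it is entered on the ISA Server\TMG.
# Sample data is constructed from the manual's example: the ISA Server\TMG has
# an interface in MCS 1 (192.168.25.x); MCS 2 (192.168.35.x) lies behind the
# router 192.168.25.201, so MCS 2 needs both a network entry and a route.
import ipaddress

# Constructed sample data (network names and CIDR notation are assumptions).
CONNECTED = {"MCS 1": "192.168.25.0/24"}        # networks with a physical interface
BACKGROUND = {"MCS 2": "192.168.35.0/24"}       # networks behind a router
ROUTES = {"192.168.35.0/24": "192.168.25.201"}  # destination -> gateway


def check_background_networks(connected, background, routes):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    conn = {name: ipaddress.ip_network(cidr) for name, cidr in connected.items()}
    for name, cidr in background.items():
        net = ipaddress.ip_network(cidr)
        # A background range must not overlap a directly connected network.
        for cname, cnet in conn.items():
            if net.overlaps(cnet):
                problems.append(f"{name} {net} overlaps connected network {cname} {cnet}")
        # Without a route the ISA Server\TMG cannot reach the background network.
        gateway = routes.get(cidr)
        if gateway is None:
            problems.append(f"no route for {name} {net}")
            continue
        # The gateway must itself be in a directly connected network.
        gw_ip = ipaddress.ip_address(gateway)
        if not any(gw_ip in cnet for cnet in conn.values()):
            problems.append(f"gateway {gateway} for {name} is not in a connected network")
    # A route to a range that is not defined as a known network is a sign that
    # the network entry is missing; the ISA Server\TMG would treat it as "External".
    known = set(connected.values()) | set(background.values())
    for dest in routes:
        if dest not in known:
            problems.append(f"route to {dest} has no matching known network")
    return problems


if __name__ == "__main__":
    for problem in check_background_networks(CONNECTED, BACKGROUND, ROUTES) or ["OK"]:
        print(problem)
```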

Ping

ICMP (Internet Control Message Protocol), often informally referred to simply as ping, is used to check the availability of network devices and computers. Many devices and programs use it before the actual communication to check whether the partner is reachable at all. We therefore recommend permitting "pinging" between all networks on the ISA Server\TMG as a network diagnosis tool, as long as this creates no security risk.

Pinging must always be allowed between a PCS 7/WinCC Engineering Station and all the computers to be loaded from it.

3.1.1 Further information and instructions

Publishing the SIMATIC WebNavigator Server

If one or more WebNavigator servers are published using external names with sub-folders on the ISA Server\TMG, or if the WebNavigator server to be published is installed as a virtual website, please note the following:

● As shown in the following two graphics, the WebNavigator creates the additional virtual directories "WebNavigator" and "SCSWebBridge", and therefore at least two publishing rules must be created on the ISA Server\TMG for these virtual directories.

● A separate publishing rule with its own link translation, etc. has to be created both for the "WebNavigator" web page and for the virtual directory "SCSWebBridge".

Publishing "load balanced" WinCC WebNavigator servers

The following information applies to WinCC up to and including WinCC V6.2.x.

The following particular points should be noted when "load balanced" WebNavigator servers are published on the ISA Server\TMG:

● All WebNavigator servers must be published on the ISA server with different external names (e.g. WebServer01.ent.com and WebServer02.ent.com).

● The external interface of the ISA Server\TMG (e.g. 222.222.222.222) through which the Web clients get access must be accessible via all of the external names.

● The "load balanced" WebNavigator servers have to be able to reach each other via their external names (e.g. WebServer01.ent.com and WebServer02.ent.com).

● The external names must be entered in the "load balance" configuration dialog (see the WebNavigator documentation for further details) (see following graphic).

The following graphic shows an implementation with split DNS. In the external network, all the external DNS names point to the external IP address of the front firewall. In the local network they point to the real IP address of the relevant WebNavigator server.

Hardening of the ISA Server\TMG

Microsoft provides documents that describe in detail how the ISA Server\TMG can be protected even further, so-called "hardening". They are available under the following links:

● ISA:

http://www.microsoft.com/technet/isa/2006/security_guide.mspx

http://www.microsoft.com/technet/isa/2004/plan/securityhardeningguide.mspx

The second link refers to ISA Server 2004. However, the described settings are also valid for ISA Server 2006.

● TMG: included in the standard documentation

http://technet.microsoft.com/en-us/library/ff355324.aspx

The Security Configuration Wizard can also be used to harden the ISA Server\TMG:

● ISA:

http://www.microsoft.com/downloads/details.aspx?familyid=2748a927-bd3c-4d87-80fa-8687d5e2ab35&displaylang=en

● TMG: TMGRolesForSCW.exe, part of the Microsoft® Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11183

Deactivate the "IP routing" option in order to further increase the security of the ISA Server\TMG (on the TMG this option is preset by default and can no longer be changed). It is activated automatically as soon as a network rule with the "Route" relation is created. It is often claimed that this option is required for routing rules, but this is not correct. If the option is enabled, the ISA Server\TMG passes packets directly on to the target. If it is disabled, the ISA Server\TMG generates a new packet and copies only the data block of the incoming packet into the new packet. This eliminates the danger that the target devices may be attacked via corrupt header information. The data throughput of the ISA Server\TMG is slightly lower if IP routing is disabled. However, as protection and not throughput has top priority for industrial usage as a front firewall, this option should be disabled.

This option can be found under "Configuration > General > Configure IP protection > IP routing" (see the following graphic).