Module 1: Forefront Threat Management Gateway (TMG) 2010 Overview

© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.

Page 1: 50357 a enu-module01

Page 2: 50357 a enu-module01

Module Overview

• Introduction to Forefront TMG

• Deployment scenarios

• Basic configuration concepts

Page 3: 50357 a enu-module01

Lesson 1 – Introduction to Forefront TMG

Page 4: 50357 a enu-module01

Forefront Edge Security and Access Products

(Diagram labels: Before / Now; Network Protection; Network Access)

The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures:

• Integrated and comprehensive protection from Internet-based threats

• Unified platform for all enterprise remote access needs

Page 5: 50357 a enu-module01

The Threat Landscape

• Vulnerabilities down, threats up

• Increasing sophistication of threats

• Threats moving to the application layer

• Rising threats: phishing, spam and malicious e-mail, blended threats

Page 6: 50357 a enu-module01

Forefront TMG Value Proposition

Firewall – Control network policy access at the edge

Secure Web Gateway – Protect users from Web browsing threats

Secure E-mail Relay – Protect users from e-mail threats

Remote Access Gateway – Enable users to remotely access corporate resources

Intrusion Prevention – Protect desktops and servers from intrusion attempts

Comprehensive

Integrated

Simplified

Page 7: 50357 a enu-module01

Forefront TMG Deployment Scenarios

Unified Threat Management (UTM)

• All-in-one solution for medium businesses

• Firewall, VPN, Web security, IPS, e-mail relay in a single box

Secure Web Gateway

• Authenticating proxy with security

• Web antivirus and URL filtering

• Inspection of HTTP and HTTPS traffic

Remote Access Gateway

• Secure Web publishing

• Dial-in VPN

• Site-to-site VPN

Secure E-mail Relay

• Antispam

• Antivirus

• E-mail filtering

Page 8: 50357 a enu-module01

Features Summary

Firewall

• VoIP traversal

• Enhanced NAT

• ISP link redundancy

Secure Web Access

• HTTP antivirus/antispyware

• URL filtering

• HTTPS forward inspection

E-mail Protection

• Exchange Edge integration

• Antivirus

• Antispam

Intrusion Prevention

• Network inspection system

Remote Access

• NAP integration with client VPN

• SSTP integration

Deployment and Management

• Array management

• Change tracking

• Enhanced reporting

• W2K8, native 64-bit

Subscription Services

• Malware protection

• URL filtering

• Intrusion prevention

Page 9: 50357 a enu-module01

Features Summary: Comparing with ISA Server 2006

Feature | ISA Server 2006 | Forefront TMG
Network layer firewall | Yes | Yes
Application layer firewall | Yes | Yes
Internet access protection (proxy) | Yes | Yes
Basic OWA and SharePoint publishing | Yes | Yes
IPSec VPN (remote and site-to-site) | Yes | Yes
Web caching, HTTP compression | Yes | Yes
Web antivirus, antimalware | | New
URL filtering | | New
E-mail antimalware, antispam | | New
Network intrusion prevention | | New
Enhanced UI, management, reporting | | New
Exchange publishing (RPC over HTTP) | Yes | Yes
Windows Server® 2008 R2, 64-bit (only) | | New

Page 10: 50357 a enu-module01

Forefront TMG Licensing

Two editions and two Client Access Licenses (CALs):

Editions

• Standard Edition: Full UTM

• Enterprise Edition: Scalability and management

Subscriptions (CALs)

• Web protection

• E-mail protection

Page 11: 50357 a enu-module01

Comparing Forefront TMG Editions

Feature | Standard Edition | Enterprise Edition
Number of CPUs | Up to 4 CPUs | Unlimited
Array/NLB/CARP support | No | Yes
Enterprise management | No | Yes, with added ability for EMS to manage SEs
Publishing | Yes | Yes
VPN support | Yes | Yes
Forward proxy/cache, compression | Yes | Yes
Network IPS (NIS) | Yes | Yes
E-mail protection | Both editions: requires a Microsoft® Exchange Server license (Server + CALs) and installation by the admin

Page 12: 50357 a enu-module01

Subscriptions

Subscription-based licenses, sold as Client Access Licenses (CALs) and charged per user, per year.

Protection components

• E-mail protection: antispam, antivirus

• HTTP protection: antimalware, URL filtering

Network Inspection System is free!

Page 13: 50357 a enu-module01

Translating Licenses

Today | At Launch
ISA Server SE | Forefront TMG 2010 SE
ISA Server EE | Forefront TMG 2010 EE

Forefront TMG 2010 EE

Covered by Software Assurance

Available per user/device, per year

Page 14: 50357 a enu-module01

Lesson 2 – Installation and Initial Setup

Page 15: 50357 a enu-module01

System Requirements

Component | Minimum | Recommended
Processor | 2 core (1 CPU x dual core) 64-bit processor | 4 core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
Memory | 2 gigabytes (GB) of memory | 4 gigabytes (GB) of memory
Hard disk space | 2.5 GB of available hard disk space* | 2.5 GB of available hard disk space*
Hard disks | One local hard disk partition formatted with NTFS | Two disks for system and logging, and one for caching and malware inspection
Network | One network adapter for communicating with the internal network | One network adapter for each network connected to the Forefront TMG 2010 server
Operating system | Windows Server® 2008 x64 with Service Pack 2, or Windows Server® 2008 R2 (both columns)

* Exclusive of the hard disk space used for caching and for storing temporary files

Page 16: 50357 a enu-module01

Installation Prerequisites

Basic installation

• Connected to the network, with DNS server settings configured

• Required operating system components: Windows® Roles and Features, Microsoft® .NET Framework 3.5 SP1, Windows Web Services API, Windows Installer 4.5

• The Preparation Tool installs the required components

For the Secure Mail Relay usage scenario

• Exchange Edge Transport Role: Microsoft® Exchange Server 2007 with Service Pack 1, or Microsoft® Exchange Server 2010

• Microsoft® Forefront™ Protection 2010 for Exchange Server

Page 17: 50357 a enu-module01

Installation

Page 18: 50357 a enu-module01

Installation

Page 19: 50357 a enu-module01

Initial Configuration: Getting Started Wizard

Page 20: 50357 a enu-module01

Configuring Network Settings: Network Setup Wizard

Select the network topology used:

• Edge firewall

• 3-Leg perimeter

• Back firewall

• Single network adapter

Page 21: 50357 a enu-module01

Configuring Network Settings: Network Setup Wizard

• Define the IP configuration for each network adapter

• Assign each adapter to the appropriate network

Page 22: 50357 a enu-module01

Configuring System Settings: System Configuration Wizard

• Define host name, domain membership and DNS suffix

Page 23: 50357 a enu-module01

Configuring Deployment Settings: Deployment Wizard

• Activate subscription licenses

• Enable malware protection and intrusion prevention

• Configure signature update schedule and response policy

• Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service

Page 24: 50357 a enu-module01

Configuring Deployment Settings: Deployment Wizard

Page 25: 50357 a enu-module01

Lesson 3 – Basic Configuration Concepts

Page 26: 50357 a enu-module01

Configuration Concepts: Network Adapters

• Forefront TMG supports unlimited network adapters (limited by hardware)

Page 27: 50357 a enu-module01

Configuration Concepts: Networks

(Diagram: a TMG server connecting the Internet via ISP 1 and ISP 2, DMZ EXT, DMZ INT, LAN 1, LAN 2, LAN 3, a Branch office and a VPN client.)

Network objects shown:

• Internal

• External

• Local Host

• DMZ Internal, DMZ External

• VPN Clients

Page 28: 50357 a enu-module01

Configuration Concepts: Networks

• The Networks configuration models the enterprise network infrastructure

• A network contains all addresses reachable through its network adapter

• Networks cannot overlap with other networks

• Address ranges can be static or dynamic

Page 29: 50357 a enu-module01

Configuration Concepts: Network Sets

(Diagram: the same topology as before, with DMZ EXT and DMZ INT grouped into a "DMZ Networks" network set.)

Page 30: 50357 a enu-module01

Configuration Concepts: Network Sets

• Network Sets are used to group one or more networks

• Defined by selecting the networks included in the set (Include) or the networks excluded from the set (Exclude)

• Used in the definition of network and policy rules

Page 31: 50357 a enu-module01

Configuration Concepts: Network Rules

• Define allowed traffic flows: determine the relationship between two networks

• Route: bi-directional; source address not modified

• NAT: uni-directional; source address is modified

• Required for non-Web access and Server Publishing rules

• The Web proxy filter ignores network rules

Page 32: 50357 a enu-module01

Configuration Concepts: Network Rules

• New feature, Enhanced NAT: specify the IP address to be used when doing NAT
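The three concepts on the preceding slides (Networks with non-overlapping address ranges, Network Sets built by Include or Exclude, and Network Rules that are either Route or NAT) fit together in a small model. The following Python is an added illustration written for this page; it is not Forefront TMG's own object model or API, and all class names, the "DMZ Networks" and "All Protected Networks" sets, the rule names and the address ranges are constructed assumptions. It checks networks for overlap, resolves network sets, and for a given source and destination address finds the first matching network rule and reports what source address the destination will see, which is where Route (bi-directional, unchanged source) and NAT (one way, rewritten source, optionally to an Enhanced NAT address) differ.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Optional

# Illustrative model of the TMG concepts on these slides (not the product's
# own object model): Networks, Network Sets and Network Rules.


@dataclass
class Network:
    name: str
    ranges: List[IPv4Network]
    catch_all: bool = False  # External: every address not assigned to another network

    def contains(self, addr: IPv4Address) -> bool:
        return any(addr in r for r in self.ranges)


@dataclass
class NetworkSet:
    name: str
    mode: str           # "include": the listed networks; "exclude": all networks except the listed ones
    members: List[str]

    def resolve(self, networks: List[Network]) -> List[str]:
        names = [n.name for n in networks]
        if self.mode == "include":
            return [n for n in names if n in self.members]
        if self.mode == "exclude":
            return [n for n in names if n not in self.members]
        raise ValueError(f"unknown mode {self.mode!r}")


@dataclass
class NetworkRule:
    name: str
    source: List[str]        # network or network-set names
    destination: List[str]
    relationship: str        # "route": bi-directional, source kept; "nat": one way, source rewritten
    nat_address: Optional[IPv4Address] = None  # Enhanced NAT: the address to use when translating


def check_no_overlap(networks: List[Network]) -> List[str]:
    """List every pair of address ranges that overlap; TMG networks must not overlap."""
    problems = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            problems += [f"{a.name} {ra} overlaps {b.name} {rb}"
                         for ra in a.ranges for rb in b.ranges if ra.overlaps(rb)]
    return problems


def locate(networks: List[Network], addr: IPv4Address) -> Optional[str]:
    """Name of the network holding addr; the catch-all network is consulted last."""
    for n in networks:
        if not n.catch_all and n.contains(addr):
            return n.name
    return next((n.name for n in networks if n.catch_all), None)


def expand(names: List[str], networks: List[Network], sets: List[NetworkSet]) -> List[str]:
    """Replace network-set names in a rule element with the networks they resolve to."""
    by_name = {s.name: s for s in sets}
    out: List[str] = []
    for name in names:
        out += by_name[name].resolve(networks) if name in by_name else [name]
    return out


def evaluate(networks, sets, rules, src_ip: str, dst_ip: str) -> dict:
    """Find the first network rule relating the two addresses' networks and report
    the source address the destination will see (unchanged for Route, NAT address for NAT)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_net, dst_net = locate(networks, src), locate(networks, dst)
    if src_net is None or dst_net is None:
        return {"matched": None, "reason": "address not in any defined network"}
    for rule in rules:
        s = expand(rule.source, networks, sets)
        d = expand(rule.destination, networks, sets)
        forward = src_net in s and dst_net in d
        reverse = rule.relationship == "route" and dst_net in s and src_net in d  # Route works both ways
        if forward or reverse:
            visible = str(src)
            if rule.relationship == "nat":
                visible = str(rule.nat_address) if rule.nat_address else "<adapter primary address>"
            return {"matched": rule.name, "relationship": rule.relationship, "visible_source": visible}
    return {"matched": None, "reason": f"no network rule between {src_net} and {dst_net}"}


# Constructed sample configuration; the public addresses are documentation ranges.
NETWORKS = [
    Network("Internal", [IPv4Network("10.10.0.0/16"), IPv4Network("192.168.1.0/24")]),
    Network("DMZ External", [IPv4Network("172.16.1.0/24")]),
    Network("DMZ Internal", [IPv4Network("172.16.2.0/24")]),
    Network("VPN Clients", [IPv4Network("10.99.0.0/24")]),
    Network("External", [], catch_all=True),
]
SETS = [
    NetworkSet("DMZ Networks", "include", ["DMZ External", "DMZ Internal"]),
    NetworkSet("All Protected Networks", "exclude", ["External"]),
]
RULES = [
    NetworkRule("VPN Clients to Internal Network", ["VPN Clients"], ["Internal"], "route"),
    NetworkRule("Internal to DMZ", ["Internal"], ["DMZ Networks"], "route"),
    NetworkRule("Internet Access", ["All Protected Networks"], ["External"], "nat",
                IPv4Address("203.0.113.10")),
]

if __name__ == "__main__":
    print(check_no_overlap(NETWORKS))
    print(evaluate(NETWORKS, SETS, RULES, "10.10.5.5", "198.51.100.7"))  # NAT behind 203.0.113.10
    print(evaluate(NETWORKS, SETS, RULES, "10.10.5.5", "10.99.0.4"))     # reverse direction of a Route rule
    print(evaluate(NETWORKS, SETS, RULES, "198.51.100.7", "10.10.5.5"))  # NAT is one way: no rule
```

The last call is the instructive one: the same NAT rule that lets Internal hosts reach the Internet does not relate External to Internal, so traffic in that direction has no network rule at all and would need a publishing rule, which is exactly why the slide lists NAT as uni-directional and Route as bi-directional.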

Page 33: 50357 a enu-module01

Configuration Concepts: Routing

• Display the routing table used between networks

• Set via the route -p add command or the GUI

Page 34: 50357 a enu-module01

Forefront TMG Policy

Three types of rules:

1. Network rules

2. System policy

3. Firewall policy

Page 35: 50357 a enu-module01

Single Adapter Scenario

Forefront TMG supports using a single network adapter.

Supported scenarios

• Secure Web Gateway (forward Web proxy and cache)

• Web Publishing (reverse Web proxy and cache)

• Remote client VPN access

Unsupported scenarios

• Application layer inspection (except for Web proxy)

• Server publishing

• Non-Web clients: Firewall client, SecureNAT

• Site-to-site VPNs

Page 36: 50357 a enu-module01

Single Adapter Scenario

(Diagram: a single-adapter TMG server with the Internet, LAN 1, LAN 2, LAN 3 and a VPN client reached through the one adapter; network objects Internal, Local Host and VPN Clients.)

Page 37: 50357 a enu-module01

Common Configuration Mistakes

• Multiple default gateways: define only one default gateway

• Not adding reachable addresses to networks: ensure all reachable addresses are added

• DNS resolution issues: the DNS server list is system wide, not per adapter; use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
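The first two mistakes on this slide can both be spotted from the host's routing table, which the Routing slide says is set with route -p add and shown with the TMG console. The following Python is an added example written for this page, not part of the course or the product: it parses text in the layout of the IPv4 section of Windows "route print" (the sample below is constructed, not captured from a real server), reports every default gateway so that more than one stands out, and lists subnets that are reached through a router but fall outside every address range you have defined on a TMG network object. The network ranges passed to audit() are a constructed assumption standing in for the Internal and External network definitions.

```python
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

# Constructed text in the layout of the IPv4 section of Windows "route print";
# written for this example, not captured from a real server.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10     10
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        10.20.0.0      255.255.0.0      192.168.1.1    192.168.1.10     11
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    266
      203.0.113.0    255.255.255.0         On-link      203.0.113.10    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  None
"""

Route = Tuple[IPv4Network, str, str, int]   # destination, gateway, interface, metric


def parse_active_routes(text: str) -> List[Route]:
    """Pull (destination, gateway, interface, metric) out of the Active Routes block."""
    routes: List[Route] = []
    in_active = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        parts = line.split()
        if not in_active or len(parts) != 5 or not parts[0][0].isdigit():
            continue  # separator lines and the column header
        dest, mask, gateway, iface, metric = parts
        routes.append((ip_network(f"{dest}/{mask}", strict=False), gateway, iface, int(metric)))
    return routes


def default_gateways(routes: List[Route]) -> List[str]:
    """Gateways of every 0.0.0.0/0 route; TMG wants exactly one default gateway."""
    return [gw for dest, gw, _, _ in routes if dest.prefixlen == 0]


def routed_but_undefined(routes: List[Route], networks: List[IPv4Network]) -> List[IPv4Network]:
    """Subnets reached through a router (not On-link) that lie outside every
    address range defined on a TMG network object: the second mistake on the slide."""
    return [dest for dest, gw, _, _ in routes
            if dest.prefixlen > 0 and gw != "On-link"
            and not any(dest.subnet_of(net) for net in networks)]


def audit(text: str, defined_networks: List[str]) -> Dict[str, object]:
    """Summarise both checks for one route table and one set of defined network ranges."""
    routes = parse_active_routes(text)
    nets = [IPv4Network(n) for n in defined_networks]
    gws = default_gateways(routes)
    return {
        "default_gateways": gws,
        "multiple_default_gateways": len(set(gws)) > 1,
        "routed_but_undefined": [str(n) for n in routed_but_undefined(routes, nets)],
    }


if __name__ == "__main__":
    # Constructed TMG network definitions: Internal covers only the on-link LAN,
    # so the routed 10.20.0.0/16 branch subnet has not been added to it.
    print(audit(SAMPLE_ROUTE_PRINT, ["192.168.1.0/24", "203.0.113.0/24"]))
```

In the sample the box has a default gateway on both the external and the internal adapter, and the 10.20.0.0/16 subnet behind the internal router is routable but belongs to no defined network; the fix for the first is a single default gateway on the external adapter with static routes (route -p add) for internal subnets, and for the second, adding 10.20.0.0/16 to the Internal network's address ranges.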

Page 38: 50357 a enu-module01

Questions

Page 39: 50357 a enu-module01

Lab 1: Forefront TMG Installation

In this lab, you will:

• Install Forefront TMG on a Windows Server® 2008 R2 server

• Perform an initial configuration of Forefront TMG using the Getting Started wizards

Lab 1, Exercises 1 and 2. Estimated completion time: 45 min

Page 40: 50357 a enu-module01

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.