7/31/2019 1-introduzioneatmg-120625161730-phpapp01 (1)
1/42
Introduction to TMG 2010
Fabrizio Volpe, MVP Directory, [email protected]
A Brief History of Perimeter Protection
- Proxy Server 1.0
- Proxy Server 2.0
- Internet Security and Acceleration (ISA) Server 2000: stateful packet inspection, trusted networks
- ISA 2004: no network traffic allowed out of the box
- ISA 2006: Web publishing
- Forefront Threat Management Gateway 2010
Forefront Edge Security and Access Products
(Diagram: Before / Now; Network Protection / Network Access)
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures:
- Integrated and comprehensive protection from Internet-based threats
- Unified platform for all enterprise remote access needs
Forefront TMG and UAG
- New features make Forefront TMG the ideal outbound access solution.
- In contrast to ISA 2006, very little has been done in Forefront TMG in terms of improvements for inbound access control. Exceptions:
  - Secure Socket Tunneling Protocol (SSTP) for VPN client connections
  - NAP integration
- You will not see any other major changes in the Web or Server Publishing features when moving from ISA 2006 to Forefront TMG.
- The majority of inbound access (remote access) effort is going into the Microsoft Forefront Unified Access Gateway (UAG) 2010.
- It is expected that Forefront TMG will be used primarily for outbound access control and as a network firewall, and UAG will be used for inbound access (remote access) control.
Possible Placements in the Network Perimeter
- At the edge of the corporate network
- As a back-end firewall behind another Forefront TMG firewall or a third-party firewall
- As a parallel firewall on the edge, next to another Forefront TMG or third-party firewall
- As a network service segment firewall, providing a secure perimeter between client systems and network services
- As a multi-homed firewall that acts as the hub between multiple internal and perimeter networks
Forefront TMG: Features
- Firewall: control network policy access at the edge
- Secure Web Gateway: protect users from Web browsing threats
- Secure E-mail Relay: protect users from e-mail threats
- Remote Access Gateway: enable users to remotely access corporate resources
- Intrusion Prevention: protect desktops and servers from intrusion attempts
Comprehensive, integrated, simplified.
Forefront TMG: Deployment Scenarios
- Unified Threat Management (UTM): all-in-one solution for medium businesses; firewall, VPN, Web security, IPS and e-mail relay in a single box
- Secure Web Gateway: authenticating proxy with security; Web antivirus and URL filtering; inspection of HTTP and HTTPS traffic
- Remote Access Gateway: secure Web publishing; dial-in VPN; site-to-site VPN
- Secure E-mail Relay: antispam; antivirus; e-mail filtering
Forward Proxy, Reverse Proxy, Web Proxy, and Winsock Proxy Server
- Web proxy server / reverse proxy services: application layer inspection. For forward proxy connections, Web anti-malware capabilities and URL filtering; for reverse proxy, SSL bridging; for both, HTTP protocol inspection.
- Remote Access VPN Server: stateful packet and application layer inspection on all traffic moving through the VPN; user-based access controls (based on user name or user group membership); Remote Access Quarantine Control and Network Access Protection (NAP).
- Secure E-mail Gateway: the Forefront TMG e-mail gateway feature is powered by the Edge Transport Server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server.
Network Inspection System, Malware Inspection and HTTPS Inspection
- Network Inspection System: uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then take action.
- Malware Inspection: the Malware Inspection filter (Edge Malware Protection) is a built-in Web filter; it supports delayed download, an HTML progress page, and trickling.
- HTTPS Inspection: Forefront TMG introduces a new feature called HTTPS inspection. It is based on a trusted man-in-the-middle mechanism, in which Forefront TMG works as a trusted man in the middle and acts as the SSL site for the client.
Feature Summary
- Firewall: VoIP traversal, Enhanced NAT, ISP link redundancy
- Secure Web Access: HTTP antivirus/antispyware, URL filtering, HTTPS forward inspection
- E-mail Protection: Exchange Edge integration, antivirus, antispam
- Intrusion Prevention: Network Inspection System
- Remote Access: NAP integration with client VPN, SSTP integration
- Deployment and Management: array management, change tracking, enhanced reporting, Windows Server 2008, native 64-bit
- Subscription Services: malware protection, URL filtering, intrusion prevention
Feature Summary: Comparison with ISA Server 2006

Feature                                   ISA Server 2006   Forefront TMG
Network layer firewall                    Yes               Yes
Application layer firewall                Yes               Yes
Internet access protection (proxy)        Yes               Yes
Basic OWA and SharePoint publishing       Yes               Yes
IPsec VPN (remote and site-to-site)       Yes               Yes
Web caching, HTTP compression             Yes               Yes
Web antivirus, antimalware                -                 New
URL filtering                             -                 New
E-mail antimalware, antispam              -                 New
Network intrusion prevention              -                 New
Enhanced UI, management, reporting        -                 New
Exchange publishing (RPC over HTTP)       Yes               Yes
Windows Server 2008 R2, 64-bit (only)     -                 New
Licenses: two editions and two Client Access Licenses (CALs)
- Standard Edition: full UTM
- Enterprise Edition: scalability and management
- Subscriptions: Web protection, e-mail protection
Edition Comparison (Standard Edition vs. Enterprise Edition)
- Number of CPUs: Standard Edition up to 4 CPUs; Enterprise Edition unlimited
- Array/NLB/CARP support
- Enterprise management: yes, with the added ability for an EMS to manage Standard Edition servers
- Publishing
- VPN support
- Forward proxy/cache, compression
- Network IPS (NIS)
- E-mail protection: requires a Microsoft Exchange Server license (Server + CALs) and installation by the administrator
License Transition from ISA 2006 to TMG 2010 (today / at launch)
- ISA Server SE -> Forefront TMG 2010 SE
- ISA Server EE -> Forefront TMG 2010 EE
- Forefront TMG 2010 EE: covered by Software Assurance
- Subscriptions: available per user/device, per year
Installation and Initial Configuration
System Requirements
- Processor: minimum 2 cores (1 CPU x dual core), 64-bit processor; recommended 4 cores (2 CPU x dual core or 1 CPU x quad core), 64-bit processor
- Memory: minimum 2 gigabytes (GB); recommended 4 GB
- Hard disk space: 2.5 GB of available hard disk space* (minimum and recommended)
- Hard disks: minimum one local hard disk partition formatted with NTFS; recommended two disks for system and logging, and one for caching and malware inspection
- Network: minimum one network adapter for communicating with the internal network; recommended one network adapter for each network connected to the Forefront TMG 2010 server
- Operating system: Windows Server 2008 x64 with Service Pack 2, or Windows Server 2008 R2
* Exclusive of the hard disk space used for caching and for storing temporary files
Required Server Roles and Features
Server roles and features required by Forefront TMG include:
- Network Policy Server
- Routing and Remote Access Service
- Active Directory Lightweight Directory Services
- Network Load Balancing
- Windows PowerShell
Other software:
- Microsoft .NET Framework 3.5 SP1
- Windows Web Services API
- Microsoft Update
- Microsoft Windows Installer 4.5
Notes:
- These server roles are installed during Forefront TMG installation; you do not need to install them in advance.
- They are not removed if you uninstall Forefront TMG.
- The Forefront TMG Preparation Tool installs them.
- Forefront TMG is not supported on a machine that is configured as a domain controller, with the exception of a read-only domain controller, which requires that TMG Service Pack 1 be installed.
Prerequisites
- Basic installation: connected to the network, with DNS server settings configured
- For the Secure Mail Relay usage scenario: the Exchange Edge Transport role (Microsoft Exchange Server 2007 with Service Pack 1, or Microsoft Exchange Server 2010) and Microsoft Forefront Protection 2010 for Exchange Server
Note: Enterprise Management Server
- Both the Standard and Enterprise editions of Forefront TMG store their configuration in an Active Directory Lightweight Directory Services (AD LDS) database.
- Standard Edition: the AD LDS database is always on the Forefront TMG firewall itself.
- Enterprise Edition: option of installing the AD LDS configuration database on a firewall array member or on a separate computer. The separate computer hosting the AD LDS database is called the Enterprise Management Server (EMS).
Installation (setup screenshots)
Initial Configuration: Getting Started Wizard
Network Settings Configuration: Network Setup (Template) Wizard
Select the network topology used:
- Edge firewall
- 3-leg perimeter
- Back firewall
- Single network adapter
Network Settings Configuration: Network Setup Wizard
- Define the IP configuration for each network adapter
- Assign each adapter to the appropriate network
System Settings Configuration: System Configuration Wizard
- Define hostname, domain membership and DNS suffix
Deployment Settings Configuration: Deployment Wizard
- Activate subscription licenses
- Enable malware protection and intrusion prevention
- Configure the signature update schedule and response policy
- Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
Basic Concepts
Network Relationship
TMG defines a network as a logical representation of a network connection owned by the computer where TMG operates. These networks can be:
- a physical connection such as a network interface card (NIC) or modem
- a logical interface such as a dial-in or site-to-site VPN connection
In each case, TMG must have a clear understanding of how to define and process the traffic that is received from a given network.
The simplest definition of a network relationship is the relationship indicated by the source and destination hosts as defined in the traffic 5-tuple.
Note: 5-tuple is an industry-standard term describing the criteria used to uniquely identify an IP communication channel. This data includes:
- source and destination IP addresses
- source and destination ports (if used)
- transport protocol (TCP, UDP, and so on)
Configuration: Network Rules
- Network rules define allowed traffic flows. Like firewall policy rules, they define how TMG will handle traffic between source and destination hosts.
- Network rules are also processed in the order in which they are defined.
- Because network rules form a primary criterion for traffic processing, they have the power to discard traffic before any firewall policy rule has the opportunity to evaluate it. When this happens, the firewall log will not include a name in the rule field, because no firewall policy rule processed the traffic.
- As is the case with firewall policy rules, the order of network rules is critical to correct traffic evaluation by TMG.
Configuration: Network Rules (continued)
- All network rule sets begin with the same rule, Local Host Access, which defines a route relationship for traffic that is sourced or terminated by TMG itself. This rule cannot be modified by the TMG administrator.
- All network rules operate in the context of network objects. When you run the Network Rule Wizard, you are given the opportunity to select from a subset of the firewall policy network objects.
- The options presented for a network rule's source and destination criteria are limited to those items that are defined as some variation or grouping of an IP address, IP subnet, IP address range, or combinations of these, as in Computer or Network Sets.
- No firewall policy elements that abstract the source or destination into a name (such as domain or URL sets) can be used for network rules, because they cannot represent literal network membership.
Configuration: Network Adapters
- Forefront TMG supports an unlimited number of network adapters (limited only by hardware)
Configuration: Networks
- The Networks configuration models the enterprise network infrastructure
- A network contains all reachable IPs for a network adapter
- Networks cannot overlap with other networks
- Static or dynamic
Configuration: Network Sets
- Network Sets are used to group one or more networks
- Defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude)
- Used in the definition of network and policy rules
Configuration: Network Relationship
Determines the relationship between two networks:
- Route: bi-directional; source address not modified
- NAT: uni-directional; source address is modified
- Network rules are required for non-Web access and Server Publishing rules; the Web proxy filter ignores network rules
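The rule-evaluation behaviour described in the Network Rules and Network Relationship slides, as an added example that is not part of the original deck: a small Python model that walks an ordered network-rule set against a traffic 5-tuple, applies the implicit Local Host Access rule first, treats Route as bi-directional and NAT as uni-directional (rewriting the source to the Enhanced NAT address), and reports unmatched traffic as discarded with no rule name, as the firewall log would. Rule names, subnets and addresses are constructed for the example.

```python
# Added example (not from the slides): a model of TMG network-rule evaluation
# against a traffic 5-tuple. Rule names, subnets and addresses are constructed.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

# the 5-tuple that uniquely identifies an IP communication channel
Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port proto")

@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: Tuple[str, ...]       # literal subnets/ranges only: no domain or URL sets
    destinations: Tuple[str, ...]
    relationship: str              # "Route" or "NAT"
    nat_address: Optional[str] = None   # Enhanced NAT: address the source is rewritten to

def _in_any(ip: str, nets: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def _matches(rule: NetworkRule, flow: Flow) -> bool:
    if _in_any(flow.src_ip, rule.sources) and _in_any(flow.dst_ip, rule.destinations):
        return True
    # a Route relationship is bi-directional; NAT only applies source -> destination
    return rule.relationship == "Route" and \
        _in_any(flow.src_ip, rule.destinations) and _in_any(flow.dst_ip, rule.sources)

def evaluate(rules, flow: Flow, tmg_addresses):
    """Return (matching rule name, source address after translation). (None, None) means
    no network rule matched: the traffic is discarded before any firewall policy rule
    runs, so the firewall log entry carries no rule name."""
    # every rule set starts with Local Host Access: a Route for traffic to/from TMG itself
    if flow.src_ip in tmg_addresses or flow.dst_ip in tmg_addresses:
        return "Local Host Access", flow.src_ip
    for rule in rules:             # processed strictly in the order they are defined
        if _matches(rule, flow):
            if rule.relationship == "NAT":
                return rule.name, rule.nat_address
            return rule.name, flow.src_ip
    return None, None

# constructed sample: Internal 10.0.0.0/8, Perimeter 192.168.100.0/24, External = all else
TMG_ADDRESSES = frozenset({"10.0.0.1", "192.168.100.1", "203.0.113.10"})
RULES = (
    NetworkRule("Internal to Perimeter", ("10.0.0.0/8",), ("192.168.100.0/24",), "Route"),
    NetworkRule("Internet Access", ("10.0.0.0/8", "192.168.100.0/24"), ("0.0.0.0/0",),
                "NAT", nat_address="203.0.113.10"),
)
```

Swapping the two rules in RULES changes the result for perimeter-to-internal traffic, which is the ordering point the slides make.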
Configuration: Network Rules
- New feature, Enhanced NAT: specify the IP address to be used when doing NAT
Configuration: Routing
- Displays the routing table used between networks
- Set via the route -p add command or the GUI
Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
Installation on a Server with a Single Network Adapter
Forefront TMG supports using a single network adapter.
Supported scenarios:
- Secure Web Gateway (forward Web proxy and cache)
- Web Publishing (reverse Web proxy and cache)
- Remote client VPN access
Unsupported scenarios:
- Application layer inspection (except for Web proxy)
- Server publishing
- Non-Web clients
- Firewall client
- SecureNAT
- Site-to-site VPNs
What to Check When Setup Fails
- If TMG Setup fails for any reason, first read the description of the error message that appears on screen.
- During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%\temp folder. The information in the TMG Setup log files is based on Microsoft Windows Installer logging.
- If you want to use the SMTP Protection feature on TMG, you need to install the Microsoft Exchange Edge Transport role and Forefront Protection 2010 for Exchange Server. The log files for the Exchange component of the installation are stored at %systemdrive%\ExchangeSetupLogs.
- The Forefront Protection 2010 for Exchange Server component adds setup information to the file FssSetupLogYYMMDDTimeStamp.txt, which is located in %systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server.
Setup Log Files (screenshot)
Classic Configuration Errors
- Multiple default gateways: define only one default gateway.
- Not adding reachable addresses to networks: ensure all reachable addresses are added.
- DNS resolution issues: the DNS server list is system-wide, not per adapter. Use the internal DNS servers, or host a DNS server service locally and use conditional forwarding.