4. TMG & UAG
Forefront Edge Security and Access products provide
enhanced network edge protection and application-centric,
policy-based access to corporate IT infrastructures
Protection
Access
5. TMG New Features
Secure Web Access
• HTTP Antivirus/antimalware
• URL Filtering
• HTTPS forward inspection
Firewall
• VoIP traversal (SIP)
• Enhanced NAT
• ISP Link Redundancy
Remote Access
• NAP integration with VPN role
• SSTP
E-mail Protection
• Exchange Edge/FPE integration
• Anti-Virus
• Anti-spam
Intrusion Prevention
• Network Inspection System (NIS)
• Security Assessment and Response (SAS)
Deployment & Management
• Array Management
• Scenario UI & Wizards
• Change tracking
• Enhanced reporting
• W2K8, native 64-bit
Subscription Services
• Update Center:
  • HTTP: AV + URL Filtering
  • Email: AV + Anti-Spam
  • NIS signatures
6. TMG Features Summary
Feature                                | ISA 2006 | TMG 2010
Network firewall                       | yes      | yes
Application firewall                   | yes      | yes
Internet access protection (proxy)     | yes      | yes
Basic OWA & SharePoint publishing      | yes      | yes
Exchange publishing (RPC over HTTP)    | yes      | yes
IPSec VPN (remote & site-to-site)      | yes      | yes
Web caching, HTTP compression          | yes      | yes
Windows Server 2008, 64-bit (only)     | no       | New
Web anti-virus, anti-malware           | no       | New
URL filtering                          | no       | New
Email anti-malware, anti-spam          | no       | New
Network intrusion prevention           | no       | New
Integration with codename "Stirling"   | no       | New
Enhanced UI, management, reporting     | no       | New
7. TMG versioning
                               | Standard Edition                  | Enterprise Edition
Supported deployment scenarios | Standalone server                 | Servers in a standalone array; servers in an array managed by EMS
CPUs                           | Up to 4 CPUs                      | Unlimited
Array/NLB/CARP support         | No, you can only have one server  | Yes
Enterprise Management          | No                                | Yes, with the added ability to manage Standard Editions
Stirling integration           | Not supported                     | Supported
Web AV + URL Filtering         | Requires subscription             | Requires subscription
Email AV/AS                    | Requires Exchange license         | Requires Exchange license
Publishing, VPN support, forward proxy/cache with compression, and Network IPS (NIS) are available in both editions.
9. Setup
Feature                  | Supported OS
TMG                      | Windows Server 2008 SP2 x64; Windows Server 2008 R2 x64
EMS                      | Windows Server 2008 SP2 x64; Windows Server 2008 R2 x64
TMG management console   | Windows Server 2008 SP2, R2 (x32, x64); Windows Vista SP1 (x32, x64); Windows 7 (x32, x64)
11. URL-F Introduction
URL Filtering controls end-user access to web sites and protects the organization by denying access to known malicious sites and to sites displaying inappropriate or pornographic material, based on predefined URL categories.
Typical use cases for this feature:
Enhancing your security.
Lowering liability risks.
Improving the productivity of your organization.
Saving network bandwidth.
12. MRS – Microsoft Reputation Services
Aggregates reputation data from multiple vendors
Uses telemetry in order to improve data accuracy
(Diagram: data sources feeding MRS: iFilter, Marshal, 8e6, IE Security, BrightCloud)
13. URL Filtering
Microsoft Reputation Service (MRS) returns one of 80 "category" indications for each URL, including "Unknown".
(Diagram: the client requests www.soccer.com; TMG asks MRS "www.soccer.com ?" and receives "category = sports", which it also stores in its cache; the request is then matched against the firewall rule "Allow category Sports after 5 PM only" before content is returned to the client.)
14. URL category usage
URL category information is used for:
Rules (allow/deny rules according to category)
Log
EMP exclusion list
HTTPS exclusion list
No reverse lookups.
16. Category query tool
Available from the Web Protection Tasks
Lets the administrator see the category of a URL and the source of the categorization (local cache, MRS, override)
17. URL category overrides
Available from the Web Protection Tasks
Makes it possible to assign a URL to a category different from its default category (the one returned by MRS)
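The lookup and rule flow of slides 13 to 17, as an added example that is not part of the original deck or of TMG's own code: categories are resolved with the same three sources the category query tool reports (administrator override first, then the local cache, then MRS), and an ordered first-match policy allows the "Sports" category only inside a schedule. MRS is replaced by a constructed in-memory table; the host names, the rule list and the `at()` time helper are assumptions made for the example.

```python
"""Model of TMG URL filtering: category resolution with
override > local cache > MRS precedence, plus a first-match access rule
that allows a category only inside a schedule.
Added illustration, not TMG code; MRS is a constructed table."""
from __future__ import annotations
from datetime import datetime, time

UNKNOWN = "Unknown"

# Constructed stand-in for MRS answers. Anything not listed comes back "Unknown".
MRS_TABLE = {
    "www.soccer.com": "Sports",
    "www.example-bank.test": "Finance",
    "malware.example.test": "Malicious",
}


class CategoryResolver:
    def __init__(self, mrs_table: dict[str, str]):
        self.mrs_table = mrs_table
        self.cache: dict[str, str] = {}
        self.overrides: dict[str, str] = {}
        self.mrs_queries = 0

    def query_mrs(self, host: str) -> str:
        # Stands in for the HTTPS query TMG sends to the MRS sites.
        self.mrs_queries += 1
        return self.mrs_table.get(host, UNKNOWN)

    def resolve(self, host: str) -> tuple[str, str]:
        """Returns (category, source). Overrides are checked first, so an
        administrator's decision beats both the cache and MRS."""
        host = host.lower()
        if host in self.overrides:
            return self.overrides[host], "override"
        if host in self.cache:
            return self.cache[host], "local cache"
        category = self.query_mrs(host)
        self.cache[host] = category
        return category, "MRS"


def at(hour: int, minute: int = 0) -> datetime:
    """Wall-clock time of the request on an arbitrary day (assumed helper)."""
    return datetime(2010, 3, 1, hour, minute)


def in_schedule(now: datetime, start: time, end: time) -> bool:
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end     # window wraps past midnight


# Ordered like TMG firewall policy: the first matching rule decides, and the
# implicit last rule denies, so "Unknown" hosts are denied unless a rule allows them.
RULES = [
    {"action": "deny", "categories": {"Malicious"}},
    {"action": "allow", "categories": {"Sports"}, "schedule": (time(17, 0), time(23, 59, 59))},
    {"action": "allow", "categories": {"Finance"}},
]


def evaluate(resolver: CategoryResolver, host: str, now: datetime, rules: list[dict] = RULES) -> str:
    category, _source = resolver.resolve(host)
    for rule in rules:
        if category not in rule["categories"]:
            continue
        sched = rule.get("schedule")
        if sched and not in_schedule(now, *sched):
            continue
        return rule["action"]
    return "deny"


if __name__ == "__main__":
    r = CategoryResolver(MRS_TABLE)
    print(evaluate(r, "www.soccer.com", at(9)))    # deny: before 5 PM
    print(evaluate(r, "www.soccer.com", at(18)))   # allow: schedule matches
    print(r.resolve("www.soccer.com"))             # ('Sports', 'local cache')
```

Two behaviours worth noticing: the second lookup of the same host never touches MRS (the cache answers), and an override changes the rule outcome without any MRS traffic, which is exactly why the query tool reports the source alongside the category.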
18. Licensing
URL Filtering is a subscription based service
Per-user and per-year
License must be valid for URL Filtering to work
19. System Rule
Traffic with MRS is SSL encrypted.
A system rule allows HTTPS from LocalHost to the "Microsoft Reputation Service Sites" domain name set.
23. Edge Malware Protection
Inspect web traffic at the edge to prevent malware from infecting machines inside the organization.
It is easier to keep the edge updated with malware signatures than every individual client machine.
Unmanaged machines whose host AV might not be up to date are also protected.
Malware activity detected at the edge can be easily monitored thanks to logging and reporting.
25. Client Comforting
Accumulating an entire file and scanning it may take a significant amount of time.
During this period the client receives no data, so a software timeout can occur or the user may even cancel the download.
"Client comforting" is a set of methods that keep the user experience acceptable while content is inspected on the edge.
Comforting methods:
Delayed Download
HTML Progress Page
Trickling:
Standard
Fast
26. End User Scenarios – Delayed
1) User browses to site.com and attempts to download a file
2) site.com responds with content
3) TMG accumulates the content, timing the download and inspection
4) If the content is downloaded and inspected in less than X seconds (Delivery Delay), TMG passes the whole file to the client
(Diagram: client → TMG → site.com: request, request; site.com → TMG → client: response, response)
27. End User Scenarios – Progress Page
The end user receives an HTML Progress Page if the time for download and inspection exceeds X seconds (delivery delay) and some other conditions are satisfied (see next slide).
(Diagram: client → TMG → site.com: request, request; site.com → TMG: response; TMG → client: progress page)
28. End User Scenarios – Scanning completed
If the content is safe (or successfully cleaned), the page informs the user that the content is ready and displays a button for downloading it; otherwise the page notifies the user that malware was detected. In that case the file is purged immediately from temporary storage.
29. Standard Trickling
• TMG uses this method if the client application is not a browser (and so cannot handle the dynamic code embedded in the Progress Page).
• TMG delivers content to the client using trickling when Delayed Download and the Progress Page cannot apply. Trickling consists of sending very small chunks of data to the client until the whole file has been inspected.
(Diagram: client → TMG → site.com: request, request; site.com → TMG: response; TMG → client: trickled response)
User's experience: the download starts at a very low transfer rate and speeds up after inspection completes.
30. Fast Trickling
Similar to Standard Trickling.
Intended for media files played by online players (like YouTube).
TMG delivers the data to the end user as fast as possible to keep a good user experience.
The trade-off between user experience and inspection performance is governed by the FastTricklingMode COM setting.
User experience degrades (but inspection performance improves) as the EMP filter requires more minimum bytes before it can perform a partial inspection, since more data is buffered on TMG.
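The decision logic of slides 25 to 30, as an added example that is not from the original deck or from TMG's own code: it picks the comforting method for a download (whole-file delivery when the scan finishes inside the delivery delay, the progress page for browsers, standard trickling for other clients, fast trickling for media) and shows how many bytes have already reached the client when the malware verdict arrives. The delivery delay, trickle interval, chunk size, fast-mode buffer and the `EICAR` stand-in signature are assumed values, not TMG defaults.

```python
"""Model of TMG client comforting: choose the comforting method for a download
and simulate what reaches the client while the Edge Malware Protection (EMP)
scan runs. Added illustration, not TMG code; all timing constants are assumed."""
from __future__ import annotations
from dataclasses import dataclass

DELIVERY_DELAY = 10.0     # seconds; the X of the slides (assumed value)
TRICKLE_INTERVAL = 5.0    # seconds between standard-trickle chunks (assumed)
TRICKLE_CHUNK = 16        # bytes per standard-trickle chunk (assumed)
FAST_MIN_BYTES = 4096     # bytes EMP keeps back in fast mode for partial inspection (assumed)


@dataclass
class Download:
    host: str
    content: bytes
    client_is_browser: bool         # can render the progress page's dynamic code
    is_media: bool                  # played by an online player
    download_and_scan_seconds: float


@dataclass
class Scanner:
    """Stand-in for EMP. Constructed signature: content containing b'EICAR'
    is malware. The verdict is only known once the whole file has arrived."""
    signature: bytes = b"EICAR"

    def is_clean(self, content: bytes) -> bool:
        return self.signature not in content


def choose_method(d: Download, delivery_delay: float = DELIVERY_DELAY) -> str:
    if d.download_and_scan_seconds <= delivery_delay:
        return "delayed download"       # whole file passed once inspected
    if d.is_media:
        return "fast trickling"
    if d.client_is_browser:
        return "progress page"
    return "standard trickling"         # non-browser clients


def early_bytes(d: Download, method: str) -> int:
    """Bytes that reach the client before the verdict (zero unless trickling)."""
    n = len(d.content)
    if method == "standard trickling":
        chunks = int(d.download_and_scan_seconds // TRICKLE_INTERVAL)
        return min(n, chunks * TRICKLE_CHUNK)
    if method == "fast trickling":
        return max(0, n - FAST_MIN_BYTES)
    return 0


@dataclass
class Outcome:
    method: str
    delivered: bytes
    verdict: str


def deliver(d: Download, scanner: Scanner, delivery_delay: float = DELIVERY_DELAY) -> Outcome:
    method = choose_method(d, delivery_delay)
    early = early_bytes(d, method)
    if scanner.is_clean(d.content):
        return Outcome(method, d.content, "clean")
    if early == 0:
        # Held in temporary storage until the verdict: nothing was sent, file purged.
        return Outcome(method, b"", "malware detected, file purged")
    # Trickled bytes are already on the wire and cannot be recalled.
    return Outcome(method, d.content[:early], "malware detected, remainder withheld")


if __name__ == "__main__":
    s = Scanner()
    media = Download("video.example", b"A" * 9995 + b"EICAR", True, True, 30.0)
    out = deliver(media, s)
    print(out.method, out.verdict, len(out.delivered))   # fast trickling ... 5904
```

The last case is the one to keep in mind when tuning FastTricklingMode: with fast trickling, everything except the buffered minimum has already been delivered by the time EMP reaches the detection, so a larger buffer means less leaked content at the cost of a slower start for the player.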
32. HTTPS Inspection
Today more and more web traffic is HTTPS. Some of this traffic is legitimate; some is not and may carry malicious content.
We have many tools for HTTP protection (antimalware, NIS, ...) but none for HTTPS, because this traffic is tunneled through the proxy.
This feature enables the TMG administrator to inspect outgoing HTTPS traffic at the edge and prevents the end user from downloading malicious software (malware) that could infect the entire organization.
34. Motivation
In order to inspect outgoing HTTPS traffic, TMG breaks HTTPS connections using a man-in-the-middle mechanism (a sort of "bridging").
35. HTTPS Inspection Mechanism
Client side: in the web browser the user opens https://www.fabrikam.com and receives, over SSL, a certificate for www.fabrikam.com signed by "TMG CA".
TMG side: TMG opens its own SSL request to https://www.fabrikam.com and receives the original certificate for www.fabrikam.com signed by Verisign.
36. TMG CA Certificate not installed on client
The CA certificate used by TMG (e.g. a self-signed certificate) must be deployed on the client; otherwise the client will not trust the certificate TMG issues on behalf of the web server (and the user will not receive the inspection notifications either).
If the client does not have the CA certificate used by TMG, it receives a certificate error (shown on the original slide) when accessing an SSL web site while HTTPS inspection is enabled.
37. CA Certificate generation and deployment
The CA certificate TMG uses to issue the server certificates can be of two types:
a generated self-signed certificate
a certificate from an existing trusted certification authority
38. CA Certificate generation and deployment
This CA certificate must then be deployed on the client computers (under "Trusted Root Certification Authorities" in the Local Computer certificate store); otherwise the client will not trust the server certificate received from TMG.
Two possible deployment methods for the CA certificate:
39. User notifications
Client must have TMG Client to receive notification of inspection
and CA Certificate must be properly deployed on client
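The trust relationships of slides 32 to 39, as an added example that is not from the original deck or from TMG's code: a model proxy terminates the client's SSL session with a leaf certificate carrying the origin's name but signed by the TMG CA, tunnels hosts on the HTTPS exclusion list untouched, and validates the origin certificate before bridging. Certificates are simplified records rather than X.509, and the CA names, host names, category assignments and exclusion lists are assumptions made for the example.

```python
"""Model of what the client sees with TMG HTTPS inspection on or off, and
why the TMG CA must be in the client's Trusted Root store.
Added illustration, not TMG code; certificates are simplified records."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str    # host name (leaf) or CA name (root)
    issuer: str     # who signed it; a self-signed root has issuer == subject


# Constructed origin PKI: the public sites chain to a public root.
PUBLIC_ROOT = "Verisign"
ORIGIN_CERTS = {
    "www.fabrikam.com": Cert("www.fabrikam.com", PUBLIC_ROOT),
    "www.example-bank.test": Cert("www.example-bank.test", PUBLIC_ROOT),
}
TMG_CA = Cert("TMG CA", "TMG CA")


def validate(cert: Cert, expected_host: str, trusted_roots: set[str]) -> tuple[bool, str]:
    """What any client (and TMG itself) checks: name matches, issuer is trusted."""
    if cert.subject != expected_host:
        return False, f"name mismatch: {cert.subject} != {expected_host}"
    if cert.issuer not in trusted_roots:
        return False, f"issuer {cert.issuer!r} is not a trusted root"
    return True, "ok"


class TmgHttpsInspection:
    """Bridges HTTPS: terminates the client's SSL with a certificate issued on
    the fly by the TMG CA and opens its own SSL session to the origin."""

    def __init__(self, ca: Cert, excluded_hosts: set[str], excluded_categories: set[str],
                 categories: dict[str, str], tmg_trusted_roots: set[str]):
        self.ca = ca
        self.excluded_hosts = excluded_hosts
        self.excluded_categories = excluded_categories   # HTTPS exclusion list by URL category
        self.categories = categories                     # host -> category, from URL filtering
        self.tmg_trusted_roots = tmg_trusted_roots
        self.issued: dict[str, Cert] = {}                # generated leaf certificates

    def excluded(self, host: str) -> bool:
        return host in self.excluded_hosts or self.categories.get(host) in self.excluded_categories

    def connect(self, host: str) -> tuple[Cert, str]:
        """Returns (certificate presented to the client, 'tunneled' | 'inspected')."""
        origin = ORIGIN_CERTS[host]
        if self.excluded(host):
            return origin, "tunneled"                    # pass-through: client sees the origin cert
        ok, why = validate(origin, host, self.tmg_trusted_roots)
        if not ok:
            raise ConnectionError(f"TMG rejected origin certificate: {why}")
        if host not in self.issued:
            # Same subject as the origin, but signed by the TMG CA.
            self.issued[host] = Cert(subject=origin.subject, issuer=self.ca.subject)
        return self.issued[host], "inspected"


def client_fetch(proxy: TmgHttpsInspection, host: str, client_roots: set[str]) -> tuple[bool, str, str]:
    """Browser side: (trusted?, reason, mode) for a client with the given root store."""
    cert, mode = proxy.connect(host)
    ok, why = validate(cert, host, client_roots)
    return ok, why, mode


def origin_rejected(proxy: TmgHttpsInspection, host: str) -> bool:
    """True when TMG refuses to bridge because it does not trust the origin's issuer."""
    try:
        proxy.connect(host)
        return False
    except ConnectionError:
        return True


if __name__ == "__main__":
    proxy = TmgHttpsInspection(TMG_CA, set(), {"Finance"},
                               {"www.example-bank.test": "Finance"}, {PUBLIC_ROOT})
    print(client_fetch(proxy, "www.fabrikam.com", {PUBLIC_ROOT}))            # untrusted: TMG CA missing
    print(client_fetch(proxy, "www.fabrikam.com", {PUBLIC_ROOT, "TMG CA"}))  # trusted once the CA is deployed
    print(client_fetch(proxy, "www.example-bank.test", {PUBLIC_ROOT}))       # tunneled, origin cert seen
```

The model makes the two security consequences of the slides explicit: a client without the TMG CA in its root store fails validation on every inspected site, and any client that does carry that CA now trusts whatever the proxy chooses to issue, so the CA's private key must be protected as carefully as a real CA's.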
44. Intrusion Prevention System
Forefront Network Inspection System (NIS)
Closes the vulnerability window between vulnerability announcement and patch deployment
Signature distribution by Microsoft Update
Concurrent with security patches or in response to a 0-day attack
45. Using NIS for IPS
(Diagram: vulnerability found → signature authoring team → signature delivered to TMG)
Detects and prevents known vulnerability-based attack attempts at the edge of the network or in the datacenter
Same-day availability of the patch and the NIS signature
Closes the vulnerability window needed for patch testing and deployment:
Patches need to be tested more thoroughly
Customer acceptance (similar to AV updates)
50. ISP-R – Introduction
New feature introduced in TMG that allows two ISP connections to coexist.
With this feature TMG ensures that Internet connectivity is not lost even when one Internet service provider (ISP) is down.
51. Feature Overview
Two different scenarios:
High availability of Internet connectivity: TMG uses a backup line when the primary is down (failover)
Load balancing between ISP providers/connections: TMG uses two concurrent ISP connections
52. Scenarios
Two-network-adapter scenario: TMG is configured with two NICs on the external network. Each NIC has a different subnet and is connected to a different ISP.
Single-network-adapter scenario: TMG is configured with a single NIC on the external network carrying two different subnets, one for each ISP.
Note that Windows displays a warning when the administrator defines more than one default gateway on the system. In this case the warning can be ignored.
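The two ISP-R modes of slides 50 to 52, as an added example that is not from the original deck or from TMG's code: failover returns the first live link in priority order, load balancing spreads connections over both links by weight while keeping each flow on one link (so a connection keeps its source address for its lifetime), and a dead link is skipped by both modes. The link names, gateway addresses, weights and the reachability probe are assumptions made for the example.

```python
"""Model of TMG ISP redundancy: failover and weighted load balancing across
two ISP links with dead-link detection. Added illustration, not TMG code."""
from __future__ import annotations
from dataclasses import dataclass
import hashlib


@dataclass
class Link:
    name: str
    gateway: str      # default gateway of this ISP (assumed documentation addresses)
    weight: int = 50  # load-balancing share in percent (assumed)
    up: bool = True   # result of the last connectivity probe


def probe(link: Link, reachable_gateways: set[str]) -> bool:
    """Dead-link detection stand-in: the probe succeeds when the gateway is in
    the constructed reachable set. A real probe would ping the gateway or a
    host behind it."""
    link.up = link.gateway in reachable_gateways
    return link.up


def pick_link(links: list[Link], mode: str, flow_key: str) -> Link | None:
    """links are ordered primary first. failover: first live link.
    load balancing: weighted choice keyed on the flow, so one connection
    always maps to the same ISP while both links are up."""
    alive = [l for l in links if l.up]
    if not alive:
        return None
    if mode == "failover":
        return alive[0]
    if mode != "load balancing":
        raise ValueError(f"unknown mode {mode!r}")
    total = sum(l.weight for l in alive)
    digest = hashlib.sha256(flow_key.encode()).digest()
    point = int.from_bytes(digest[:4], "big") % total
    for link in alive:
        if point < link.weight:
            return link
        point -= link.weight
    return alive[-1]


def distribute(links: list[Link], mode: str, flows: list[str]) -> dict[str, int]:
    """Count how many flows land on each link ('dropped' when no link is up)."""
    counts: dict[str, int] = {}
    for flow in flows:
        chosen = pick_link(links, mode, flow)
        name = chosen.name if chosen else "dropped"
        counts[name] = counts.get(name, 0) + 1
    return counts


def demo_links() -> list[Link]:
    return [Link("ISP-A", "203.0.113.1", weight=75), Link("ISP-B", "198.51.100.1", weight=25)]


if __name__ == "__main__":
    links = demo_links()
    flows = [f"10.0.0.{i}:443" for i in range(1, 201)]
    print(distribute(links, "load balancing", flows))   # roughly 150 on ISP-A, 50 on ISP-B
    for link in links:
        probe(link, {"198.51.100.1"})                   # ISP-A's gateway stops answering
    print(distribute(links, "failover", flows))         # everything on ISP-B
```

When the primary link comes back the per-flow hash moves flows back to it, which is the behaviour to expect from any deterministic load-balancing scheme: a failover and a recovery both change the public source address of affected connections, so stateful destinations may see sessions reset.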
55. TMG 2010 Virtualization
Security Considerations with Forefront Edge Virtual Deployments
Securing ISA Server and Forefront TMG in a virtual environment