1. Introduction to TMG. TMG and UAG seminar held at Microsoft (Rome).

Speaker notes
  • To run the Preparation Tool
    1. On the Installation Type page, select the required installation type option:
       - Forefront TMG services and Management
       - Forefront TMG Management only
       - Enterprise Management Server (EMS) for centralized array management
       The Preparation Tool downloads and installs the prerequisite applications, according to the selected Forefront TMG installation type.

    To install Forefront TMG
    1. Insert the Forefront TMG 2010 DVD into the DVD drive, or run autorun.hta from a shared network drive.
    2. On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.
    3. On the main setup page, click Run Preparation Tool to launch the Preparation Tool.
    4. On the main setup page, click Run Installation Wizard to launch the Forefront TMG Installation Wizard.
    5. On the Installation Type page, click the Forefront TMG Services and Management button.
    6. On the Installation Path page, specify the Forefront TMG 2010 installation path.
    7. On the Define Internal Network page, click Add, click Add Adapter, and then select the adapter which is connected to the main corporate network.
       Note: If you are installing Forefront TMG on a computer with a single network adapter, all IP address ranges should be configured for the Internal network, except for the following: 0.0.0.0; 255.255.255.255; 127.0.0.0-127.255.255.255 (Local Host); 224.0.0.0-254.255.255.255 (multicast).
    8. On the Ready to Install the Program page, click Install.

    Adding IP addresses to the internal network
    On the Addresses page, select any of the following methods to add addresses to the Internal network:
    - Add Range: adds a range of IP addresses. You must specify the beginning and ending IP address in the range; for example, 10.0.0.1 to 10.0.0.255.
    - Add Adapter: selects a network adapter. The IP addresses that are included in the Internal network are based on the IP address and subnet mask of the selected adapter.
    - Add Private: adds IP addresses defined as non-routable IP addresses, based on Request for Comment (RFC) 1918, and on the Automatic Private IP Addressing (APIPA) feature.
  • You can configure your deployment settings using the Deployment Wizard.
    To configure your deployment settings
    1. In the Getting Started Wizard, click Define deployment options.
    2. On the Microsoft Update Setup page of the Deployment Wizard, click Use the Microsoft Update service to check for updates (recommended) to specify that the Microsoft Update service should be used to obtain malware definition updates.
    3. On the Forefront TMG Protection Features Settings page of the wizard, do the following:
       a. For Network Inspection System, select to activate the complementary license and enable Network Inspection System (NIS).
       b. For Web Protection, select the license activation type for Web protection. If you selected Activate purchased license and enable Web Protection, enter the license key and expiration date of the purchased license.
       c. If you want to scan requested HTTP content allowed by access rules for malware, such as viruses and spyware, select Enable malware inspection.
    4. On the NIS Signature Update Settings page of the wizard, for Select automatic update action, select the type of action to deploy when there are new or updated signature sets.
    5. For New Signature Set Configuration, select the response policy option for new signatures.
    6. On the Customer Feedback page of the wizard, if you want to participate in the Customer Experience Improvement Program, click Yes, I am willing to participate anonymously to join the Customer Experience Improvement Program. This program helps Microsoft to improve the quality and reliability of Forefront TMG. If you join the program, Microsoft collects anonymous information about hardware configuration, use of software and services, and trend patterns. No personally identifiable information is collected.
    7. On the Microsoft Telemetry Reporting Service page, do one of the following:
       - Click the Basic button to send basic information to Microsoft regarding filtered URLs, URL category overrides, potential threats, and the response taken.
       - Click the Advanced button to provide information to Microsoft about potential threats including traffic samples and full URL strings.
       - Click the None button to decline participation in the service.
Slide transcript

    1. Introduction to TMG 2010. Fabrizio Volpe, MVP Directory Services, fabrizio.volpe@gmx.com
    2. A brief history of perimeter protection: Proxy Server 1.0, Proxy Server 2.0, Internet Security and Acceleration (ISA) Server 2000, ISA 2004, ISA 2006, Forefront Threat Management Gateway 2010. Milestones noted on the slide: stateful packet inspection, "trusted networks", no network traffic allowed out of the box, Web publishing.
    3. Forefront Edge Security and Access Products. The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures (before and now):
        - Network Protection: integrated and comprehensive protection from Internet-based threats
        - Network Access: unified platform for all enterprise remote access needs
    4. Forefront TMG and UAG
        - New features make Forefront TMG the ideal outbound access solution.
        - In contrast to ISA 2006, very little has been done in Forefront TMG in terms of improvements for inbound access control. Exceptions: Secure Socket Tunneling Protocol (SSTP) for VPN client connections; NAP integration.
        - You will not see any other major changes in the Web or Server Publishing features when moving from ISA 2006 to Forefront TMG.
        - The majority of inbound access (remote access) effort is going into Microsoft Forefront Unified Access Gateway (UAG) 2010.
        - It is expected that Forefront TMG will be used primarily for outbound access control and network firewall, and UAG will be used for inbound access (remote access) control.
    5. Possible placements in the network perimeter
        - Edge of the corporate network
        - Back-end firewall behind another Forefront TMG firewall or third-party firewall
        - As a parallel firewall on the edge, next to another Forefront TMG or third-party firewall
        - As a network service segment, providing a secure perimeter between client systems and network services
        - Multi-homed firewall that acts as the hub between multiple internal and perimeter networks
    6. Forefront TMG: features
        - Firewall: control network policy access at the edge
        - Secure Web Gateway: protect users from Web browsing threats
        - Secure E-mail Relay: protect users from e-mail threats
        - Integrated Remote Access Gateway: enable users to remotely access corporate resources
        - Intrusion Prevention: protect desktops and servers from intrusion attempts
    7. Forefront TMG: deployment scenarios
        - Unified Threat Management (UTM): all-in-one solution for medium businesses; firewall, VPN, Web security, IPS and e-mail relay in a single box
        - Secure Web Gateway: authenticating proxy with security; Web antivirus and URL filtering; inspection of HTTP and HTTPS traffic
        - Remote Access Gateway: secure Web publishing; dial-in VPN; site-to-site VPN
        - Secure E-mail Relay: antispam; antivirus; e-mail filtering
    8. Forward proxy, reverse proxy, Web proxy, and Winsock Proxy Server
        - Web proxy server: application layer inspection; for forward proxy connections, Web anti-malware capabilities and URL filtering; reverse proxy services; for reverse proxy, SSL bridging; for both, HTTP protocol inspection
        - Remote Access VPN Server: stateful packet and application layer inspection on all traffic moving through the VPN; user-based access controls (based on user name or user group membership); Remote Access Quarantine Control and Network Access Protection (NAP)
        - Secure E-mail Gateway: the Forefront TMG e-mail gateway feature is powered by the Edge Transport Server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server
    9. Network Inspection System, Malware Inspection and HTTPS Inspection
        - Network Inspection System: uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then to take action
        - Malware Inspection: the Malware Inspection filter (Edge Malware Protection) is a built-in Web filter; delayed download, HTML progress page, trickling
        - HTTPS Inspection: Forefront TMG introduces a new feature called HTTPS inspection; it is based on a trusted man-in-the-middle mechanism, in which Forefront TMG works as a trusted man in the middle to be the SSL site for the client
    10. Summary of features
        - Firewall: VoIP traversal; Enhanced NAT; ISP link redundancy
        - Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
        - E-mail Protection: Exchange Edge integration; antivirus; antispam
        - Intrusion Prevention: Network Inspection System
        - Remote Access: NAP integration with client VPN; SSTP integration
        - Deployment and Management: array management; change tracking; enhanced reporting; Windows Server 2008, native 64-bit
        - Subscription Services: malware protection; URL filtering; intrusion prevention
    11. Summary of features: comparison with ISA Server 2006
        Feature                                  ISA Server 2006   Forefront TMG
        Network layer firewall                   Yes               Yes
        Application layer firewall               Yes               Yes
        Internet access protection (proxy)       Yes               Yes
        Basic OWA and SharePoint publishing      Yes               Yes
        Exchange publishing (RPC over HTTP)      Yes               Yes
        IPSec VPN (remote and site-to-site)      Yes               Yes
        Web caching, HTTP compression            Yes               Yes
        Windows Server 2008 R2, 64-bit (only)    No                Yes (new)
        Web antivirus, antimalware               No                Yes (new)
        URL filtering                            No                Yes (new)
        E-mail antimalware, antispam             No                Yes (new)
        Network intrusion prevention             No                Yes (new)
        Enhanced UI, management, reporting       No                Yes (new)
    12. Licenses: two editions and two Client Access Licenses (CALs)
        - Enterprise Edition: scalability and management
        - Standard Edition: full UTM
        - Subscriptions: Web protection; e-mail protection
    13. Edition comparison
        Feature                             Standard Edition   Enterprise Edition
        Number of CPUs                      Up to 4 CPUs       Unlimited
        Array/NLB/CARP support              No                 Yes
        Enterprise management               No                 Yes, with added ability for EMS to manage SEs
        Publishing                          Yes                Yes
        VPN support                         Yes                Yes
        Forward proxy/cache, compression    Yes                Yes
        Network IPS (NIS)                   Yes                Yes
        E-mail protection                   Requires a Microsoft Exchange Server license (Server + CALs) and installation by the admin
    14. License transition from ISA 2006 to TMG 2010 (today / at launch)
        - ISA Server SE / Forefront TMG 2010 SE
        - ISA Server EE / Forefront TMG 2010 EE
        - Covered by Software Assurance / Forefront TMG 2010 EE
        - Available per user/device, per year
    15. Installation and initial configuration
    16. System requirements (minimum / recommended)
        - Processor: 2 cores (1 CPU x dual core), 64-bit processor / 4 cores (2 CPU x dual core or 1 CPU x quad core), 64-bit processor
        - Memory: 2 gigabytes (GB) / 4 gigabytes (GB)
        - Hard disk space: 2.5 GB of available hard disk space* / 2.5 GB of available hard disk space*
        - Hard disks: one local hard disk partition formatted with NTFS / two disks, one for system and logging and one for caching and malware inspection
        - Network: one network adapter for communicating with the internal network / one network adapter for each network connected to the Forefront TMG 2010 server
        - Operating system: Windows Server 2008 x64 with Service Pack 2, or Windows Server 2008 R2
        * Exclusive of the hard disk space used for caching and for storing temporary files
    17. Required server roles and features
        - Server roles and features required by Forefront TMG include: Network Policy Server; Routing and Remote Access Services; Active Directory Lightweight Directory Services; Network Load Balancing; Windows PowerShell. These server roles are installed by the Forefront TMG Preparation Tool during Forefront TMG installation; you do not need to install them in advance. They are not removed if you uninstall Forefront TMG.
        - Other software: Microsoft .NET Framework 3.5 SP1; Windows Web Services API; Microsoft Update; Windows Installer 4.5
        - Forefront TMG is not supported on a machine that is configured as a domain controller, with the exception of a read-only domain controller, which requires that TMG Service Pack 1 be installed.
    18. Prerequisites
        - Basic installation: connected to the network, with DNS server settings configured
        - For the Secure Mail Relay usage scenario: Exchange Edge Transport role; Microsoft Exchange Server 2007 with Service Pack 1, or Microsoft Exchange Server 2010; Microsoft Forefront Protection 2010 for Exchange Server
    19. Note: Enterprise Management Server
        - Both the Standard and Enterprise editions of Forefront TMG store their configurations in an Active Directory Lightweight Directory Services (AD LDS) database.
        - Standard Edition: the AD LDS database is always on the Forefront TMG firewall itself.
        - Enterprise Edition: option of installing the AD LDS configuration database on a firewall array member or on a separate computer. The separate computer hosting the AD LDS database is called the Enterprise Management Server (EMS).
    20. Installation (screenshot)
    21. Installation (screenshot)
    22. Initial configuration: Getting Started Wizard
    23. Network settings: Network Setup (Template) Wizard. Select the network topology used: Edge firewall; 3-Leg perimeter; Back firewall; Single network adapter
    24. Network settings: Network Setup Wizard. Define the IP configuration for each network adapter; assign each adapter to the appropriate network
    25. System settings: System Configuration Wizard. Define host name, domain membership and DNS suffix
    26. Deployment settings: Deployment Wizard. Activate subscription licenses; enable malware protection and intrusion prevention; configure signature update schedule and response policy; join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
    27. Deployment settings: Deployment Wizard (screenshot)
    28. Basic concepts
    29. Network Relationship
        - TMG defines a network as a logical representation of a network connection owned by the computer where TMG operates. These networks can be a physical connection such as a network interface card (NIC) or modem, or a logical interface such as a dial-in or site-to-site VPN connection.
        - In each case, TMG must have a clear understanding of how to define and process the traffic that is received from a given network.
        - The simplest definition for a network relationship is the relationship indicated by the source and destination hosts as defined in the traffic 5-tuple.
        - Note: 5-tuple is an industry-standard term describing the criteria used to uniquely identify an IP communication channel. This data includes: source and destination IP addresses; source and destination ports (if used); transport protocol (TCP, UDP, and so on).
    30. Configuration: Network Rules
        - Like firewall policy rules, network rules define how TMG will handle traffic between source and destination hosts; they define the allowed traffic flows.
        - Network rules are also processed in the order in which they are defined.
        - Because network rules form a primary criterion for traffic processing, they have the power to discard traffic before any firewall policy rule has the opportunity to evaluate it. When this happens, the firewall log will not include a name in the rule field, because no firewall policy rule processed the traffic.
        - As is the case with firewall policy rules, the order of network rules is critical to correct traffic evaluation by TMG.
    31. Configuration: Network Rules
        - All network rule sets will begin with the same rule, Local Host Access, which defines a route relationship for traffic that is sourced or terminated by TMG itself. This rule cannot be modified by the TMG administrator.
        - All network rules operate in the context of network objects.
        - When you run the Network Rule Wizard, you are given the opportunity to select from a subset of the firewall policy network objects.
        - Options presented for network rule source and destination elements are limited to those items that are defined as some variation or grouping of an IP address, IP subnet, IP address range, or combinations of these as in Computer or Network Sets.
        - No firewall policy criteria which abstract the source or destination into a name (such as domain or URL sets) can be used for network rules, because they cannot represent literal network membership.
    32. Configuration: Network Adapters. Forefront TMG supports unlimited network adapters, limited only by hardware
    33. Configuration: Networks. The Networks configuration models the enterprise network infrastructure: each Network contains all reachable IPs for a network adapter; Networks cannot overlap with other Networks; static or dynamic
    34. Configuration: Network Sets. Network Sets are used to group one or more networks; defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude); used in the definition of network and policy rules
    35. Configuration: Network Relationship. Determines the relationship between two networks:
        - Route: bi-directional; source address not modified
        - NAT: uni-directional; source address is modified
        - Required for non-Web access and Server Publishing rules
        - The Web proxy filter ignores network rules
    36. Configuration: Network Rules. New feature: Enhanced NAT, which lets you specify the IP address to be used when doing NAT
    37. Configuration: Routing. Displays the routing table used between networks; set via the route -p add command or the GUI
    38. Forefront TMG Policy. Three types of rules: 1. Network rules; 2. System policy; 3. Firewall policy
    39. Installation on a server with a single network adapter. Forefront TMG supports using a single network adapter.
        - Supported scenarios: Secure Web Gateway (forward Web proxy and cache); Web Publishing (reverse Web proxy and cache); remote client VPN access
        - Unsupported scenarios: application layer inspection (except for Web proxy); server publishing; non-Web clients; Firewall client; SecureNAT; site-to-site VPNs
    40. What to check if Setup failed
        - During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%\temp folder. The information in the TMG Setup log files is based on Microsoft Windows Installer logging.
        - If you want to use the SMTP Protection feature on TMG, you need to install the Microsoft Exchange Edge Transport role and Forefront Protection 2010 for Exchange Server. The log files for the Exchange component of the installation are stored at %systemdrive%\ExchangeSetupLogs.
        - The Forefront Protection 2010 for Exchange Server component adds setup information in the file FssSetupLogYYMMDDTimeStamp.txt, which is located in %systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server.
        - If TMG Setup fails for any reason, first read the description of the error message that appears onscreen.
    41. Setup log files (screenshot)
    42. Classic configuration errors
        - Multiple default gateways: define only one default gateway
        - Not adding reachable addresses to Networks: ensure all reachable addresses are added
        - DNS resolution issues: the DNS server list is system wide, not per adapter; use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
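As an added check for two of the mistakes the deck calls out, overlapping Networks (slide 33) and reachable hosts that belong to no Network (slide 42), plus the single-adapter Internal network definition from the installation notes, the following Python is an example written for this page, not code from the deck or from Microsoft. It models a TMG Network simply as a list of first/last IPv4 address pairs, mirrors the three Addresses-page methods (Add Range, Add Adapter, Add Private), and uses constructed sample addresses and Network names.

```python
"""Added example (not from the deck): model the address sets behind TMG
Networks and check for two setup mistakes the slides call out, namely
Networks that overlap (slide 33) and reachable hosts that belong to no
Network (slide 42).  All addresses below are constructed sample values."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
Networks = Dict[str, List[IPRange]]


def add_range(first: str, last: str) -> IPRange:
    """'Add Range' on the Addresses page: an explicit first and last address."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    return (lo, hi)


def add_adapter(ip_with_mask: str) -> IPRange:
    """'Add Adapter': the range follows from the adapter's IP address and subnet mask."""
    net = ipaddress.IPv4Interface(ip_with_mask).network
    return (net.network_address, net.broadcast_address)


def add_private() -> List[IPRange]:
    """'Add Private': the RFC 1918 blocks plus the APIPA (169.254.0.0/16) range."""
    return [add_adapter(b) for b in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


# Ranges the installation notes say to leave OUT of the Internal network on a
# single-adapter server: 0.0.0.0, 255.255.255.255, Local Host and multicast.
SINGLE_ADAPTER_EXCLUDED: List[IPRange] = [
    add_range("0.0.0.0", "0.0.0.0"),
    add_range("127.0.0.0", "127.255.255.255"),
    add_range("224.0.0.0", "254.255.255.255"),
    add_range("255.255.255.255", "255.255.255.255"),
]


def single_adapter_internal() -> List[IPRange]:
    """Internal network for a single-NIC install: all of IPv4 minus the excluded ranges."""
    ranges: List[IPRange] = []
    cursor = 0  # next address (as an int) not yet assigned to a range
    for lo, hi in sorted(SINGLE_ADAPTER_EXCLUDED):
        if int(lo) > cursor:
            ranges.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(int(lo) - 1)))
        cursor = int(hi) + 1
    if cursor <= 0xFFFFFFFF:
        ranges.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(0xFFFFFFFF)))
    return ranges


def overlapping(networks: Networks) -> List[Tuple[str, str]]:
    """Pairs of Networks whose ranges overlap; TMG Networks may not overlap."""
    names = sorted(networks)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(lo1 <= hi2 and lo2 <= hi1
                   for lo1, hi1 in networks[a] for lo2, hi2 in networks[b])]


def unreachable(networks: Networks, hosts: Iterable[str]) -> List[str]:
    """Hosts that fall in no Network: the 'reachable address not added' mistake."""
    return [h for h in hosts
            if not any(lo <= ipaddress.IPv4Address(h) <= hi
                       for ranges in networks.values() for lo, hi in ranges)]


# Constructed sample: an edge-firewall layout containing one mistake of each kind.
SAMPLE_NETWORKS: Networks = {
    "Internal": [add_adapter("10.1.0.5/16")],                 # 10.1.0.0 - 10.1.255.255
    "Perimeter": [add_range("10.1.200.1", "10.1.200.254")],   # overlaps Internal
}
SAMPLE_HOSTS = ["10.1.3.20", "10.2.0.10"]  # 10.2.0.10 sits behind a router but is in no Network


if __name__ == "__main__":
    for lo, hi in single_adapter_internal():
        print(f"single-adapter Internal range: {lo} - {hi}")
    print("overlapping Networks:", overlapping(SAMPLE_NETWORKS))
    print("reachable hosts in no Network:", unreachable(SAMPLE_NETWORKS, SAMPLE_HOSTS))
```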