4. TMG 2010 e UAG 2010
TMG and UAG seminar held at Microsoft (Rome)

Published in: Technology
  • The Web listener is used to: indicate the IP address and port to which a client makes a connection, and enable TMG 2010 to pre-authenticate the connection. Web listeners can be used by more than one Web publishing rule.
  • Transcript

    • 1. TMG 2010 and UAG 2010 for publishing web applications
    • 2. TMG - Remote Access Gateway
    • 3. Forefront™ Unified Access Gateway – The Basics
      • Forefront UAG is fundamentally a router. It has an external side that is the access point for clients connecting from the Internet, and an internal side through which the server fetches data from internal corporate servers.
      • While it is theoretically possible to use the server with a single network card, this option is not supported and will not work for most of UAG's functionality.
      • UAG is designed to enable remote access in two primary roles: application publishing and VPN.
    • 4. Connectivity types: Forefront TMG 2010 connectivity examples (method; goal; usage scenario)
      • Non-HTTP server publishing; connectivity to specific internal non-HTTP servers; access to an internal e-mail (SMTP) server
      • Web server publishing; connectivity to internal Web servers; access to the Outlook Web application
      • Virtual Private Network; full connectivity to the corporate network; access for employees connecting from home or at a customer site
    • 5. Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG): product positioning
      • Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats
      • Forefront UAG: comprehensive, secure remote access to corporate resources
      • Forefront UAG is the preferred solution for providing remote access; Forefront TMG 2010 still provides support for remote access features, but is not the recommended solution
    • 6. Publishing Non-HTTP Servers
    • 7. Non-HTTP Server Publishing
      • Allows mapping requests to non-Web servers in one of the TMG 2010 networks; clients can be either on the Internet or on a different internal network
      • Can be used to publish most TCP and UDP protocols
      • Behavior depends on whether the non-Web server is behind a NAT relationship or not: if behind NAT, clients connect to an IP address belonging to Forefront TMG; if behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server
      • The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010
    • 8. Managing publishing ports
    • 9. Publishing internal ports
    • 10. Network Inspection System (NIS) Filters
    • 11. Available wizards (from Firewall Policy Tasks): publish common non-Web protocols; publish mail (SMTP) servers
    • 12. Non-HTTP Server Publishing: things to consider when planning server publishing
      • No authentication support: access restriction by network elements only (networks, subnets, or IP addresses)
      • No support in a single-adapter configuration
      • Client source IP address preserved; behavior can be changed using a rule setting
      • Application Layer Filter and NIS signature coverage: SMTP, POP3, DNS, etc.
    • 13. Web Publishing
    • 14. Web Publishing
      • Provides secure access to Web content to users from the Internet; Web content may be either on internal networks or in a DMZ
      • Supports HTTP and HTTPS connections
      • Forefront TMG 2010 Web Publishing features: mapping requests to specific internal paths on specific servers; authentication and authorization of users at the TMG level; delegation of user credentials after TMG authentication; caching of the published content (reverse caching); inspection of incoming HTTPS requests using SSL bridging; load balancing of client requests among Web servers in a server farm
    • 15. Accessing Web resources
      • [Diagram: Internet clients reach an Exchange Server (OWA, RPC/HTTP(S), ActiveSync over HTTPS), a Web server (HTTP/HTTPS) and a SharePoint Server (HTTP) through Forefront TMG 2010]
      • Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols
    • 16. Configuration
      • 1. Define web listeners: IP addresses and ports that will listen for Web requests; authentication method used (client to TMG 2010); server certificates and SSL options; number of client connections allowed
      • 2. Create other rule elements: source addresses, Web farms, user sets, schedules
      • 3. Run the appropriate wizard
    • 17. Configuring Web Listeners
    • 18. Configuring Web Listeners: assigning a certificate to a Web listener. Invalid certificates are shown as "Private Key not Installed" or "Certificate Missing"
    • 19. Managing SSL traffic: SSL Bridging
      • 1. Client on the Internet encrypts communications
      • 2. TMG 2010 decrypts and inspects traffic
      • 3. TMG 2010 sends allowed traffic to the published server, re-encrypting it if required
    • 20. Authentication process
      • 1. Client credentials received
      • 2 & 3. Credentials validated
      • 4. Credentials delegated to the internal server
      • 5. Server sends response
      • 6. Response forwarded to client
    • 21. Configuring Web Listeners: client authentication methods (authentication; credential types; providers)
      • HTTP authentication (Basic, Digest, Integrated); username and password; Active Directory, LDAP, RADIUS (Digest and Integrated: Active Directory only)
      • Forms-based authentication (password); username and password; Active Directory, LDAP server, RADIUS server; password management
      • Forms-based authentication (passcode); username and passcode; RADIUS OTP, RSA SecurID; fallback to Basic
      • Forms-based authentication (password and passcode); username, password and passcode; RADIUS OTP, RSA SecurID; fallback to Basic; password management
    • 22. Authentication delegation: authentication methods
      • None – client cannot authenticate directly
      • None – client can authenticate directly
      • Basic authentication
      • NTLM authentication
      • Negotiate (Kerberos/NTLM)
      • Kerberos Constrained Delegation: SPN required for Kerberos; Forefront TMG 2010 needs to be in the same domain as the published server
    • 23. Authentication delegation: authentication methods x delegation support matrix (authentication method; authentication provider; delegation methods)
      • Basic, and Forms-based Authentication (password only); Active Directory, LDAP, RADIUS; Basic, NTLM, Negotiate (Kerberos/NTLM), Kerberos Constrained Delegation
      • Forms-based Authentication (passcode only); SecurID, RADIUS OTP; SecurID, Kerberos Constrained Delegation
      • Forms-based Authentication (password & passcode); SecurID, RADIUS OTP; SecurID, Basic, NTLM, Negotiate (Kerberos/NTLM)
      • Digest, Integrated, Client Certificate; Active Directory®; Kerberos Constrained Delegation
      • The "None, client can authenticate directly" and "None, client cannot authenticate directly" options apply to all methods
    • 24. Web Publishing Wizards: publish Web sites; publish SharePoint sites; publish Exchange Web client access (Outlook® Web Access, Outlook® Anywhere, Exchange ActiveSync®, Outlook® Mobile Access for Microsoft® Exchange Server® 2003)
    • 25. Web Publishing Rules
    • 26. Web Publishing Rules: define membership of a user group across different authentication namespaces; used for authorization at the Forefront TMG 2010 level
    • 27. Web Publishing Rules
      • Configure the Web rule schedule: define access hours for accessing the Web site
      • Configure link translation: translates internal names in links to the public names of the Web sites
    • 28. Virtual Private Networking (VPN)
    • 29. Forefront TMG Virtual Private Networking (VPN)
      • TMG 2010 supports two types of VPN: Remote Access VPN and site-to-site VPN
      • TMG 2010 implements Windows Server® 2008 VPN technology
      • Implements support for Secure Socket Tunneling Protocol (SSTP)
      • Implements support for Network Access Protection (NAP)
    • 30. Secure Socket Tunneling Protocol (SSTP)
      • New SSL-based VPN protocol: an HTTP-over-SSL session (TCP 443) between VPN clients and servers is used to exchange encapsulated IPv4 or IPv6 packets
      • Support for unauthenticated Web proxies
      • Support for Network Access Protection (NAP)
      • Client support in Windows Vista® SP1; no plans to backport SSTP to previous versions
    • 31. Network Access Protection (NAP): Windows policy validation and enforcement platform
      • Policy Validation: determines whether the computers are compliant with the company's security policy; compliant computers are deemed healthy
      • Network Restriction: restricts network access to computers based on their health
      • Remediation: provides the necessary updates to allow the computer to get healthy; once healthy, the network restrictions are removed
      • Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions
    • 32. NAP Support in Forefront TMG 2010
      • Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN; supports all VPN protocols, including SSTP
      • Different solution than the Remote Access Quarantine Services (RQS) supported in ISA Server 2006
      • NAP validates the health status of the remote client at connection time
      • VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network
    • 33. Unified Access Gateway 2010
    • 34. Features: SSL VPN; SSTP; Remote Desktop Gateway on the UAG itself; DirectAccess
    • 35. Integrated security
      • Overlay granular access control to specific sites and/or features within sites
      • Built-in endpoint security policies (integrated with NAP)
      • Expanded authentication and authorization capabilities
      • Session clean-up and information leakage prevention
      • Integrated network security
    • 36. Simplified management
      • Simplifies deployment and ongoing tasks through wizards and built-in policies
      • Simplifies the user experience, reducing support costs
      • Consolidates remote access infrastructure
      • [Diagram: Step 1: choose the type of application you wish to publish; Step 2: provide the internal name of the SharePoint Server and the external name; Step 3: configure the same external name on your SharePoint server; Done!]
    • 37. From IAG to UAG (feature; IAG; UAG)
      • Application publishing: granular application filtering (IAG and UAG, improved in UAG); session cleanup and removal (IAG and UAG); endpoint health detection (IAG and UAG, improved in UAG)
      • Integration: integrated with NAP policies (new in UAG); Remote Desktop and RemoteApp integration (new in UAG); extends and simplifies DirectAccess deployments (new in UAG)
      • Scale and management: built-in load balancing (new in UAG); array management capabilities (new in UAG); enhanced monitoring and management (SCOM) (new in UAG)
    • 38. UAG architecture
      • [Diagram: home / friend / kiosk, mobile, business partner / subcontractor and employee-managed machines reach UAG over HTTPS (443) and DirectAccess from the Internet; UAG fronts Exchange, CRM, SharePoint, LoB, IBM/SAP/Oracle, TS/RDS and non-Web applications in the data center or corporate network, authenticating against AD, ADFS, RADIUS, LDAP, etc.]
    • 39. Forefront TMG and UAG
      • Forefront TMG is installed during Forefront UAG setup; TMG acts as a firewall protecting the UAG server
      • UAG leverages TMG array management and monitoring functionality
      • Supported Forefront TMG configurations: creating access rules when deploying UAG for VPN access; monitoring via the TMG console; configuring system policy rules for controlling access to and from the UAG server; publishing some Exchange and OCS protocols using TMG
      • No other Forefront TMG functionality is supported (intrusion prevention, malware inspection, forward and reverse Web proxying, etc.)
    • 40. Trunks and Portals
    • 41. Forefront UAG Trunks
      • Transfer channels that make internal resources and applications available to remote endpoints
      • A Forefront UAG server can have multiple trunks; trunks can be either HTTP or HTTPS
      • Types of trunks: portal trunks (present a Web portal to the user with multiple associated applications and resources); Active Directory® (AD) FS trunks (used to publish AD FS servers); redirection trunks (redirect HTTP requests to an HTTPS trunk)
    • 42. Trunk Settings: the following settings are configured per trunk: IP address and port; server certificate; portal homepage; authentication methods; session settings; endpoint policy requirements; traffic inspection; HTTP compression
    • 43. Forefront UAG user authentication: supported authentication schemes (authentication protocol; identity repository)
      • Passthrough (no authentication); user authenticates directly with the back-end application
      • Active Directory; uses Active Directory for authentication and authorization
      • LDAP; Active Directory, Active Directory Lightweight Directory Services (AD LDS), Netscape Directory Server, Notes Directory Server, Novell Directory Service
      • LDAP Client Certificate; authenticates by validating the certificate, then querying an LDAP service for authorization
      • NT Domain; Windows® NT and SAMBA domains
      • RADIUS; uses a RADIUS server (such as the Windows® Network Policy Server) for authentication
      • TACACS; uses a TACACS authentication server (such as NTTacPlus)
      • RSA SecurID; one-time password (OTP) authentication using the RSA ACE/Server
      • WinHTTP; assigns a Web page that requires users to authenticate
    • 44. Creating a Trunk: use the Create Trunk Wizard
      • 1. Select trunk type
      • 2. Define host name, IP address, and port
      • 3. Configure authentication servers
      • 4. Select server certificate
      • 5. Select endpoint security policies
    • 45. Types of Application
      • Once a portal trunk has been set up, be it an HTTP or HTTPS trunk, you can start publishing applications on it
      • Applications are published using a wizard, which includes approximately 40 types of application templates
      • The top-level type list is divided into the following categories of applications: built-in services; Web (applications); client/server and legacy; browser-embedded; Terminal Services and Remote Desktop
    • 46. Forefront UAG Portal
      • The portal is the front-end Web application for a portal trunk; it authenticates users and provides access to the published applications and resources
      • It allows users to view, search for, and run applications published by the administrator
      • New application, completely remade for Forefront UAG using Microsoft® ASP.NET™ and AJAX
    • 47. Forefront UAG Portal – Premium PC Interface
    • 48. New features in TMG SP1: Reporting; URL Filtering User Override; Branch Office Support; Publishing SharePoint 2010
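The pre-authentication and delegation flow of slides 20 and 22, as an added Python model that is not part of the deck or of TMG itself: the edge validates the client's Basic credentials against a constructed user store (standing in for the Active Directory/LDAP/RADIUS provider), then either delegates them as Basic, forwards them unchanged, or strips them. The store, salt, `'None-pass'`/`'None-strip'` labels and header names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the authentication provider (Active Directory, LDAP
# or RADIUS in TMG); it holds salted SHA-256 digests, never passwords.
_SALT = b"constructed-salt"
USER_STORE = {"alice": hashlib.sha256(_SALT + b"s3cret").digest()}

def parse_basic(header):
    """Step 1: pull username and password out of an 'Authorization: Basic' header."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def validate_credentials(user, password):
    """Steps 2 and 3: validate against the provider with a constant-time compare."""
    expected = USER_STORE.get(user)
    digest = hashlib.sha256(_SALT + password.encode("utf-8")).digest()
    return expected is not None and hmac.compare_digest(expected, digest)

def preauth_and_delegate(request_headers, delegation="Basic"):
    """Step 4: pre-authenticate at the edge and build the headers sent inward.

    delegation names the slide-22 option being modelled (labels are assumptions):
      'Basic'      re-send the validated credentials as Basic
      'None-pass'  'None, client can authenticate directly': header forwarded as-is
      'None-strip' 'None, client cannot authenticate directly': header dropped
    NTLM, Negotiate and Kerberos Constrained Delegation need a domain; not modelled.
    """
    creds = parse_basic(request_headers.get("Authorization"))
    if creds is None or not validate_credentials(*creds):
        # Unauthenticated traffic is answered at the edge and never reaches the server.
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="TMG"'}}
    user, password = creds
    inward = {k: v for k, v in request_headers.items() if k != "Authorization"}
    if delegation == "Basic":
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        inward["Authorization"] = "Basic " + token
    elif delegation == "None-pass":
        inward["Authorization"] = request_headers["Authorization"]
    elif delegation != "None-strip":
        raise ValueError("unsupported delegation method: " + delegation)
    return {"status": "forward", "headers": inward}
```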