4. TMG 2010 and UAG 2010
TMG and UAG seminar at Microsoft (Rome)

Speaker note (Web listeners): the Web listener is used to indicate the IP address and port to which a client makes a connection, and to enable TMG 2010 to pre-authenticate the connection. Web listeners can be used by more than one Web publishing rule.

    1. TMG 2010 and UAG 2010 for publishing web applications
    2. TMG - Remote Access Gateway
    3. Forefront™ Unified Access Gateway – The Basics
       • Forefront UAG is fundamentally a router. It has an external side that is the access point for clients connecting from the Internet, and an internal side through which the server fetches data from internal corporate servers.
       • While it is theoretically possible to use the server with a single network card, this option is not supported and will not work for most of UAG's functionality.
       • UAG is designed to enable remote access in two primary roles: application publishing and VPN.
    4. Forefront TMG 2010 connectivity types (method, goal, usage scenario)
       • Non-HTTP server publishing: connectivity to specific internal non-HTTP servers (example: access to the internal e-mail (SMTP) server).
       • Web server publishing: connectivity to internal Web servers (example: access to the Outlook Web application).
       • Virtual Private Network: full connectivity to the corporate network (example: access for employees connecting from home or at a customer site).
    5. Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG): product positioning
       • Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats.
       • Forefront UAG: comprehensive, secure remote access to corporate resources.
       • Forefront UAG is the preferred solution for providing remote access. Forefront TMG 2010 still supports the remote access features, but it is not the recommended solution.
    6. Non-HTTP Server Publishing
    7. Non-HTTP Server Publishing
       • Maps requests for non-Web servers in one of the TMG 2010 networks.
       • Clients can be either on the Internet or on a different internal network.
       • Can be used to publish most TCP and UDP protocols.
       • Behavior depends on whether the non-Web server is behind a NAT relationship or not:
         - If behind NAT, clients connect to an IP address belonging to Forefront TMG.
         - If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server.
       • The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010.
    8. Managing publishing ports
    9. Publishing internal ports
    10. Network Inspection System (NIS) Filters
    11. Available wizards (from Firewall Policy Tasks)
       • Publish common non-Web protocols
       • Publish mail (SMTP) servers
    12. Non-HTTP Server Publishing: things to consider when planning server publishing
       • No authentication support: access restriction by network elements only (networks, subnets, or IP addresses).
       • No support in a single-adapter configuration.
       • The client source IP address is preserved (this behavior can be changed using a rule setting).
       • Application-layer filter and NIS signature coverage: SMTP, POP3, DNS, etc.
    13. Web Publishing
    14. Web Publishing
       • Provides secure access to Web content for users on the Internet; the Web content may be either on internal networks or in a DMZ.
       • Supports HTTP and HTTPS connections.
       • Forefront TMG 2010 Web Publishing features:
         - Mapping requests to specific internal paths on specific servers
         - Authentication and authorization of users at the TMG level
         - Delegation of user credentials after TMG authentication
         - Caching of the published content (reverse caching)
         - Inspection of incoming HTTPS requests using SSL bridging
         - Load balancing of client requests among Web servers in a server farm
    15. Access to Web resources
       [Diagram: Internet clients reach, through Forefront TMG 2010, an Exchange Server (OWA, RPC/HTTP(S) and ActiveSync over HTTPS), a Web server (HTTP) and a SharePoint server (HTTP).]
       • Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols.
    16. Configuration
       1. Define Web listeners: the IP addresses and ports that will listen for Web requests; the authentication method used (client to TMG 2010); server certificates and SSL options; the number of client connections allowed.
       2. Create the other rule elements: source addresses, Web farms, user sets, schedules.
       3. Run the appropriate wizard.
    17. Configuring Web Listeners
    18. Configuring Web Listeners: assigning a certificate to a Web listener
       • The certificate list flags invalid certificates: private key not installed, certificate missing.
    19. Managing SSL traffic: SSL bridging
       1. The client on the Internet encrypts communications.
       2. TMG 2010 decrypts and inspects the traffic.
       3. TMG 2010 sends the allowed traffic to the published server, re-encrypting it if required.
    20. Authentication process
       1. Client credentials received
       2 & 3. Credentials validated
       4. Credentials delegated to the internal server
       5. The server sends the response
       6. The response is forwarded to the client
    21. Configuring Web Listeners: client authentication methods
       • HTTP authentication:
         - Basic: authentication providers Active Directory, LDAP server, RADIUS
         - Digest: Active Directory only
         - Integrated: Active Directory only
       • HTML form authentication, by credential type:
         - Username and password: providers Active Directory, LDAP server, RADIUS; password management
         - Username and passcode: providers RADIUS OTP, RSA SecurID; fallback to Basic
         - Username, password and passcode: providers RADIUS OTP, RSA SecurID; fallback to Basic; password management
    22. Authentication delegation: authentication methods
       • None – client cannot authenticate directly
       • None – client can authenticate directly
       • Basic authentication
       • NTLM authentication
       • Negotiate (Kerberos/NTLM)
       • Kerberos Constrained Delegation: an SPN is required for Kerberos, and Forefront TMG 2010 needs to be in the same domain as the published server
    23. Authentication delegation: authentication methods x delegation support matrix
       • Basic, or forms-based authentication (password only); providers Active Directory, LDAP, RADIUS: delegation via Basic, NTLM, Negotiate (Kerberos/NTLM) or Kerberos Constrained Delegation.
       • Forms-based authentication (passcode only); providers SecurID, RADIUS OTP: delegation via SecurID or Kerberos Constrained Delegation.
       • Forms-based authentication (password and passcode); providers SecurID, RADIUS OTP: delegation via SecurID, Basic, NTLM or Negotiate (Kerberos/NTLM).
       • Digest, Integrated, or client certificate; provider Active Directory®: delegation via Kerberos Constrained Delegation.
       • The options "None, client can authenticate directly" and "None, client cannot authenticate directly" apply to all methods.
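The listener pre-authentication and delegation flow of slides 20, 22 and 23, as an added Python model that is not part of the deck and not TMG's code: a Basic-authenticating listener in front of a published server, with the three delegation settings a practitioner most often has to choose between. USER_DB, make_basic, parse_basic and gateway_forward are names chosen for this example, and the "client can authenticate directly" branch is simplified to a plain pass-through.

```python
import base64

# Constructed user store standing in for the listener's authentication provider (sample data only).
USER_DB = {"alice": "S3cret!"}

def make_basic(user, password):
    """Build a Basic Authorization header value (used by both the client and the gateway below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic(value):
    """Return (user, password) from a Basic Authorization header value, or None if absent/malformed."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if user else None

def gateway_forward(inbound_headers, delegation):
    """Model of the listener's pre-authentication plus the rule's delegation setting.

    delegation:
      "none_direct"    - None, client can authenticate directly: headers pass through unchanged
                         and the published server authenticates the client itself (simplified)
      "none_no_direct" - None, client cannot authenticate directly: the gateway authenticates,
                         then forwards the request with no credentials at all
      "basic"          - Basic delegation: the gateway authenticates, then re-sends the
                         validated credentials as Basic to the published server
    Returns ("reject", reason) or ("forward", outbound_headers).
    """
    if delegation == "none_direct":
        return ("forward", dict(inbound_headers))
    creds = parse_basic(inbound_headers.get("Authorization"))
    if creds is None or USER_DB.get(creds[0]) != creds[1]:
        # Anonymous or wrong credentials stop at the edge; the published server never sees them.
        return ("reject", "401 at gateway")
    outbound = {k: v for k, v in inbound_headers.items() if k.lower() != "authorization"}
    if delegation == "basic":
        outbound["Authorization"] = make_basic(*creds)
    elif delegation != "none_no_direct":
        raise ValueError(f"unknown delegation mode: {delegation}")
    return ("forward", outbound)
```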
    24. Web Publishing Wizards
       • Publish Web sites
       • Publish SharePoint sites
       • Publish Exchange Web client access: Outlook® Web Access, Outlook® Anywhere, Exchange ActiveSync®, Outlook® Mobile Access (Microsoft® Exchange Server® 2003)
    25. Web Publishing Rules
    26. Web Publishing Rules
       • Define membership to a user group: across different authentication namespaces; used for authorization at the Forefront TMG 2010 level.
    27. Web Publishing Rules
       • Configure the Web rule schedule: define the access hours for the Web site.
       • Configure link translation: translates internal names in links to the public names of the Web sites.
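Link translation as described on slide 27, as an added Python example that is not part of the deck and not TMG's implementation: a simplified model that rewrites internal scheme://host[:port] prefixes in link attributes and in Location redirects, and reports internal host names that still appear elsewhere in the body (the residual information leak a defender would check for). LINK_MAP and the function names are choices made for this example; the host names in it are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping (lower-case scheme://host[:port]) -> public name; sample values, not from the deck.
LINK_MAP = {
    "http://sp-internal": "https://sharepoint.example.com",
    "http://sp-internal.corp.local:8080": "https://sharepoint.example.com",
}

# URL-bearing attributes in HTML; group 3 is the quote character, group 4 the URL.
_ATTR_RE = re.compile(r"""(?i)\b(href|src|action)(\s*=\s*)(["'])(.*?)\3""")

def translate_url(url, link_map=LINK_MAP):
    """Rewrite an absolute URL whose scheme://host[:port] is an internal name; leave others unchanged."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return url  # relative links are already correct for the remote client
    public = link_map.get(f"{parts.scheme}://{parts.netloc}".lower())
    if public is None:
        return url
    pub = urlsplit(public)
    return urlunsplit((pub.scheme, pub.netloc, parts.path, parts.query, parts.fragment))

def translate_html(body, link_map=LINK_MAP):
    """Rewrite href/src/action attributes in an HTML body."""
    def repl(m):
        return f"{m.group(1)}{m.group(2)}{m.group(3)}{translate_url(m.group(4), link_map)}{m.group(3)}"
    return _ATTR_RE.sub(repl, body)

def translate_location(location, link_map=LINK_MAP):
    """Rewrite a Location response header (redirects are a classic way internal names leak)."""
    return translate_url(location, link_map)

def leaked_internal_names(text, link_map=LINK_MAP):
    """Internal host names that still appear anywhere in text (e.g. inside scripts) after translation."""
    hosts = {urlsplit(k).hostname for k in link_map}
    return sorted(h for h in hosts if h in text.lower())
```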
    28. Virtual Private Networking (VPN)
    29. Forefront TMG Virtual Private Networking (VPN)
       • TMG 2010 supports two types of VPNs: Remote Access VPN and Site-to-site VPN.
       • TMG 2010 implements Windows Server® 2008 VPN technology, with support for Secure Socket Tunneling Protocol (SSTP) and Network Access Protection (NAP).
    30. Secure Socket Tunneling Protocol (SSTP)
       • New SSL-based VPN protocol: an HTTP-over-SSL session (TCP 443) between VPN clients and servers is used to exchange encapsulated IPv4 or IPv6 packets.
       • Support for unauthenticated Web proxies.
       • Support for Network Access Protection (NAP).
       • Client support in Windows Vista® SP1; no plans to backport SSTP to previous versions.
    31. Network Access Protection (NAP): Windows policy validation and enforcement platform
       • Policy validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
       • Network restriction: restricts network access to computers based on their health.
       • Remediation: provides the necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
       • Ongoing compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
    32. NAP Support in Forefront TMG 2010
       • Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN.
       • Supports all VPN protocols, including SSTP.
       • A different solution from the Remote Access Quarantine Services (RQS) supported in ISA Server 2006.
       • NAP validates the health status of the remote client at connection time.
       • VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network.
    33. Unified Access Gateway 2010
    34. Features
       • SSL VPN
       • SSTP
       • Remote Desktop Gateway on the UAG itself
       • DirectAccess
    35. Integrated security
       • Overlay granular access control to specific sites and/or features within sites.
       • Built-in endpoint security policies (integrated with NAP).
       • Expanded authentication and authorization capabilities.
       • Session clean-up and information leakage prevention.
       • Integrated network security.
    36. Simplified management
       • Simplifies deployment and ongoing tasks through wizards and built-in policies.
       • Simplifies the user experience, reducing support costs.
       • Consolidates the remote access infrastructure.
       • Example (publishing SharePoint): Step 1: choose the type of application you wish to publish. Step 2: provide the internal name of the SharePoint Server and the external name. Step 3: configure the same external name on your SharePoint server. All done!
    37. From IAG to UAG
       • Application publishing: granular application filtering (IAG; improved in UAG); session cleanup and removal (IAG and UAG); endpoint health detection (IAG; improved in UAG).
       • Integration (new in UAG): integrated with NAP policies; Remote Desktop and RemoteApp integration; extends and simplifies DirectAccess deployments.
       • Scale and management (new in UAG): built-in load balancing; array management capabilities; enhanced monitoring and management (SCOM).
    38. UAG architecture
       [Diagram: remote endpoints (home / friend / kiosk PCs, mobile devices, business partners / subcontractors, employee-managed machines) reach UAG over the Internet via HTTPS (443), TS/RDS, DirectAccess and non-Web channels; UAG authenticates against AD, AD FS, RADIUS, LDAP, etc. and publishes Exchange, CRM, SharePoint, LoB, and IBM, SAP and Oracle applications in the data center or corporate network.]
    39. Forefront TMG and UAG
       • Forefront TMG is installed during Forefront UAG setup.
       • TMG acts as a firewall protecting the UAG server.
       • UAG leverages TMG array management and monitoring functionality.
       • Supported Forefront TMG configurations:
         - Creating access rules when deploying UAG for VPN access
         - Monitoring via the TMG console
         - Configuring system policy rules for controlling access to and from the UAG server
         - Publishing some Exchange and OCS protocols using TMG
       • No other Forefront TMG functionality is supported (intrusion prevention, malware inspection, forward and reverse Web proxying, etc.).
    40. Trunks and Portals
    41. Forefront UAG Trunks
       • Transfer channels that make internal resources and applications available to remote endpoints.
       • A Forefront UAG server can have multiple trunks; trunks can be either HTTP or HTTPS.
       • Types of trunks:
         - Portal trunks: present a Web portal to the user with multiple associated applications and resources
         - Active Directory® (AD) FS trunks: used to publish AD FS servers
         - Redirection trunks: redirect HTTP requests to an HTTPS trunk
    42. Trunk Settings
       • The following settings are configured per trunk: IP address and port; server certificate; portal homepage; authentication methods; session settings; endpoint policy requirements; traffic inspection; HTTP compression.
    43. Forefront UAG User Authentication: supported authentication schemes (authentication protocol: identity repository)
       • Passthrough (no authentication): the user authenticates directly with the back-end application.
       • Active Directory: uses Active Directory for authentication and authorization.
       • LDAP: Active Directory, Active Directory Lightweight Directory Services (AD LDS), Netscape Directory Server, Notes Directory Server, Novell Directory Service.
       • LDAP Client Certificate: authenticates by validating the certificate, then querying an LDAP service for authorization.
       • NT Domain: Windows® NT and SAMBA domains.
       • RADIUS: uses a RADIUS server (such as the Windows® Network Policy Server) for authentication.
       • TACACS: uses a TACACS authentication server (such as NTTacPlus).
       • RSA SecurID: one-time password (OTP) authentication using the RSA ACE/Server.
       • WinHTTP: assigns a Web page that requires users to authenticate.
    44. Creating a Trunk: use the Create Trunk Wizard
       1. Select the trunk type
       2. Define the host name, IP address, and port
       3. Configure the authentication servers
       4. Select the server certificate
       5. Select the endpoint security policies
    45. Types of Application
       • Once a portal trunk has been set up, be it an HTTP or HTTPS trunk, you can start publishing applications on it.
       • Applications are published using a wizard, which includes approximately 40 types of application templates.
       • The top-level type list is divided into the following categories of applications:
         • Built-in services
         • Web (applications)
         • Client/Server and Legacy
         • Browser-embedded
         • Terminal Services and Remote Desktop
    46. Forefront UAG Portal
       • The portal is the front-end Web application for a portal trunk: it authenticates users and provides access to the published applications and resources.
       • It allows users to view, search for, and run the applications published by the administrator.
       • A new application, completely rebuilt for Forefront UAG using Microsoft® ASP.NET™ and AJAX.
    47. Forefront UAG Portal – Premium PC Interface
    48. New features in TMG SP1
       • Reporting
       • URL filtering
       • User override
       • Branch office support
       • Publishing SharePoint 2010
