Here are some common configuration errors in Forefront TMG and suggestions to resolve them:
- Defining multiple default gateways on the same network adapter. TMG only supports one default gateway per adapter.
- Not adding all reachable IP addresses and subnets to the appropriate network definitions. This prevents proper routing and policy evaluation.
- DNS resolution issues due to incorrect DNS server configuration. TMG uses the system-wide DNS server list, not per adapter. Ensure the internal DNS servers are used, or host a local DNS server service using conditional forwarding.
- Overlapping network definitions. Network ranges cannot overlap to prevent ambiguity in routing and policy matching.
- Incorrect network relationships defined between networks. The relationship must
2. A Short History of Perimeter Protection
Product timeline: Proxy Server 1.0, Proxy Server 2.0, Internet Security And Acceleration (ISA) 2000, ISA 2004, ISA 2006, Forefront Threat Management Gateway 2010
Milestones noted on the slide: Stateful Packet Inspection, «Trusted Networks», Web Publishing, NO network traffic out of the box
3. Forefront Edge Security and Access Products
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures
Before / Now
Network Protection: Integrated and comprehensive protection from Internet-based threats
Network Access: Unified platform for all enterprise remote access needs
4. Forefront TMG and UAG
New features make Forefront TMG the ideal outbound access solution
In contrast to ISA 2006, very little has been done in Forefront TMG in terms of improvements for inbound access control
Exceptions:
Secure Socket Tunneling Protocol (SSTP) for VPN client connections
NAP Integration
You will not see any other major changes in the Web or Server Publishing features when moving from ISA 2006 to Forefront TMG
The majority of inbound access (remote access) effort is going into the Microsoft Forefront Unified Access Gateway (UAG) 2010
It is expected that Forefront TMG will be used primarily for outbound access control and network firewall, and UAG will be used for inbound access (remote access) control
5. Possible Placements in the Network Perimeter
Edge of the corporate network
Back-end firewall behind another Forefront TMG firewall or third-party firewall
As a parallel firewall on the edge, next to another Forefront TMG or third-party firewall
As a network service segment firewall, providing a secure perimeter between client systems and network services
Multi-homed firewall that acts as the hub between multiple internal and perimeter networks
6. Forefront TMG: Features
Firewall – Control network policy access at the edge
Secure Web Gateway – Protect users from Web browsing threats
Secure E-mail Relay – Protect users from e-mail threats
Remote Access Gateway – Enable users to remotely access corporate resources
Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive, Integrated, Simplified
7. Forefront TMG: Deployment Scenarios
Unified Threat Management (UTM)
• All-in-one solution for medium businesses
• Firewall, VPN, Web security, IPS, e-mail relay in a single box
Secure Web Gateway
• Authenticating proxy with security
• Web antivirus and URL filtering
• Inspection of HTTP and HTTPS traffic
Remote Access Gateway
• Secure Web publishing
• Dial-in VPN
• Site to site VPN
Secure E-mail Relay
• Antispam
• Antivirus
• E-mail filtering
8. Forward, Reverse Proxy, Web Proxy, and Winsock Proxy Server
Web proxy server / Reverse proxy services
• Application layer inspection
• For forward proxy connections, Web anti-malware capabilities and URL filtering
• For reverse proxy, SSL bridging
• For both, HTTP protocol inspection
Remote Access VPN Server
• Stateful packet and application layer inspection on all traffic moving through the VPN
• User-based access controls (based on user name or user group membership)
• Remote Access Quarantine Control and Network Access Protection (NAP)
Secure E-mail Gateway
• The Forefront TMG email gateway feature is powered by the Edge Transport Server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server
9. Network Inspection System, Malware Inspection and HTTPS Inspection
Network Inspection System
• Uses signatures of known vulnerabilities from the Microsoft Malware Protection Center (MMPC) to help detect malicious traffic and then to take action
Malware Inspection
• The Malware Inspection filter (Edge Malware Protection) is a built-in Web filter
• Delayed download, HTML progress page, Trickling
HTTPS Inspection
• Forefront TMG introduces a new feature called HTTPS inspection
• It is based on a trusted man-in-the-middle mechanism, in which Forefront TMG works as a trusted man in the middle to be the SSL site for the client
11. Feature Summary
Comparison with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
Network layer firewall
Application layer firewall
Internet access protection (proxy)
Basic OWA and SharePoint publishing
Exchange publishing (RPC over HTTP)
IPSec VPN (remote and site-to-site)
Web caching, HTTP compression
New in Forefront TMG:
Windows Server® 2008 R2, 64-bit (only)
Web antivirus, antimalware
URL filtering
E-mail antimalware, antispam
Network intrusion prevention
Enhanced UI, management, reporting
12. Licensing
Two editions and two Client Access Licenses (CALs)
Editions:
Standard Edition – Full UTM
Enterprise Edition – Scalability and management
Subscriptions (CALs):
Web protection
E-mail protection
13. Edition Comparison
Feature: Standard Edition / Enterprise Edition
Number of CPUs: Up to 4 CPUs / Unlimited
Array/NLB/CARP support: Enterprise Edition only
Enterprise management: Yes / Yes, with added ability for EMS to manage SEs
Publishing: both editions
VPN support: both editions
Forward proxy/cache, compression: both editions
Network IPS (NIS): both editions
E-mail protection: Requires Microsoft® Exchange Server License (Server + CALs) and installation by the admin
14. License Transition from ISA 2006 to TMG 2010
Today → At Launch
ISA Server SE → Forefront TMG 2010 SE
ISA Server EE → Forefront TMG 2010 EE
Covered by Software Assurance
Available per user/device, per year: Forefront TMG 2010 EE
16. System Requirements
Component: Minimum / Recommended
Processor: 2 core (1 CPU x dual core), 64-bit processor / 4 core (2 CPU x dual core or 1 CPU x quad core), 64-bit processor
Memory: 2 gigabytes (GB) of memory / 4 gigabytes (GB) of memory
Hard Disk Space: 2.5 GB of available hard disk space* / 2.5 GB of available hard disk space*
Hard Disks: One local hard disk partition formatted with NTFS / Two disks for system and logging, and one for caching and malware inspection
Network: One network adapter for communicating with the internal network / One network adapter for each network connected to the Forefront TMG 2010 server
Operating System: Windows Server® 2008 x64 with Service Pack 2, or Windows Server® 2008 R2
* Exclusive of the hard disk space used for caching and for storing temporary files
17. Required Server Roles and Features
Server roles and features required by Forefront TMG include: Network Policy Server, Routing and Remote Access Service, Active Directory Lightweight Directory Services, Network Load Balancing, Windows PowerShell
These server roles are installed during Forefront TMG installation; you do not need to install them in advance
They are not removed if you uninstall Forefront TMG
Other software: Forefront TMG Preparation Tool, Microsoft .NET Framework 3.5 SP1, Windows Web Services API, Microsoft Update, Microsoft Windows Installer 4.5
Forefront TMG is not supported on a machine that is configured as a Microsoft domain controller, with the exception of a read-only domain controller, which requires that TMG Service Pack 1 be installed.
18. Prerequisites
Basic installation
Connected to the network, with DNS server settings configured
For the Secure Mail Relay usage scenario
Exchange Edge Transport Role: Microsoft® Exchange Server 2007 with Service Pack 1, or Microsoft® Exchange Server 2010
Microsoft® Forefront™ Protection 2010 for Exchange Server
19. Note: Enterprise Management Server
Both the Standard and Enterprise editions of Forefront TMG store their configurations in an Active Directory Lightweight Directory Services (AD LDS) database
Standard Edition: the AD LDS database is always on the Forefront TMG firewall itself
Enterprise Edition: option of installing the AD LDS configuration database on a firewall array member or on a separate computer. The separate computer hosting the AD LDS database is called the Enterprise Management Server (EMS)
23. Configuring the Network Settings
Network Setup (Template) Wizard
Select the network topology used:
Edge firewall
3-Leg perimeter
Back firewall
Single network adapter
24. Configuring the Network Settings
Network Setup Wizard
Define the IP configuration for each network adapter
Assign each adapter to the appropriate network
25. Configuring the System Settings
System Configuration Wizard
Define host name, domain membership and DNS suffix
26. Configuring the Deployment Settings
Deployment Wizard
Activate subscription licenses
Enable malware protection and intrusion prevention
Configure signature update schedule and response policy
Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
29. Network Relationship
TMG defines a network as a logical representation of a network connection owned by the computer where TMG operates
• These networks can be
• a physical connection such as a network interface card (NIC) or modem
• a logical interface such as a dial-in or site-to-site VPN connection
In each case, TMG must have a clear understanding of how to define and process the traffic that is received from a given network
• The simplest definition for a network relationship is the relationship indicated by the source and destination hosts as defined in the traffic 5-tuple
Note: 5-tuple is an industry-standard term describing the criteria used to uniquely identify an IP communication channel
• This data includes:
• Source and destination IP addresses
• Source and destination ports (if used)
• Transport protocol (TCP, UDP, and so on)
30. Configuration
Network Rules
Define allowed traffic flows
Like firewall policy rules, network rules define how TMG will handle traffic between source and destination hosts
Network rules are also processed in the order in which they are defined
Because network rules form a primary criterion for traffic processing, they have the power to discard traffic before any firewall policy rule has the opportunity to evaluate it
When this happens, the firewall log will not include a name in the rule field because no firewall policy rule processed the traffic
As is the case with firewall policy rules, the order of network rules is critical to correct traffic evaluation by TMG
31. Configuration
Network Rules
All network rule sets will begin with the same rule, Local Host Access, which defines a route relationship for traffic that is sourced or terminated by TMG itself
• This rule cannot be modified by the TMG administrator
Options presented for a network rule's source and destination elements
When you run the Network Rule Wizard, you are given the opportunity to select from a subset of the firewall policy network objects; the criteria are limited to those items that are defined as some variation or grouping of an IP address, IP subnet, IP address range, or combinations of these as in Computer or Network Sets
No firewall policy elements which abstract the source or destination into a name (such as domain or URL sets) can be used for network rules, because they cannot represent literal network membership
All network rules operate in the context of network objects
33. Configuration
Networks
The Networks configuration models the enterprise network infrastructure
Contains all reachable IPs for the network adapter
Cannot overlap with other Networks
Static or dynamic
34. Configuration
Network Sets
Network Sets are used to group one or more networks
Defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude)
Used in the definition of network and policy rules
35. Configuration
Network Relationship
Determines the relationship between two networks
Route
Bi-directional
Source address not modified
NAT
Uni-directional
Source address is modified
Required for non-Web access and Server Publishing rules
Web proxy filter ignores network rules
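As an added example (not from the slide deck and not Microsoft's TMG code), the following Python script models how the pieces on slides 29 to 35 fit together: networks made of literal IP ranges, an ordered list of network rules, a Route relationship that matches in both directions and leaves the source address alone, a NAT relationship that matches only source-to-destination and rewrites the source address, and a 5-tuple that is placed into a source and a destination network before any firewall policy rule runs. The network names, ranges, rule names, the catch-all External network and the external address 203.0.113.10 are constructed sample values; the fixed, unmodifiable Local Host Access rule at the top of the list follows slide 31.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of the objects the slides describe; it is not TMG's own
# object model or API. Networks are literal IP ranges (the only thing a network
# rule may reference), network rules are ordered, and a packet is placed into a
# source and a destination network by its 5-tuple.

ALL = "*"   # stands for "every network" in a rule's source or destination set


@dataclass
class Network:
    name: str
    ranges: list   # [(first_address, last_address), ...] as dotted strings

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


@dataclass
class NetworkRule:
    name: str
    relationship: str   # "Route" (bi-directional) or "NAT" (uni-directional)
    sources: set
    destinations: set


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str       # "TCP", "UDP", ...


# Constructed sample topology. External is TMG's catch-all (every address not in
# another network); 203.0.113.10 stands in for the external NIC address.
TMG_EXTERNAL_IP = "203.0.113.10"
NETWORKS = [
    Network("Local Host", [("127.0.0.0", "127.255.255.255")]),   # simplified
    Network("Internal", [("192.168.1.0", "192.168.1.255")]),
    Network("VPN Clients", [("10.10.0.0", "10.10.0.255")]),
]

# Order matters: the first matching rule decides. Local Host Access is the fixed
# first rule on every TMG; the other two are typical Network Rule Wizard output.
NETWORK_RULES = [
    NetworkRule("Local Host Access", "Route", {"Local Host"}, {ALL}),
    NetworkRule("VPN Clients to Internal Network", "Route", {"VPN Clients"}, {"Internal"}),
    NetworkRule("Internet Access", "NAT", {"Internal", "VPN Clients"}, {"External"}),
]


def network_of(ip):
    """Name of the first network whose ranges contain ip, else External."""
    for net in NETWORKS:
        if net.contains(ip):
            return net.name
    return "External"


def _member(names, net):
    return ALL in names or net in names


def evaluate(pkt, rules=NETWORK_RULES):
    """Decide what the network-rule layer does with one 5-tuple."""
    src_net, dst_net = network_of(pkt.src_ip), network_of(pkt.dst_ip)
    for rule in rules:
        forward = _member(rule.sources, src_net) and _member(rule.destinations, dst_net)
        # A Route relationship also matches the reverse direction; NAT never does.
        reverse = (rule.relationship == "Route"
                   and _member(rule.sources, dst_net)
                   and _member(rule.destinations, src_net))
        if forward or reverse:
            # NAT rewrites the source address to TMG's own; Route leaves it alone.
            new_src = TMG_EXTERNAL_IP if rule.relationship == "NAT" else pkt.src_ip
            return {"action": "pass to firewall policy", "rule": rule.name,
                    "relationship": rule.relationship, "source": src_net,
                    "destination": dst_net, "translated_src_ip": new_src}
    # No network rule matched: the packet is discarded before any firewall policy
    # rule runs, which is why the log line carries an empty rule name.
    return {"action": "discard", "rule": "", "relationship": None,
            "source": src_net, "destination": dst_net,
            "translated_src_ip": pkt.src_ip}


if __name__ == "__main__":
    for pkt in (FiveTuple("192.168.1.50", 51000, "198.51.100.7", 443, "TCP"),
                FiveTuple("198.51.100.7", 40000, "192.168.1.50", 3389, "TCP"),
                FiveTuple("10.10.0.5", 5000, "192.168.1.50", 445, "TCP")):
        print(pkt, "->", evaluate(pkt))
```

The second sample packet (an external host opening RDP to an internal host) illustrates why slide 35 says NAT is required for Server Publishing rules: the NAT relationship only matches Internal to External, so the inbound 5-tuple finds no network rule and is discarded with an empty rule name, exactly the log symptom slide 30 describes. `evaluate` takes the rule list as a parameter so the effect of reordering rules can be tried directly.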
38. Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
39. Installation on a Server with a Single Network Adapter
Forefront TMG supports using a single network adapter
Supported scenarios
Secure Web Gateway (forward Web proxy and cache)
Web Publishing (reverse Web proxy and cache)
Remote client VPN access
Unsupported scenarios
Application layer inspection (except for Web proxy)
Server publishing
Non-Web clients
Firewall client
Secure NAT
Site-to-site VPNs
40. What to Check when Setup Fails
During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%\temp folder
The information in TMG Setup log files is based on Microsoft Windows Installer logging
If you want to use the SMTP Protection feature on TMG, you need to install the Microsoft Exchange Edge Transport Role and Forefront Protection 2010 for Exchange Server
The log files for the Exchange component of the installation are stored at %systemdrive%\ExchangeSetupLogs
The Forefront Protection 2010 for Exchange Server component adds setup information in the file FssSetupLogYYMMDDTimeStamp.txt, which is located in %systemdrive%\Users\All Users\Microsoft\Forefront Security for Exchange Server
If TMG Setup fails for any reason, first read the description of the error message that appears onscreen
42. Classic Configuration Errors
Multiple default gateways: define only one default gateway
Not adding reachable addresses to networks: ensure all reachable addresses are added
DNS resolution issues: the DNS server list is system wide, not per adapter; use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
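The following Python audit script is an added example, not part of the deck and not a TMG tool; it turns the errors listed at the top of this page and on slide 42, together with the no-overlap rule from slide 33 and the adapter-to-network assignment from slide 24, into checks over a constructed configuration dictionary. The adapter names, addresses, gateways, ranges and DNS server values are made up; treating External as "every address not defined elsewhere" and a 127.x address as a local DNS service are assumptions.

```python
import copy
import ipaddress

# Constructed sample configuration (not read from a TMG server). Its shape is a
# hypothetical simplification of what the Network Setup Wizard collects: each
# adapter's address, its default gateways, and the TMG network it is assigned to.
SAMPLE_CONFIG = {
    "adapters": [
        {"name": "LAN", "address": "192.168.1.1/24", "gateways": [],
         "network": "Internal"},
        {"name": "WAN", "address": "203.0.113.10/29",
         "gateways": ["203.0.113.9", "203.0.113.14"], "network": "External"},
    ],
    "networks": {                       # literal ranges, as TMG requires
        "Internal": ["192.168.1.0-192.168.1.127"],
        "Perimeter": ["192.168.1.100-192.168.2.255"],
    },
    "dns_servers": ["198.51.100.53"],   # system-wide list, not per adapter
}


def parse_range(text):
    """'a-b' -> (int(a), int(b)); a bare address is a one-address range."""
    lo, _, hi = text.partition("-")
    lo_i = int(ipaddress.ip_address(lo.strip()))
    hi_i = int(ipaddress.ip_address((hi or lo).strip()))
    if hi_i < lo_i:
        raise ValueError(f"range ends before it starts: {text}")
    return lo_i, hi_i


def intervals(config, network):
    return sorted(parse_range(r) for r in config["networks"].get(network, []))


def covers(sorted_intervals, lo, hi):
    """True when the intervals cover every address in [lo, hi] without a gap."""
    cursor = lo
    for a, b in sorted_intervals:
        if a > cursor:
            break                      # a gap before hi was reached
        cursor = max(cursor, b + 1)
        if cursor > hi:
            return True
    return cursor > hi


def overlaps(config, n1, n2):
    return any(a1 <= b2 and a2 <= b1
               for a1, b1 in intervals(config, n1)
               for a2, b2 in intervals(config, n2))


def audit(config):
    """Return one finding per configuration error the slides warn about."""
    findings = []
    # 1. TMG supports only one default gateway per adapter.
    for ad in config["adapters"]:
        if len(ad["gateways"]) > 1:
            findings.append(f"MULTIPLE_GATEWAYS: adapter {ad['name']} has "
                            f"{len(ad['gateways'])} default gateways; keep one")
    # 2. Network definitions must not overlap.
    names = list(config["networks"])
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            if overlaps(config, n1, n2):
                findings.append(f"OVERLAP: networks {n1} and {n2} share addresses")
    # 3. Every address reachable through an adapter must be in its network.
    for ad in config["adapters"]:
        if ad["network"] == "External":
            continue   # assumption: External is "everything not defined elsewhere"
        subnet = ipaddress.ip_interface(ad["address"]).network
        lo, hi = int(subnet[0]), int(subnet[-1])
        if not covers(intervals(config, ad["network"]), lo, hi):
            findings.append(f"MISSING_ADDRESSES: {subnet} reachable via {ad['name']} "
                            f"is not fully inside network {ad['network']}")
    # 4. The DNS list is system-wide: at least one server should be internal or local.
    internal = intervals(config, "Internal")

    def internal_or_local(ip):
        v = int(ipaddress.ip_address(ip))
        return ip.startswith("127.") or any(a <= v <= b for a, b in internal)

    if not any(internal_or_local(s) for s in config["dns_servers"]):
        findings.append("DNS: no internal or local DNS server; use the internal "
                        "DNS servers or a local DNS service with conditional forwarding")
    return findings


def corrected_config():
    """SAMPLE_CONFIG with each error fixed the way slide 42 suggests."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    cfg["adapters"][1]["gateways"] = ["203.0.113.9"]              # one default gateway
    cfg["networks"]["Internal"] = ["192.168.1.0-192.168.1.255"]   # whole subnet
    cfg["networks"]["Perimeter"] = ["192.168.2.0-192.168.2.255"]  # no overlap
    cfg["dns_servers"] = ["192.168.1.10"]                         # internal DNS
    return cfg


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
    print("after fixes:", audit(corrected_config()))
```

Run against the sample, `audit` reports all four errors; `corrected_config` applies the fix the slide pairs with each one and audits clean. The `covers` check is the interesting piece: it catches the "not adding reachable addresses" mistake by walking the sorted ranges and stopping at the first gap inside the adapter's subnet, which a simple "is the adapter's own address in the network" test would miss.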
Editor's Notes
To run the Preparation Tool: on the Installation Type page, select the required installation type option: Forefront TMG services and Management; Forefront TMG Management only; Enterprise Management Server (EMS) for centralized array management. The Preparation Tool downloads and installs the prerequisite applications, according to the selected Forefront TMG installation type.
Installing Forefront TMG:
Insert the Forefront TMG 2010 DVD into the DVD drive, or run autorun.hta from a shared network drive.
On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.
On the main setup page, click Run Preparation Tool to launch the Preparation Tool.
On the main setup page, click Run Installation Wizard to launch the Forefront TMG Installation Wizard.
On the Installation Type page, click the Forefront TMG Services and Management button.
On the Installation Path page, specify the Forefront TMG 2010 installation path.
On the Define Internal Network page, click Add, click Add Adapter, and then select the adapter which is connected to the main corporate network.
Note: If you are installing Forefront TMG on a computer with a single network adapter, all IP address ranges should be configured for the Internal network, except for the following: 0.0.0.0, 255.255.255.255, 127.0.0.0-127.255.255.255 (Local Host), 224.0.0.0-254.255.255.255 (multicast)
7. On the Ready to Install the Program page, click Install.
Adding IP addresses to the internal network
On the Addresses page, select any of the following methods to add addresses to the Internal network:
Add Range – Adds a range of IP addresses. You must specify the beginning and ending IP address in the range; for example, 10.0.0.1 to 10.0.0.255.
Add Adapter – Selects a network adapter. The IP addresses that are included in the Internal network are based on the IP address and subnet mask of the selected adapter.
Add Private – Adds IP addresses defined as non-routable IP addresses, based on Request for Comment (RFC) 1918, and on the Automatic Private IP Addressing (APIPA) feature.
You can configure your deployment settings using the Deployment Wizard. To configure your deployment settings:
1. In the Getting Started Wizard, click Define deployment options.
2. On the Microsoft Update Setup page of the Deployment wizard, click Use the Microsoft Update service to check for updates (recommended) to specify that the Microsoft Update service should be used to obtain malware definition updates.
3. On the Forefront TMG Protection Features Settings page of the wizard, do the following:
a. For Network Inspection System, select to activate the complementary license and enable Network Inspection System (NIS).
b. For Web Protection, select the license activation type for Web protection. If you selected Activate purchased license and enable Web Protection, enter the license key and expiration date of the purchased license.
c. If you want to scan requested HTTP content allowed by access rules for malware, such as viruses and spyware, select Enable malware inspection.
4. On the NIS Signature Update Settings page of the wizard, for Select automatic update action, select the type of action to deploy when there are new or updated signature sets.
5. For New Signature Set Configuration, select the response policy option for new signatures.
6. On the Customer Feedback page of the wizard, if you want to participate in the Customer Experience Improvement Program, click Yes, I am willing to participate anonymously to join the Customer Experience Improvement Program. This program helps Microsoft to improve the quality and reliability of Forefront TMG. If you join the program, Microsoft collects anonymous information about hardware configuration, use of software and services, and trend patterns. No personally identifiable information is collected.
7. On the Microsoft Telemetry Reporting Service page, do one of the following:
Click the Basic button to send basic information to Microsoft regarding filtered URLs, URL category overrides, potential threats, and the response taken.
Click the Advanced button to provide information to Microsoft about potential threats including traffic samples and full URL strings.
Click the None button to decline participation in the service.