The objective of this project is to make servers of web service, ftp service, VoIP video call service, and manage them centrally from a host in private connection or from remote connection. We will also monitor the services, we are going to install, from this central PC. If there is a problem found like no connectivity, then the monitor agent will notify the network administrator showing the error message.
What is squid? What is a proxy server? how it works.., What squid can offer??, How you get a fast internet access using caching server,,
you can download this ppt
[Advantech] ADAM-3600 open vpn setting Tutorial step by step Ming-Hung Hseih
This is tutorial how to configure VPN client on IOT gateway ADAM-3600.
•Build up OpenVPN server/client
•ADAM-3600 OpenVPN setting
•ADAM-3600 OpenVPN : 3G + DDNS + public dynamic IP
The Network File System (NFS) Version 4 is a distributed file system similar to previous versions of NFS in its straightforward design, simplified error recovery, and independence of transport protocols and operating systems for file access in a heterogeneous network.
NFS, was developed by Sun Microsystems to provide distributed transparent file access in a heterogeneous network. It achieves this by being relatively simple in design and not relying too heavily on any particular file system model.
This presentation is based on the paper of “The NFS Version 4 Protocol” written by Brian Pawlowski, Spencer Shepler, Carl Beame, Brent Callaghan, Michael Eisler, David Noveck, David Robinson and Robert Thurlow.
Domino Fitness. Time for a Health CheckJared Roberts
Here we explore your Domino ’fitness’ - that is - how well your Domino environment is performing, and show you how to execute a comprehensive health check including performance, security, database health, new features, and much more. Are you Domino fit?
Monitoring and Troubleshooting for Online OperationsThousandEyes
Your organization requires a proactive approach to network monitoring to achieve your application up-time goals. ThousandEyes brings visibility to the networks that handle your application traffic. In these slides, we share how to:
See your application's network path from customers to data centers.
Pinpoint exactly where network issues occur.
Correlate metrics including response time, page load time, packet loss and routing changes.
Watch the recorded webinar with live demo here: http://ow.ly/BzCo4
In this session, we will explore System Center data center end-to-end monitoring solution that helps IT specialists view systems across the data center to identify potential problems that could affect systems from responding to enterprise business demands. We will discuss how System Center Operations Manager (Ops Manager) is an integral part of this solution, and centrally monitors the health of systems in the data center including configuration changes to ensure that services and distributed applications are functioning to respond to end user requests.
The objective of this project is to make servers of web service, ftp service, VoIP video call service, and manage them centrally from a host in private connection or from remote connection. We will also monitor the services, we are going to install, from this central PC. If there is a problem found like no connectivity, then the monitor agent will notify the network administrator showing the error message.
What is squid? What is a proxy server? how it works.., What squid can offer??, How you get a fast internet access using caching server,,
you can download this ppt
[Advantech] ADAM-3600 open vpn setting Tutorial step by step Ming-Hung Hseih
This is tutorial how to configure VPN client on IOT gateway ADAM-3600.
•Build up OpenVPN server/client
•ADAM-3600 OpenVPN setting
•ADAM-3600 OpenVPN : 3G + DDNS + public dynamic IP
The Network File System (NFS) Version 4 is a distributed file system similar to previous versions of NFS in its straightforward design, simplified error recovery, and independence of transport protocols and operating systems for file access in a heterogeneous network.
NFS, was developed by Sun Microsystems to provide distributed transparent file access in a heterogeneous network. It achieves this by being relatively simple in design and not relying too heavily on any particular file system model.
This presentation is based on the paper of “The NFS Version 4 Protocol” written by Brian Pawlowski, Spencer Shepler, Carl Beame, Brent Callaghan, Michael Eisler, David Noveck, David Robinson and Robert Thurlow.
Domino Fitness. Time for a Health CheckJared Roberts
Here we explore your Domino ’fitness’ - that is - how well your Domino environment is performing, and show you how to execute a comprehensive health check including performance, security, database health, new features, and much more. Are you Domino fit?
Monitoring and Troubleshooting for Online OperationsThousandEyes
Your organization requires a proactive approach to network monitoring to achieve your application up-time goals. ThousandEyes brings visibility to the networks that handle your application traffic. In these slides, we share how to:
See your application's network path from customers to data centers.
Pinpoint exactly where network issues occur.
Correlate metrics including response time, page load time, packet loss and routing changes.
Watch the recorded webinar with live demo here: http://ow.ly/BzCo4
In this session, we will explore System Center data center end-to-end monitoring solution that helps IT specialists view systems across the data center to identify potential problems that could affect systems from responding to enterprise business demands. We will discuss how System Center Operations Manager (Ops Manager) is an integral part of this solution, and centrally monitors the health of systems in the data center including configuration changes to ensure that services and distributed applications are functioning to respond to end user requests.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
4. Remote Access Connectivity Options
Forefront TMG 2010
Connectivity Example
Method Goal Usage Scenario
Non-HTTP server Connectivity to specific Access to internal e-mail
Publishing internal non-HTTP servers (SMTP) server
Web server publishing Connectivity to internal Access to Outlook Web
Web servers application
Virtual Private Network Full connectivity to the Access for employees
corporate network connecting from home or
at a customer site
5. Forefront TMG 2010 vs. Forefront™ Unified Access
Gateway (UAG)
Product Positioning
Forefront TMG 2010
Enables users to safely and productively use the Internet without
worrying about malware and other threats
Forefront UAG
Comprehensive, secure remote access to corporate resources
Forefront UAG is the preferred solution for providing
remote access
Forefront TMG 2010 still provides support for remote access
features, but not the recommended solution
7. Non-HTTP Server Publishing
Allows map requests for non-Web servers in one of the
TMG 2010 networks
Clients can be either on the Internet or on a different internal
network
Can be used to publish most TCP and UDP protocol
Behavior depends on whether non-Web server is behind a
NAT relationship or not
If behind NAT, clients will then connect to an IP address belonging
to Forefront TMG
If behind a route relationship, TMG 2010 listens for requests on the
IP address of the non-Web server
The published server should be configured as a SecureNAT
client with a default gateway pointing to TMG 2010
8. Sample Server Publishing Scenario
DNS Server Publishing
192.168.0.100
DG: 192.168.0.3
`
DNS Server
203.16.4.1
10.0.0.3
192.168.0.3 192.168.0.254
TMG
1. DNS request
203.16.4.1 > 10.0.0.3
2. Check rule match
192.168.0.101
DG: 192.168.0.254
FTP Server
15. Sample Server Publishing Scenario
DNS Server Publishing
1. DNS request
203.16.4.1 > 10.0.0.3
2. Check rule match
192.168.0.100
DG: 192.168.0.3
3. Rule matched `
4. Check rule action DNS Server
203.16.4.1
5. Action is allow
6. Evaluate filters 10.0.0.3
192.168.0.254
7. Request OK
192.168.0.3
TMG
8. Forward request
203.16.4.1 > 192.168.0.100
9. Server response 192.168.0.101
DG: 192.168.0.254
192.168.0.100 > 203.16.4.1 FTP Server
16. Sample Server Publishing Scenario
FTP Server Publishing
1. FTP request
192.168.0.100
DG: 192.168.0.3
203.16.4.1 > 10.0.0.3 `
2. Check rule match DNS Server
3. Rule matched
203.16.4.1
4. Check rule action 10.0.0.3
5. Action is allow 192.168.0.3 192.168.0.254
TMG
6. Evaluate filters
7. Request OK
8. Forward request to FTP 192.168.0.101
DG: 192.168.0.254
192.168.0.3 > 192.168.0.101 FTP Server
9. FTP server response
192.168.0.101 > 192.168.0.3
10. TMG response
10.0.0.3 > 203.16.4.1
17. Server Publishing Wizards
Available from Firewall Policy Tasks
Publish common non-Web protocols
Publish mail (SMTP) servers
18. Non-HTTP Server Publishing
Things to consider when planning Server Publishing
No authentication support
Access restriction by network elements only
Networks, subnets, or IP addresses
No support in single adapter configuration
Client source IP address preserved
Behavior can be changed using rule setting
Application Layer Filter and NIS signature coverage
SMTP, POP3, DNS, etc.
18
20. Web Publishing
Provides secure access to Web content to users from the
Internet
Web content may be either on internal networks on in a DMZ
Supports HTTP and HTTPS connections
Forefront TMG 2010 Web Publishing features:
Mapping requests to specific internal paths in specific servers
Allows authentication and authorization of users at TMG level
Allow delegation of user credentials after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server
farm
21. Accessing Web Resources
OWA
RPC/HTTP(S)
HTTPS ActiveSync
Exchange
Server
HTTPS
HTTP
` HTTP
HTTPS
Web
Internet Server
HTTP
SharePoint
Server
Forefront TMG 2010 can publish multiple internal Web
servers, using multiple external IP addresses and protocols
22. Configuring
1. Define web listeners
IP addresses and ports that will listen for Web requests
Authentication method used (client to TMG 2010)
Server certificates and SSL options
Number of client connections allowed
2. Create other rule elements
Source addresses
Web farms
User sets
Schedules
3. Run appropriate wizard
22
25. Securing SSL Traffic
SSL Bridging:
1. Client on Internet encrypts communications
2. TMG 2010 decrypts and inspects traffic
3. TMG 2010 sends allowed traffic to published server,
re-encrypting it if required
26. Authentication Process
1. Client credentials received
2&3. Credentials validated
4. Credentials delegated to
internal server
5. Server send response
6. Response forwarded to
client
27. Configuring Web Listeners
Client Authentication Methods
Authentication Providers:
Credential Types:
Credential Types:
AuthenticationPassword
Basic
Username and Password
Username and
Username and Passcode
Active Directory
Username and Passcode
Providers:
LDAP
Username, Password and
Active Directory only
RADIUS
Passcode
Fallback to: Providers:
Authentication Providers:
Digest
Authentication
BasicActiveDirectory only
Active Directory
Active Directory
Digest server
Integrated
LDAP server
LDAP
Integrated Directory only
RADIUS
Active
RADIUS
RADIUS OTP
RADIUS OTP
RSA SecurID
RSA SecurID
Fallback to Basic
Fallback to Basic
Password Management
Password Management
28. Authentication Delegation
Authentication Methods
None – client cannot
authenticate directly
None – client can
authenticate directly
Basic authentication
NTLM authentication
Negotiate
Kerberos/NTLM
Kerberos Constrained
Delegation
SPN required for Kerberos
Forefront TMG 2010 needs to be
in the same domain as the
published server
30. Single Sign On
Sample Scenario – Two Published Web Sites requiring AuthN
With Single Signon
Without Single Signon:
1. User Prompted for authentication
2. User Clicks Link to SharePoint
3. User NOT Prompted for authentication
Prompted for authentication again
Exchange.Company.Com
FBA
`
SharePoint.Company.Com
30
32. Web Publishing Wizards
Publish Web sites
Publish SharePoint sites
Publish Exchange Web
client access
Outlook® Web Access
Outlook® Anywhere
Exchange ActiveSync®
Outlook® Mobile Access
Microsoft® Exchange
Server® 2003
33. Web Farms
Distributes requests evenly
among available Web
servers
Detect offline servers and
implement consistent failover
Allow the draining, removal,
and addition of servers
without disrupting current
connections
Methods for monitoring
connectivity include HTTP GET,
PING request, or TCP
connection to a given port
Supports IP or cookie-based
affinity
35. Web Publishing Rules
Define membership to
user group
Across different
authentication
namespaces
Used for authorization at
Forefront TMG 2010 level
36. Web Publishing Rules
Configure Web rule
schedule
Define access hours for
accessing the Web site
Configure link translation
Translates internal names in
links to public names of the
Web sites
38. Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPNs:
Remote Access VPN
Site-to-site VPN
TMG 2010 implements Windows Server® 2008 VPN
technology
Implements support for Secure Socket Tunneling Protocol (SSTP)
Implements support for Network Access Protection (NAP)
39. Secure Socket Tunneling Protocol (SSTP)
New SSL-based VPN protocol
HTTP with SSL session (TCP 443) between VPN clients and servers
to exchange encapsulated IPv4 or IPv6 packets
Support for unauthenticated Web proxies
Support for Network Access Protection (NAP)
Client support in Windows Vista® SP1
No plans to backport SSTP to previous versions
40. Network Access Protection (NAP)
Windows Policy Validation and Enforcement Platform
Policy Determines whether the computers are compliant with the company’s
Validation security policy. Compliant computers are deemed healthy.
Network Restricts network access to computers based on their health.
Restriction
Provides necessary updates to allow the computer to get healthy.
Remediation Once healthy, the network restrictions are removed.
Ongoing Changes to the company’s security policy or to the computers’ health
Compliance may dynamically result in network restrictions.
41. NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients
connecting remotely through Remote Access VPN
Supports all VPN protocols, including SSTP
Different solution than the Remote Access Quarantine Services
(RQS) supported in ISA Server 2006
NAP validates health status of the remote client at
connection time
VPN network access limitation is done through IP packet
filters applied to the VPN connection
Access limited to resources on the restricted network
42. NAP with Forefront TMG Walkthrough
Restricted Network Corporate Network
Remediation
Servers System Health
Servers
Unhealthy SHA performs
remediation against
remediation servers
Ongoing policy
updates to Network
Here is the fix you need. Policy Server
VPN QEC passes SoH
VPN QEC queries
NAPAgent collects
Responses back to
new SoH and for SOHs
NAPAgent passes
NAPAgent
to VPN QEC
PEAP messages
EAP
VPN Session Request
PEAP messages Can I pleaseHere is my SOH the network?
have access to
EAP - Response/Identity
Here is my SOH
EAP - Request/Identify
RADIUS Access-Accept
PEAPEAP - Request/Identify
PEAP Message
Message EAP – Request/Start – Send SOH
State: – Request/Start – Send SOH
EAP Quarantine
State: Full Access Forefront TMG According to policy, the client is
Client SOH Responses
SOH Responses 2010
not up to date. Quarantine client.
up to date.
Restrict client to – no filters
Grant access 10.10.10.0/24
Network Policy
Server
43. NAP Components
Platform Components
Enforcement Components
Health Components
System Health Agents (SHA) = Declare = health status, coordinates between SHA and QEC.
Quarantine Agent (QA) Clients (QEC) health (patch state, virus signature, system configuration,
Quarantine Enforcement= Reports client Negotiate access with network access device(s);
etc.). VPN, 1X, IPSec QECs.
DHCP,
System Health Validators= Restricts networknetworkto madebased on what SHV certifies.
Network Access Devices = Provide client’s access access by health agents.
Quarantine Server (QS) (SHV) = Certify declarations healthy endpoints.
System Registration Authority = Issues certificates to clients that componentschecks. client.
Health Health Servers = Define health requirements for system pass health on the
Remediation Servers = Install necessary patches, configurations, applications.
Bring clients to healthy state.
Remediation Servers System Health Servers
Updates Health policy
Client Health Network Network
Statements Access
Requests Policy
SHA<n> Server
Health Result
Quarantine SHV<n>
Agent
QEC QEC Quarantine Server
Network Access Device
1 2 (Forefront TMG 2010)
44. Comparing NAP to RQS/RQC
Remote Access Quarantine Service (RQS) and Remote Access
Quarantine Client (RQC)
Supports all versions of Windows®
Requires configuration of scripts for policy evaluation and remediation
Requires the use of Connection Manager
Supports only remote access (VPN or dial up) connections
Network Access Protection (NAP)
Supports Microsoft Windows XP® Service Pack 3 or newer operating
systems
Requires System Health Agents (SHAs) for policy evaluation and
remediation
Supports any kind of network connection, with no requirements for
Connection Manager usage
Both methods are supported by Forefront TMG 2010
45. Configuring Forefront TMG with NAP
1. Install Windows Server® 2008 or Windows Server® 2008
R2 Network Policy Server (NPS) role
Preferably in a separate server from Forefront TMG 2010
2. Configure Forefront TMG 2010 as a RADIUS client
3. Configure remote access policies at NPS server
Configure System Health Validators (SHVs) and health policies
Create network policies
Create connection request policies
Define remediation servers
4. Configure NAP clients
Enable NAP service and EAP quarantine agent
Configure SHAs
47. Lab 3: Remote Access Gateway Lab
In this lab, you will:
Use Web Publishing to publish
Exchange Web Services
Lab 3 - Exercise 6
Estimated completion time: 45 min
Forefront TMG 2010 uses server publishing rules to map requests for non-Web servers located in a Forefront TMG 2010 network from clients located in other networks. Clients can be external clients located on the Internet or internal clients located on a different internal network. When the network on which the published server is located has a NAT relationship with the network from which client requests are located, server publishing works as follows:The IP address published by the server-published rule belongs to Forefront TMG. Clients make a request for the published resource to the client-facing adapter on the Forefront TMG server and not directly to the internal server.By default, the client source address sent to the published server is that of client. You can change this setting to specify that the source address sent to the published server is that of the Forefront TMG server.When the network on which the published server is located has a route relationship with the network from which client requests are located, server publishing works as follows:Forefront TMG listens for requests on the IP address of the published server.Clients make a request to the IP address of the internal server.Server publishing rules display the following characteristics:Server publishing can be used to publish most TCP and UDP protocols.The published server should be configured as a SecureNAT client with a default gateway pointing to Forefront TMG 2010.You cannot authenticate user requests for server publishing rules.You can use IP address control to specify who can access published resources.A server publishing rule can only publish a single server and protocolIn some circumstances you may want to consider using server publishing rules instead of access rules for internal client requests. For example, if you want to allow internal clients to access a non-Web server located in a perimeter network. For a comparison of using server publishing rules or access rules, see the Microsoft TechNet article About network relationships and firewall policy (http://technet.microsoft.com/en-us/library/cc995201.aspx).
For non-HTTP requests, Forefront TMG 2010 checks network rules, and then checks publishing rules to determine if requests are allowed.Overriding default ports Server publishing configures Forefront TMG 2010 to listen on a specific port and forward requests to a published server. You can configure the following port properties:Specify the port on which should listen for requests for request. If you publish on a port other than the default port, Forefront TMG 2010 receives client requests for the published service on the nonstandard port, and then forwards requests to the designated port on the published server. For example, a server publishing rule may specify that client requests for FTP services connect through port 22 on the Forefront TMG 2010 computer before being redirected to the default port 21 on the published server.
When using server publishing rules, Forefront TMG 2010 forwards the traffic as it does for access rules, but it uses application filters directly. For example, the Single Mail Transfer Protocol (SMTP) filter is not used for SMTP traffic handled by an access rule, but it is used with traffic handled by a server publishing rule.In server publishing rules, the client in the destination network makes a connection to the Forefront TMG IP address on which the publishing rule is listening for requests. When Forefront TMG 2010 forwards the traffic to the published server, it replaces the Forefront TMG IP address with the IP address of the internal server that it is publishing, but it does not modify the source IP address. Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when forwarding traffic to the published server, the published server must use the Forefront TMG 2010 computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules to use the setting Requests appear to come from the Forefront TMG computer. This causes Forefront TMG 2010 to perform full NAT on the traffic handled by the rule.
Forefront TMG Web publishing makes Web content securely available to groups of users or to all users who send requests to your organization from the Internet. The Web content requested is typically stored on Web servers in the Internal network or in a perimeter network (also known as a screened subnet or a demilitarized zone (DMZ)).With Web publishing rules, you can allow or deny requests based on defined access policies. You can restrict access to specified users, computers, or networks, require user authentication, and inspect the traffic. Content caching enables Forefront TMG 2010 to cache Web content and to respond to user requests from the cache without forwarding the requests downstream to the published Web server. This type of content caching is called reverse caching. Web publishing rules have many features that determine how client Web requests are passed to the published Web servers, including the following:Mapping requests to specific internal paths to limit the portions of your Web servers that can be accessed.Delegation of user credentials for authenticating Forefront TMG to the Web server after authentication by Forefront TMG 2010, without requiring users to supply their credentials for a second time.Link translation for replacing internal host names and paths in Web content with public names and external paths.Secure Sockets Layer (SSL) bridging, which enables Forefront TMG to inspect incoming HTTPS requests and then forward them to the Web server over an encrypted SSL channel.Load balancing of client requests among the Web servers in a server farm, with maintenance of client affinity for increased availability and improved performance.
When you create a Web publishing rule, you specify a Web listener to be used when applying the rule. The Web listener properties determine:Which Internet Protocol (IP) addresses and ports on the specified networks will listen for Web requests. Which authentication method will be usedwhen authentication is required. Number of client connections that are allowed. The Web listener is used to:Indicate the IP address and port to which a client makes a connection. Enable TMG 2010 to pre-authenticate the connection. Web listeners can be used by more than one Web publishing rule.
The Web listener network, or networks, that you select depends on which network clients will use to connect to the published Web server. For example, if the Web site you are publishing allows client requests from the Internet (the external network), you should select the External network for the Web listener. By selecting the External network, you are selecting the IP addresses on the Forefront TMG 2010 computer that are associated with the external network adapter. If you do not limit the IP addresses, all IP addresses associated with the selected network adapter will be included in the listener configuration.Web listeners are used by a Web publishing rule. The rule specifies source network objects in addition to specifying a Web listener. The network objects specified as sources in the Web publishing rule must include the networks selected for the Web listener. Publishing multiple SSL Web sites on selected IP addresses You can specify that a Web listener will listen on one or more specific IP addresses. When you do so for an HTTPS Web listener, you can choose to assign a single certificate to all of the IP addresses, or to assign a different certificate to each IP address. Assigning a different certificate to each IP address enables you to publish several sites over HTTPS by using the same Web listener, without using a wildcard certificate. For example, you can publish mail.contoso.com by using a certificate with that name on one IP address, and team.contoso.com by using a certificate with that name on a different IP address.Alternatively, you can publish multiple Secure Sockets Layer (SSL) Web sites by using a single Web listener and a wildcard certificate. For instructions for implementing this scenario, see the Microsoft TechNet article Using wildcard certificates (http://technet.microsoft.com/en-us/library/cc441561.aspx).By using the same listener for several sites, you can take advantage of the Forefront TMG 2010 single sign-on (SS0) feature, which requires a common Web listener for all of the SSO sites.Authentication You can create Web publishing rules that allow or deny access to a set of computers or to a group of users. If the rule applies specifically to users, Forefront TMG 2010 checks the incoming Web request properties to determine how the user will be authenticated. For example, a Web publishing rule might allow access only to specific users. Forefront TMG 2010 will authenticate the user requesting the object, to determine whether the Web publishing rule allows the requesting user access. The user must authenticate, using one of the authentication methods specified for the incoming Web requests.Forefront TMG provides a secure, encrypted logon environment for browsers that support Microsoft Windows NT® Challenge/Response authentication, and for other browsers that use Basic authentication. Authentication methods can be set for all IP addresses on the server, or separately for each IP address.Single sign-on (SSO) enables your users to move safely from one application to another, without having to reauthenticate. SSO is configured on the Single Sign On Settings page of the New Web Listener Wizard, and is available for HTML forms-based authentication.For more information about authentication in Forefront TMG, see the Microsoft TechNet article Overview of client authentication (http://technet.microsoft.com/en-us/library/cc995161.aspx).Limiting concurrent connections By limiting the number of client connections allowed simultaneously to the Forefront TMG 2010 computer, you can prevent attacks that may overwhelm the system's resources. This is particularly useful when publishing servers.
Single sign-on (SSO) enables users to authenticate once to Microsoft Forefront Threat Management Gateway and then, without reauthenticating, access all of the Web sites with the same domain suffix that Forefront TMG 2010 publishes on a specific Web listener. Web sites can include Microsoft® Outlook® Web Access and Microsoft® SharePoint® Server sites, as well as standard Internet Information Services (IIS) Web sites.A typical example of SSO is a user who logs on to Outlook Web Access by providing credentials on a form. In one of the e-mail messages that the user receives, there is a link to a document that is stored on a SharePoint server. The user clicks the link, and the document opens without an additional request for authentication. This example relies on the use of persistent cookies.Security notes As long as a user's browser process is still running, that user is logged on. For example, a user logs on to Outlook Web Access. From the Microsoft Internet Explorer menu, the user opens a new browser window and then navigates to another site. Closing the Outlook Web Access window does not end the session, and the user is still logged on.When enabling SSO, be sure to provide a restrictive SSO domain. Providing an inclusive domain, such as .co.uk, allows the Web browser to send the Forefront TMG SSO cookie to any Web site in that domain, creating a possible security risk.In a scenario where you create a Web listener that uses forms-based authentication with RSA SecurID validation and you enable Collect additional delegation credentials in the form, Forefront TMG 2010 does not verify whether a user enters the same or a different name for the additional credentials.Note: There is no support for SSO between different Web listeners. SSO is supported for published Web sites whose host names have the same DNS suffix after the first dot. For example, you can configure SSO when publishing mail.fabrikam.com and team.fabrikam.com by specifying .fabrikam.com as the SSO domain. However, you cannot configure SSO for mail.fabrikam.com and mail.contoso.com. In addition, a DNS suffix specified as an SSO domain must consist of at least two segments separated by an embedded dot. For example, .fabrikam.com and .portal.fabrikam.com are valid SSO domains, but .com is not a valid SSO domain.
Server farm load balancing enables administrators of Microsoft Forefront Threat Management Gateway to publish a farm of Web servers that perform the same role or host the same content to do the following:Implement load balancing to distribute requests evenly among available Web servers.Detect offline servers and implement consistent failover.Allow the draining, removal, and addition of servers without disrupting current connections.Although you can publish a hardware load balancing device to balance traffic to Web servers, Forefront TMG 2010 server farm load balancing provides a number of advantages.Hardware load balancing devices may use source IP addresses to balance requests, and this may not be viable when balancing requests from clients situated behind network address translation (NAT) devices. For Web publishing requests, if Forefront TMG 2010 is not configured to forward the original client IP address to the published server, the source IP address for requests will be that of the Forefront TMG 2010 computer.Although one solution to the source IP address issue is to configure Forefront TMG 2010 to forward the original client IP address, this may be difficult to scale. It requires the Forefront TMG 2010 computer to be configured as the default gateway on published servers, so that the published server directs responses to the Internet to the Forefront TMG 2010 computer.The server farm load balancing feature eliminates the need to purchase a load balancing hardware device, thus saving costs. Creating server farms Forefront TMG allows you to group Web servers that share the following characteristics:All servers in the farm contain the same information, for example, mirrored servers.All servers in the farm perform the same function, for example, published Microsoft Outlook Web Access servers.Web servers are grouped into a farm by creating a server farm. Forefront TMG treats all the Web servers in the farm as a single entity. When you create a server farm, you specify the following:The computer names or IP addresses of the Web servers to be included in the farm. Computer names must be resolvable to IP addresses.A method for monitoring connectivity to each server in the farm. The possible methods include sending an HTTP GET request, a PING request, or a request to establish a TCP connection to a specific port. Based on the method you choose, Forefront TMG 2010 automatically creates a connectivity verifier for testing connectivity to all the servers in the farm. A connectivity verification request is sent every 30 seconds to each farm member, and the response time is compared with a default time-out response threshold of 5,000 milliseconds. Forefront TMG 2010 uses the response to determine the state of servers in the farm. Note the following limitations when you select sending an HTTP GET request as the connectivity verification method for server farm monitoring:Sending HTTP GET requests is supported only for servers whose names do not contain non-English characters.The host name in the URL that you specify should be an asterisk (*). Forefront TMG 2010 will replace the asterisk with the name of each server in the farm. For example, if you have a farm with the servers A and B, and you specify http://*/status.htm as the URL, Forefront TMG will use the URLs http://A/status.htm and http://B/status.htm for checking connectivity.In most cases, you must enable the Allow HTTP/HTTPS Requests from Forefront TMG to Selected Servers for Connectivity Verifiers system policy rule. However, if you specify a non-standard port in the URL (for example, http://*:88/status.htm), the predefined system policy rule cannot be used. Instead, you must create a custom access rule to allow HTTP and HTTPS traffic from Forefront TMG to the server farm on the custom port.When you select sending an HTTP GET request as the connectivity verification method, you can specify a custom Host header to be included in the connectivity verification request. This is useful if a Web application published by the server farm requires a specific Host header.After creating the server farm using the New Server Farm Wizard, you can configure the following additional properties on the property pages of the server farm:Modify the time-out response threshold of the connectivity verifier. By default, Forefront TMG 2010 sets the time-out response threshold to 5,000 milliseconds.For monitoring purposes, you can specify that an alert should be triggered if a response is not received within the time period specified.Load balancing and client affinity Forefront TMG can use session affinity (cookie-based load balancing) or IP address affinity (source IP address-based load balancing) to implement the load balancing algorithm.Session affinitySession affinity uses a cookie to identify the client and to maintain its affinity with a specific Web server. This function requires a browser that can accept HTTP cookies. Cookies are supported by all HTTP 1.1-compliant browsers and by some versions of HTTP 1.0 browsers. Session affinity is maintained until the browser is closed on the client computer.The aim of session affinity is to evenly disperse client sessions (where a session is a number of consecutive Web requests that share the same TCP connection) among farm members. Session affinity does not support an uneven distribution of requests (for example, 50 percent of traffic to Server 1 in the farm, 20 percent of traffic to Server 2, and so on). Instead, session affinity uses a round-robin mechanism to ensure that browser sessions with a Web application serviced by a server farm are distributed evenly among farm members that are online.When session affinity is used, if a Web server, such as Web Server 1, goes out of service, the clients that are associated with it will be directed by Forefront TMG 2010 to another server, such as Web Server 2. The context of the Web session is lost when this happens. When Web Server 1 becomes available again, client affinity is maintained with Web Server 2 until the session ends. All replies to HTTP requests originating from a client browser session are sent to the original client. We recommend that you use session affinity when possible, because it provides more reliable client affinity when a Web server is restarted. This is sometimes referred to as client stickiness. Stickiness is ensured using a cookie inserted by Forefront TMG in the response to client requests. The cookie is sent by the client’s browser in further requests and indicates the server in the farm to which Forefront TMG should connect.Session affinity is suited to publishing Outlook Web Access servers and SharePoint sites. It is not useful in Exchange RPC-over-HTTP publishing, where the client application is an instance of Outlook rather than a Web browser, and it cannot handle cookies.IP address affinityWith IP address affinity, when Forefront TMG receives a request, it determines which Web server in the farm should handle it, based on the client's IP address. Every request from that IP address will be sent to the same Web server, so affinity is maintained.The aim of IP address affinity is to evenly disperse requests from different IP addresses among farm members. The even spread is preserved during failover. For failover, servers that are not responding are detected, and the load is distributed among available servers. Forefront TMG 2010 administrators can remove a server from a farm in a two-step process without disconnecting existing client requests.When IP address-based affinity is used, if a Web server goes out of service, the clients that are associated with it will be directed by Forefront TMG 2010 to another server. The context of the Web session is lost when this happens. Similarly, when that Web server is restarted, requests from those clients are directed to the original Web server, and the context is lost again.IP address-based affinity has an advantage over session affinity in that it supports clients that are not fully compliant with HTTP 1.1 (clients that do not support HTTP cookies), such as some mobile devices. IP address affinity should not be used when remote clients are located behind a NAT device, or if Forefront TMG 2010 functions as an upstream server, and sees only the IP address of the downstream Forefront TMG 2010 computer. In this case, you should use session affinity only.IP address affinity is particularly useful in an Exchange RPC-over-HTTP scenario, where session affinity cannot be used because cookies are not supported by the Outlook client application.
Web pages returned from a Web server published by a Forefront TMG 2010 Web publishing rule may include links containing internal names of computers or Web sites and internal paths to Web content. Because external clients cannot resolve these internal names, these links are broken unless the internal names are replaced with the public names of published Web sites. Forefront TMG 2010 includes a built-in Web filter named Link Translation Filter, which uses mappings to translate internal names in links on Web pages to publicly resolvable names. Each mapping translates an internal URL (or part of a URL) to a public equivalent. For example, a mapping can translate the internal URL http://team to the public URL https://www.team.contoso.com for external users. Link translation mappings are stored in tables called link translation dictionaries.When link translation is enabled for a Web publishing rule, a default link translation dictionary is automatically created for each public name of the rule that does not contain a wildcard character (*).Forefront TMG 2010 includes link translation support for all published Web content, including support for Web publishing rules that publish servers running Microsoft Exchange Server and Microsoft Office SharePoint Server. Link translation is not applied to rules that publish FTP servers over HTTP.Types of mappings When link translation is enabled for a Web publishing rule, links in content sent from the published Web site to a client are translated according to the following mappings, which are stored in the effective link translation dictionary for the rule:Implicit mappings of the rule – These mappings are added automatically and map the internal name (or IP address) of the server published by the Web publishing rule to the public name (or IP address) of the Web site, or if there are multiple public names, to one of its public names. Local mappings – The user creates these mappings for the rule, and they map a string containing an internal host name to a string containing a publicly resolvable host name. The string to be translated must contain at least four characters. A local mapping can override an implicit mapping of the rule. Local mappings are not added automatically to the effective link translation dictionaries of other rules.Implicit mappings of other rules – These mappings are automatically added to the effective link translation dictionary of every Web publishing rule that is defined and enabled and has link translation enabled on the Forefront TMG computer. These mappings are derived from the implicit mappings defined in each Web publishing rule on the Forefront TMG computer. Global mappings – The user creates these mappings for the Forefront TMG computer, and they apply to all Web publishing rules in the Forefront TMG 2010 computer. These mappings override conflicting implicit mappings of other rules. Adding local mappingsLocal mappings can be defined for a Web publishing rule on the Locally Defined Mappings page. To open this page, on the Properties page for the rule, on the Link Translations tab, click Configure. To create a local mapping, you need to specify a string containing the internal name (or IP address) of a Web site or host and a string containing the publicly resolvable name to which the internal name should be translated. The translated name is typically the public name that can be accessed by external clients, such as the fully qualified domain name (FQDN) or IP address of the Forefront TMG 2010 computer. Note that in the same rule, you cannot define more than one local mapping for a string to be translated. Adding global mappingsGlobal mappings can be defined on the Global Mappings tab of the Link Translation properties. To create a global mapping, you need to specify an internal URL and the public URL to which the internal URL should be translated. The internal URL typically contains the name (or IP address) of an internal Web site or host. The translated URL is typically the public name that can be accessed by external clients, such as the FQDN or IP address of the Forefront TMG 2010 computer. The URLs specified in user-defined global mappings must begin with a valid protocol (http:// or https://).
Virtual private network (VPN) technology enables cost-effective, secure, remote access to private networks. With a VPN, you can extend your private network across a shared or public network, such as the Internet, in a manner that emulates a point-to-point private link. By using the Forefront TMG computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the Forefront TMG firewall policy.About Forefront TMG VPNsForefront TMG 2010 supports two types of VPNs: Remote access VPN – Provides roaming users with secure remote access to the internal networkSite-to-site VPN – Enables quick connectivity between sites, for example between a main office and its branch offices. Note: All VPN connections to Forefront TMG are logged to the Firewall log, so that you can monitor them. Forefront TMG implements Windows Server VPN technology. For a description, see What Is VPN? (http://go.microsoft.com/fwlink/?LinkId=160092). When reading this content, keep in mind the functional differences between Windows Server 2003 and later versions of Windows as documented in What's New in Routing and Remote Access in Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160094).
Network Access Protection (NAP) consists of several components and architecture models that work in conjunction to provide security for the network. The infrastructure of NAP supports the different servers required to validate, remediate and provide health certificates. The enforcement methods used by NAP (802.1x, DHCP, VPN, NPS RADIUS and IPSec) provide flexibility in determining the appropriate method for securing client access to your network.
NAP Support in TMG 2010 allows you to define levels of network access based on a client’s identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation), and then dynamically increases its level of network access.
Remote Access Quarantine Service (RQS) and Remote Access Quarantine Client (RQC).
Used in combination with Forefront TMG 2010, NAP can enforce a health policy when client computers attempt to connect to the network by using a VPN connection. VPN enforcement provides strong limited network access for all computers accessing the network through a VPN connection. Configuring NAP on the NPS includes the following tasks:Installing the NPS roleSetting Forefront TMG as a RADIUS clientCreating system health validators and policiesCreating network policiesCreating connection request policiesEnabling the NAP service on NAP-capable client computers