4. Forefront Edge Security and Access Products
The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
Before / Now
Network Protection – Integrated and comprehensive protection from Internet-based threats
Network Access – Unified platform for all enterprise remote access needs
5. The Threat Landscape
Vulnerabilities down, threats up
Increasing sophistication of threats
Threats moving to the application layer
Rising threats
Phishing
Spam and malicious e-mail
Blended threats
6. Forefront TMG Value Proposition
Firewall – Control network policy access at the edge
Secure Web Gateway – Protect users from Web browsing threats
Secure E-mail Relay – Protect users from e-mail threats
Remote Access Gateway – Enable users to remotely access corporate resources
Intrusion Prevention – Protect desktops and servers from intrusion attempts
Comprehensive, Integrated, Simplified
7. Forefront TMG Deployment Scenarios
Unified Threat Management (UTM)
• All-in-one solution for medium businesses
• Firewall, VPN, Web security, IPS, e-mail relay in a single box
Secure Web Gateway
• Authenticating proxy with security
• Web antivirus and URL filtering
• Inspection of HTTP and HTTPS traffic
Remote Access Gateway
• Secure Web publishing
• Dial-in VPN
• Site to site VPN
Secure E-mail Relay
• Antispam
• Antivirus
• E-mail filtering
9. Features Summary
Comparing with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
Network layer firewall
Application layer firewall
Internet access protection (proxy)
Basic OWA and SharePoint publishing
Exchange publishing (RPC over HTTP)
IPSec VPN (remote and site-to-site)
Web caching, HTTP compression
New in Forefront TMG:
Windows Server® 2008 R2, 64-bit (only)
Web antivirus, antimalware
URL filtering
E-mail antimalware, antispam
Network intrusion prevention
Enhanced UI, management, reporting
10. Forefront TMG Licensing
Two editions and two Client Access Licenses (CALs)
Enterprise Edition – Scalability and management
Standard Edition – Full UTM
Subscriptions – Web protection, E-mail protection
11. Comparing Forefront TMG Editions
Standard Edition vs. Enterprise Edition
Number of CPUs: Standard Edition up to 4 CPUs; Enterprise Edition unlimited
Array/NLB/CARP support
Enterprise management: Yes, with added ability for EMS to manage SEs
Publishing
VPN support
Forward proxy/cache, compression
Network IPS (NIS)
E-mail protection: Requires Microsoft® Exchange Server License (Server + CALs) and installation by the admin
12. Subscriptions
Subscription-based licenses
Sold as Client Access Licenses (CALs)
Charged per user/per year
Protection Components
E-mail protection: Antispam, Antivirus
HTTP protection: Antimalware, URL filtering
Network Inspection System is free!
13. Translating Licenses
Today → At Launch
ISA Server SE → Forefront TMG 2010 SE
ISA Server EE → Forefront TMG 2010 EE
Covered by Software Assurance
Available per user/device, per year → Forefront TMG 2010 EE
15. System Requirements
Minimum / Recommended
Processor: 2 core (1 CPU x dual core) 64-bit processor / 4 core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
Memory: 2 gigabytes (GB) of memory / 4 gigabytes (GB) of memory
Hard Disk Space: 2.5 GB of available hard disk space* / 2.5 GB of available hard disk space*
Hard Disks: One local hard disk partition formatted with NTFS / Two disks for system and logging, and one for caching and malware inspection
Network: One network adapter for communicating with the internal network / One network adapter for each network connected to the Forefront TMG 2010 server
Operating System: Windows Server® 2008 x64 with Service Pack 2, or Windows Server® 2008 R2
* Exclusive of the hard disk space used for caching and for storing temporary files
16. Installation Prerequisites
Basic installation
Connected to the network, with DNS server settings configured
Required operating system components:
Windows® Roles and Features
Microsoft® .NET Framework 3.5 SP1
Windows Web Services API
Windows Installer 4.5
Preparation Tool installs the required components
For the Secure Mail Relay usage scenario
Exchange Edge Transport Role
Microsoft® Exchange Server 2007 with Service Pack 1, or
Microsoft® Exchange Server 2010
Microsoft® Forefront™ Protection 2010 for Exchange Server
20. Configuring Network Settings
Network Setup Wizard
Select the network topology used:
Edge firewall
3-Leg perimeter
Back firewall
Single network adapter
21. Configuring Network Settings
Network Setup Wizard
Define the IP configuration for each network adapter
Assign each adapter to the appropriate network
23. Configuring Deployment Settings
Deployment Wizard
Activate subscription licenses
Enable malware protection and intrusion prevention
Configure signature update schedule and response policy
Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
27. Configuration Concepts
Networks
[Diagram of the Forefront TMG network model: External (Internet, ISP 1, ISP 2), DMZ (DMZ EXT, DMZ INT), Internal (LAN 1, LAN 2, LAN 3, Branch), Local Host and VPN Clients, with TMG at the centre]
28. Configuration Concepts
Networks
The Networks configuration models the enterprise network infrastructure
A Network contains all IP addresses reachable through its network adapter
Networks cannot overlap with other Networks
Static or dynamic
30. Configuration Concepts
Network Sets
Network Sets are used to group one or more networks
Defined by selecting the networks included in the set (Include) or a set of networks excluded from the set (Exclude)
Used in the definition of network and policy rules
31. Configuration Concepts
Network Rules
Define allowed traffic flows
Determine the relationship between two networks:
Route – Bi-directional; source address not modified
NAT – Uni-directional; source address is modified; required for non-Web access and Server Publishing rules
Web proxy filter ignores network rules
34. Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
35. Single Adapter Scenario
Forefront TMG supports using a single network adapter
Supported scenarios
Secure Web Gateway (forward Web proxy and cache)
Web Publishing (reverse Web proxy and cache)
Remote client VPN access
Unsupported scenarios
Application layer inspection (except for Web proxy)
Server publishing
Non-Web clients
Firewall client
Secure NAT
Site-to-site VPNs
36. Single Adapter Scenario
[Diagram of the single adapter scenario: TMG with one adapter on the Internal network (LAN 1, LAN 2, LAN 3, VPN Clients) and the Internet reached through that same network; Local Host represents the TMG computer]
37. Common Configuration Mistakes
Multiple default gateways
Define only one default gateway
Not adding reachable addresses to networks
Ensure all reachable addresses added
DNS resolution issues
DNS server list is system wide, not per adapter
Use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
39. Lab 1: Forefront TMG Installation
In this lab, you will:
Install Forefront TMG on a Windows Server® 2008 R2 server
Perform an initial configuration of Forefront TMG using the Getting Started wizards
Lab 1 - Exercises 1 and 2
Estimated completion time: 45 min
System Requirements
Supported operating systems: Windows Server 2008 SP2 or Windows Server 2008 R2
Minimum system requirements:
A computer with a 2 core (1 CPU x dual core) 64-bit processor
2 gigabytes (GB) or more of memory
2.5 GB of available hard disk space (this is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection)
One local hard disk partition that is formatted with the NTFS file system
One network adapter that is compatible with the computer's operating system, for communication with the Internal network
An additional network adapter for each network connected to the Forefront TMG server
Recommended system requirements:
Supported operating systems: Windows Server 2008 SP2 or Windows Server 2008 R2
A computer with a 4 core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
4 gigabytes (GB) or more of memory
2.5 GB of available hard disk space (this is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection)
Two disks for system and TMG logging, and one for caching and malware inspection
One network adapter that is compatible with the computer's operating system, for communication with the Internal network
An additional network adapter for each network connected to the Forefront TMG server
Before installing Forefront TMG 2010, you must run the Preparation Tool to verify that the applications which are required for the successful installation of Forefront TMG 2010 are installed on your computer. If you run Forefront TMG 2010 Setup without first running the Preparation Tool, the installation of Forefront TMG 2010 may fail if the computer does not have the required applications installed. These applications are:
Windows Roles and Features
Microsoft .NET 3.5 Framework SP1
Windows Web Services API
To run the Preparation Tool
Insert the Forefront TMG 2010 DVD into the DVD drive, or run autorun.hta from a shared network drive.
On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.
On the main setup page, click Run Preparation Tool to launch the Preparation Tool.
On the Installation Type page, select the required installation type option: Forefront TMG services and Management; Forefront TMG Management only; or Enterprise Management Server (EMS) for centralized array management. The Preparation Tool downloads and installs the prerequisite applications, according to the selected Forefront TMG installation type.
On the main setup page, click Run Installation Wizard to launch the Forefront TMG Installation Wizard.
On the Installation Type page, click the Forefront TMG Services and Management button.
On the Installation Path page, specify the Forefront TMG 2010 installation path.
On the Define Internal Network page, click Add, click Add Adapter, and then select the adapter which is connected to the main corporate network.
Note: If you are installing Forefront TMG on a computer with a single network adapter, all IP address ranges should be configured for the Internal network, except for the following: 0.0.0.0; 255.255.255.255; 127.0.0.0-127.255.255.255 (Local Host); 224.0.0.0-254.255.255.255 (multicast).
On the Ready to Install the Program page, click Install.
Adding IP addresses to the Internal network
On the Addresses page, select any of the following methods to add addresses to the Internal network:
Add Range – Adds a range of IP addresses. You must specify the beginning and ending IP address in the range; for example, 10.0.0.1 to 10.0.0.255.
Add Adapter – Selects a network adapter. The IP addresses that are included in the Internal network are based on the IP address and subnet mask of the selected adapter.
Add Private – Adds IP addresses defined as non-routable IP addresses, based on Request for Comment (RFC) 1918, and on the Automatic Private IP Addressing (APIPA) feature.
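As an added example (not from the original training material), the address-set construction described above in Python: the three Add methods, the single-adapter exclusions from the note, and the rule that TMG networks must not overlap. The function names and the sample adapter and range values are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# A TMG address range: inclusive first and last address.
Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# "Add Private": the RFC 1918 blocks plus the APIPA block (169.254.0.0/16).
PRIVATE_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

# Ranges that must stay out of the Internal network on a single-adapter server
# (the exclusions listed in the installation note above).
SINGLE_ADAPTER_EXCLUSIONS = [
    ("0.0.0.0", "0.0.0.0"),
    ("255.255.255.255", "255.255.255.255"),
    ("127.0.0.0", "127.255.255.255"),  # Local Host
    ("224.0.0.0", "254.255.255.255"),  # multicast
]

def add_range(first: str, last: str) -> Range:
    """Add Range: an explicit first/last address pair, e.g. 10.0.0.1 to 10.0.0.255."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start must not be after range end")
    return (lo, hi)

def add_adapter(adapter_ip: str, subnet_mask: str) -> Range:
    """Add Adapter: the whole subnet derived from the adapter's IP address and mask."""
    net = ipaddress.IPv4Network(f"{adapter_ip}/{subnet_mask}", strict=False)
    return (net.network_address, net.broadcast_address)

def add_private() -> List[Range]:
    """Add Private: RFC 1918 and APIPA address space."""
    nets = [ipaddress.IPv4Network(b) for b in PRIVATE_BLOCKS]
    return [(n.network_address, n.broadcast_address) for n in nets]

def subtract(ranges: List[Range], exclusions: List[Tuple[str, str]]) -> List[Range]:
    """Remove every exclusion range from ranges; returns sorted, non-overlapping ranges."""
    pieces = [(int(lo), int(hi)) for lo, hi in ranges]
    for ex_lo, ex_hi in exclusions:
        lo, hi = int(ipaddress.IPv4Address(ex_lo)), int(ipaddress.IPv4Address(ex_hi))
        kept = []
        for s, e in pieces:
            if hi < s or lo > e:  # disjoint from the exclusion: keep unchanged
                kept.append((s, e))
                continue
            if s < lo:  # the part before the exclusion survives
                kept.append((s, lo - 1))
            if e > hi:  # the part after the exclusion survives
                kept.append((hi + 1, e))
        pieces = kept
    return [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)) for s, e in sorted(pieces)]

def single_adapter_internal() -> List[Range]:
    """Internal network for a single-adapter install: every address except the exclusions."""
    return subtract([add_range("0.0.0.0", "255.255.255.255")], SINGLE_ADAPTER_EXCLUSIONS)

def ranges_overlap(a: Range, b: Range) -> bool:
    return int(a[0]) <= int(b[1]) and int(b[0]) <= int(a[1])

def find_overlaps(networks: Dict[str, List[Range]]) -> List[Tuple[str, str]]:
    """Pairs of TMG networks whose address ranges overlap (TMG does not allow this)."""
    names = list(networks)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(ranges_overlap(x, y) for x in networks[a] for y in networks[b])]

def uncovered(network: List[Range], reachable: List[str]) -> List[str]:
    """Reachable addresses that the network definition leaves out (a common mistake)."""
    return [a for a in reachable
            if not any(lo <= ipaddress.IPv4Address(a) <= hi for lo, hi in network)]

def fmt(ranges: List[Range]) -> List[str]:
    return [f"{lo}-{hi}" for lo, hi in ranges]

if __name__ == "__main__":
    print("single-adapter Internal network:", fmt(single_adapter_internal()))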
Use the Forefront TMG Getting Started Wizard to configure or modify initial deployment settings. The wizard contains the following three sub-wizards:
Network Setup Wizard – Use to configure network adapters on the server. Network adapters are associated with a unique Forefront TMG network.
System Configuration Wizard – Use to configure operating system settings, such as computer name information, and domain or workgroup settings.
Deployment Wizard – Use to configure malware protection for Web traffic, and to join the customer feedback program and telemetry service.
After Forefront TMG installation, you can run the Getting Started Wizard to configure basic deployment settings, including changing network adapter settings, making policy updates, and joining the server to a workgroup or domain.
The following Forefront TMG network topologies are available:
Edge firewall – In this topology, Forefront TMG is located at the network edge, where it serves as the organization's edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
3-Leg perimeter – This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
Back firewall – In this topology, Forefront TMG is located at the network's back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
Single network adapter – This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet. For more information, see the Microsoft TechNet article About single network adapter topology (http://technet.microsoft.com/en-us/library/ee191507.aspx).
You can configure the settings for your Forefront TMG network topology using the Network Setup Wizard.
To configure your network topology settings
In the Getting Started Wizard, click Configure network settings.
On the Network Template Selection page of the Network Setup wizard, select the option that most closely matches your Forefront TMG network topology.
On the Local Area Network (LAN) Settings page of the wizard, in Network adapter connected to the LAN, click the adapter connected to the main corporate network, and enter an IP address. If you selected to apply the single network adapter template, you have the additional option of using a dynamic IP address allocated by DHCP. If you selected a setting other than the single network adapter template, only a static IP address is supported for this adapter. In Specify additional array topology routes, click the Add button to add static routes for the array topology route.
On the Internet Settings page of the wizard, click the adapter connected to the Internet. You should set a default gateway on only one of the Forefront TMG network adapters. This is usually the network adapter associated with the Internet. Configure only a single default gateway on a network adapter. If your Internet service provider (ISP) allocates a dynamic IP address, click the Obtain an IP address automatically button. If your ISP allocates a static IP address, click the Use the following IP address button.
If you have a third network adapter, on the Perimeter Network Settings page of the wizard, click the network adapter connected to the perimeter network. If you want to apply network address translation (NAT) to traffic between the perimeter network and the LAN, hiding internal IP addresses, in What type of IP addresses do servers in the perimeter networks use, click the Public button. Traffic between the perimeter network and the Internet is routed. If you want to apply NAT to traffic between the perimeter network and the Internet, hiding internal IP addresses, in What type of IP addresses do servers in the perimeter networks use, click the Private button. Traffic between the perimeter network and the LAN is routed, exposing internal addresses.
To configure your server and system settings
1. In the Getting Started Wizard, click Configure system settings.
2. On the Host Identification page of the System configuration wizard, in the Computer name box, enter the name of the Forefront TMG server.
3. In Member of, define whether the server is a member of a Windows domain or workgroup, as follows:
If you select Windows domain, the domain name is used as the primary Domain Name System (DNS) suffix, and you do not need to modify this setting. You will be required to restart the computer.
If you select Workgroup, you may want to explicitly add a primary DNS suffix in order to register the computer in the correct zone, if allowed by DNS.
You can configure your deployment settings using the Deployment Wizard.
To configure your deployment settings
1. In the Getting Started Wizard, click Define deployment options.
2. On the Microsoft Update Setup page of the Deployment wizard, click Use the Microsoft Update service to check for updates (recommended) to specify that the Microsoft Update service should be used to obtain malware definition updates.
3. On the Forefront TMG Protection Features Settings page of the wizard, do the following:
a. For Network Inspection System, select to activate the complimentary license and enable Network Inspection System (NIS).
b. For Web Protection, select the license activation type for Web protection. If you selected Activate purchased license and enable Web Protection, enter the license key and expiration date of the purchased license.
c. If you want to scan requested HTTP content allowed by access rules for malware, such as viruses and spyware, select Enable malware inspection.
4. On the NIS Signature Update Settings page of the wizard, for Select automatic update action, select the type of action to deploy when there are new or updated signature sets.
5. For New Signature Set Configuration, select the response policy option for new signatures.
6. On the Customer Feedback page of the wizard, if you want to participate in the Customer Experience Improvement Program, click Yes, I am willing to participate anonymously to join the Customer Experience Improvement Program. This program helps Microsoft to improve the quality and reliability of Forefront TMG. If you join the program, Microsoft collects anonymous information about hardware configuration, use of software and services, and trend patterns. No personally identifiable information is collected.
7. On the Microsoft Telemetry Reporting Service page, do one of the following:
Click the Basic button to send basic information to Microsoft regarding filtered URLs, URL category overrides, potential threats, and the response taken.
Click the Advanced button to provide information to Microsoft about potential threats including traffic samples and full URL strings.
Click the None button to decline participation in the service.
Forefront TMG supports unlimited network adapters in accordance with hardware limitations. An adapter may have zero or more addresses. Each address can only belong to one network (be associated with exactly one network adapter). There should be no overlap of address ranges on a network.
When creating or editing a network on your Forefront TMG server, for the following network types, you can specify an IP address range or select a network adapter associated with the network you are configuring:
Internal network
Perimeter network
External network
IP addresses for network adapters associated with the same network should be identical on each array member.
You can select a network adapter for your network by running the Create a New Network Wizard or editing a selected network. The list of network adapter settings configured in Windows Server is logged to the Network Adapters tab in the Networking node. You can edit the network adapter settings.
Note: After adding a network adapter to the network you are creating or editing, it is recommended that you not change or rename the network adapter configured for your server.
Forefront TMG networks represent your corporate network topology. Generally, a network is defined for each network adapter installed and enabled on the computer. Networks that do not require associated network adapters are the Local Host network, which represents Forefront TMG, and virtual private networks.
When deployed at the edge of your network, Forefront TMG should be configured with at least two network adapters:
One connected to the Forefront TMG Internal network that represents the main corporate network.
One connected to the Forefront TMG External network that usually represents the Internet.
The External network is defined dynamically, based on the IP address ranges of other networks. You can configure the IP address range and other properties of the Internal network. If three or more adapters are available, you can also configure the properties of one or more perimeter networks. You can configure a dial-up connection on one network only (for example, to dial up for Internet access).
A Network Set is a set of one or more networks. You can use network sets to specify a source or destination in firewall policy rules.
There are two types of network sets, Exclude and Include.
Exclude network sets are defined by selecting a set of networks excluded from the network set. The network set contains all the networks that are not selected.
Include network sets are defined by selecting the networks that are included in the network set.
Network sets (Include or Exclude) are used to group networks and are used in Network Rules and Policy Rules.
Enhanced NAT is used (for example) by SMTP publishing for Sender ID compatibility.
Forefront TMG controls internal network access by enforcing policies that determine whether or not connections between networks are allowed. These policies may be of the following types:
Firewall policy – Inspects and filters connections between the internal network and the Internet. The firewall policy is made up of the following rule sets:
Access rules – Control outbound Web access, that is, access from internal computers to the Internet.
Web publishing rules – Control inbound access to published Web servers.
Server publishing rules – Control inbound access to published non-Web servers.
System policy – Controls traffic to and from the Local Host network (the Forefront TMG server) to allow traffic and protocols necessary for Forefront TMG to perform authentication, domain membership, network diagnostics, logging, and remote management. Forefront TMG provides a predefined rule set, which is created during system installation. You can enable or disable individual rules, and modify rule destinations, but you cannot delete existing rules or create new rules.
Network rules – Specify that resources in one network are allowed to communicate with resources in other networks, and what type of relationship (either routing or NAT) exists between the source and destination.
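Added example, not TMG's own code: a simplified model of how an ordered list of network rules and Include/Exclude network sets relates two networks, showing the bi-directional Route and uni-directional NAT behaviour described above. The three-leg topology, the rule names and TMG_ADDRESSES are constructed assumptions; the model covers traffic handled by the Firewall service, since the Web proxy filter ignores network rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 3-leg topology. The External network is not listed: TMG defines it
# dynamically as every address that belongs to no other network.
NETWORKS: Dict[str, List[str]] = {
    "Local Host": ["127.0.0.0/8"],
    "Internal": ["10.0.0.0/16"],
    "Perimeter": ["192.168.100.0/24"],
}
# Constructed: TMG's own address on each adapter, used as the NAT source address.
TMG_ADDRESSES = {"Perimeter": "192.168.100.1", "External": "203.0.113.10"}

def network_of(address: str) -> str:
    """Map an IP address to the TMG network that contains it."""
    ip = ipaddress.IPv4Address(address)
    for name, blocks in NETWORKS.items():
        if any(ip in ipaddress.IPv4Network(b) for b in blocks):
            return name
    return "External"

@dataclass
class NetworkSet:
    """Include set: exactly the listed networks. Exclude set: every network except them."""
    networks: List[str]
    exclude: bool = False

    def contains(self, network: str) -> bool:
        member = network in self.networks
        return (not member) if self.exclude else member

@dataclass
class NetworkRule:
    name: str
    source: NetworkSet
    destination: NetworkSet
    relationship: str  # "Route" or "NAT"

# Constructed rule set, evaluated top to bottom like TMG's ordered network rule list.
RULES = [
    NetworkRule("Local Host Access", NetworkSet(["Local Host"]), NetworkSet([], exclude=True), "Route"),
    NetworkRule("Perimeter Access", NetworkSet(["Perimeter"]), NetworkSet(["External"]), "Route"),
    NetworkRule("Internet Access", NetworkSet(["Internal"]), NetworkSet(["External"]), "NAT"),
    NetworkRule("Internal to Perimeter", NetworkSet(["Internal"]), NetworkSet(["Perimeter"]), "NAT"),
]

def evaluate(src_ip: str, dst_ip: str) -> Optional[dict]:
    """Find the first network rule that relates the two endpoints' networks.

    Route rules match in either direction and leave the source address alone.
    NAT rules match only from source to destination and replace the source
    address with TMG's own address on the destination network.
    Returns None when no rule relates the networks, i.e. the traffic is not routable.
    """
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    for rule in RULES:
        forward = rule.source.contains(src_net) and rule.destination.contains(dst_net)
        reverse = (rule.relationship == "Route"
                   and rule.source.contains(dst_net) and rule.destination.contains(src_net))
        if forward or reverse:
            seen = TMG_ADDRESSES.get(dst_net, src_ip) if rule.relationship == "NAT" else src_ip
            return {"rule": rule.name, "relationship": rule.relationship,
                    "source_seen_by_destination": seen}
    return None

if __name__ == "__main__":
    for src, dst in [("10.0.1.20", "198.51.100.7"), ("198.51.100.7", "10.0.1.20"),
                     ("198.51.100.7", "192.168.100.5"), ("10.0.1.20", "192.168.100.5")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

The second pair shows the uni-directional NAT rule: an Internal host can reach the Internet, but nothing relates External to Internal, so inbound traffic is not routable without a publishing rule.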
Microsoft Forefront TMG can be installed on a computer with a single network adapter. Typically, you use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network and another firewall is located at the edge, protecting corporate resources from the Internet. When you install Forefront TMG on a computer with a single network adapter, Forefront TMG is only aware of two networks:
Local Host network that represents the Forefront TMG computer itself.
Internal network which includes all unicast IP addresses that are not part of the Local Host network.
In this configuration, when an internal client browses the Internet, Forefront TMG sees the source and destination addresses of the Web request as belonging to the Internal network. There is no concept of an external network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (Forefront TMG protects itself in all scenarios.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols through the Forefront TMG server.
The following scenarios are supported when running Forefront TMG with a single adapter:
Forward Web Proxy requests using HTTP, HTTPS, or FTP for downloads.
Cache Web content for use by clients on the corporate network.
Web publishing to protect published Web or FTP servers.
Microsoft® Outlook® Web Access 2007, ActiveSync®, and remote procedure call (RPC) over HTTP publishing.
Remote client VPN access.
Unsupported scenarios
There are a number of feature limitations in a single network adapter configuration:
Application layer inspection – Application-level filtering does not function, except for the Web proxy filter for HTTP, HTTPS, and FTP over HTTP traffic.
Server publishing – Server publishing is not supported. Because there is no separation of Internal and External networks, Forefront TMG cannot provide the NAT functionality required in a server publishing scenario.
Firewall clients – The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the Forefront TMG computer), and Firewall client requests are not supported.
SecureNAT clients – SecureNAT clients use Forefront TMG as a router to the Internet, and requests are handled by the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the Forefront TMG 2010 computer), and SecureNAT client requests are not supported.
Virtual private networking (VPN) – Site-to-site VPNs are not supported in a single network adapter scenario.