
Implementing Microsoft Forefront Threat Management Gateway Server®
Course Outline
Module 1: Overview of Microsoft Forefront TMG
Module 2: Installing and Maintaining TMG Server
Module 3: Enabling Access to Internet Resources
Module 4: Configuring TMG Server as a Firewall
Module 5: Configuring Access to Internal Resources
Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks
Module 7: Implementing Caching
Module 8: Monitoring Forefront TMG
Module 1: Overview of Microsoft Forefront TMG
Overview
Introducing Microsoft Forefront TMG
Deployment Scenarios for Forefront TMG
Lesson: Introducing Forefront TMG
What Are the Benefits of Forefront TMG?
Multimedia: Overview of Forefront TMG Functionality
Forefront TMG Management Interface
Forefront TMG Enterprise Edition Features
Differences Between TMG Server 2000 and Forefront TMG
What Are the Benefits of Forefront TMG?
Advanced Protection:
Multi-layer packet inspection
Unified firewall and VPN server
Multi-networking
Application-layer filtering
Ease of Use:
Efficient management tools
Network templates
Product integration
Ease of use for clients
Enhanced Performance:
Optimized for performance
Integrated functionality
Scalability
Web caching
Differences Between ISA Server 2006 and Forefront TMG
Simplified management (Deployment)
Protect users from Web browsing threats (Web Access Policy) with malware and HTTPS inspection
Protect users from e-mail threats (E-mail Policy) with antispam and antivirus
Protect desktops and servers from intrusion attempts with the Network Inspection System (NIS) as an IPS
Use Active Directory Lightweight Directory Services (AD LDS) in place of ADAM
New dashboard for monitoring
Support for VoIP
New VPN service with SSTP VPN
ISP redundancy and load balancing
Lesson: Deployment Scenarios for Forefront TMG
How TMG Server Works as an Internet Edge Firewall
How TMG Server Works as a Back-End Firewall
How TMG Server Works as a Branch Office Firewall
How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server
How TMG Server Works as a Proxy- and Caching-Only Server
How TMG Server Works as an Internet Edge Firewall
Use TMG Server to:
 Block all Internet traffic unless explicitly allowed
 Publish internal servers such as Web or Exchange servers
 Provide a VPN gateway for remote users
 Provide proxy and caching services
[Diagram: TMG Server at the Internet edge, between the LAN (Web server, Exchange server, users) and the Internet (Web server, remote VPN user)]
How TMG Server Works as a Back-End Firewall
Use TMG Server to:
 Securely publish Exchange servers
 Securely publish other internal Web servers
 Provide proxy and caching services
[Diagram: TMG Server as a back-end firewall behind a front-end firewall, publishing the LAN's Web servers and Exchange server to Internet users and remote users]
How TMG Server Works as a Branch Office Firewall
Use TMG Server to:
 Create an IPSec tunnel-mode VPN between offices
 Create a PPTP or L2TP with IPSec VPN between offices
 Inspect and filter all traffic between offices
 Provide secure access to the Internet at the branch office
[Diagram: VPN tunnel across the Internet between the branch office LAN (TMG Server) and corporate headquarters (TMG Server or other VPN gateway)]
How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server
Use TMG Server to:
 Provide proxy and caching services to conserve Internet bandwidth
 Configure dial-up connections to the Internet
 Block all inbound network traffic
 Provide secure configurations using network templates and server publishing wizards
[Diagram: TMG Server with an ISP dial-up connection between the LAN (server, users) and the Internet (Web server)]
How TMG Server Works as a Proxy- and Caching-Only Server
Use TMG Server with a single network adapter to provide proxy and caching services
Deploying TMG Server with a single network adapter means that it does not provide additional security functionality
[Diagram: single-adapter TMG Server on the LAN behind a separate firewall, proxying user requests to Internet Web servers]
Module 2: Installing and Maintaining TMG Server
Overview
Installing Forefront TMG
Choosing TMG Server Clients
Installing and Configuring TMG Clients
Advanced TMG Client Configuration
Securing Forefront TMG
Maintaining Forefront TMG
Lesson: Installing Forefront TMG
System and Hardware Requirements for Forefront TMG
Installation Types and Components
Configuration Choices During Installation
How to Perform an Unattended Installation of Forefront TMG
How to Verify an Installation of Forefront TMG
Default Configuration for Forefront TMG
How to Modify the TMG Server Installation
Upgrade Options from TMG Server 2000 to Forefront TMG
Preparation for TMG
TMG will only run on 64-bit Windows Server 2008. There will be a 32-bit demo version after TMG goes RTM, but there won't be any beta versions that run on 32-bit Windows
TMG requires at least 2 GB of memory (it will probably run on less, but not very quickly)
2.5 GB of disk space
At least one NIC (although I always recommend two or more NICs to provide true security)
You must install to the default folder on the C: drive
TMG will install IIS 7 on your machine in order to support SQL Reporting Services. If you remove TMG from the machine, IIS 7 will not be removed for you and you will need to do that manually
Services and driver files for TMG are installed in the TMG installation folder
System and Hardware Requirements for Forefront TMG
Operating system: Windows Server 2008, 64-bit
CPU: 1.8 GHz (2 cores)
RAM: 2 GB
Hard disk format: NTFS
Hard disk space: 2.5 GB
Network adapters: Internal and External
Hardware Requirements for Forefront TMG
System Requirements for Forefront TMG
Installation Types and Components
Practice: Installing Forefront TMG
Installing Forefront TMG
[Lab topology: TMG-XX, Internet]
How to Verify an Installation of Forefront TMG
Verify that the TMG Server services are installed and started
Verify that the MSDE services are installed and started
Review the setup log files
Check the Application Log in the Event Viewer
Check for TMG Server Alerts
Verify after installation: services (TMG service, MSSQL service)
Default Configuration for Forefront TMG
Only Administrators can modify firewall policies
System policy permits access to the TMG Server, but access rules deny all network traffic through the TMG Server
No servers are published
Web Proxy requests will be retrieved directly from the Internet
Caching is disabled
A rule enabling access to the TMG Client installation share is configured if you install the TMG Client installation files
Traffic between the Internal network, the VPN network, the VPN Quarantine network and the Internet will use network address translation
Traffic is routed between the TMG Server and all other networks
Traffic is routed between the VPN network and the Internal network
Example: Default Configuration
Example: Default Firewall Policy
By default, the firewall policy denies everything.
Practice: Verifying the Installation and Default Configuration of Forefront TMG
Verifying the successful installation of Forefront TMG
Examining the default installation of Forefront TMG
[Lab topology: TMG-XX, Internet]
Migration Options from ISA Server to Forefront TMG
Migration:
1. Extract the ISA Server 2006 configuration
2. Install Forefront TMG
3. Import the ISA Server configuration
Remark: ISA Server 2006 cannot be upgraded to TMG in place because TMG requires a 64-bit platform
Lesson: Choosing TMG Server Clients
Types of TMG Server Clients
How to Configure a SecureNAT Client
How to Configure Web Proxy Clients
Guidelines for Choosing a TMG Server Client
Types of TMG Server Clients
SecureNAT Client: does not require you to deploy client software
Web Proxy Client: improves the performance of Web requests for internal clients
TMG Client: allows Internet access only for authenticated users
[Diagram: the three client types connecting through TMG Server to the Internet]
Guidelines for Choosing a TMG Server Client
If you need to… / Then use…
Avoid deploying client software / SecureNAT clients
Use TMG Server only for forward caching / SecureNAT or Web Proxy clients
Allow access only for authenticated clients / TMG Clients or Web Proxy clients
Publish servers on your internal network / SecureNAT clients
Improve Web performance for non-Windows operating systems / SecureNAT or Web Proxy clients
How to Configure a SecureNAT Client
SecureNAT clients do not require client installation or client configuration
On a single-subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway
On a multiple-subnet network, configure the IP address of the router as the SecureNAT client default gateway
How to Configure Web Proxy Clients
Monitoring Session on TMG
Practice: Configuring SecureNAT and Web Proxy Clients
Configuring TMG Server to log client connections
Configuring and testing a SecureNAT client
Configuring and testing a Web Proxy client
[Lab topology: TMG-XX, Internet-xx, Internet, Clientxx]
Lesson: Installing and Configuring TMG Clients
How to Configure TMG Client Settings
The TMG Client Installation and Configuration Process
Options for Automating the TMG Client Installation
How to Configure TMG Client Settings
The TMG Client Installation and Configuration Process
The TMG Client:
Uses a common Winsock service provider that other Winsock applications use to connect to application servers
Intercepts Winsock client application calls for remote application servers and redirects the request to TMG Server
Install the TMG Client:
From the TMG Client share on the computer running TMG Server, or from another network share
Practice: Installing the TMG Client
Configuring the TMG Client settings on TMG Server
Installing the TMG Client
[Lab topology: TMG-XX, Internet-xx, Web, Internet, Clientxx]
Steps for setting up the TMG Client
1. Run Setup from the installation disc
2. Follow the steps of the Setup wizard
3. Specify the TMG Server
4. When Setup finishes, restart the computer
5. Add a record for the TMG server to the hosts file
Automatic setting
Options for Automating the TMG Client Installation
Software package distributed using Group Policy
Unattended installation
SMS package distributed to specific clients using SMS
Configuring Administrative Roles
TMG Server Administrative Roles
Role / Description
Forefront TMG Monitoring Auditor / Restricted-access monitoring: view sessions, query service status, view and reset alerts
Forefront TMG Auditor / Full-access monitoring; read-only ISA configuration
Forefront TMG Administrator / Can perform all administrative tasks
Example: delegating a job to an ISA role (Properties of TMG Server)
Best Practices for Securing the Server
Securing TMG Server
Do Not Install TMG Server on a Domain Controller
Avoid Installing an Internet Edge Server on a Domain Member
Rename the Administrator Account
Disable Unused Functionality
Apply Windows Server Security Best Practices
Lesson: Maintaining Forefront TMG
About Exporting and Importing the ISA Server Configuration
About Backing Up and Restoring the ISA Server Configuration
Remote Administration Options for TMG Server
About Exporting and Importing the TMG Server Configuration
Use export and import to clone a TMG Server, to save a configuration for troubleshooting, or to roll back a configuration change
You can export the entire TMG Server configuration, or any individual setting or group of configuration settings
Importing a configuration overwrites all settings with those from the exported file
About Backing Up and Restoring the TMG Server Configuration
Use backup to create a configuration file that can be used for disaster recovery
Backup creates a file with the entire TMG Server configuration
Restoring a backup overwrites all TMG Server settings
Remote Administration Options for TMG Server
Use remote administration to manage physically secured servers or servers in other offices
Use Remote Desktop or Terminal Services to manage all settings on the server running TMG Server
Use the TMG Server Management MMC to manage TMG Server settings remotely
Configure the server running TMG Server to enable Remote Desktop, and configure System Policy to enable remote MMC management
Practice: Remote Management for TMG
Using Remote Desktop for remote management
Using the MMC for remote management
[Lab topology: TMGxx, Clientxx]
Module 3: Enabling Access to Internet Resources
Overview
Forefront TMG as a Proxy Server
Configuring Multi-Networking on TMG Server
Configuring Access Rule Elements
Configuring Access Rules for Internet Access
Lesson: Forefront TMG as a Proxy Server
How TMG Server Enables Secure Access to Internet Resources
Why Use a Proxy Server?
How Does a Forward Web Proxy Server Work?
What Is a Reverse Web Proxy Server?
How to Configure TMG Server as a Proxy Server
DNS Configuration for Internet Access
How to Configure Web Chaining
How to Configure Dial-Up Connections
How TMG Server Enables Secure Access to Internet Resources
For each request, TMG Server checks: Is the user allowed access? Is the computer allowed access? Is the protocol allowed? Is the destination allowed? Is the content allowed?
[Diagram: client request passing through TMG Server (proxy server) to the Web server]
Why Use a Proxy Server?
Improved Internet access security:
User authentication
Filtering client requests
Content inspection
Logging user access
Hiding the internal network details
Improved Internet access performance
[Diagram: TMG Server between internal clients and the Web server]
How Does a Forward Web Proxy Server Work?
[Diagram: numbered request flow (1 to 6) from the internal client through TMG Server to the Web server; TMG Server checks whether the user, the protocol and the destination are allowed]
What Is a Reverse Web Proxy Server?
[Diagram: numbered request flow (1 to 6) from the Internet client through TMG Server to the internal Web server, including a DNS server lookup; TMG Server checks whether the request, the protocol and the destination are allowed]
How to Configure TMG Server as a Proxy Server
DNS Configuration for Internet Access
If no internal DNS server is available to resolve Internet addresses, configure the TMG Server clients to use an Internet DNS server
Configure TMG Server clients to use an internal DNS server if that DNS server can resolve Internet addresses
TMG Server can proxy DNS requests for Web Proxy and TMG Clients but not for SecureNAT clients
TMG Server includes a DNS cache that caches the results of all DNS lookups performed through TMG Server
DNS requests by client type:
SecureNAT: the client queries the DNS server itself
Web Proxy Client, TMG Client: TMG queries the DNS server on the client's behalf (proxy DNS request)
Practice: Configuring DNS
Configure clients to use the internal DNS server
Configure the internal DNS server using the internal technique
Configure the internal DNS server using the Internet technique
[Lab topology: TMG-XX, Internet-xx (Web, DNS), Internet, Clientxx, SV-xx (DC, DNS, DHCP)]
How to Configure Web Chaining
[Diagram: branch office proxies chained through the head office proxy to the Internet]
Example: Web Chaining
Practice: Configuring TMG Server as a Web Proxy Server
Configuring the proxy server settings on TMG Server
[Lab topology: TMG-XX, Internet-xx (Web, DNS), Internet, Clientxx, SV-xx (DC, DNS server, DHCP server)]
Lesson: Configuring Multi-Networking on TMG Server
How Does Forefront TMG Support Multiple Networks?
Default Networks Enabled in TMG Server
About Network Objects
How to Create and Modify Network Objects
What Are Network Rules?
How Does Forefront TMG Support Multiple Networks?
Supports any number of networks
VPN networks represented as networks
Dynamic network membership
Per-network rules
Per-network policies
Network sets
[Diagram: TMG Server connecting the Internet, VPN, Perimeter1, Perimeter2, LAN1 and LAN2 networks]
Default Networks Enabled in TMG Server
Default Network / Includes
Local Host / The TMG Server
Default External / All IP addresses not associated with another network
Internal / All IP addresses specified as internal during installation
VPN Clients / All IP addresses for currently connected VPN clients
Quarantined VPN Clients / All IP addresses of connected VPN clients that have not cleared quarantine
Example Default Network on ISA2006
About Network Objects
Network Object / Includes
Network / All computers connected to a single network interface
Network Set / One or more networks
Computer / A single computer identified by an IP address
Computer Set / All computers included in specified computer, subnet or address range objects
Address Range / All computers identified by a contiguous range of IP addresses
Subnet / All computers on a specified subnet
URL Set / All specified URLs
Domain Name Set / All specified domain names
Web Listener / The IP address on which the TMG Server listens for connections
How to Create and Modify Network Objects
Click Firewall Policy, Toolbox, then Network Objects
Click Networks, then Networks or Network Sets
What Are Network Rules?
Route connection: a route relationship is bidirectional. If a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A
NAT connection: a NAT relationship is directional. Addresses from the source network are always translated when passing through TMG Server
Practice: Managing Network Objects
Configuring a new network on TMG Server
Configuring a new network rule on TMG Server
Configuring a new computer network object on TMG Server
[Lab topology: TMG-XX, Internet]
Lesson: Configuring Access Rule Elements
What Are Access Rule Elements?
How to Configure Protocol Elements
How to Configure User Elements
How to Configure Content Type Elements
How to Configure Schedule Elements
How to Configure Domain Name Sets and URL Sets
What Are Access Rule Elements?
Access Rule Element / Used to Configure
Protocols / The protocols that will be allowed or denied by an access rule
Users / The users that will be allowed or denied by an access rule
Content Types / The content type that will be allowed or denied by an access rule
Schedules / The time of day when Internet access will be allowed or denied by an access rule
Network Objects / The computers or destinations that will be allowed or denied by an access rule
Example: Policy
How to Configure Protocol Elements
How to Configure User Elements
Allowing only the users who need to use the system:
1. Protocols related to ping are not supported
2. For HTTP used through a browser, the client must be one of two types, Web Proxy or TMG Client:
2.1 If the user matches a user listed in TMG, TMG checks whether the policy allows that user access (Windows integrated)
2.2 If the user does not match a user listed in ISA, a pop-up prompts for a user logon
3. For other protocols, the client must be a TMG Client, and the user name must match on both the client and TMG
Remark: DNS is an exception. When using a Web Proxy or TMG Client, the DNS of ISA is used directly (no authentication)
Summary of the rules used when assigning users in the Firewall Policy: if a specified user is a member of both groups but the groups conflict, the exception (except) always wins
somchai loses access!!!!
How to Configure Content Type Elements (works only for HTTP)
Define the MIME types and file extensions to include
Example: Content Types
If the policy does not allow the All Images content type, the result looks like this (works only for HTTP traffic)
How to Configure Schedule Elements
Define the times when this schedule is active or inactive
How to Configure Domain Name Sets and URL Sets
Use a domain name set to configure access to an entire domain
Use a URL set to configure access to a URL
Example: Block Bad Website
When defining the firewall policy, you should define:
- URLs that are not allowed
- IP addresses of servers that are not allowed
Example: Block Bad Website (continued)
Logic of firewall policy evaluation:
The policy is read from top to bottom. The first rule that matches is applied immediately, and no further rules are read.
Read from top to bottom; the first matching rule is applied immediately.
Practice: Configuring Firewall Rule Elements
Configuring a new user set
Configuring a new content type element
Configuring a new schedule element
Configuring a new URL set
[Lab topology: TMG-XX, Internet-xx (Web, DNS), Internet, Clientxx, SV-xx (DC, DNS server, DHCP server)]
Lesson: Configuring Access Rules for Internet Access
What Are Access Rules?
How Network Rules and Access Rules Are Applied
About Authentication and Internet Access
How to Configure Access Rules
How to Configure HTTP Policy
How to Troubleshoot Access to Internet Resources
What Are Access Rules?
Access rules always define an action on traffic from a user, from a source, to a destination, with conditions:
Action: Allow or Deny
User
Source: network, IP address
Destination: network, IP address, site
Conditions: protocol (IP port/type), schedule, content type
How Network Rules and Access Rules Are Applied
[Diagram: numbered flow (1 to 6) of a client request through the network rules and access rules on TMG Server, with the domain controller consulted for authentication, to the Web server]
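The evaluation order described above (a network rule must connect the two networks, then the access rules are read top to bottom with the first match deciding and the default rule denying, and an exception in a user set always wins), as an added Python model that is not part of the course material; every network, user, group, address and rule in it is constructed for the demo.

```python
"""Added example (not from the course slides): a model of the evaluation order the
slides describe.  A request first needs a network rule between its source and
destination networks (Route is bidirectional, NAT directional); then the access
rules are read top to bottom, the first matching rule decides, and with no match
the default rule denies.  Networks, users, groups and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

NETWORKS = {"Internal": ip_network("192.168.1.0/24"), "Perimeter": ip_network("10.0.0.0/24")}
GROUPS = {"Staff": {"alice", "somchai"}, "Contractors": {"somchai"}}
NETWORK_RULES = [("Internal", "External", "NAT"),      # (source, destination, relationship)
                 ("Internal", "Perimeter", "Route")]

def network_of(ip: str) -> str:
    """Any address not in a defined network belongs to the default External network."""
    addr = ip_address(ip)
    return next((name for name, net in NETWORKS.items() if addr in net), "External")

def network_relationship(src_net: str, dst_net: str) -> Optional[str]:
    for src, dst, rel in NETWORK_RULES:
        if (src, dst) == (src_net, dst_net):
            return rel
        if rel == "Route" and (dst, src) == (src_net, dst_net):
            return rel          # a route relationship also applies in the reverse direction
    return None                 # no network rule: the traffic cannot pass at all

def in_user_set(user: Optional[str], include: set, exclude: set) -> bool:
    """User-set semantics from the slides: an exception always wins over a membership."""
    if user is None:            # unauthenticated request (for example a SecureNAT client)
        return "All Users" in include
    def member(name):
        return name == "All Users" or name == user or user in GROUPS.get(name, ())
    return any(member(n) for n in include) and not any(member(n) for n in exclude)

@dataclass
class AccessRule:
    name: str
    action: str                                    # "Allow" or "Deny"
    protocols: set = field(default_factory=lambda: {"*"})
    sources: set = field(default_factory=lambda: {"*"})        # network names
    destinations: set = field(default_factory=lambda: {"*"})   # networks, IPs or domain names
    users: set = field(default_factory=lambda: {"All Users"})
    except_users: set = field(default_factory=set)
    schedule: tuple = (0, 24)                      # active hours, [start, end)
    content_types: set = field(default_factory=lambda: {"*"})

@dataclass
class Request:
    src_ip: str
    dst_ip: str
    protocol: str
    hour: int = 12
    user: Optional[str] = None                     # None = not authenticated
    dst_name: Optional[str] = None                 # host name of an HTTP/HTTPS request
    content_type: str = "text/html"

def _allowed(value, allowed: set) -> bool:
    return "*" in allowed or value in allowed

def matches(rule: AccessRule, req: Request, src_net: str, dst_net: str) -> bool:
    """Every rule element must match.  A rule for users other than All Users cannot
    match an unauthenticated request: TMG would prompt a Web Proxy or TMG Client
    for credentials at this point, and a SecureNAT client simply skips the rule."""
    if not _allowed(req.protocol, rule.protocols) or not _allowed(src_net, rule.sources):
        return False
    if not (_allowed(dst_net, rule.destinations) or req.dst_ip in rule.destinations
            or req.dst_name in rule.destinations):
        return False
    if not rule.schedule[0] <= req.hour < rule.schedule[1]:
        return False
    # Content-type conditions apply only to HTTP traffic (slide: "works only HTTP").
    if req.protocol == "HTTP" and not _allowed(req.content_type, rule.content_types):
        return False
    return in_user_set(req.user, rule.users, rule.except_users)

def evaluate(policy: list, req: Request) -> tuple:
    """Return (action, reason): network rule first, then the first matching access rule."""
    src_net, dst_net = network_of(req.src_ip), network_of(req.dst_ip)
    rel = network_relationship(src_net, dst_net)
    if rel is None:
        return "Deny", f"no network rule between {src_net} and {dst_net}"
    for rule in policy:                            # read top to bottom; first match wins
        if matches(rule, req, src_net, dst_net):
            return rule.action, f"{rule.name} via {rel}"
    return "Deny", "default rule"

# Constructed policy in the order an administrator would place the rules: explicit
# blocks first, then the allow rules, relying on the default deny at the end.
POLICY = [
    AccessRule("Block bad websites", "Deny", protocols={"HTTP", "HTTPS"},
               destinations={"badsite.example", "203.0.113.66"}),
    AccessRule("Web access for staff", "Allow", protocols={"HTTP", "HTTPS"},
               sources={"Internal"}, destinations={"External"}, users={"Staff"},
               except_users={"Contractors"}, schedule=(8, 18),
               content_types={"text/html", "image/jpeg"}),
    AccessRule("DNS for everyone", "Allow", protocols={"DNS"},
               sources={"Internal"}, destinations={"External"}),
]
```

Running `evaluate(POLICY, Request("192.168.1.10", "203.0.113.10", "HTTP", 10, "somchai", "www.contoso.com"))` shows the slide's point: somchai is in Staff but also in the Contractors exception, so no allow rule matches and the default rule denies him.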
About Authentication and Internet Access
Authentication and TMG Server Clients
Authentication Methods
 Basic authentication
 Digest authentication
 Integrated Windows authentication
 Digital certificates authentication
 RADIUS authentication
 RSA SecureID authentication
How to set authentication
Type of standard authentication: Basic Authentication
- The password is sent in clear text; it should be used together with SSL
- Works with most clients
- Does not support single sign-on
Example: Basic Authentication
Supported by most browsers
Not encrypted: Basic sends clear text
Type of standard authentication: Digest Authentication
- The password is sent as a hash
- Only for users whose accounts are in Active Directory
Example: Digest Authentication
Sends the user name and password using hashing
Works only with domain accounts
Type of standard authentication: Integrated Windows Authentication
- The user does not need to enter a user name and password
- The server negotiates with the client computer itself to determine which user is logged on at that machine
- If the account does not match, an authentication pop-up appears
- Encrypted
Example: Windows Integrated
Integrated with the Windows account; the Windows account is used to log on automatically
If the account does not match, an authentication pop-up appears
Encrypted
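The Basic and Digest exchanges described above, shown in an added Python example that is not part of the course material: it builds the RFC 2617 credential formats a Web proxy such as TMG challenges for, and the realm, user names, passwords and nonces in it are constructed.

```python
"""Added example (not from the course slides): what actually crosses the wire for
the Basic and Digest methods above, in the RFC 2617 formats a Web proxy such as
TMG challenges for.  Basic is only Base64, so without SSL the password is readable
by anyone who sees the header; Digest sends an MD5 response derived from the
password, which the server checks using only its stored HA1 value and a nonce it
chose.  All user names, passwords, realms and nonces below are constructed."""
import base64
import hashlib
import secrets

def basic_credential(user: str, password: str) -> str: 
    """Proxy-Authorization value a browser sends after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_decode(header: str) -> tuple:
    """Reversing the encoding needs no secret: the slide's 'not encryption,
    clear text' point, and the reason Basic must run over SSL."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 is all the verifier needs to keep; the cleartext password is not
    required at verification time and is never sent."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(ha1: str, nonce: str, method: str, uri: str, cnonce: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """Client-side computation of the Digest 'response' field (RFC 2617, qop=auth)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_verify(ha1: str, nonce: str, method: str, uri: str, cnonce: str,
                  response: str, nc: str = "00000001") -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    The server's own nonce is part of the hash, so a response captured for one
    challenge does not verify against a fresh challenge."""
    expected = digest_response(ha1, nonce, method, uri, cnonce, nc)
    return secrets.compare_digest(expected, response)

def new_nonce() -> str:
    """A fresh nonce per challenge; reusing nonces is what would allow replay."""
    return secrets.token_hex(16)

def demo() -> dict:
    """Walk one request through both methods; the test checks these observations."""
    realm, user, password = "tmg.example", "somchai", "Circle Of Life"   # constructed
    ha1 = digest_ha1(user, realm, password)
    nonce, cnonce = new_nonce(), secrets.token_hex(4)
    response = digest_response(ha1, nonce, "GET", "/dir/index.html", cnonce)
    return {
        "basic_reveals_password": basic_decode(basic_credential(user, password)) == (user, password),
        "digest_valid": digest_verify(ha1, nonce, "GET", "/dir/index.html", cnonce, response),
        "digest_replay_fails": not digest_verify(ha1, new_nonce(), "GET", "/dir/index.html",
                                                 cnonce, response),
        "password_on_wire": password in response,
    }
```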
How to Configure Access Rules
Practice: Integrating TMG with NPS (RADIUS server)
Installing the NPS server
Setting up the RADIUS server and RADIUS client
Configuring the firewall policy with RADIUS
[Lab topology: TMG-XX, Internet-xx (Web, DNS), Internet, Clientxx, SV-xx (DC, DNS server, NPS)]
How to Troubleshoot Access to Internet Resources
To troubleshoot Internet access issues:
Check for DNS name resolution
Determine the extent of the problem
Review access rule objects and access rule configuration
Review access rule order
Check access rule authentication
Use TMG Server logging to determine which access rule is granting or denying access
What Is Web Access Policy?
New feature of TMG:
A new wizard-based tool
Focused only on HTTP/HTTPS
Includes functionality such as malware inspection
Includes HTTPS outbound inspection
Malware inspection definitions can be updated directly through Update Center (Microsoft Update or WSUS)
How to use Web Access Policy
How to use Web Access Policy: Web Destinations
How to use Web Access Policy: Malware Inspection
How to use Web Access Policy: HTTPS Inspection
Lab: Enabling Access to Internet Resources
Exercise 1: Configuring TMG Server Access Rule Elements
Exercise 2: Configuring TMG Server Access Rules
Exercise 3: Testing TMG Server Access Rules
Module 4: Configuring TMG Server as a Firewall
Overview
Using TMG Server as a Firewall
Examining Perimeter Networks and Templates
Configuring System Policies
Configuring Intrusion Detection and IP Preferences
Lesson: Using TMG Server as a Firewall
What Is a TCP/IP Packet?
What Is Packet Filtering?
What Is Stateful Filtering?
What Is Application Filtering?
What Is Intrusion Detection?
How Forefront TMG Filters Network Traffic
Implementing Forefront TMG as a Firewall
What Is a TCP/IP Packet?
Network Interface Layer: Destination Address: 0003FFD329B0; Source Address: 0003FFFDFFFF
Internet Layer: Destination: 192.168.1.1; Source: 192.168.1.10; Protocol: TCP
Transport Layer: Destination Port: 80; Source Port: 1159; Sequence: 3837066872; Acknowledgment: 2982470625
Application Layer: HTTP Request Method: GET; HTTP Protocol Version: HTTP/1.1; HTTP Host: www.contoso.com
[Diagram: each layer's payload carries the next: physical payload > IP payload > TCP payload]
What Is Packet Filtering?
The packet filter checks: Is the source address allowed? Is the destination address allowed? Is the protocol allowed? Is the destination port allowed?
[Diagram: packet filter on TMG Server between the client and the Web server]
What Is Stateful Filtering?
Connection rules: TMG Server creates a connection rule for a new connection and then checks whether each packet is part of an existing connection
[Diagram: TMG Server tracking connections between clients and Web servers]
What Is Application Filtering?
The application filter inspects the request (Get www.contoso.com): Is the GET method allowed? It then inspects the response before responding to the client: Does the response contain only allowed content and methods?
[Diagram: application filter on TMG Server between the client and the Web server]
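The three inspection stages above, run over the slide's own packet rebuilt as raw bytes and decoded layer by layer, as an added Python example that is not code from the course; the frame builder, the allowed network and ports, the allowed HTTP methods and the connection table are assumptions made for the demo.

```python
"""Added example (not from the course slides): the packet from the slide rebuilt
as raw bytes, decoded layer by layer, and passed through the three inspection
stages described above: packet filter (addresses, protocol, port), stateful
filter (is the packet part of a known connection?) and application filter (is
the HTTP method allowed?).  The frame builder, the allowed network and ports,
the allowed methods and the connection table are constructed for the demo."""
import struct
from ipaddress import ip_address, ip_network

SYN, ACK, PSH = 0x02, 0x10, 0x08
INTERNAL = ip_network("192.168.1.0/24")          # constructed: the slide's LAN
ALLOWED_PORTS = {80, 443}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame; checksums are left zero (not verified here)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip_hdr + tcp

def parse_frame(frame: bytes) -> dict:
    """Decode the four layers shown on the slide into one dictionary."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    tcp_start = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", frame[tcp_start:tcp_start + 20])
    data_start = tcp_start + (off_flags >> 12) * 4
    return {"dst_mac": dst_mac.hex().upper(), "src_mac": src_mac.hex().upper(),
            "src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "payload": frame[data_start:14 + total_len]}

def packet_filter(pkt: dict):
    """Stage 1: header-only checks, the slide's 'Is the ... allowed?' questions.
    Returns a reason string to drop the packet, or None to pass it on."""
    if ip_address(pkt["src"]) not in INTERNAL:
        return "source address not allowed"
    if pkt["proto"] != 6:
        return "protocol not allowed"
    if pkt["dport"] not in ALLOWED_PORTS:
        return "destination port not allowed"
    return None

class StatefulFilter:
    """Stage 2: a connection rule is created on the client's SYN; every later
    packet must belong to a connection that already exists."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt: dict):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] & SYN and not pkt["flags"] & ACK:
            self.connections.add(key)
            return None
        return None if key in self.connections else "packet is not part of a connection"

def application_filter(pkt: dict):
    """Stage 3: look inside the TCP payload; the HTTP filter checks the method."""
    if not pkt["payload"]:
        return None                                  # handshake segments carry no request
    request_line = pkt["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "payload on port %d is not HTTP" % pkt["dport"]
    if parts[0] not in ALLOWED_METHODS:
        return "method %s not allowed" % parts[0]
    return None

def inspect(frames, state=None) -> list:
    """Run each frame through the three stages in order; the first stage that
    objects decides, exactly like a rule chain.  Returns (verdict, reason) pairs."""
    state = state or StatefulFilter()
    verdicts = []
    for frame in frames:
        pkt = parse_frame(frame)
        reason = packet_filter(pkt) or state.check(pkt) or application_filter(pkt)
        verdicts.append(("drop", reason) if reason else ("allow", None))
    return verdicts

# Constructed traffic using the addresses from the slide: the client's SYN, then the
# GET with the slide's sequence/acknowledgment numbers, then a disallowed TRACE.
MAC_CLIENT, MAC_TMG = "0003FFFDFFFF", "0003FFD329B0"
SYN_FRAME = build_frame(MAC_CLIENT, MAC_TMG, "192.168.1.10", "192.168.1.1", 1159, 80,
                        3837066871, 0, SYN)
GET_FRAME = build_frame(MAC_CLIENT, MAC_TMG, "192.168.1.10", "192.168.1.1", 1159, 80,
                        3837066872, 2982470625, PSH | ACK,
                        b"GET / HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n")
TRACE_FRAME = build_frame(MAC_CLIENT, MAC_TMG, "192.168.1.10", "192.168.1.1", 1159, 80,
                          3837066872, 2982470625, PSH | ACK, b"TRACE / HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for verdict in inspect([SYN_FRAME, GET_FRAME, TRACE_FRAME]):
        print(verdict)
```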
What Is Intrusion Detection?
TMG Server detects an all-ports scan attack and, when the port scan limit is exceeded, alerts the administrator
[Diagram: intrusion detection on TMG Server]
Implementing Forefront TMG as a Firewall
To configure TMG Server as a firewall:
Determine perimeter network configuration
Configure networks and network rules
Configure system policy
Configure intrusion detection
Configure access rule elements and access rules
Configure server and Web publishing
Lesson: Examining Perimeter Networks and Templates
What Is a Perimeter Network?
Why Use a Perimeter Network?
Network Perimeter Configurations
About Network Templates
How to Use the Network Template Wizard
Modifying Rules Applied by Network Templates
What Is a Perimeter Network?
[Diagram: perimeter network between an external firewall facing the Internet and an internal firewall protecting the internal network]
Why Use a Perimeter Network?
A perimeter network provides an additional layer of security:
Between the publicly accessible servers and the internal network
Between the Internet and confidential data or critical applications stored on servers on the internal network
Between potentially nonsecure networks, such as wireless networks, and the internal network
Use defense in depth in addition to perimeter network security
Network Perimeter Configurations
Bastion host [Diagram: a single firewall between the Internet and the LAN, with the Web server on the LAN]
Three-legged configuration [Diagram: one firewall with separate interfaces to the Internet, the perimeter network and the LAN]
Back-to-back configuration [Diagram: a perimeter network between two firewalls, with the LAN behind the inner firewall]
About Network Templates
Bastion host: deploy the Edge Firewall template
Three-legged configuration: deploy the 3-Leg Perimeter template
Back-to-back configuration: deploy the Front-End or Back-End template
Deploy the Single Network Adapter template for proxy and caching only
How to Use the Network Template Wizard
Modifying Rules Applied by Network Templates
You may need to modify the rules applied by a network template to:
Modify Internet access based on user or computer sets
Modify Internet access based on protocols
Modify network rules to change network relationships
You can either change the properties of one of the rules configured by the network template, or you can create a new access rule to apply a specific setting
Lesson: Configuring System Policies
What Is System Policy?
System Policy Settings
How to Modify System Policy Settings
What Is System Policy?
System policy is:
A default set of access rules applied to the TMG Server to enable management of the server
A set of predefined rules that you can enable or disable as required
Modify the default set of rules provided by the system policy to meet your organization's requirements
Disable all functionality that is not required
System Policy Settings
System policy settings include:
Network Services
Authentication Services
Remote Management
TMG Client
Diagnostic Services
Logging and Monitoring
SMTP
Scheduled Download Jobs
Allowed Sites
How to Modify System Policy Settings
Practice: Modifying System Policy
Examining and modifying the default system policy
Testing the modified system policy
[Lab topology: TMG-XX, Internet, Clientxx]
About Intrusion Prevention Configuration Options
Intrusion prevention on Forefront TMG:
NIS signatures can now be updated dynamically
Detects well-known protocol attacks: HTTP, DNS, SMB, NetBIOS, MSRPC, SMTP, POP3, IMAP4 and MIME
Works together with Microsoft Malware Protection to respond to newly discovered threats
Example: IPS for TMG
How to Configure Intrusion Prevention
About Intrusion Detection Configuration Options
Intrusion detection on Forefront TMG:
Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected
Detects well-known IP attacks
Includes application filters for DNS and POP that detect intrusion attempts at the application level
Example: IDS for TMG
How to Configure Intrusion Detection
Using Update Center
Module 5: Configuring Access to Internal Resources
Overview
Introduction to Publishing
Configuring Web Publishing
Configuring Secure Web Publishing
Configuring Server Publishing
Configuring TMG Server Authentication
Lesson: Introduction to Publishing
Multimedia: Using Forefront TMG to Enable Access to Internal Network Resources
What Are Web Publishing Rules?
What Are Server Publishing Rules?
DNS Configuration for Web and Server Publishing
What Are Web Publishing Rules?
Web publishing rules provide the following features:
Publish HTTP or HTTPS content
Application-layer filtering
Path mapping
User authentication
Content caching
Publish multiple Web sites with one IP address
Link translation
Logging client IP address
Secure Web publishing rules enable the use of SSL to encrypt network traffic between client and server
[Diagram: TMG Server publishing internal Web servers]
What Are Non-Web Server Publishing Rules?
Server publishing rules provide the following features:
Support for encryption
Publish content using multiple protocols
Logging client IP address
Application-layer filtering for protocols with application filters
Non-Web server publishing rules forward requests to internal servers based on protocol and port number
[Diagram: TMG Server forwarding published protocols to internal servers]
DNS Configuration for Web and Non-Web Server Publishing
[Diagram: numbered flow (1 to 4) in which an Internet client resolves www.cohovineyard.com through the DNS server in the perimeter network to the TMG Server, which forwards the request to the Web server on the internal network, where a second DNS server serves the internal network]
Lesson: Configuring Web Publishing
Web Publishing Rules Configuration Components
How to Configure Path Mapping
How to Configure Web Listeners
How to Configure Link Translation
How to Configure a New Web Publishing Rule
Web Publishing Rules Configuration Components
Web publishing rules configuration:
• Action
• Name
• Users
• Traffic source
• Public name
• Web listener
• Path mappings
• Bridging
• Link Translation
How to Configure Path Mapping
[Diagram: TMG Server maps http://www.demo.com/hr to the Human Resources virtual directory and http://www.demo.com/shop to the Online Store virtual directory; the Web server also has a Sales virtual directory]
Example: Path Mapping
How to Configure Multiple Web Publishing
[Diagram: TMG Server publishes Web1 as http://www.cohovineyard.com and Web2 as http://www.acme.com through the same Web listener]
Example: Multiple Web Publishing
How to Configure Web Listeners
[Diagram: an anonymous Web listener publishes http://www.cohovineyard.com (CohoVineyard Web Site); an authenticated Web listener publishes http://private.cohovineyard.com (Private Web Site)]
How to Configure a New Web Publishing Rule
Web Publishing Rule Wizard configuration:
Action
Published Website
Public name
Web listener
User Sets
Practice: Configuring Web Publishing
Configuring a New Web Listener
Configuring a New Web Publishing Rule
Testing the Web Publishing Rule
[Lab topology: DMZxx (Web), TMG-XX, Internet-xx (Web, DNS), Internet, Clientxx, Server-xx (DC, DNS, DHCP)]
Lesson: Configuring Secure Web Publishing
What Is Secure Sockets Layer?
How to Prepare TMG Server for SSL
How SSL Bridging Works
How SSL Tunneling Works
How to Configure a New Secure Web Publishing Rule
What Is Secure Sockets Layer?
[Diagram: server authentication and client authentication over an encrypted SSL connection to the Web server]
How to Prepare TMG Server for SSL
[Diagram: the www.demo.com certificate is exported from the Web server and imported on the TMG Server]
How SSL Bridging Works
[Diagram: SSL bridging through TMG Server]
How to Configure a New Secure Web Publishing Rule
SSL Web Publishing Rule Wizard configuration:
Publishing Mode
Action
Bridging Mode
Published Website
Public name
Web listener
User Sets
Practice: Configuring Secure Web Publishing
Enabling Access to the Certificate Authority Web Site
Installing a Server Certificate
Configuring a New Secure Web Publishing Rule
Testing the Secure Web Publishing Rule
[Lab topology: InternalWeb-01, InternetWeb-01, TMG-xx, Internet, DC-xx]
Lesson: Configuring Non-Web Server Publishing
Server Publishing Configuration Options
How Non-Web Server Publishing Works
How to Configure a Non-Web Server Publishing Rule
How to Troubleshoot Web and Non-Web Server Publishing
Non-Web Server Publishing Configuration Options
Server publishing rules configuration:
Action
Traffic
Traffic source
Traffic destination
Networks
Schedule
How Non-Web Server Publishing Works
[Diagram: a media publishing rule on port 1755 publishes the Demo Media Site as mms://media.demo.com, and an FTP publishing rule on port 21 publishes the Demo FTP Site as ftp://ftp.demo.com, both through the TMG Server]
How to Configure a Non-Web Server Publishing Rule
Non-Web Server Publishing Rule Wizard configuration:
Select server to publish
Select protocol
Select IP addresses where clients will connect
Practice: Configuring Non-Web Server Publishing
Configuring a New Non-Web Server Publishing Rule
Testing the Non-Web Server Publishing Rule
[Lab topology: InternalWeb-01, InternetWeb-01, TMG-xx, Internet, Server-xx (FTP)]
How to Troubleshoot Web and Non-Web Server Publishing
To troubleshoot Web and server publishing issues:
Check the resource availability
Check the DNS records
Check the error message
Check which ports the TMG Server is listening on for connections
Check the publishing rule configuration
Check the SSL configuration and certificates
Lesson: Configuring TMG Server Authentication
How Authentication and Web Publishing Rules Work
TMG Server Web Publishing Authentication Scenarios
Using RADIUS for Authentication
How to Implement RADIUS Server for ISA Authentication
How Authentication and Web Publishing Rules Work Together
TMG Server uses authentication to grant access to publishing rules:
When the publishing rule specifies a user set other than the All Users group
Based on the Web listener authentication methods specified for a Web publishing or secure Web publishing rule
By processing the firewall rules in order of priority. When a firewall rule matches, but requires authentication, TMG Server will prompt for user credentials
TMG Server Web Publishing Authentication Scenarios
[Diagram: three scenarios through the TMG Server: Web server authentication, TMG Server authentication, and TMG Server and Web server authentication]
Using RADIUS for Authentication
[Diagram: the TMG Server acts as a RADIUS client of a RADIUS server, which checks credentials against the domain controller]
Using RADIUS for authentication means that TMG Server can authenticate users based on their Active Directory credentials without requiring that the computer running TMG Server be a member of an Active Directory domain
How to Implement RADIUS Server for TMG Authentication
To implement RADIUS authentication:
1. Install and configure NPS to use Active Directory for authentication and configure the TMG Server as a RADIUS client
2. Configure the Active Directory user accounts or configure remote access policies to enable dial-in access
3. Configure TMG Server to use the RADIUS server and configure a Web listener to use RADIUS authentication
Lab: Configuring Access to Internal Resources
Exercise 1: Configuring TMG Server Authentication and Secure Publishing
Exercise 2: Testing the TMG Server Configuration
[Lab topology: InternalWeb-01, InternetWeb-01, TMG-xx, Internet, DC-xx]
Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks
Overview
Virtual Private Networking Overview
Configuring Virtual Private Networking for Remote Clients
Configuring Virtual Private Networking for Remote Sites
Configuring VPN Quarantine Control Using Forefront TMG
Lesson: Virtual Private Networking Overview
What Is Virtual Private Networking?
VPN Protocol Options
VPN Authentication Protocol Options
VPN Quarantine Control
Virtual Private Networking Using Routing and Remote Access
Virtual Private Networking Using Forefront TMG
Benefits of Using TMG Server for Virtual Private Networking
What Is Virtual Private Networking?
[Diagram: a VPN connection between the TMG Server and a branch office]
VPN Protocol Options
Factor: PPTP advantages and disadvantages / L2TP/IPSec advantages and disadvantages
Client operating systems supported
  PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98
  L2TP/IPSec: Windows 2000 and later
Certificate support
  PPTP: Requires a certificate infrastructure only for EAP-TLS authentication
  L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key
Security
  PPTP: Provides data encryption; does not provide data integrity
  L2TP/IPSec: Provides data encryption, data confidentiality, data origin authentication, and replay protection
NAT support
  PPTP: To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP
  L2TP/IPSec: To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T
VPN Authentication Protocol Options
Authentication protocol: Considerations
PAP: Uses plaintext passwords and is the least secure authentication protocol
SPAP: Uses a reversible encryption mechanism employed by Shiva
CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted
MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data
MS-CHAPv2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data
EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication
A VPN must perform authentication
PAP verifies using the password only
SPAP uses a reversible password verification mechanism
CHAP requires passwords that are stored and used with reversible encryption
MS-CHAP is Microsoft's reversible technique
MS-CHAPv2 is a technique that performs mutual authentication
EAP-TLS provides security that relies on multiple mechanisms
PAP & SPAP
[Diagram: S1 sends the PAP password; S2 (SPAP) uses the password to verify the logging-on user; result: Positive]
CHAP, MSCHAP
[Diagram: CHAP and MS-CHAP exchange. S1: client A sends user name + password (pass1) encrypted with Algorithm A; S2: the server decrypts the user name + password with Algorithm A, compares them with its stored entries (A pass1, B pass2, C pass3) and replies Ack]
MSCHAP v2
[Diagram: Mutual Authentication with MS-CHAP v2. Client A sends user name A + pass1 encrypted with a technique, producing a Validation Key (Login); the server decrypts against its stored entries (A pass1, B pass2, C pass3) and produces a Validation Key (Server). If the Validation Key from the login and from the server match, access is allowed]
EAP-TLS (Extensible Authentication Protocol-Transport Layer Security)
[Diagram: Multi-Factor Authentication. The client sends A + pass1 + MD5 or a smart card; the server holds the entries A pass1 smartcard, B pass2 smartcard, C pass3 smartcard; A + pass1 is encrypted in transit during the connection]
VPN Quarantine Control
VPN Quarantine Control:
Enables screening of VPN client machines before granting them access to the organization's network
Uses a client script that analyzes the security configuration of the remote access client
VPN clients connecting to TMG Server with approved security configurations are moved from the VPN Quarantine network to the VPN Clients network
Virtual Private Networking Using Routing and Remote Access
RRAS supports:
Remote access policies that define remote access connections and connection parameters
Connection Manager components to simplify the configuration of remote access clients
RADIUS servers for authentication and the centralization of remote access policies
VPN quarantine control to restrict network access to quarantined clients
Packet filtering for securing VPN and network quarantine connections
Virtual Private Networking Using Forefront TMG
TMG Server enables VPN access:
Including remote client VPN access for individual clients and site-to-site VPN access to connect multiple sites
By enabling VPN-specific networks including:
  • VPN Clients network
  • Quarantined VPN Clients network
  • Remote-site networks
By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running TMG Server
By extending RRAS functionality
Benefits of Using TMG Server for Virtual Private Networking
Benefits: Explanation
Connection security: TMG Server uses firewall access policies to inspect and filter all traffic from VPN clients
Quarantine control for Windows 2000: VPN quarantine is not available in Windows 2000 RRAS but can be enabled with TMG Server 2004 on Windows 2000
Logging and monitoring: TMG Server can log all VPN connections and enables live monitoring of VPN connections
IPSec tunnel-mode stateful inspection: Enables stateful inspection to enforce user/group, site, computer, protocol, and application-layer access controls for IPSec tunnel-mode traffic
Enhanced protection: TMG Server is protected via firewall access policy on all interfaces
Performance: TMG Server is optimized to enforce complex security requirements on VPN connections
Lesson: Configuring Virtual Private Networking for Remote Clients
VPN Client Access Configuration Options
How to Enable and Configure VPN Client Access
Default VPN Client Access Configuration
How to Configure VPN Address Assignment
How to Configure VPN Authentication
How to Configure Authentication Using RADIUS
How to Configure User Accounts for VPN Access
How to Configure VPN Connections from Client Computers
VPN Client Access Configuration Options
[Screenshot: click the Virtual Private Networks (VPN) node to access the VPN client access configuration options]
How to Enable and Configure VPN Client Access
Use user mapping to apply firewall policies to users who do not use Windows authentication
Default VPN Client Access Configuration
Component: Default Configuration
System policy rules: System policy rule that allows the use of PPTP, L2TP, or both is enabled
VPN access network: TMG Server will listen for VPN client connections only on the External network
VPN protocols: Only PPTP is enabled for VPN client access
Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network
Firewall access rules: No firewall access rules are enabled
Remote access policy: Default policy requires MS-CHAP v2 authentication
How to Configure VPN Address Assignment
Configure DNS and WINS servers using DHCP or manually
Configure static IP address assignment or DHCP
How to Configure VPN Authentication
Accept the default for secure authentication
Configure EAP for additional security
Configure less secure options only if required for client compatibility
How to Configure Authentication Using RADIUS
Enable RADIUS for authentication and accounting, and then configure a RADIUS server
How to Configure User Accounts for VPN Access
Configure dial-in and VPN access permissions
How to Configure VPN Connections from Client Computers
Practice: Configuring VPN Access for Remote Clients
Configuring VPN access on TMG Server
Configuring user account dial-in permissions
Configuring and testing a VPN client configuration
[Lab topology: Client-XX, TMG-XX, Den-DC-01, Internet]
What Is SSTP VPN?
A new VPN feature on TMG Server that tunnels PPP connections over an SSL-encrypted HTTP connection.
SSTP provides:
An additional connectivity channel: no need to rely only on PPTP and L2TP/IPSec
Easier firewall policy management (only port 80/443 needs to be allowed)
Client requirements:
Vista SP1 and above.
The CA certificate must be placed in the Trusted Root CA store.
How to Set Up SSTP VPN?
SSTP VPN server requirements:
Only Windows 2008 or Windows 2008 R2
TMG needs to request a Web server certificate.
The Web listener is configured to allow anonymous connections.
Give the Web listener a dedicated IP address.
It cannot share a Web listener that is used to pre-authenticate published Web servers.
If an internal CA is used, the CRL (Certificate Revocation List) must be published to clients over an HTTP channel.
Lesson: Configuring Virtual Private Networking for Remote Sites
Site-to-Site VPN Access Configuration Components
About Choosing a VPN Tunneling Protocol
How to Configure a Remote-Site Network
Network and Access Rules for Site-to-Site VPNs
How to Configure the Remote-Site VPN Gateway Server
How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
Site-to-Site VPN Access Configuration Components
Component: Explanation
Choose a VPN protocol: Choose the appropriate protocol based on the security requirements and the VPN gateway servers
Configure a remote-site network: The remote-site network includes all IP addresses in the remote site
Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access
Configure network rules and access rules: Use access rules or publishing rules to make internal resources accessible to remote office users
Configure the remote-site VPN gateway: Configure the remote office VPN server to connect to TMG Server and to accept connections from TMG Server
About Choosing a VPN Tunneling Protocol
Protocol: Use to / Comments
IPSec Tunnel Mode: Connect to non-Microsoft VPN gateways / Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys
L2TP over IPSec: Connect to TMG Server or Windows RRAS VPN gateways / Requires user name and password and certificates or pre-shared keys for authentication
PPTP: Connect to TMG Server or Windows RRAS VPN gateways / Requires user name and password for authentication; less secure than L2TP over IPSec
How to Configure a Remote-Site Network
Configuration Option: Explanation
VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site
Remote VPN server: Enter the server name or IP address for the VPN gateway server in the remote site
Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server
L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel
Network address: Configure the IP address range for all of the computers in the remote-site network
Network and Access Rules for Site-to-Site VPNs
To enable network traffic across a site-to-site VPN:
Two system policy rules are enabled:
  • Allow VPN site-to-site traffic to TMG Server
  • Allow VPN site-to-site traffic from TMG Server
Create a network rule for remote-site networks
Configure access rules or publishing rules enabling or restricting network access
  • For full access, allow all protocols through TMG Server
  • For limited access, configure access rules or publishing rules that define allowed network traffic
How to Configure the Remote-Site VPN Gateway Server
To configure the remote-site VPN gateway server:
Configure the remote-site VPN gateway to use the same tunneling protocol
Configure the connection to the main-site VPN gateway
Configure network routing rules that enable or restrict the flow of network traffic between networks
How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
To configure site-to-site VPNs using IPSec tunnel mode:
Configure a local VPN gateway IP address used by the computer running TMG Server to listen for VPN connections
Configure the VPN gateways to use a certificate or a pre-shared key for authentication
Configure advanced IPSec settings to optimize VPN security
Lesson: Configuring Quarantine Control Using Forefront TMG
How Does Network Quarantine Control Work?
About Quarantine Control on TMG Server
How to Prepare the Client-Side Script
How to Configure VPN Clients Using Connection Manager
How to Prepare the Listener Component
How to Enable Quarantine Control
How to Configure Internet Authentication Service for Quarantine Control
How to Configure Quarantine Access Rules
How Does Network Quarantine Control Work?
[Diagram: a remote client in the VPN Quarantine Clients network runs the quarantine script and RQC.exe; the TMG Server applies the quarantine remote access policy and, on success, moves the client into the VPN Clients network, which contains the domain controller, Web server, DNS server and file server]
How to Enable VPN Clients Quarantine
About Quarantine Control on TMG Server
To implement quarantine control on TMG Server:
1. Create a client-side script that validates client configuration
2. Use CMAK to create a CM profile for remote access clients
3. Create and install a listener component
4. Enable quarantine control on TMG Server
5. Configure network rules and access rules for the Quarantined VPN Clients network
How to Prepare the Client-Side Script
The client-side script:
Can be an executable file, a script, or a simple command file
Contains a set of tests to ensure that the remote access client complies with network policy
Runs Rqc.exe if all of the tests specified in the script are successful
Command for running Rqc.exe:
rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
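An added example of such a client-side script, written in PowerShell for this page and not taken from the course or from CMAK: it runs a set of compliance tests and calls rqc.exe, with the argument order shown above, only when every test passes. The two checks, the script version string and the path to rqc.exe are assumptions; the CM profile is assumed to pass the connection names, domain and user name as parameters, and the port is the RQS listener port 7250 used later in this lesson.

```powershell
<#
Added example (not course or CMAK code): client-side quarantine check.
Every test must pass before rqc.exe is called; otherwise the client stays
in the Quarantined VPN Clients network. Checks and version are assumptions.
#>
param(
    [Parameter(Mandatory = $true)][string]$ConnName,        # CM dial-up entry name
    [Parameter(Mandatory = $true)][string]$TunnelConnName,  # CM tunnel entry name
    [Parameter(Mandatory = $true)][string]$Domain,
    [Parameter(Mandatory = $true)][string]$UserName,
    [int]$TcpPort = 7250,                                   # RQS listener port (from the lesson)
    [string]$ScriptVersion = 'QuarantineCheck-1.0',         # assumed; must match what RQS accepts
    [string]$RqcPath = (Join-Path $env:SystemRoot 'System32\rqc.exe')  # assumed location
)

# Test 1 (assumed policy): the Windows Firewall service must be running.
function Test-FirewallRunning {
    $svc = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

# Test 2 (assumed policy): the Windows Update service must not be disabled.
function Test-WindowsUpdateEnabled {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    return ($null -ne $svc -and $svc.StartMode -ne 'Disabled')
}

# Ordered set of tests; each script block must return $true.
$tests = [ordered]@{
    'Windows Firewall running'    = { Test-FirewallRunning }
    'Windows Update not disabled' = { Test-WindowsUpdateEnabled }
}

$failed = @()
foreach ($name in $tests.Keys) {
    if (-not (& $tests[$name])) { $failed += $name }
}

if ($failed.Count -gt 0) {
    # rqc.exe is deliberately not run: the client remains quarantined.
    Write-Warning ('Quarantine checks failed: {0}' -f ($failed -join ', '))
    exit 1
}

# All tests passed: tell the RQS listener on the TMG Server that this client
# may be moved from the Quarantined VPN Clients network to the VPN Clients network.
& $RqcPath $ConnName $TunnelConnName $TcpPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```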
How to Configure VPN Clients Using Connection Manager
To configure VPN clients using Connection Manager:
Configure a quarantine VPN client profile that includes:
  • A post-connect action that runs the client-side script
  • A client-side script that checks the client security configuration
  • A notification component
Distribute and install the client profile on all remote clients that require quarantined VPN access
How to Prepare the Listener Component
Command for running ConfigureRQSforISA.vbs:
Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe
ConfigureRQSforISA.vbs:
Installs RQS as a Network Quarantine Service
Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network
Modifies registry keys on the computer running TMG Server so that RQS will work with TMG Server
Starts the RQS service
Module 7: Implementing Caching
Overview
Caching Overview
Configuring General Cache Properties
Configuring Cache Rules
Configuring Content Download Jobs
Lesson: Caching Overview
What Is Caching?
How Caching Works for Requests for New Objects
How Caching Works for Requests for Cached Objects
How Content Download Jobs Work
How Caching Is Implemented in TMG Server 2004
Web Proxy Chaining and Caching
What Is Caching?
TMG Server caching stores a copy of requested Web
content in the server memory or on the hard disk
TMG Server caching provides:
Improved performance — information is stored on the
computer running TMG Server
Reduced bandwidth usage — no additional Internet
network traffic
TMG Server caching scenarios include:
Forward caching — Internet Web servers
Reverse caching — internal Web servers
How Caching Works for Requests for New Objects
[Diagram: a client request for http://www.contoso.com passes through the TMG Server (steps 1 to 6) to www.contoso.com; the response is stored in server RAM and on the server hard disk before being returned to the client]
How Caching Works for Requests for Cached Objects
[Diagram: a client request for http://www.contoso.com is answered by the TMG Server from server RAM or the server hard disk (steps 1 to 3) without contacting www.contoso.com]
How Content Download Jobs Work
[Diagram: the TMG Server retrieves http://www.contoso.com on schedule (steps 1 to 5), stores the content in server RAM and on the server hard disk, and later serves client requests from the cache]
How Caching Is Implemented in Forefront TMG
TMG Server caching optimizes Web caching performance by:
Using RAM and disk caching
Maintaining the RAM cache in physical memory
Maintaining a directory of cached items
Using a single cache file
Providing quick recovery
Using efficient cache updates
Providing automatic cleanup
Web Proxy Chaining and Caching
[Diagram: two branch offices chain their Web proxy requests (steps 1 to 6) through the head office to the Internet]
Lesson: Configuring General Cache Properties
Caching Configuration Components
How to Enable Caching and Configure Cache Drives
How to Configure Cache Settings
Caching Configuration Components
Component: Explanation
Define cache drives: Enables caching by configuring a cache drive for storing the cached content
Configure caching settings: Modifies the default TTL and types of cached content
Configure caching rules: Enables unique caching policies for specific Web content
Configure content download jobs: Enables the prefetch of content before clients request the content
How to Enable Caching and Configure Cache Drives
Enable Caching
How to Enable Caching and Configure Cache Drives (continued)
Caching is disabled by default on Forefront TMG. When you enable caching, TMG Server creates a file with an initial size equal to the size you chose for the maximum cache size on the hard disk
Practice: Configuring General Cache Properties
Enabling Web Caching on TMG Server
Configuring Web caching on TMG Server
[Lab topology: TMG-XX, Internet]
Lesson: Configuring Cache Rules
What Are Cache Rules?
How to Create a Cache Rule
Managing Cache Rules
Configuring the caching details
By default there is a Default Cache rule
By default it is set To: All Networks
Configure the HTTP and FTP settings
Configure automatic downloads
Configure the size of files cached for HTTP
Configure the file size for FTP
What Are Cache Rules?
Cache rule options: Default cache rule
Define the destination set that the rule applies to: Applies to all Web content
Define how content is returned to the user: Returns non-expired content to the user
Define whether content is stored in the cache: Caches the default cacheable objects
Define whether to cache HTTP, FTP, or both types of content: Enables caching of both HTTP and FTP content
Define the maximum size for cached objects: Does not apply any size restrictions to cached objects
Define whether to cache SSL content: Caches SSL content
How to Create a Cache Rule
Cache Rule Wizard Page: Configuration Options
Cache Rule Destinations: Use destination sets to define the Web content that this rule applies to
Content Retrieval: Defines how TMG Server responds to client requests if the content is or is not in cache
Cache Content: Defines the types of content TMG Server will cache
Cache Advanced Configuration: Defines maximum size for caching objects and SSL response caching
HTTP Caching: Enables and configures TTL settings for HTTP content
FTP Caching: Enables and configures TTL settings for FTP content
Managing Cache Rules
Managing cache rules includes:
Modifying the cache rule configuration after creating the rule
Modifying the cache rule order to evaluate cache rules for specific Web sites before cache rules for all Web sites
Disabling or deleting cache rules that are no longer required
Exporting the cache rule configuration before modifying the cache rules in case the modification is not successful
Configuring HTTP caching
HTTP Cache (Case 1)
[Diagram: Web client, TMG Server and Web server exchange (steps 1 to 3); the HTTP header from the Web server gives an expiry of 1 day]
Set 20% of TTL >> 24/5 = 4.8 Hours (update interval)
Set 50% of TTL >> 24/2 = 12 Hours
Set Min & Max: 1 Hour & 24 Hours
Select 4.8 Hours for 20%
Select 12 Hours for 50%
HTTP Cache (Case 2)
[Diagram: Web client, TMG Server and Web server exchange (steps 1 to 3); the HTTP header from the Web server gives an expiry of 1 week]
Set 20% of TTL >> 7*24/5 = 33.6 Hours (update interval)
Set 50% of TTL >> 7*24/2 = 86 Hours
Set Min & Max: 1 Hour & 24 Hours
Select 24 Hours for 20%
Select 24 Hours for 50%
HTTP Cache (Case 3)
[Diagram: Web client, TMG Server and Web server exchange (steps 1 to 3); the HTTP header from the Web server gives an expiry of 2.5 days]
Set 20% of TTL >> 2.5*24/5 = 12 Hours (update interval)
Set 50% of TTL >> 2.5*24/2 = 30 Hours
Set Min & Max: 1 Hour & 24 Hours
Select 12 Hours for 20%
Select 24 Hours for 50%
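The three cases above follow one rule: take the configured percentage of the expiry the Web server advertised, then clamp the result between the Min and Max settings. The PowerShell below is an added worked example, not TMG's own code; it assumes the expiry is read from a Cache-Control max-age value (the slides only say "HTTP header"), and the three headers are constructed to match the three cases.

```powershell
# Added example (not from the course or from TMG): derive the HTTP cache
# update interval from the server's advertised expiry, the rule percentage
# and the Min/Max bounds. Assumes the TTL comes from Cache-Control: max-age.
function Get-HeaderTtlHours {
    param([string]$CacheControl)
    if ($CacheControl -match 'max-age=(\d+)') {
        return ([double]$Matches[1]) / 3600   # seconds to hours
    }
    return $null
}

function Get-UpdateIntervalHours {
    param(
        [double]$TtlHours,   # expiry advertised by the Web server
        [int]$Percent,       # "Set 20%" or "Set 50%" of TTL
        [double]$MinHours,   # "Set Min"
        [double]$MaxHours    # "Set Max"
    )
    $raw = $TtlHours * $Percent / 100
    # The selected interval is the percentage clamped into [Min, Max].
    return [math]::Min($MaxHours, [math]::Max($MinHours, $raw))
}

# Constructed headers matching the three cases on the slides.
$cases = @(
    @{ Name = 'Case 1 (1 day)';    CacheControl = 'max-age=86400'  },
    @{ Name = 'Case 2 (1 week)';   CacheControl = 'max-age=604800' },
    @{ Name = 'Case 3 (2.5 days)'; CacheControl = 'max-age=216000' }
)

foreach ($case in $cases) {
    $ttl = Get-HeaderTtlHours -CacheControl $case.CacheControl
    foreach ($pct in 20, 50) {
        $raw = $ttl * $pct / 100
        $selected = Get-UpdateIntervalHours -TtlHours $ttl -Percent $pct -MinHours 1 -MaxHours 24
        '{0}: {1}% of {2}h = {3}h, selected {4}h (Min 1h, Max 24h)' -f $case.Name, $pct, $ttl, $raw, $selected
    }
}
```

Running it shows why Case 2 and the 50% setting of Case 3 both end at 24 hours: the raw percentage exceeds Max, so the Max bound wins.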
Content Retrieval
If a cached copy exists and has not expired, it is returned; if there is none, the request goes to the external Web site
If a cached copy exists, whether expired or not, it is returned; if there is none, the request goes to the external Web site
Only content already stored in the cache is used; if there is none, no connection to the outside is allowed
Practice: Configuring Cache Rules
Configuring cache rules on TMG Server
[Lab topology: TMG-XX, Internet]
Lesson: Configuring Content Download Jobs
What Are Content Download Jobs?
How to Create a Content Download Job
Managing Content Download Jobs
What Are Content Download Jobs?
Content download jobs:
Allow you to schedule content for download at a specific time even if no user on the network has requested the content
Improve Internet access performance
Can be used to download content to the branch office during nonworking hours
Can be used to ensure access to critical Internet content even when the Internet connection is not available
How to Create a Content Download Job
Content Download Job Wizard Page: Configuration Options
Download Frequency: Defines a schedule for when the content download will occur
Content Download: Defines the content that will be downloaded; includes maximum links, objects, and concurrent connections used for downloads
Content Caching: Defines what types of content to cache; defines the TTL for cached content
Managing Content Download Jobs
Managing content download jobs includes:
Modifying the content download job configuration after creating the job
Starting content download jobs outside the scheduled time or stopping content download jobs that are running
Disabling or deleting content download jobs that are no longer required
Practice: Configuring Content Download Jobs
Creating a Content Download Job
[Lab topology: Internet-Web-XX, TMG-XX, Internet]
Module 8: Monitoring Forefront TMG
Overview
Monitoring Overview
Configuring Alerts
Configuring Session Monitoring
Configuring Logging
Configuring Reports
Monitoring Connectivity
Monitoring Services and Performance
Lesson: Monitoring Overview
Why Implement Monitoring?
TMG Server Monitoring Components
Designing a Monitoring and Reporting Strategy
Using the TMG Server Dashboard for Monitoring
Why Implement Monitoring?
Use monitoring to:
Monitor traffic between networks to ensure that only legitimate traffic passes between networks
Troubleshoot network connectivity between TMG Server clients, servers, and networks
Collect information about attacks and to detect attacks as they occur
Plan future modifications to the TMG Server or Internet access infrastructure
TMG Server Monitoring Components
Components: Explanation
Alerts: Monitors TMG Server for configured events and then performs actions when the specified events occur
Sessions: Provides information on the current client sessions
Logging: Provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener
Reports: Summarizes information about the usage patterns on TMG Server
Connectivity: Monitors connections from TMG Server to any other computer or URL on any network
Performance: Monitors server performance in real time, creates a log file of server performance, or configures performance alerts
Designing a Monitoring and Reporting Strategy
When: Determine:
Monitoring real-time information: Which events should trigger an alert; the event threshold before the alert is triggered
Collecting long-term information: The information you need to monitor server usage; the information that you need to monitor server performance; the information you need to monitor server performance over time; the information you need to monitor security events
Developing a response strategy: How to respond to the critical events that occur on the TMG Server
Using the TMG Server Dashboard for Monitoring
[Screenshot: dashboard panes for monitoring sessions, alerts, updates, services and performance]
Lesson: Configuring Alerts
What Is an Alert?
How to Configure Alert Definitions
How to Configure Alert Events and Conditions
How to Configure Alert Actions
Alert Management Tasks
What Is an Alert?
An alert is:
A notification of an event or action that has occurred on TMG Server
Triggered according to the conditions and trigger thresholds specified for the event associated with the alert
When a server event takes place and records an alert:
The TMG Server Management console displays the alert in the Alerts view
An entry appears in the Alerts view that lists column headings such as type of alert, the date and time, status, and category
How to Configure Alert Definitions
How to Configure Alert Category and Actions
Alert Management Tasks
Alerts are managed by performing the following tasks:
Acknowledge registered alerts
Reset registered alerts
When you configure an alert to stop the TMG Server Firewall Service, TMG Server goes into a lockdown mode. While in lockdown mode, TMG Server blocks most network traffic
Practice: Configuring and Managing Alerts
Creating a New Alert Definition
Modifying an Existing Alert Definition
[Lab topology: TMG-XX, Internet]
Lesson: Configuring Session Monitoring
What Is Session Monitoring?
About Managing Sessions
How to Configure Session Filtering
What Is Session Monitoring?
Session monitoring:
Provides real-time information about client sessions hosted through TMG Server
Includes information on:
  • When the session was established
  • The session type
  • The source network
  • The client user name and computer name
Provides the ability to immediately stop any unwanted sessions
About Managing Sessions
[Screenshot: right-click a session to disconnect it; use the session options to manage sessions]
How to Configure Session Filtering
[Screenshot: add multiple filters; configure filters to view specific sessions]
Practice: Configuring Session Monitoring
Monitoring Sessions
Applying a Session Filter
[Lab topology: Internet-Web-XX, TMG-XX, Internet, ClientXX, DC-01]
Lesson: Configuring Logging
What Is Logging?
Log Storage Options
How to Configure Logging
How to View TMG Server Logs
How to Configure Log Filter Definitions
What Is Logging?
The logging feature:
Provides extended log storage to generate reports, analyze trends, or investigate security issues
Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging
Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs
Log Storage Options
Log storage option: Explanation
MSDE: Default format for Web proxy and Firewall Service logs; logs can be viewed in the log viewer
SQL database: Logs can be stored on a separate server; logs can be analyzed by using database tools
File: Logs can be stored in W3C or TMG Server format; only available format for SMTP message screener logs
The MSDE and log files are stored by default in the ISALogs folder, which is located in the TMG Server installation folder
How to Configure Logging
[Screenshot: configure the log storage format and the information captured in the logs]
How to View TMG Server Logs
How to Configure Log Filter Definitions
[Screenshot: load or save filters; configure filters to view specific log entries]
Lesson: Configuring Reports
What Are Reports?
How to Configure the Report Summary Database
How to Generate a Report
How to Create a Recurring Report Job
How to View Reports
How to Publish Reports
What Are Reports?
Use reporting to summarize and analyze:
Who is accessing the Internet, as well as which Web sites are being accessed
Which protocols and applications are being used most often
General traffic patterns
The cache hit ratio
Reports can be generated immediately
Reports need to be scheduled to generate on a recurring basis
How to Configure the Report Summary Database
[Screenshot: select to enable log summaries; configure the summary files location; configure the number of saved summaries]
How to Generate a Report
[Screenshot: configure the content to include in the report; configure the time period included in the report; configure where the report will be stored]
How to Create a Recurring Report Job
[Screenshot: configure the content to include in the recurring report; configure when the recurring report will run]
How to View Reports
Reports can be viewed:
  • Only on the computer running TMG Server Management
  • By double-clicking the report name in the Report view of TMG Server Management
How to Publish Reports
You can publish reports to a shared folder where users without TMG Server Management installed can view the reports
Practice: Configuring Reports
Generating a Report
Creating a Recurring Report Job
[Lab topology: Internet-Web-XX, TMG-XX, Internet, ClientXX, DC-01]
Lesson: Monitoring Connectivity
How Does Connectivity Monitoring Work?
Configuring Connectivity Monitoring
How Does Connectivity Monitoring Work?
Connectivity monitoring:
Uses connectivity verifiers to monitor connections from TMG Server to other servers or URLs
Can be configured to use any of the following connection methods:
  • Ping to check for simple network connectivity
  • TCP connection to verify that a service is running on the destination server
  • HTTP GET request to verify that a Web server is running on the destination server
Configuring Connectivity Monitoring
[Screenshot: configure the URL or server to connect to; configure the method used to test connectivity]
Practice: Configuring Connectivity Monitoring
Configuring Connectivity Monitoring
[Lab topology: TMG-XX, Internet]
Lesson: Monitoring Services and Performance
Monitoring TMG Server Services
Performance Monitoring with TMG Server
Monitoring TMG Server Services
Performance Monitoring with TMG Server
Performance Objects: Explanation
TMG Server Packet Engine: Includes performance counters to monitor connections and throughput for the firewall engine
TMG Server Cache: Includes performance counters to monitor the memory, disk, and URL activity associated with the cache as well as cache performance
TMG Server Firewall Service: Includes counters to monitor Firewall service connections and associated services such as DNS. This object monitors only TMG Client connections
TMG Server Web Proxy Service: Includes counters to monitor the number of users and the rate at which TMG Server transfers data for Web Proxy clients to remote and upstream servers
Monitor the TMG Server counters as well as other performance counters to determine server performance and bottlenecks
Example: Performance Monitoring with TMG Server
You can monitor TMG resources using separate counters and objects.
Lab: Monitoring TMG Server
Exercise 1: Testing the Alerts Feature
Exercise 2: Testing the Reporting Feature
Exercise 3: Testing the Connectivity Monitoring Feature
[Lab topology: TMG-XX, Internet]
THANK YOU