Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with TMG
6NPS – Session 3
Objectives
• Create policy elements, access rules, and connection limits. Policy elements include schedules, protocols, user groups, and network objects
What is Secure Access to Internet Resources?
• Every organization defines secure access slightly differently
• An Internet usage policy needs to be developed, defining how users can use the Internet
• What is secure access to the Internet?
– Users can access the resources that they need, such as web and email
– Secure Internet connection, not revealing any information about the internal system
– Secure data transfers, such as credit card information and client data
– Block downloading of malicious programs
Guidelines for Designing an Internet Usage Policy
• An Internet usage policy defines what actions users are allowed to perform while connected to the Internet
• This is the basis for configuring the TMG settings
• Internet usage policies should do the following:
– Describe the need for an Internet usage policy: why it is being created, legal reasons, confidential client information
– Describe what the policy covers: a detailed description of what is acceptable and unacceptable
– Identify the people within the organization who are responsible for creating and enforcing the policy
– Define how violations are handled: disciplinary actions
How TMG Enables Secure Access to Internet Resources
• TMG provides the following functionality to enable secure access:
– Implementing TMG as a multilayer firewall
– Implementing TMG as a proxy server
– Using TMG to implement the organization's Internet usage policy
• Restrictions based on users and groups
• Restrictions based on computers
• Restrictions based on protocols
• Restrictions based on Internet destinations
• Restrictions based on content being downloaded from the Internet
How TMG Enables Secure Access to Internet Resources (diagram: TMG proxy server between the client and the Web server, checking in turn whether the user, computer, protocol, destination and content are allowed)
What is a Proxy Server?
• A proxy server is a server that is situated between a client application and a server to which the client connects
• A proxy server can provide enhanced security and performance
• Proxy servers make the Internet connection more secure in the following ways:
– User authentication
– Filtering client requests
– Content inspection
– Logging user access
– Hiding the internal network details
– Improving Internet access performance
Why Use a Proxy Server? (diagram: TMG between the client and the Web server; improved Internet access security through user authentication, filtering client requests, content inspection, logging user access and hiding the internal network details; improved Internet access performance)
How Does a Forward Web Proxy Server Work?
• Proxy servers can be used to secure both inbound and outbound Internet access
• When used to secure outbound Internet access, it is configured as a forwarding proxy server
How Does a Forward Web Proxy Server Work? (diagram: six numbered steps between the client, TMG and the Web server, checking whether the user, protocol and destination are allowed)
How Does a Reverse Web Proxy Server Work?
• Operates in much the same way as a forward Web proxy server
• A reverse proxy makes internal resources accessible to external clients
What Is a Reverse Web Proxy Server? (diagram: six numbered steps between the external client, TMG, the DNS server and the Web server, checking whether the request, protocol and destination are allowed)
How to Configure TMG as a Proxy Server
DNS Configuration for Internet Access
• If no internal DNS server is available to resolve Internet addresses, configure the TMG clients to use an Internet DNS server
• Configure TMG clients to use an internal DNS server if the DNS server can resolve Internet addresses
• TMG can proxy DNS requests for Web proxy and Forefront TMG clients but not for SecureNET clients
• TMG includes a DNS cache that caches the results of all DNS lookups performed through TMG
How to Configure Web Chaining (diagram: branch offices chaining to the head office, which connects to the Internet)
How to Configure Dial-Up Connections (dialog options: enable dial-up for connections to this network; use this dial-up connection; logon using this account)
Practice: Configure TMG as a Proxy Server
• Configuring the proxy server settings on TMG
(lab diagram: TMG, Internet, DC)
What Are Access Rule Elements?
Access Rule Element – Used to Configure
• Protocols – The protocols that will be allowed or denied by an access rule
• Users – The users that will be allowed or denied by an access rule
• Content Types – The content type that will be allowed or denied by an access rule
• Schedules – The time of day when Internet access will be allowed or denied by an access rule
• Network Objects – The computers or destinations that will be allowed or denied by an access rule
How to Configure Protocol Elements
How to Configure User Elements
How to Configure Content Type Elements
• Define the MIME types and file extensions to include
How to Configure Schedule Elements
• Define the times when this schedule is active or inactive
How to Configure Domain Name Sets and URL Sets
• Use a domain name set to configure access to an entire domain
• Use a URL set to configure access to a URL
Practice: Configuring Firewall Rule Elements
• Configuring a new user set
• Configuring a new content type element
• Configuring a new schedule element
• Configuring a new URL set
(lab diagram: TMG, Internet, DC)
Configuring TMG Authentication
• Authentication and TMG Clients
• Authentication Methods
– Basic authentication – plaintext, least secure
– Digest authentication – hashing, must use Active Directory with reversible encryption, less secure than the AD default
– Integrated Windows authentication – Kerberos v5 or NTLM protocol, the default authentication method for Windows
– Digital certificate authentication
– RADIUS authentication
– RSA SecurID authentication
Practice: Configuring TMG Server Authentication
• Enabling Authentication
(lab diagram: TMG, Internet, Client1, DC)
What Are Access Rules?
Access rules always define:
• Action: Allow or Deny
• User
• Protocol: IP port/type
• Destination: network, IP, site
• Source: network, IP
• Schedule
• Content Type
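As an added example (not the course's or TMG's own code), the ordered, first-match rule evaluation that the access rule elements above feed into, modelled in Python: each rule combines a user set, protocol element, destination set, content type element and schedule, and TMG's built-in Default rule denies whatever no earlier rule matched. Rule names, user names and destinations are constructed; the request dict and `(start, end)` hour schedule are simplifications assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of ordered TMG-style access rules (example code, not TMG's API).
# Each condition is a set of accepted values; None means "any"; schedule is (start, end) hours.

@dataclass
class AccessRule:
    name: str
    action: str                              # "allow" or "deny"
    users: Optional[set] = None              # user set, None = all users
    protocols: Optional[set] = None          # protocol element
    destinations: Optional[set] = None       # domain name set / URL set
    content_types: Optional[set] = None      # content type element (MIME types)
    schedule: Optional[tuple] = None         # active hours as (start, end), 24h clock

    def matches(self, req: dict) -> bool:
        """True when every configured condition of the rule accepts the request."""
        checks = (
            (self.users, req["user"]),
            (self.protocols, req["protocol"]),
            (self.destinations, req["destination"]),
            (self.content_types, req.get("content_type")),
        )
        if any(allowed is not None and value not in allowed for allowed, value in checks):
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if not (start <= req["hour"] < end):
                return False
        return True

DEFAULT_RULE = AccessRule("Default rule", "deny")   # TMG's last, built-in rule

def evaluate(rules: list, req: dict) -> tuple:
    """Walk the ordered rule list; the first matching rule decides (first match wins)."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule.matches(req):
            return rule.action, rule.name        # the rule TMG logging would report
    raise AssertionError("unreachable: the default rule matches every request")

# Constructed rule set in the order the practice describes: DNS lookup, then managers.
RULES = [
    AccessRule("DNS Lookup Rule", "allow", protocols={"DNS"}),
    AccessRule("Managers Access Rule", "allow", users={"alice", "bob"},
               protocols={"HTTP", "HTTPS"}, schedule=(8, 18)),
]
```

Moving a deny rule above or below an allow rule changes the outcome for the same request, which is why reviewing rule order is one of the troubleshooting steps later in the session.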
How Network Rules and Access Rules Are Applied (diagram: six numbered steps among the client, TMG, the domain controller and the Web server, showing where network rules and access rules are applied)
How to Configure Access Rules
How to Configure HTTP Policy
• Configure maximum header length
• Configure maximum payload length
• Configure maximum URL and query length
• Configure additional filtering options
Practice: Managing Access Rules
• Creating a DNS Lookup Rule
• Creating a Managers Access Rule
• Testing Internet Access
(lab diagram: TMG, Internet, Client1, DC)
How to Troubleshoot Access to Internet Resources
To troubleshoot Internet access issues:
• Check for DNS name resolution
• Determine the extent of the problem
• Review access rule objects and access rule configuration
• Review access rule order
• Check access rule authentication
• Use TMG logging to determine which access rule is granting or denying access
Lab: Enabling Access to Internet Resources
• Exercise 1: Configuring TMG Access Rule Elements
• Exercise 2: Configuring TMG Access Rules
• Exercise 3: Testing TMG Access Rules