Forefront Threat Management Gateway 2010
Introduction to Forefront TMG
Forefront TMG Value Proposition
Comprehensive, Integrated, Simplified:
Firewall – Control network policy access at the edge
Secure Web Gateway – Protect users from Web browsing threats
Secure E-mail Relay – Protect users from e-mail threats
Remote Access Gateway – Enable users to remotely access corporate resources
Intrusion Prevention – Protect desktops and servers from intrusion attempts
Features Summary
Firewall
• VoIP traversal
• Enhanced NAT
• ISP link redundancy
Remote Access
• NAP integration with client VPN
• SSTP integration
Secure Web Access
• HTTP antivirus/antispyware
• URL filtering
• HTTPS forward inspection
E-mail Protection
• Exchange Edge integration
• Antivirus
• Antispam
Deployment and Management
• Array management
• Change tracking
• Enhanced reporting
• Windows Server 2008, native 64-bit
Intrusion Prevention
• Network Inspection System
Subscription Services
• Malware protection
• URL filtering
• Intrusion prevention
Deployment Scenarios
Networks
[Diagram: Forefront TMG connected to the External network (Internet via ISP 1 and ISP 2), two perimeter networks (DMZ EXT and DMZ INT), the Internal network (LAN 1, LAN 2, LAN 3 and a Branch), the VPN Clients network and the Local Host network]
Deployment Scenarios
Network Sets
[Diagram: the DMZ EXT and DMZ INT networks grouped into a "DMZ Networks" network set; the Internet (ISP 1, ISP 2), LAN 1, LAN 2, LAN 3, Branch and VPN client networks shown around the TMG server]
Deployment Scenarios
Single Adapter
[Diagram: TMG with a single network adapter; the Internet, LAN 1, LAN 2, LAN 3 and the VPN Clients are all part of the Internal network, alongside the Local Host network]
Forefront TMG as a Secure Web Gateway
Scalable – Array support, load balancing
Logging & Reporting Support – New reports, log fields
Competitive Feature Set – URL Filtering, Malware Inspection, NIS
Easily Manageable – Web Access Wizard, task oriented
Integrated – Policy management, directory services integration, licensing
Secure Web Gateway Layered Security
Unifies inspection technologies (Malware Inspection, URL Filtering, Application Layer Proxy, Network Inspection System, HTTPS Inspection, Logging & Reporting, on Windows Server® 2008 / R2) to:
Protect against multi-channel threats
Simplify deployment
Keeps security up to date with updates to:
Web antimalware
URL filtering
Network Inspection System
HTTPS Inspection
How HTTPS Inspection Works
Setup:
Enable HTTPS inspection
Generate trusted root certificate
Install trusted root certificate on clients
[Diagram: the client requests https://contoso.com through TMG; the certificate TMG receives from contoso.com is signed by VeriSign, the certificate TMG presents to the client is signed by TMG]
1. Intercept HTTPS traffic
2. Validate contoso.com server certificate
3. Generate contoso.com server proxy certificate on TMG
4. Copy data from the original server certificate to the proxy certificate
5. Sign the new certificate with TMG trusted root certificate
6. [TMG manages a certificate cache to avoid redundant duplications]
7. Pretend to be contoso.com for client
8. Bridge HTTPS traffic between client and server
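The eight steps above, as an added example that is not part of this deck or of TMG's own code. It models the certificate side of HTTPS inspection with Go's standard library: a stand-in public CA issues the origin certificate for contoso.com, the inspector validates it against the roots it trusts, copies the identity and validity fields into a proxy certificate signed by its own root, caches that certificate by issuer and serial number, and a client that has the TMG root installed verifies the proxy certificate for the host it asked for. The type and function names (signer, inspector, proxyCert, clientAccepts) and the CA common names are this example's own, and all keys and certificates are generated at run time. Two points the slide does not spell out: an origin certificate that fails validation gets no proxy certificate, and the private key of the TMG root can impersonate any HTTPS site to every client that trusts it, so it needs the protection you would give a CA key.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"fmt"; "math/big"; "time"
)

// signer is a CA key pair plus its certificate (an example type, not a TMG API).
type signer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// create signs template t with the parent's private key and parses the result.
func create(t, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// newRoot makes a self-signed root: the TMG trusted root, or a stand-in for the public CA.
func newRoot(cn string) *signer {
	k := newKey()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return &signer{k, create(t, t, &k.PublicKey, k)}
}

// issue signs an ordinary server certificate for host with the given public key.
func (s *signer) issue(host string, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return create(t, s.cert, pub, s.key)
}

// inspector is the TMG side: its root, one key reused for every proxy certificate,
// the roots it trusts for origin servers, and the proxy-certificate cache.
type inspector struct {
	root    *signer
	leafKey *ecdsa.PrivateKey
	trusted *x509.CertPool
	cache   map[string]*x509.Certificate
}

// proxyCert is steps 2 to 6: validate the origin certificate for host, reuse the cached
// proxy certificate, or copy identity and validity into a new one signed by the TMG root.
func (in *inspector) proxyCert(host string, origin *x509.Certificate) (*x509.Certificate, error) {
	if _, err := origin.Verify(x509.VerifyOptions{DNSName: host, Roots: in.trusted}); err != nil {
		return nil, fmt.Errorf("origin certificate rejected, no proxy certificate issued: %w", err)
	}
	key := origin.Issuer.String() + "/" + origin.SerialNumber.String()
	if c, ok := in.cache[key]; ok {
		return c, nil
	}
	t := &x509.Certificate{SerialNumber: new(big.Int).Set(origin.SerialNumber), Subject: origin.Subject,
		DNSNames: origin.DNSNames, NotBefore: origin.NotBefore, NotAfter: origin.NotAfter,
		KeyUsage: origin.KeyUsage, ExtKeyUsage: origin.ExtKeyUsage}
	in.cache[key] = create(t, in.root.cert, &in.leafKey.PublicKey, in.root.key)
	return in.cache[key], nil
}

// clientAccepts is what a client with the TMG root installed does: verify the proxy
// certificate against that root for the host named in the URL it requested.
func clientAccepts(tmgRoot, proxy *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(tmgRoot)
	_, err := proxy.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// demo returns (second request served from cache, client accepts proxy cert, untrusted origin rejected).
func demo() (bool, bool, bool) {
	publicCA := newRoot("Stand-in Public CA")
	originKey := newKey()
	origin := publicCA.issue("contoso.com", &originKey.PublicKey, 4242)
	trusted := x509.NewCertPool()
	trusted.AddCert(publicCA.cert)
	in := &inspector{root: newRoot("TMG HTTPS Inspection Root"), leafKey: newKey(),
		trusted: trusted, cache: map[string]*x509.Certificate{}}
	p1, _ := in.proxyCert("contoso.com", origin)
	p2, _ := in.proxyCert("contoso.com", origin)
	rogue := newRoot("Untrusted CA").issue("contoso.com", &originKey.PublicKey, 7)
	_, rejected := in.proxyCert("contoso.com", rogue)
	return p1 == p2, clientAccepts(in.root.cert, p1, "contoso.com"), rejected != nil
}

func main() {
	fmt.Println(demo())
}
```

demo() returns three booleans (second request served from cache, client accepts the proxy certificate, origin signed by an untrusted CA rejected), all of which should be true. A client that does not have the TMG root installed fails the same Verify call that clientAccepts makes, which is why installing the root on clients is part of the setup rather than an afterthought.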
HTTPS Traffic Inspection Process
[Diagram: client and TMG (URL Filtering, Malware Inspection, Network Inspection System) and Internet/Contoso.com; the server certificate is signed by VeriSign, the proxy certificate presented to the client is signed by TMG]
HTTPS Inspection terminates the SSL traffic at the proxy for both ends and inspects the traffic against different threats.
The certificate generated by the proxy is trusted by the client and matches the URL the client expected.
HTTPS Inspection Notifications
Notification provided by the Forefront TMG client:
Notify user of inspection
History of recent notifications
Management of notification exception list
May be a legal requirement in some geographies
HTTPS Inspection Notification – User Experience
[Screenshot of the Forefront TMG client notification]
URL Filtering
[Diagram: TMG queries the Microsoft Reputation Service URL DB over the Internet]
Microsoft Reputation Service
• 91 built-in categories
• Predefined and administrator-defined category sets
• Integrates leading URL database providers
• Subscription-based
• Customizable, per-rule, deny messages
• URL category override
• URL category query
• Logging and reporting support
• Web Access Wizard integration
URL Filtering Benefits
Control user web access based on URL categories
Protect users from known malicious sites
Reduce liability risks
Increase productivity
Reduce bandwidth and Forefront TMG resource consumption
Analyze Web usage
Utilizes Microsoft Reputation Service
How TMG Uses Microsoft Reputation Service
[Diagram: a TMG policy lookup goes to the Categorizer, which checks its Cache and on a cache miss fetches the category from MRS with an SSL query (URL); MRS runs a federated query across multiple vendors and combines the result with telemetry data; a separate telemetry path (also SSL) carries feedback from TMG to MRS]
• Cache: fetch on cache miss; persistent and in-memory; weighted TTL
• Category overrides
• Feedback mechanism
• SSL for authentication and privacy
• No PII
What Makes MRS Compelling?
Existing URL filtering solutions:
A single vendor can't be an expert in all categories
Categorization response time
MRS unique architecture:
MRS merges URL databases from multiple sources/vendors (multi-vendor AV analogy)
Based on Microsoft internal sources as well as collaboration with third party partners
Scalable
Ongoing collaborative effort: recently announced an agreement with Marshal8e6, more announcements to follow
URL Filtering Categories
Security
Liability
Productivity
Per-rule Customization
TMG administrator can customize the denial message displayed to the user on a per-rule basis:
Add custom text or HTML
Redirect the user to a specific URL
URL Category Override
Administrator can override the categorization of a URL
Feedback to MRS via telemetry
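The categorizer, cache, override and per-rule deny customization described on the last few slides, as an added example that is not from this deck or from TMG. The reputation data is a constructed table standing in for MRS so that the code runs offline; the rule names, deny HTML, redirect URL, host names and type names (urlFilter, rule, verdict) are this example's own. The lookup order is the one the MRS slide shows: administrator override first, then the local cache, then a query only on a cache miss.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// rule is one Web access rule: the category set it denies plus the per-rule
// deny customization (custom text/HTML, or a redirect to a specific URL).
type rule struct {
	Name     string
	Denies   map[string]bool
	DenyHTML string
	Redirect string
}

// urlFilter models the categorizer: administrator overrides win, then the local
// cache, then a query to the reputation service (mrs is a constructed table
// standing in for MRS, so the example runs offline).
type urlFilter struct {
	overrides, cache, mrs map[string]string
	MRSQueries            int
	rules                 []rule
}

func (f *urlFilter) categorize(host string) string {
	if c, ok := f.overrides[host]; ok {
		return c
	}
	if c, ok := f.cache[host]; ok {
		return c
	}
	f.MRSQueries++ // cache miss: this is where TMG queries MRS over SSL
	c, ok := f.mrs[host]
	if !ok {
		c = "Uncategorized"
	}
	f.cache[host] = c
	return c
}

type verdict struct {
	Allowed                            bool
	Category, Rule, DenyHTML, Redirect string
}

// evaluate categorizes the request's host and applies the first rule whose
// category set contains that category; no match falls through to allow.
func (f *urlFilter) evaluate(raw string) (verdict, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return verdict{}, fmt.Errorf("unusable URL %q", raw)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	cat := f.categorize(host)
	for _, r := range f.rules {
		if r.Denies[cat] {
			return verdict{false, cat, r.Name, r.DenyHTML, r.Redirect}, nil
		}
	}
	return verdict{Allowed: true, Category: cat, Rule: "default allow"}, nil
}

// newDemoURLFilter builds a filter over constructed sample data and three rules.
func newDemoURLFilter() *urlFilter {
	return &urlFilter{
		overrides: map[string]string{},
		cache:     map[string]string{},
		mrs: map[string]string{"malware.example": "Malicious Sites", "gamble.example": "Gambling",
			"social.example": "Social Networking", "contoso.com": "Business"},
		rules: []rule{
			{Name: "Block security categories", Denies: map[string]bool{"Malicious Sites": true, "Phishing": true},
				DenyHTML: "<h1>Blocked</h1><p>This site is known to be malicious.</p>"},
			{Name: "Block liability categories", Denies: map[string]bool{"Gambling": true},
				Redirect: "https://intranet.contoso.com/acceptable-use"},
			{Name: "Block productivity categories", Denies: map[string]bool{"Social Networking": true},
				DenyHTML: "<p>Social networking sites are blocked during business hours.</p>"},
		},
	}
}

func main() {
	f := newDemoURLFilter()
	for _, raw := range []string{"http://MALWARE.example/login", "https://gamble.example/", "http://social.example/"} {
		v, _ := f.evaluate(raw)
		fmt.Printf("%-30s %+v\n", raw, v)
	}
	f.overrides["social.example"] = "Business" // administrator override, effective immediately
	v, _ := f.evaluate("http://social.example/")
	fmt.Printf("after override: %+v (MRS queries so far: %d)\n", v, f.MRSQueries)
}
```

The override on social.example takes effect without touching the cache or MRS, and the cached lookups keep MRSQueries at three across five evaluations. Host names are lowercased and stripped of a trailing dot before lookup, so MALWARE.example. and malware.example resolve to the same entry and the same rule.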
User Experience
[Screenshots: the per-rule deny page as seen by the user, including one built with custom HTML tags]
Malware Inspection
HTTP Malware Inspection
[Diagram: TMG downloads signature and engine updates from MU or WSUS into its signatures DB and scans content fetched from the Internet]
• Integrates Microsoft Antivirus engine
• Signature and engine updates
• Subscription-based
• Third party plug-ins can be used (native malware inspection must be disabled)
• Content delivery methods by content type
• Source and destination exceptions
• Global and per-rule inspection options (encrypted files, nested archives, large files…)
• Logging and reporting support
• Web Access Wizard integration
Content Trickling
[Diagram: the client's GET msrdp.cab passes through the Firewall Service Web Proxy to the Malware Inspection Filter, which keeps a request context and accumulates the content for the Scanner; the 200 OK response is trickled back to the client while the content is accumulated and scanned]
Malware Scanner Behavior
The antimalware engine works three priority queues:
High Priority Queue
• Partial inspection for Standard Trickling
• Final inspection for files smaller than 1 MB when Progress Page is not used
Normal Priority Queue
• Partial inspection for Fast Trickling
• Final inspection for files larger than 1 MB but smaller than 50 MB when Progress Page is not used
Low Priority Queue
• Final inspection when Progress Page is used
• Final inspection for files larger than 50 MB
Malware Inspection Per-rule Overrides
[Screenshot of the per-rule malware inspection settings]
User Experience – Content Blocked
User Experience – Progress Notification
Network Inspection System (NIS)
Protocol decode-based traffic inspection system that uses signatures of known vulnerabilities
Vulnerability-based signatures (vs. exploit-based signatures used by competing solutions): a signature describes the condition that triggers the vulnerability, so it matches variants of an exploit rather than one specific payload
Detects and can block attacks on network resources
NIS helps organizations reduce the vulnerability window:
Protects machines against known vulnerabilities until a patch can be deployed
Signatures can be released and deployed much faster than patches, concurrently with patch release, closing the vulnerability window
Integrated into Forefront TMG
Synergy with HTTPS Inspection
New Vulnerability Use Case
Vulnerability is discovered
Response team prepares and tests the vulnerability signature
Signature released by Microsoft and deployed through the distribution service, on security patch release
All un-patched hosts behind Forefront TMG are protected
[Diagram: Vulnerability Discovered, Signature Authoring Team (signature authoring, testing), Signature Distribution Service, TMG in front of the Corporate Network]
Network Inspection System Architecture
Design time: protocol parsers and signatures, delivered through Microsoft Update
Run time: NIS engine; telemetry and portal
NIS Response Process (targeting 4 hours)
1. Threat Identification
2. Threat Research
3. Signature Development
4. Signature Testing
5. Signature Release
6. Encyclopedia Write-up
Other Network Protection Mechanisms
Common OS attack detection
DNS attack filtering
IP option filtering
Flood mitigation
DNS Attack Filtering
Enables the following checks in DNS traffic:
DNS host name overflow – DNS response for a host name exceeding 255 bytes
DNS length overflow – DNS response for an IPv4 address exceeding 4 bytes
DNS zone transfer – DNS request to transfer zones from an internal DNS server
IP Options Filtering
Forefront TMG can block IP packets based on the IP options set:
Deny all packets with any IP options
Deny packets with the selected IP options
Deny packets with all except selected IP options
Forefront TMG can also block fragmented IP packets
Flood Mitigation
Forefront TMG flood mitigation mechanism uses:
Connection limits that are used to identify and block malicious traffic
Logging of flood mitigation events
Alerts that are triggered when a connection limit is exceeded
TMG comes with default configuration settings
Exceptions can be set per computer set
[Screenshot: the Flood Mitigation Settings dialog, with a Limit column and a Custom Limit column for the exception computer sets; the values visible include the pairs 600/6000 and 160/400, and 80 and 1000]
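The connection-limit mechanism above, as an added example that is not from the deck or from TMG: a per-source counter over a one-minute window with a default limit and a custom limit for sources in an exception computer set, plus an alert on a source's first breach and a log entry on each later one. The numbers 600 and 6000 are the first Limit / Custom Limit pair visible on the slide; the source addresses, the exception set 192.168.0.0/24, the type and function names (floodGuard, allow, simulate) and the replayed traffic are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// floodEvent is one log entry; Kind is "alert" for a source's first breach, "log" after that.
type floodEvent struct {
	Kind, Source string
	Count        int
}

// floodGuard enforces a per-source-IP limit on TCP connect requests per minute;
// sources in an exception computer set get the custom limit instead of the default.
type floodGuard struct {
	limit, customLimit int
	exceptions         []*net.IPNet
	window             time.Duration
	seen               map[string][]time.Time
	alerted            map[string]bool
	Events             []floodEvent
}

func newFloodGuard(limit, customLimit int, exceptionCIDRs ...string) *floodGuard {
	g := &floodGuard{limit: limit, customLimit: customLimit, window: time.Minute,
		seen: map[string][]time.Time{}, alerted: map[string]bool{}}
	for _, c := range exceptionCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		g.exceptions = append(g.exceptions, n)
	}
	return g
}

func (g *floodGuard) limitFor(ip net.IP) int {
	for _, n := range g.exceptions {
		if n.Contains(ip) {
			return g.customLimit
		}
	}
	return g.limit
}

// allow records a connect request from src at time now and reports whether it is within
// the source's limit for the trailing window. Denied requests still count, so a source
// that keeps hammering stays blocked until it backs off for a full window.
func (g *floodGuard) allow(src string, now time.Time) bool {
	ip := net.ParseIP(src)
	if ip == nil {
		return false
	}
	key := ip.String()
	recent := g.seen[key][:0] // prune timestamps that fell out of the window
	for _, t := range g.seen[key] {
		if now.Sub(t) < g.window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	g.seen[key] = recent
	if len(recent) <= g.limitFor(ip) {
		return true
	}
	kind := "log"
	if !g.alerted[key] {
		kind, g.alerted[key] = "alert", true
	}
	g.Events = append(g.Events, floodEvent{kind, key, len(recent)})
	return false
}

// simulate replays constructed traffic against the 600/6000 pair: an external source sends
// 650 connect requests within a minute, an internal proxy in the exception set sends 1000.
// It returns (attacker allowed, attacker denied, proxy allowed, alerts, attacker allowed again after the window).
func simulate() (int, int, int, int, bool) {
	g := newFloodGuard(600, 6000, "192.168.0.0/24")
	start := time.Date(2009, 11, 17, 9, 0, 0, 0, time.UTC)
	var okA, denyA, okP, alerts int
	for i := 0; i < 650; i++ {
		if g.allow("203.0.113.5", start.Add(time.Duration(i)*50*time.Millisecond)) {
			okA++
		} else {
			denyA++
		}
	}
	for i := 0; i < 1000; i++ {
		if g.allow("192.168.0.50", start.Add(time.Duration(i)*time.Millisecond)) {
			okP++
		}
	}
	for _, e := range g.Events {
		if e.Kind == "alert" {
			alerts++
		}
	}
	return okA, denyA, okP, alerts, g.allow("203.0.113.5", start.Add(2*time.Minute))
}

func main() {
	fmt.Println(simulate())
}
```

simulate returns 600 allowed and 50 denied requests for the external source, 1000 allowed for the internal proxy that the custom limit covers, a single alert, and acceptance again once the window has passed. Counting denied requests as well is a design choice of this example; the slide does not say what TMG counts, so check the product documentation before relying on the exact behaviour.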
Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG)
Product Positioning
Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats
Forefront UAG: comprehensive, secure remote access to corporate resources
Forefront UAG is the preferred solution for providing remote access
Forefront TMG 2010 still supports remote access features, but it is not the recommended solution
Server Publishing
Non-HTTP Server Publishing
Maps requests to non-Web servers located in one of the TMG 2010 networks
Clients can be either on the Internet or on a different internal network
Can be used to publish most TCP and UDP protocols
Behavior depends on whether the non-Web server is behind a NAT relationship or a route relationship:
If behind NAT, clients connect to an IP address belonging to Forefront TMG
If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server
The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010, so that its replies return through TMG
Sample Server Publishing Scenario
DNS Server Publishing
[Diagram: TMG with external address 10.0.0.3 and internal address 192.168.0.3 publishes the internal DNS server 192.168.0.100 (default gateway 192.168.0.3). 1. A DNS request from the Internet client 203.16.4.1 arrives at 10.0.0.3; 2. TMG checks for a publishing rule match and forwards the request to the DNS server. An FTP server 192.168.0.101 with default gateway 192.168.0.254 is also shown on the internal network.]
Non-HTTP Server Publishing
Things to consider when planning Server Publishing:
No authentication support
Access restriction by network elements only (networks, subnets, or IP addresses)
No support in single adapter configuration
Client source IP address preserved (behavior can be changed using a rule setting)
Application Layer Filter and NIS signature coverage: SMTP, POP3, DNS, etc.
Web Publishing
Provides secure access to Web content to users from the Internet
Web content may be either on internal networks or in a DMZ
Supports HTTP and HTTPS connections
Forefront TMG 2010 Web Publishing features:
Mapping requests to specific internal paths on specific servers
Authentication and authorization of users at the TMG level
Delegation of user credentials after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server farm
Accessing Web Resources
[Diagram: Internet clients reach an Exchange Server (OWA, RPC/HTTP(S), ActiveSync) over HTTPS, a Web Server over HTTP and a SharePoint Server over HTTP, all published through TMG; the external legs use HTTPS or HTTP and the internal legs HTTP or HTTPS as configured]
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols
Securing SSL Traffic
SSL Bridging:
1. Client on Internet encrypts communications
2. TMG 2010 decrypts and inspects traffic
3. TMG 2010 sends allowed traffic to published server,
re-encrypting it if required
Authentication Process
1. Client credentials received
2 & 3. Credentials validated
4. Credentials delegated to internal server
5. Server sends response
6. Response forwarded to client
Single Sign On
Sample Scenario – Two Published Web Sites requiring AuthN (FBA): Exchange.Company.Com and SharePoint.Company.Com
Without Single Sign-on:
1. User prompted for authentication at Exchange.Company.Com
2. User clicks link to SharePoint
3. User prompted for authentication again
With Single Sign-on:
1. User prompted for authentication at Exchange.Company.Com
2. User clicks link to SharePoint
3. User NOT prompted for authentication
Forefront TMG Virtual Private Networking (VPN)
Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPNs:
Remote Access VPN
Site-to-site VPN
TMG 2010 implements Windows Server® 2008 VPN
technology
Implements support for Secure Socket Tunneling Protocol (SSTP)
Implements support for Network Access Protection (NAP)
Secure Socket Tunneling Protocol (SSTP)
New SSL-based VPN protocol
HTTP over an SSL session (TCP 443) between VPN clients and servers, used to exchange encapsulated IPv4 or IPv6 packets
Support for unauthenticated Web proxies
Support for Network Access Protection (NAP)
Client support in Windows Vista® SP1
No plans to backport SSTP to previous versions
Network Access Protection (NAP)
Windows Policy Validation and Enforcement Platform
Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
Network Restriction: restricts network access to computers based on their health.
Remediation: provides necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN
Supports all VPN protocols, including SSTP
Different solution than the Remote Access Quarantine Services (RQS) supported in ISA Server 2006
NAP validates health status of the remote client at connection time
VPN network access limitation is done through IP packet filters applied to the VPN connection
Access limited to resources on the restricted network
NAP with Forefront TMG Walkthrough
[Diagram: VPN client, Forefront TMG 2010 as the network access device, Network Policy Server, a Restricted Network containing the Remediation Servers, and the Corporate Network containing the System Health Servers]
1. On the client, the VPN QEC queries the NAPAgent for SoHs; the NAPAgent collects the SoHs from the system health agents and passes them to the VPN QEC.
2. The client sends a VPN session request; inside the PEAP exchange (EAP-Request/Identity, EAP-Response/Identity, EAP-Request/Start) it presents its SoH: "Can I please have access to the network? Here is my SOH."
3. Forefront TMG 2010 relays the PEAP messages to the Network Policy Server over RADIUS.
4. The Network Policy Server evaluates the SoH against policy and returns SoH Responses:
   Client not up to date – state Quarantine: "Here is the fix you need." TMG restricts the client's access to 10.10.10.0/24, the restricted network.
   Client up to date – state Full Access: RADIUS Access-Accept; TMG grants the client access with no filters.
5. An unhealthy SHA performs remediation against the remediation servers; the NAPAgent then builds a new SoH, passes it to the VPN QEC, and the cycle repeats.
6. The System Health Servers send ongoing policy updates to the Network Policy Server.
NAP Components
Platform components, enforcement components and health components:
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
Quarantine Agent (QA) = Reports client health status; coordinates between SHA and QEC.
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
Quarantine Server (QS) = Restricts client's network access based on what the SHV certifies.
System Health Validators (SHV) = Certify declarations made by health agents.
Network Access Devices = Provide network access to healthy endpoints.
System Health Servers = Define health requirements for system components on the client.
Health Registration Authority = Issues health certificates to clients that pass health checks.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
[Diagram: on the client, SHA<n> feed the Quarantine Agent, which drives QEC 1 and QEC 2; the QECs send network access requests carrying client health statements to the Network Access Device (Forefront TMG 2010), which forwards them to the Network Policy Server (SHV<n> plus Quarantine Server) and receives the health result; System Health Servers push health policy updates to the Network Policy Server, and Remediation Servers serve the restricted clients]
Mail Protection
Mail Protection – Forefront Threat Management Gateway
Full featured SMTP hygiene
Exchange Edge Transport for SMTP stack (requires valid license)
Integrated with Microsoft® Forefront™ Protection 2010 for Exchange Server: antimalware, antispam, antiphishing
Also supports generic SMTP mail servers
E-mail Threats
~98% of all e-mail is spam/malicious
Over 400 billion unwanted e-mails in H2 2008
Estimated cost is $130 billion in 2009
Causes 90% of NDRs
Risk of software vulnerabilities
[Chart: percentage of incoming messages filtered by Forefront Online Protection for Exchange, 1H06 to 2H08]
The Solution
Filter unwanted e-mail as early as possible
[Chart: percentage of incoming messages blocked by Forefront™ Protection for Exchange using edge-blocking and content filtering, 1H06 to 2H08; series: Edge Filtered, Content Filtered, Unfiltered]
E-mail Protection Features
Protection at the edge: protects mail at the edge of the organization with Forefront Protection 2010 for Exchange Server
Advanced protection and premium antispam: multiple scan engines to protect against malware and provide a premium antispam solution
Integrated management: easy management of the Microsoft Exchange Server Edge role and Forefront Protection 2010 for Exchange Server through Forefront TMG
Array deployment: support for managing and load balancing traffic among multiple servers
Solution Components
Microsoft products:
Forefront Protection 2010 for Exchange Server
Microsoft® Exchange Server® 2007 (or 2010) Edge Transport
Forefront Threat Management Gateway
Windows Server® 2008 x64
Mail Protection – Forefront Threat Management Gateway
[Diagram: SMTP traffic from the External Network passes the TMG Filter Driver and the Network Inspection System (NIS), then the Exchange Edge Role receive connector, the Forefront Security for Exchange (FSE) multi-layer filters and anti-virus engines, and leaves through the send connector to the Internal Network]
Typical Deployment Topology
[Diagram: any SMTP servers and a partner SMTP server on the Internet send SMTP traffic to the Forefront TMG array, whose external IP address the MX record for myorg.com points to; the array relays SMTP traffic to the internal SMTP server on the internal network; EdgeSync runs between the array and the internal server (Exchange Server only)]
Configure SMTP Routes
Defines how Forefront TMG routes traffic from and to the organization's SMTP servers
At least two routes are required:
Internal_Mail_Servers defines the IP addresses and SMTP domains of the internal mail servers
External_Mail_Servers defines which mail is allowed to enter the organization and the external FQDN/IP address that will receive mail
Configure Spam Filtering
Defines spam filtering policy
Connection-level filtering:
IP Allow List
IP Allow List Providers
IP Block List
IP Block List Providers
Protocol-level filtering:
Configuring Recipient Filtering
Configuring Sender Filtering
Configuring Sender ID
Configuring Sender Reputation
Content-level filtering
Spam Filtering – Connection-level Filtering
[Screenshot of the connection-level filtering configuration]
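The connection-level filtering lists above, as an added example that is not from this deck, from Exchange or from TMG. decide applies the four lists in the order the slide lists them (IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers), and dnsblName shows how a provider lookup is formed: the connecting IPv4 address is reversed under the provider's zone, and an answer means the address is listed. The provider answers, address ranges and zone name are constructed so the code runs offline; listProvider, connectionFilter and decide are this example's own names.

```go
package main

import (
	"fmt"
	"net"
)

// listProvider is a DNS-based list: the connecting IPv4 address is reversed under
// the provider's zone and looked up; an answer means "listed". lookup is injected
// so the example runs offline with constructed answers instead of real DNS.
type listProvider struct {
	Zone   string
	lookup func(name string) bool
}

// dnsblName builds the query name: 192.0.2.7 under dnsbl.example becomes 7.2.0.192.dnsbl.example.
func dnsblName(ip net.IP, zone string) string {
	v4 := ip.To4()
	return fmt.Sprintf("%d.%d.%d.%d.%s", v4[3], v4[2], v4[1], v4[0], zone)
}

type connectionFilter struct {
	allowList, blockList           []*net.IPNet
	allowProviders, blockProviders []listProvider
}

func cidrs(list ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range list {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func listedBy(ip net.IP, providers []listProvider) string {
	for _, p := range providers {
		if p.lookup(dnsblName(ip, p.Zone)) {
			return p.Zone
		}
	}
	return ""
}

// decide applies the four connection-level lists in the order the slide gives them.
// The first list that matches wins, so an allow entry beats a block entry for the
// same address; an address on no list continues to protocol-level filtering.
func (f *connectionFilter) decide(src string) (accept bool, reason string) {
	ip := net.ParseIP(src)
	if ip == nil || ip.To4() == nil {
		return false, "not an IPv4 address"
	}
	if inAny(ip, f.allowList) {
		return true, "IP Allow List"
	}
	if z := listedBy(ip, f.allowProviders); z != "" {
		return true, "IP Allow List provider " + z
	}
	if inAny(ip, f.blockList) {
		return false, "IP Block List"
	}
	if z := listedBy(ip, f.blockProviders); z != "" {
		return false, "IP Block List provider " + z
	}
	return true, "no connection-level match; continue to protocol-level filtering"
}

// newDemoConnectionFilter uses constructed ranges and a constructed set of DNSBL answers.
func newDemoConnectionFilter() *connectionFilter {
	listed := map[string]bool{"7.2.0.192.dnsbl.example": true, "9.100.51.198.dnsbl.example": true}
	return &connectionFilter{
		allowList:      cidrs("198.51.100.0/24"), // a partner's relays
		blockList:      cidrs("203.0.113.0/24"),
		blockProviders: []listProvider{{Zone: "dnsbl.example", lookup: func(n string) bool { return listed[n] }}},
	}
}

func main() {
	f := newDemoConnectionFilter()
	for _, src := range []string{"198.51.100.9", "203.0.113.5", "192.0.2.7", "192.0.2.8"} {
		accept, reason := f.decide(src)
		fmt.Printf("%-14s accept=%-5v %s\n", src, accept, reason)
	}
}
```

198.51.100.9 is both inside the allow list and on the constructed DNSBL, and it is accepted: that is the precedence point, an allow entry for a partner's relay overrides a listing further down the order. IPv6 connections are refused here only because the example builds IPv4 reverse names; a real filter needs the nibble-reversed form for IPv6 lookups.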
Virus and Content Filtering
Configures antivirus, file attachment, and message body filtering:
Virus filter – Engine selection policy and remediation actions
File filters – Unwanted file attachments based on file type, filename, and prefix
Message body filters – Identify unwanted e-mail messages by applying keyword lists to the contents of the message body
[Screenshot of the virus and content filtering configuration]
Replicating Configuration to Exchange Server and FPE
1. The administrator changes the configuration in the TMG UI
2. The configuration is stored to the DB
3. Array members load the new configuration
4. Each member configures the Exchange Edge service and the FPE service using the PowerShell API
Design Options
Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in a stand-alone array
Multiple purposes and/or locations, high availability: Enterprise Management Server
Single Purpose and Location
Forefront TMG 2010 Standard Edition (SE):
Light and medium traffic
All-in-one solution
No high availability requirements
[Diagram: a single Forefront TMG Standard Edition server between the Internet and the internal network]
Single Purpose and Location
Forefront TMG 2010 Enterprise Edition (EE): stand-alone array
Shared configuration
High traffic solution
Simple upgrade to EE: data maintained, EE license key
Provides high availability and scale out
[Diagram: a stand-alone array of Forefront TMG Enterprise Edition servers between the Internet and the internal network]
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or
trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because
Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee
the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.