Implementing Microsoft Forefront Threat Management Gateway Server®

Course Outline
Module 1: Overview of Microsoft Forefront TMG
Module 2: Installing and Maintaining TMG Server
Module 3: Enabling Access to Internet Resources
Module 4: Configuring TMG Server as a Firewall
Module 5: Configuring Access to Internal Resources

Course Outline (continued)
Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks
Module 7: Implementing Caching
Module 8: Monitoring Forefront TMG

Module 1: Overview of Microsoft Forefront TMG

Overview
- Introducing Microsoft Forefront TMG
- Deployment Scenarios for Forefront TMG

Lesson: Introducing Forefront TMG
- What Are the Benefits of Forefront TMG?
- Multimedia: Overview of Forefront TMG Functionality
- Forefront TMG Management Interface
- Forefront TMG Enterprise Edition Features
- Differences Between TMG Server 2000 and Forefront TMG

What Are the Benefits of Forefront TMG?
Advanced Protection:
- Multi-layer packet inspection
- Application-layer filtering
- Product integration
- Integrated functionality
Ease of Use:
- Unified firewall and VPN server
- Efficient management tools
- Ease of use for clients
- Scalability
Enhanced Performance:
- Multi-networking
- Network templates
- Optimized for performance
- Web caching

Differences Between ISA Server 2006 and Forefront TMG
- Simplified management (Deployment)
- Protect users from web browsing threats (Web Access Policy) with malware and HTTPS inspection
- Protect users from e-mail threats (Email Policy) with antispam and antivirus
- Protect desktops and servers from intrusion attempts with Network Inspection System (NIS) as IPS
- Using Active Directory Lightweight Directory Services as ADAM
- New dashboard for monitoring

Differences Between ISA Server 2006 and Forefront TMG (cont.)
- Support VoIP
- New VPN service with SSTP
- VPN redundancy and ISP load balancing

Lesson: Deployment Scenarios for Forefront TMG
- How TMG Server Works as an Internet Edge Firewall
- How TMG Server Works as a Back-End Firewall
- How TMG Server Works as a Branch Office Firewall
- How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server
- How TMG Server Works as a Proxy- and Caching-Only Server

How TMG Server Works as an Internet Edge Firewall
Use TMG Server to:
- Block all Internet traffic unless explicitly allowed
- Publish internal servers such as Web or Exchange servers
- Provide a VPN gateway for remote users
- Provide proxy and caching services
(Diagram: LAN with Web Server, Exchange Server and user; TMG Server at the edge; Internet with Web Server; remote user connecting over VPN)

How TMG Server Works as a Back-End Firewall
Use TMG Server to:
- Securely publish Exchange servers
- Securely publish other internal Web servers
- Provide proxy and caching services
(Diagram: LAN with Web Servers, Exchange Server and user; TMG Server behind a front-end firewall; Internet; remote user)

How TMG Server Works as a Branch Office Firewall
Use TMG Server to:
- Create an IPSec tunnel-mode VPN between offices
- Create a PPTP or L2TP with IPSec VPN between offices
- Inspect and filter all traffic between offices
- Provide secure access to the Internet at the branch office
(Diagram: branch office LAN with TMG Server; VPN tunnel across the Internet to the corporate headquarters LAN with TMG Server or other VPN gateway)

How TMG Server Works as an Integrated Firewall, Proxy, and Caching Server
Use TMG Server to:
- Provide proxy and caching services to conserve Internet bandwidth
- Configure dial-up connections to the Internet
- Block all inbound network traffic
- Provide secure configurations using network templates and server publishing wizards
(Diagram: LAN with servers and user; TMG Server; dial-up to ISP; Internet with Web Server)

How TMG Server Works as a Proxy- and Caching-Only Server
- Use TMG Server with a single network adapter to provide proxy and caching services
- Deploying TMG Server with a single network adapter means that it does not provide additional security functionality
(Diagram: LAN with Web Server, server and user; TMG Server with one adapter; separate firewall to the Internet)

Module 2: Installing and Maintaining TMG Server

Overview
- Installing Forefront TMG
- Choosing TMG Server Clients
- Installing and Configuring TMG Clients
- Advanced TMG Client Configuration
- Securing Forefront TMG
- Maintaining Forefront TMG

Lesson: Installing Forefront TMG
- System and Hardware Requirements for Forefront TMG
- Installation Types and Components
- Configuration Choices During Installation
- How to Perform an Unattended Installation of Forefront TMG
- How to Verify an Installation of Forefront TMG
- Default Configuration for Forefront TMG
- How to Modify the TMG Server Installation
- Upgrade Options from TMG Server 2000 to Forefront TMG

Preparation
- TMG will only run on 64-bit Windows Server 2008. There will be a 32-bit demo version after TMG goes RTM, but there won't be any beta versions that run on 32-bit Windows.
- TMG requires at least 2 GB of memory (it will probably run on less, but not very quickly).
- 2.5 GB of disk space.
- At least one NIC (although I always recommend two or more NICs to provide true security).
- You must install to the default folder on the C: drive.
- TMG will install IIS 7 on your machine in order to support SQL Reporting Services. If you remove TMG from the machine, IIS 7 will not be removed for you and you will need to do that manually.
- Services and driver files for TMG are installed in the TMG installation folder.

System and Hardware Requirements for Forefront TMG
- Operating system: Windows Server 2008, 64-bit
- RAM: 2 GB
- CPU: 1.8 GHz (2 cores)
- Hard disk format: NTFS
- Hard disk space: 2.5 GB
- Network adapters: Internal, External

Hardware Requirements for Forefront TMG
System Requirements for Forefront TMG
System Requirements for Forefront TMG (cont.)
Installation Types and Components

Practice: Installing Forefront TMG
- Installing Forefront TMG
(Lab machines: TMG-XX, Internet)

How to Verify an Installation of Forefront TMG
Verify after installation:
- Verify that the TMG Server services are installed and started
- Verify that the MSDE services are installed and started
- Review the setup log files
- Check the Application Log in the Event Viewer
- Check for TMG Server Alerts

Verify after installation: Service
- TMG Service
Verify after installation: Service (cont.)
- MSSQL Service

Default Configuration for Forefront TMG
- Only Administrators can modify firewall policies
- Traffic between the Internal network, the VPN network, the VPN Quarantine network, and the Internet will use network address translation
- Traffic is routed between the TMG Server and all other networks
- Traffic is routed between the VPN network and the Internal network
- System policy permits access to the TMG Server, but access rules deny all network traffic through the TMG Server
- No servers are published
- Web Proxy requests will be retrieved directly from the Internet
- Caching is disabled
- A rule enabling access to the TMG Client installation share is configured if you install the TMG Client installation files

Example: Default Configuration
Example: Default Firewall Policy
- By default, everything is denied.

Practice: Verifying the Installation and Default Configuration of Forefront TMG
- Verifying the successful installation of Forefront TMG
- Examining the default installation of Forefront TMG
(Lab machines: TMG-XX, Internet)

Migration Options from ISA Server to Forefront TMG
(Diagram: ISA Server 2006: extract the ISA Server 2006 configuration; Forefront TMG: install Forefront TMG, import the ISA Server configuration)
Remark: ISA Server 2006 cannot be upgraded to TMG directly because TMG requires a 64-bit platform.

Lesson: Choosing TMG Server Clients
- Types of TMG Server Clients
- How to Configure a SecureNAT Client
- How to Configure Web Proxy Clients
- Guidelines for Choosing a TMG Server Client

Types of TMG Server Clients
- SecureNAT client: does not require you to deploy client software
- Web Proxy client: improves the performance of Web requests for internal clients
- TMG Client: allows Internet access only for authenticated users
(Diagram: the three client types connecting through TMG Server to the Internet)

Guidelines for Choosing a TMG Server Client
If you need to… | Then use…
- Avoid deploying client software | SecureNAT clients
- Use TMG Server only for forward caching | SecureNAT or Web Proxy clients
- Allow access only for authenticated clients | TMG Clients or Web Proxy clients
- Publish servers on your internal network | SecureNAT clients
- Improve Web performance for non-Windows operating systems | SecureNAT or Web Proxy clients

How to Configure a SecureNAT Client
- SecureNAT clients do not require client installation or client configuration
- On a single-subnet network, configure the IP address of the internal network interface as the SecureNAT client default gateway
- On a multiple-subnet network, configure the IP address of the router as the SecureNAT client default gateway

How to Configure Web Proxy Clients
Monitoring Sessions on TMG

Practice: Configuring SecureNAT and Web Proxy Clients
- Configuring TMG Server to log client connections
- Configuring and testing a SecureNAT client
- Configuring and testing a Web Proxy client
(Lab machines: TMG-XX, Internet-xx, Internet, Clientxx)

Lesson: Installing and Configuring TMG Clients
- How to Configure TMG Client Settings
- The TMG Client Installation and Configuration Process
- Options for Automating the TMG Client Installation

How to Configure TMG Client Settings

The TMG Client Installation and Configuration Process
The TMG Client:
- Uses a common Winsock service provider that other Winsock applications use to connect to application servers
- Intercepts Winsock client application calls for remote application servers and redirects the request to TMG Server
Install the TMG Client:
- From the TMG Client share on the computer running TMG Server, or from another network share

Practice: Installing the TMG Client
- Configuring the TMG Client settings on TMG Server
- Installing the TMG Client
(Lab machines: TMG-XX, Internet-xx, Web, Internet, Clientxx)

Steps for Setting Up the TMG Client
- Run setup from the installation disc
- Follow the wizard steps and specify the TMG Server
- When finished, restart and add a record for TMG to the hosts file
- Automatic setting
Options for Automating the TMG Client Installation
- Software package distributed using Group Policy
- Unattended installation
- SMS package distributed to specific clients using SMS

Configuring Administrative Roles

TMG Server Administrative Roles
Role | Description
- Forefront TMG Monitoring Auditor | Restricted-access monitoring: view sessions, query service status
- Forefront TMG Auditor | Full access to monitoring, read-only ISA configuration: view and reset alerts
- Forefront TMG Administrator | Can perform all administrative tasks

Example: Delegating a Job to an ISA Role
Properties of TMG Server

Best Practices for Securing the Server
Securing TMG Server:
- Do not install TMG Server on a domain controller
- Avoid installing an Internet edge server on a domain member
- Rename the Administrator account
- Disable unused functionality
- Apply Windows Server security best practices

Lesson: Maintaining Forefront TMG
- About Exporting and Importing the ISA Server Configuration
- About Backing Up and Restoring the ISA Server Configuration
- Remote Administration Options for TMG Server

About Exporting and Importing the TMG Server Configuration
- Use export and import to clone a TMG Server, to save a configuration for troubleshooting, or to roll back a configuration change
- You can export the entire TMG Server configuration, or any individual or group of configuration settings
- Importing a configuration overwrites all settings from the exported file

About Backing Up and Restoring the TMG Server Configuration
- Use backup to create a configuration file that can be used for disaster recovery
- Backup creates a file with the entire TMG Server configuration
- Restoring a backup overwrites all TMG Server settings

Remote Administration Options for TMG Server
- Use remote administration to manage physically secured servers or servers in other offices
- Use Remote Desktop or Terminal Services to manage all settings on the server running TMG Server
- Use the TMG Server Management MMC to manage TMG Server settings remotely
- Configure the server running TMG Server to enable Remote Desktop, and configure System Policy to enable remote MMC management

Practice: Remote Management for TMG
- Using Remote Desktop for remote management
- Using MMC for remote management
(Lab machines: TMGxx, Clientxx)

Module 3: Enabling Access to Internet Resources

Overview
- Forefront TMG as a Proxy Server
- Configuring Multi-Networking on TMG Server
- Configuring Access Rule Elements
- Configuring Access Rules for Internet Access

Lesson: Forefront TMG as a Proxy Server
- How TMG Server Enables Secure Access to Internet Resources
- Why Use a Proxy Server?
- How Does a Forward Web Proxy Server Work?
- What Is a Reverse Web Proxy Server?
- How to Configure TMG Server as a Proxy Server
- DNS Configuration for Internet Access
- How to Configure Web Chaining
- How to Configure Dial-Up Connections

How TMG Server Enables Secure Access to Internet Resources
Is the…
- User allowed access?
- Computer allowed access?
- Protocol allowed?
- Destination allowed?
- Content allowed?
(Diagram: client, TMG Server acting as proxy server, Web Server)

Why Use a Proxy Server?
Improved Internet access security:
- User authentication
- Filtering client requests
- Content inspection
- Logging user access
- Hiding the internal network details
Improved Internet access performance
(Diagram: client, TMG Server, Web Server)

How Does a Forward Web Proxy Server Work?
Is the…
- User allowed access?
- Protocol allowed?
- Destination allowed?
(Diagram: request flow numbered 1 to 6 between client, TMG Server and Web Server)

What Is a Reverse Web Proxy Server?
Is the…
- Request allowed?
- Protocol allowed?
- Destination allowed?
(Diagram: request flow numbered 1 to 6 between Internet client, DNS Server, TMG Server and internal Web Server)

How to Configure TMG Server as a Proxy Server

DNS Configuration for Internet Access
- If no internal DNS server is available to resolve Internet addresses, configure the TMG Server clients to use an Internet DNS server
- Configure TMG Server clients to use an internal DNS server if that DNS server can resolve Internet addresses
- TMG Server can proxy DNS requests for Web Proxy and TMG Clients, but not for SecureNAT clients
- TMG Server includes a DNS cache that caches the results of all DNS lookups performed through TMG Server

DNS Requests by Client Type
- SecureNAT client: the client queries the DNS server itself
- Web Proxy client, TMG Client: TMG queries the DNS server on the client's behalf (proxied DNS request)

Practice: Configuring DNS
- Configure clients to use the internal DNS
- Configure internal DNS by the internal technique
- Configure internal DNS by the Internet technique
(Lab machines: TMG-XX, Internet-xx, Web, DNS, Internet, Clientxx, SV-xx: DC, DNS, DHCP)

How to Configure Web Chaining
(Diagram: branch offices chaining Web requests through the head office to the Internet)
Example: Web Chaining

Practice: Configuring TMG Server as a Web Proxy Server
- Configuring the proxy server settings on TMG Server
(Lab machines: Internet-xx, Web, TMG-XX, DNS, Internet, Clientxx, SV-xx: DC, DNS Server, DHCP Server)

Lesson: Configuring Multi-Networking on TMG Server
- How Does Forefront TMG Support Multiple Networks?
- Default Networks Enabled in TMG Server
- About Network Objects
- How to Create and Modify Network Objects
- What Are Network Rules?

How Does Forefront TMG Support Multiple Networks?
- Supports any number of networks
- VPN networks represented as networks
- Dynamic network membership
- Per-network rules
- Per-network policies
- Network sets
(Diagram: Internet, VPN, Perimeter1, Perimeter2, LAN1 and LAN2 networks attached to TMG Server)

Default Networks Enabled in TMG Server
Default Network | Includes
- Local Host | The TMG Server
- External | All IP addresses not associated with another network
- Internal | All IP addresses specified as internal during installation
- VPN Clients | All IP addresses for currently connected VPN clients
- Quarantined VPN Clients | All IP addresses of connected VPN clients that have not cleared quarantine

Example: Default Networks on ISA 2006

About Network Objects
Network Object | Includes
- Network | All computers connected to a single network interface
- Network Set | One or more networks
- Computer | A single computer identified by an IP address
- Computer Set | All computers included in specified computer, subnet or address range objects
- Address Range | All computers identified by continuous IP addresses
- Subnet | All computers on a specified subnet
- URL Set | All specified URLs
- Domain Name Set | All specified domain names
- Web Listener | The IP address on which the TMG Server listens for connections

How to Create and Modify Network Objects
- Click Firewall Policy, Toolbox, then Network Objects
- Click Networks, then Networks or Network Sets

What Are Network Rules?
Route connection:
- A route relationship is bidirectional
- If a routed relationship is defined from network A to network B, a routed relationship also exists from network B to network A
NAT connection:
- A NAT relationship is directional
- Addresses from the source network are always translated when passing through TMG Server

Practice: Managing Network Objects
- Configuring a new network on TMG Server
- Configuring a new network rule on TMG Server
- Configuring a new computer network object on TMG Server
(Lab machines: TMG-XX, Internet)

Lesson: Configuring Access Rule Elements
- What Are Access Rule Elements?
- How to Configure Protocol Elements
- How to Configure User Elements
- How to Configure Content Type Elements
- How to Configure Schedule Elements
- How to Configure Domain Name Sets and URL Sets

What Are Access Rule Elements?
Access Rule Element | Used to Configure
- Protocols | The protocols that will be allowed or denied by an access rule
- Users | The users that will be allowed or denied by an access rule
- Content Types | The content type that will be allowed or denied by an access rule
- Schedules | The time of day when Internet access will be allowed or denied by an access rule
- Network Objects | The computers or destinations that will be allowed or denied by an access rule

*** Example Policy ***

How to Configure Protocol Elements

How to Configure User Elements
Allowing access only to the users who need the system:
1. Not supported for ping-related protocols.
2. For HTTP used through a browser, the client must be one of two types, Web Proxy client or TMG Client:
   2.1 If the user matches a user listed in TMG, TMG checks whether the policy allows that user access (Windows integrated).
   2.2 If the user does not match a user listed in ISA, a popup prompts the user to log on.
3. For other protocols, the client must be a TMG Client only, and the user name must match on both the client and TMG.
Remark: DNS is the exception. With a Web Proxy client or TMG Client, the DNS of ISA is used directly (no authentication).
Summary of the rules assigned in the Firewall Policy: if the specified user is a member of both groups and the two conflict, the exception always takes precedence, so somchai loses access!!!!

How to Configure Content Type Elements (HTTP only)
- Define the MIME types and file extensions to include
Example: Content Types
- If All Images is not allowed in the policy, the result looks like this (works only for HTTP traffic)

How to Configure Schedule Elements
- Define the times when this schedule is active or inactive

How to Configure Domain Name Sets and URL Sets
- Domain Name Set: use this to configure access to an entire domain
- URL Set: use this to configure access to a URL

Example: Block Bad Website
When defining the firewall policy you should specify:
- The URLs that are not allowed
- The IP addresses of the servers that are not allowed
Example: Block Bad Website (cont.)

Logic of Firewall Policy Evaluation
- The policy is read from top to bottom. The first rule the traffic matches is applied immediately, and no other rules are read.
- Read top to bottom; the first matching rule wins.

Practice: Configuring Firewall Rule Elements
- Configuring a new user set
- Configuring a new content type element
- Configuring a new schedule element
- Configuring a new URL set
(Lab machines: TMG-XX, Internet-xx, Web, DNS, Internet, Clientxx, SV-xx: DC, DNS Server, DHCP Server)

Lesson: Configuring Access Rules for Internet Access
- What Are Access Rules?
- How Network Rules and Access Rules Are Applied
- About Authentication and Internet Access
- How to Configure Access Rules
- How to Configure HTTP Policy
- How to Troubleshoot Access to Internet Resources

What Are Access Rules?
Access rules always define an action on traffic from a user, from a source, to a destination, with conditions:
- Action: Allow, Deny
- Traffic: Protocol, IP port/type
- User
- Source: Source network, Source IP
- Destination: Destination network, Destination IP, Destination site
- Conditions: Schedule, Content type

How Network Rules and Access Rules Are Applied
(Diagram: flow numbered 1 to 6 between client, Domain Controller, TMG Server and Web Server, with network rules and access rules applied in turn)

About Authentication and Internet Access
- Authentication and TMG Server Clients
Authentication methods:
- Basic authentication
- Digest authentication
- Integrated Windows authentication
- Digital certificate authentication
- RADIUS authentication
- RSA SecurID authentication
How to Set Authentication
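The top-to-bottom, first-match evaluation described above, together with the access rule elements (protocol, user set, source network, destination domain name set, schedule, content type), modelled in Python. This is an added example and not part of the course material; every rule name, user set, host name and request below is constructed for illustration, and the implicit default rule denies whatever no rule matches.

```python
"""Added example, not from the course slides: a minimal model of how a
TMG-style firewall policy is evaluated. Rules are read from top to bottom
and the first rule whose elements all match decides; later rules are never
consulted. Every name, user set, host and request below is constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    user: Optional[str]      # None = anonymous (no credentials presented)
    protocol: str            # "HTTP", "HTTPS", "DNS", ...
    src_network: str         # "Internal", "VPN Clients", ...
    dest_host: str           # destination host name
    hour: int                # hour of day, 0-23 (schedule element)
    content_type: str = ""   # MIME type of the HTTP response, if known


@dataclass
class Rule:
    name: str
    action: str                                                     # "Allow" or "Deny"
    protocols: Set[str] = field(default_factory=lambda: {"*"})
    users: Set[str] = field(default_factory=lambda: {"All Users"})
    sources: Set[str] = field(default_factory=lambda: {"*"})
    destinations: Set[str] = field(default_factory=lambda: {"*"})   # domain name set patterns
    hours: range = field(default_factory=lambda: range(0, 24))      # schedule
    content_types: Set[str] = field(default_factory=lambda: {"*"})  # MIME patterns


# Constructed user sets. "All Users" also matches anonymous requests;
# "All Authenticated Users" matches any request carrying a user name.
USER_SETS: Dict[str, Set[str]] = {
    "Internet Users": {"somchai", "alice"},
}


def user_in_set(user: Optional[str], set_name: str) -> bool:
    if set_name == "All Users":
        return True
    if set_name == "All Authenticated Users":
        return user is not None
    return user is not None and user in USER_SETS.get(set_name, set())


def _matches_any(value: str, patterns: Set[str]) -> bool:
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def rule_matches(rule: Rule, req: Request) -> bool:
    """All elements of the rule must match, otherwise the request falls
    through to the next rule."""
    if not _matches_any(req.protocol, rule.protocols):
        return False
    if not any(user_in_set(req.user, s) for s in rule.users):
        return False
    if not _matches_any(req.src_network, rule.sources):
        return False
    if not _matches_any(req.dest_host, rule.destinations):
        return False
    if req.hour not in rule.hours:
        return False
    # A content-type restriction can only be checked on HTTP traffic, so a
    # rule carrying one never matches other protocols.
    if rule.content_types != {"*"}:
        if req.protocol.upper() != "HTTP":
            return False
        if not _matches_any(req.content_type, rule.content_types):
            return False
    return True


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """Top to bottom, first match wins; the implicit default rule denies."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.action, rule.name
    return "Deny", "Default rule"


# Constructed policy, in the order the administrator placed the rules.
POLICY: List[Rule] = [
    Rule("Block Bad Website", "Deny", protocols={"HTTP", "HTTPS"},
         destinations={"badsite.example", "*.badsite.example"}),
    Rule("Block Images", "Deny", protocols={"HTTP"}, content_types={"image/*"}),
    Rule("Internet Access", "Allow", protocols={"HTTP", "HTTPS"},
         users={"Internet Users"}, sources={"Internal"}, hours=range(8, 18)),
]


if __name__ == "__main__":
    samples = [
        Request("somchai", "HTTP", "Internal", "www.contoso.com", 10, "text/html"),
        Request("somchai", "HTTPS", "Internal", "www.badsite.example", 10),
        Request("somchai", "HTTP", "Internal", "www.contoso.com", 10, "image/png"),
        Request("somchai", "HTTP", "Internal", "www.contoso.com", 22, "text/html"),
        Request(None, "HTTP", "Internal", "www.contoso.com", 10, "text/html"),
    ]
    for r in samples:
        print(r.user, r.protocol, r.dest_host, r.hour, "->", evaluate(POLICY, r))
    # Moving the allow rule above the deny rule changes the outcome.
    print("swapped order ->", evaluate([POLICY[2], POLICY[0]], samples[1]))
```

The last line of the demo shows why rule order matters: with the allow rule placed above the deny rule, the request to the blocked site is allowed, because the first matching rule is applied and the deny rule beneath it is never read.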
Types of Standard Authentication
Basic authentication:
- The password is sent in clear text, so it should be used together with SSL
- Works with most clients
- Does not support single sign-on
Example: Basic Authentication
- Supported by most browsers
- No encryption: Basic sends the password in clear text

Digest authentication:
- The password is sent as a hash
- Only for users whose accounts are in Active Directory
Example: Digest Authentication
- Sends the user name and password using hashing
- Works only with domain accounts

Integrated Windows authentication:
- The user does not need to enter a user name and password
- The server negotiates with the client computer itself to determine which user is logged on there
- If the account does not match, an authentication popup appears
- Encrypted
Example: Windows Integrated
- Uses the Windows account to log on automatically
- If the account does not match, an authentication popup appears
- Encrypted

How to Configure Access Rules

Practice: Integrating TMG with NPS (RADIUS Server)
- Installing the NPS Server
- Setting up the RADIUS server and RADIUS client
- Configuring a firewall policy with RADIUS
(Lab machines: TMG-XX, Internet-xx, Web, DNS, Internet, Clientxx, SV-xx: DC, DNS Server, NPS)

How to Troubleshoot Access to Internet Resources
To troubleshoot Internet access issues:
- Check for DNS name resolution
- Determine the extent of the problem
- Review access rule objects and access rule configuration
- Review access rule order
- Check access rule authentication
- Use TMG Server logging to determine which access rule is granting or denying access

What Is Web Access Policy?
New feature of TMG:
- A new wizard-based tool
- Focuses only on HTTP/HTTPS
- Functionality such as malware inspection
- Includes HTTPS outbound inspection
- Malware inspection can update its definitions directly from Update Center (Microsoft Update or WSUS)
How to Use Web Access Policy
How to Use Web Access Policy: Web Destinations
How to Use Web Access Policy: Malware Inspection
How to Use Web Access Policy: HTTPS Inspection

Lab: Enabling Access to Internet Resources
- Exercise 1: Configuring TMG Server Access Rule Elements
- Exercise 2: Configuring TMG Server Access Rules
- Exercise 3: Testing TMG Server Access Rules

Module 4: Configuring TMG Server as a Firewall

Overview
- Using TMG Server as a Firewall
- Examining Perimeter Networks and Templates
- Configuring System Policies
- Configuring Intrusion Detection and IP Preferences

Lesson: Using TMG Server as a Firewall
- What Is a TCP/IP Packet?
- What Is Packet Filtering?
- What Is Stateful Filtering?
- What Is Application Filtering?
- What Is Intrusion Detection?
- How Forefront TMG Filters Network Traffic
- Implementing Forefront TMG as a Firewall

What Is a TCP/IP Packet?
- Network Interface Layer (physical payload): Destination Address: 0003FFD329B0; Source Address: 0003FFFDFFFF
- Internet Layer (IP payload): Destination: 192.168.1.1; Source: 192.168.1.10; Protocol: TCP
- Transport Layer (TCP payload): Destination Port: 80; Source Port: 1159; Sequence: 3837066872; Acknowledgment: 2982470625
- Application Layer: HTTP Request Method: Get; HTTP Protocol Version: HTTP/1.1; HTTP Host: www.contoso.com

What Is Packet Filtering?
Is the…
- Source address allowed?
- Destination address allowed?
- Protocol allowed?
- Destination port allowed?
(Diagram: packet filter on TMG Server between client and Web Server)

What Is Stateful Filtering?
- Create a connection rule
- Is the packet part of a connection?
(Diagram: connection rules table on TMG Server between client and Web Servers)

What Is Application Filtering?
- Get www.contoso.com
- Is the Get method allowed?
- Does the response contain only allowed content and methods?
- Respond to client
(Diagram: TMG Server inspecting the request and response between client and Web Server)
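The three filtering layers above (packet filtering, stateful filtering, application filtering) as one small Python filter, added here as an example and not taken from the course material. It keeps a connection table keyed on the 5-tuple so that a server's replies are admitted only because the client opened the connection, applies a static packet filter (source network, destination network, protocol, port) to packets that try to open a new connection, and checks the HTTP request method on port 80. The network, addresses, rule sets and packet sequence are constructed; the client port 1159 and destination port 80 mirror the sample packet in the slide above.

```python
"""Added example, not from the course slides: a toy filter that applies the
three checks the slides describe in order: stateful filtering (is the packet
part of a known connection?), packet filtering (addresses, protocol and port)
for packets that try to open a new connection, and application filtering (is
the HTTP method allowed?). Networks, addresses, rules and packets are all
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

INTERNAL = ip_network("192.168.1.0/24")        # constructed "Internal" network
ALLOWED_OUTBOUND = {("TCP", 80), ("TCP", 443)}  # packet-filter rule: Internal -> External web only
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST"}  # application-filter rule for plain HTTP

Conn = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN: an attempt to open a new connection
    payload: bytes = b""


class StatefulFilter:
    def __init__(self) -> None:
        self.connections: Set[Conn] = set()   # the "connection rules" table

    @staticmethod
    def _is_internal(addr: str) -> bool:
        return ip_address(addr) in INTERNAL

    def _packet_filter(self, p: Packet) -> bool:
        """Static packet filter: source address, destination address, protocol
        and destination port must all be allowed."""
        return (self._is_internal(p.src)
                and not self._is_internal(p.dst)
                and (p.proto, p.dport) in ALLOWED_OUTBOUND)

    @staticmethod
    def _application_filter(p: Packet) -> bool:
        """Application filter for plain HTTP requests: only listed methods pass."""
        if p.proto == "TCP" and p.dport == 80 and p.payload:
            method = p.payload.split(b" ", 1)[0].decode("ascii", "replace")
            return method in ALLOWED_HTTP_METHODS
        return True

    def process(self, p: Packet) -> Tuple[str, str]:
        """Return (decision, reason) for one packet and update connection state."""
        fwd: Conn = (p.src, p.dst, p.proto, p.sport, p.dport)
        rev: Conn = (p.dst, p.src, p.proto, p.dport, p.sport)
        # Stateful check: packets of a recorded connection are allowed in both
        # directions, so the server's replies get back in without any inbound rule.
        if fwd in self.connections or rev in self.connections:
            if not self._application_filter(p):
                return "Deny", "application filter: HTTP method not allowed"
            return "Allow", "part of an existing connection"
        # No state: only a TCP SYN that the packet filter permits may create a
        # connection entry. Anything else, including unsolicited inbound
        # packets, is dropped.
        if p.proto == "TCP" and not p.syn:
            return "Deny", "no connection state for this packet"
        if not self._packet_filter(p):
            return "Deny", "packet filter: source/destination/port not allowed"
        self.connections.add(fwd)
        return "Allow", "new connection recorded"


def demo() -> List[Tuple[str, str]]:
    """Constructed packet sequence; returns the decision for each packet."""
    fw = StatefulFilter()
    packets = [
        # 1. Internal client opens a connection to a web server on the Internet.
        Packet("192.168.1.10", "203.0.113.5", "TCP", 1159, 80, syn=True),
        # 2. The client's request on that connection.
        Packet("192.168.1.10", "203.0.113.5", "TCP", 1159, 80, payload=b"GET / HTTP/1.1"),
        # 3. The server's reply, allowed only because the state entry exists.
        Packet("203.0.113.5", "192.168.1.10", "TCP", 80, 1159, payload=b"HTTP/1.1 200 OK"),
        # 4. Unsolicited inbound SYN to the client: no state and not an allowed outbound.
        Packet("203.0.113.5", "192.168.1.10", "TCP", 4444, 445, syn=True),
        # 5. A method the application filter does not allow, on the open connection.
        Packet("192.168.1.10", "203.0.113.5", "TCP", 1159, 80, payload=b"TRACE / HTTP/1.1"),
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

Packet 3 is the point of stateful filtering: nothing in the static rules allows traffic from the Internet to the client, yet the reply is admitted because the client's SYN created the connection entry; packet 4, which has no such entry, is dropped. A real product also ages entries out of the table and tracks TCP state transitions; the toy keeps entries for ever to stay short.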
What Is Intrusion Detection?
- Port scan limit exceeded: all ports scan attack
- Alert the administrator
(Diagram: scan against TMG Server; TMG Server raises an alert)

Implementing Forefront TMG as a Firewall
To configure TMG Server as a firewall:
- Determine perimeter network configuration
- Configure networks and network rules
- Configure system policy
- Configure intrusion detection
- Configure access rule elements and access rules
- Configure server and Web publishing

Lesson: Examining Perimeter Networks and Templates
- What Is a Perimeter Network?
- Why Use a Perimeter Network?
- Network Perimeter Configurations
- About Network Templates
- How to Use the Network Template Wizard
- Modifying Rules Applied by Network Templates

What Is a Perimeter Network?
(Diagram: Internet, firewall, perimeter network, firewall, internal network)

Why Use a Perimeter Network?
A perimeter network provides an additional layer of security:
- Between the publicly accessible servers and the internal network
- Between the Internet and confidential data or critical applications stored on servers on the internal network
- Between potentially nonsecure networks such as wireless networks and the internal network
Use defense in depth in addition to perimeter network security

Network Perimeter Configurations
- Bastion host (Web Server)
- Three-legged configuration (LAN and perimeter network on one firewall)
- Back-to-back configuration (perimeter network between two firewalls, then the LAN)

About Network Templates
- Bastion host: deploy the Edge Firewall template
- Three-legged configuration: deploy the 3-Leg Perimeter template
- Back-to-back configuration: deploy the Front-End or Back-End template
- Proxy and caching only: deploy the Single Network Adapter template

How to Use the Network Template Wizard
How to Use the Network Template Wizard (cont.)

Modifying Rules Applied by Network Templates
You may need to modify the rules applied by a network template to:
- Modify Internet access based on user or computer sets
- Modify Internet access based on protocols
- Modify network rules to change network relationships
You can either change the properties of one of the rules configured by the network template, or you can create a new access rule to apply a specific setting

Lesson: Configuring System Policies
- What Is System Policy?
- System Policy Settings
- How to Modify System Policy Settings

What Is System Policy?
System policy is:
- A default set of access rules applied to the TMG Server to enable management of the server
- A set of predefined rules that you can enable or disable as required
Modify the default set of rules provided by the system policy to meet your organization's requirements. Disable all functionality that is not required.

System Policy Settings
System policy settings include:
- Network Services
- Authentication Services
- Remote Management
- TMG Client
- Diagnostic Services
- Logging and Monitoring
- SMTP
- Scheduled Download Jobs
- Allowed Sites

How to Modify System Policy Settings

Practice: Modifying System Policy
- Examining and modifying the default system policy
- Testing the modified system policy
(Lab machines: TMG-XX, Internet, Clientxx)

About Intrusion Prevention Configuration Options
Intrusion prevention on Forefront TMG:
- NIS signatures can now be updated dynamically
- Detects well-known protocol attacks: HTTP, DNS, SMB, NetBIOS, MSRPC, SMTP, POP3, IMAP4 and MIME
- Works together with Microsoft Malware Protection on newly discovered threats
Example: IPS for TMG
How to Configure Intrusion Prevention

About Intrusion Detection Configuration Options
Intrusion detection on Forefront TMG:
- Compares network traffic and log entries to well-known attack methods and raises an alert when an attack is detected
- Detects well-known IP attacks
- Includes application filters for DNS and POP that detect intrusion attempts at the application level
Example: IDS for TMG
How to Configure Intrusion Detection
Using Update Center

Module 5: Configuring Access to Internal Resources

Overview
- Introduction to Publishing
- Configuring Web Publishing
- Configuring Secure Web Publishing
- Configuring Server Publishing
- Configuring TMG Server Authentication

Lesson: Introduction to Publishing
- Multimedia: Using Forefront TMG to Enable Access to Internal Network Resources
- What Are Web Publishing Rules?
- What Are Server Publishing Rules?
- DNS Configuration for Web and Server Publishing

What Are Web Publishing Rules?
Web publishing rules provide the following features:
- Publish HTTP or HTTPS content
- Application-layer filtering
- Path mapping
- User authentication
- Content caching
- Publish multiple Web sites with one IP address
- Link translation
- Logging client IP address
Secure Web publishing rules enable the use of SSL to encrypt network traffic between client and server
(Diagram: TMG Server publishing an internal Web server)

What Are Non-Web Server Publishing Rules?
Server publishing rules provide the following features:
- Support for encryption
- Publish content using multiple protocols
- Logging client IP address
- Application-layer filtering for protocols with application filters
Non-Web server publishing rules forward requests to internal servers based on protocol and port number
(Diagram: TMG Server forwarding requests to internal servers)

DNS Configuration for Web and Non-Web Server Publishing
(Diagram: Internet client resolving www.cohovineyard.com through the DNS Servers, steps numbered 1 to 4 across the Internet, TMG Server, perimeter network and internal network)

Lesson: Configuring Web Publishing
- Web Publishing Rules Configuration Components
- How to Configure Path Mapping
- How to Configure Web Listeners
- How to Configure Link Translation
- How to Configure a New Web Publishing Rule

Web Publishing Rules Configuration Components
Web publishing rules configuration:
- Action
- Name
- Users
- Traffic source
- Public name
- Web listener
- Path mappings
- Bridging
- Link Translation

How to Configure Path Mapping
(Diagram: the public URLs http://www.demo.com/hr and http://www.demo.com/shop are mapped by TMG Server to the Sales, Human Resources and Online Store virtual directories)
Example: Path Mapping

How to Configure Multiple Web Publishing
(Diagram: TMG Server publishes http://www.cohovineyard.com to Web1 and http://www.acme.com to Web2)
Example: Multiple Web Publishing with the same Web listener

How to Configure Web Listeners
- Anonymous Web listener: http://www.cohovineyard.com (CohoVineyard Web Site)
- Authenticated Web listener: http://private.cohovineyard.com (Private Web Site)
(Diagram: both listeners on TMG Server in front of the two sites)

How to Configure a New Web Publishing Rule
Web Publishing Rule Wizard configuration:
- Action
- Published Web site
- Public name
- Web listener
- User sets

Practice: Configuring Web Publishing
- Configuring a new Web listener
- Configuring a new Web publishing rule
- Testing the Web publishing rule
(Lab machines: DMZxx, Web, TMG-XX, Internet-xx, Web, DNS, Internet, Clientxx, Server-xx: DC, DNS, DHCP)

Lesson: Configuring Secure Web Publishing
- What Is Secure Sockets Layer?
• How to Prepare TMG Server for SSL
• How SSL Bridging Works
• How SSL Tunneling Works
• How to Configure a New Secure Web Publishing Rule

What Is Secure Sockets Layer?
(diagram: server authentication, client authentication and an encrypted SSL connection between the client and the Web server)

How to Prepare TMG Server for SSL
(diagram: the www.demo.com certificate is imported from the Web server to TMG Server)

How SSL Bridging Works
(diagram: TMG Server between the client and the published Web server)

How to Configure a New Secure Web Publishing Rule
SSL Web Publishing Rule Wizard configuration:
• Publishing Mode • Action • Bridging Mode • Published Website • Public name • Web listener • User Sets

Practice: Configuring Secure Web Publishing
• Enabling Access to the Certificate Authority Web Site
• Installing a Server Certificate
• Configuring a New Secure Web Publishing Rule
• Testing the Secure Web Publishing Rule
(lab diagram: InternalWeb-01, InternetWeb-01, TMG-xx, Internet, DC-xx)

Lesson: Configuring Non-Web Server Publishing
• Server Publishing Configuration Options
• How Non-Web Server Publishing Works
• How to Configure a Non-Web Server Publishing Rule
• How to Troubleshoot Web and Non-Web Server Publishing

Non-Web Server Publishing Configuration Options
Server publishing rules configuration:
• Action • Traffic • Traffic source • Traffic destination • Networks • Schedule

How Non-Web Server Publishing Works
(diagram) A media publishing rule on port 1755 forwards mms://media.demo.com to the Demo Media Site; an FTP publishing rule on port 21 forwards ftp://ftp.demo.com to the Demo FTP Site

How to Configure a Non-Web Server Publishing Rule
Non-Web Server Publishing Rule Wizard configuration:
• Select server to publish
• Select protocol
• Select IP addresses where clients will connect

Practice: Configuring Non-Web Server Publishing
• Configuring a New Non-Web Server Publishing Rule
• Testing the Non-Web Server Publishing Rule
(lab diagram: InternalWeb-01, InternetWeb-01, TMG-xx, Internet, Server-xx FTP)

How to Troubleshoot Web and Non-Web Server Publishing
To troubleshoot Web and server publishing issues:
• Check the resource availability
• Check the DNS records
• Check the error message
• Check which ports the TMG Server is listening on for connections
• Check the publishing rule configuration
• Check the SSL configuration and certificates

Lesson: Configuring TMG Server Authentication
• How Authentication and Web Publishing Rules Work
• TMG Server Web Publishing Authentication Scenarios
• Using RADIUS for Authentication
• How to Implement RADIUS Server for ISA Authentication

How Authentication and Web Publishing Rules Work Together
TMG Server uses authentication to grant access to publishing rules:
• When the publishing rule specifies a user set other than the All Users group
• Based on the Web listener authentication methods specified for a Web publishing or secure Web publishing rule
• By processing the firewall rules in order of priority. When a firewall rule matches but requires authentication, TMG Server prompts for user credentials

TMG Server Web Publishing Authentication Scenarios
(diagram: Web server authentication; TMG Server authentication; TMG Server and Web server authentication)

Using RADIUS for Authentication
(diagram: TMG Server as RADIUS client, RADIUS server, domain controller)
Using RADIUS for authentication means that TMG Server can authenticate users based on their Active Directory credentials without requiring that the computer running TMG Server be a member of an Active Directory domain

How to Implement RADIUS Server for TMG Authentication
To implement RADIUS authentication:
1 Install and configure NPS to use Active Directory for authentication and configure the TMG Server as a RADIUS client
2 Configure the Active Directory user accounts or configure remote access policies to enable dial-in access
3 Configure TMG Server to use the RADIUS server and configure a Web listener to use RADIUS authentication

Lab: Configuring Access to Internal Resources
• Exercise 1: Configuring TMG Server Authentication and Secure Publishing
• Exercise 2: Testing the TMG Server Configuration
(lab diagram: InternalWeb-01, InternetWeb-01, TMG-xx, Internet, DC-xx)

Module 6: Configuring Virtual Private Network Access for Remote Clients and Networks
Overview
• Virtual Private Networking Overview
• Configuring Virtual Private Networking for Remote Clients
• Configuring Virtual Private Networking for Remote Sites
• Configuring VPN Quarantine Control Using Forefront TMG

Lesson: Virtual Private Networking Overview
• What Is Virtual Private Networking?
• VPN Protocol Options
• VPN Authentication Protocol Options
• VPN Quarantine Control
• Virtual Private Networking Using Routing and Remote Access
• Virtual Private Networking Using Forefront TMG
• Benefits of Using TMG Server for Virtual Private Networking

What Is Virtual Private Networking?
(diagram: TMG Server connecting a branch office over a VPN)

VPN Protocol Options
Factor: Client operating systems supported
  PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98
  L2TP/IPSec: Windows 2000 and later
Factor: Certificate support
  PPTP: Requires a certificate infrastructure only for EAP-TLS authentication
  L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key
Factor: Security
  PPTP: Provides data encryption; does not provide data integrity
  L2TP/IPSec: Provides data encryption, data confidentiality, data origin authentication, and replay protection
Factor: NAT support
  PPTP: To locate PPTP-based VPN clients behind a NAT, the NAT should include an editor that can translate PPTP
  L2TP/IPSec: To locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T

VPN Authentication Protocol Options
PAP: Uses plaintext passwords and is the least secure authentication protocol
SPAP: Uses a reversible encryption mechanism employed by Shiva
CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted
MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data
MS-CHAPv2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data
EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication

(Notes translated from Thai) A VPN must perform authentication. PAP checks the password only. SPAP uses a reversible password-checking mechanism. CHAP requires passwords that are stored and used with reversible encryption. MS-CHAP is Microsoft's reversible technique. MS-CHAPv2 is a mutual authentication technique. EAP-TLS is security that relies on several mechanisms.

PAP & SPAP (diagram, translated): the client sends its password (PAP); the server (SPAP) checks the password of the user logging on and returns a positive result.

CHAP, MS-CHAP (diagram, translated): the client sends user name + password encrypted with algorithm A; the server decrypts with algorithm A, checks the stored credentials (A pass1, B pass2, C pass3) and replies Ack.

MS-CHAP v2 mutual authentication (diagram, translated): the client sends user name A + pass1 encrypted with a validation key; the server decrypts and derives its own validation key from the stored credentials (A pass1, B pass2, C pass3); if the login validation key and the server validation key match, access is granted.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), multifactor authentication (diagram, translated): A + pass1 together with an MD5 hash or a smart card; the server holds a password and smart card for each user (A, B, C); A + pass1 is encrypted in transit during the exchange.

VPN Quarantine Control
VPN Quarantine Control:
• Enables screening of VPN client machines before granting them access to the organization's network
• Uses a client script that analyzes the security configuration of the remote access client
• VPN clients connecting to TMG Server with approved security configurations are moved from the VPN Quarantine network to the VPN Clients network

Virtual Private Networking Using Routing and Remote Access
RRAS supports:
• Remote access policies that define remote access connections and connection parameters
• Connection Manager components to simplify the configuration of remote access clients
• RADIUS servers for authentication and the centralization of remote access policies
• VPN quarantine control to restrict network access to quarantined clients
• Packet filtering for securing VPN and network quarantine connections

Virtual Private Networking Using Forefront TMG
TMG Server enables VPN access:
• Including remote client VPN access for individual clients and site-to-site VPN access to connect multiple sites
• By enabling VPN-specific networks including: VPN Clients network; Quarantined VPN Clients network; Remote-site networks
• By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running TMG Server
• By extending RRAS functionality

Benefits of Using TMG Server for Virtual Private Networking
Connection security: TMG Server uses firewall access policies to inspect and filter all traffic from VPN clients. TMG Server is optimized to enforce complex security requirements on VPN connections
Quarantine control for Windows 2000: VPN quarantine is not available in Windows 2000 RRAS but can be enabled with TMG Server 2004 on Windows 2000
Logging and monitoring: TMG Server can log all VPN connections and enables live monitoring of VPN connections
IPSec tunnel-mode stateful inspection: Enables stateful inspection to enforce user/group, site, computer, protocol, and application-layer access controls for IPSec tunnel-mode traffic
Enhanced protection: TMG Server is protected via firewall access policy on all interfaces
Performance

Lesson: Configuring Virtual Private Networking for Remote Clients
• VPN Client Access Configuration Options
• How to Enable and Configure VPN Client Access
• Default VPN Client Access Configuration
• How to Configure VPN Address Assignment
• How to Configure VPN Authentication
• How to Configure Authentication Using RADIUS
• How to Configure User Accounts for VPN Access
• How to Configure VPN Connections from Client Computers

VPN Client Access Configuration Options
Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options

How to Enable and Configure VPN Client Access
Use user mapping to apply firewall policies to users who do not use Windows authentication

Default VPN Client Access Configuration
System policy rules: The system policy rule that allows the use of PPTP, L2TP, or both is enabled
VPN access network: TMG Server will listen for VPN client connections only on the External network
VPN protocols: Only PPTP is enabled for VPN client access
Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network
Firewall access rules: No firewall access rules are enabled
Remote access policy: The default policy requires MS-CHAP v2 authentication

How to Configure VPN Address Assignment
• Configure DNS and WINS servers using DHCP or manually
• Configure static IP address assignment or DHCP

How to Configure VPN Authentication
• Accept the default for secure authentication
• Configure EAP for additional security
• Configure less secure options only if required for client compatibility

How to Configure Authentication Using RADIUS
Enable RADIUS for authentication and accounting, and then configure a RADIUS server

How to Configure User Accounts for VPN Access
Configure dial-in and VPN access permissions

How to Configure VPN Connections from Client Computers

Practice: Configuring VPN Access for Remote Clients
• Configuring VPN access on TMG Server
• Configuring user account dial-in permissions
• Configuring and testing a VPN client configuration
(lab diagram: Client-XX, TMG-XX, Den-DC-01, Internet)

What Is SSTP VPN?
A new VPN feature on TMG Server that tunnels PPP connections over an SSL-encrypted HTTP connection.
SSTP provides:
• An enhanced connectivity channel: no need to rely only on PPTP and L2TP/IPSec
• Easier firewall policy management (only port 80/443 needs to be allowed)
Client requirement: Windows Vista SP1 and above. The CA certificate must be placed in the Trusted Root Certification Authorities store.

How to Set Up SSTP VPN?
SSTP VPN server requirements:
• Only Windows Server 2008 or Windows Server 2008 R2
• TMG needs to request a Web Server certificate
• The Web listener is configured to allow anonymous connections
• Give the Web listener a dedicated IP address
• It cannot be used together with a Web listener that is used for pre-authenticating published Web servers
• If an internal CA is used, the CRL (Certificate Revocation List) must be published to clients over an HTTP channel

Lesson: Configuring Virtual Private Networking for Remote Sites
• Site-to-Site VPN Access Configuration Components
• About Choosing a VPN Tunneling Protocol
• How to Configure a Remote-Site Network
• Network and Access Rules for Site-to-Site VPNs
• How to Configure the Remote-Site VPN Gateway Server
• How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

Site-to-Site VPN Access Configuration Components
Choose a VPN protocol: Choose the appropriate protocol based on the security requirements and the VPN gateway servers
Configure a remote-site network: The remote-site network includes all IP addresses in the remote site
Configure VPN client access: VPN client access must be enabled in order to enable site-to-site access
Configure network rules and access rules: Use access rules or publishing rules to make internal resources accessible to remote office users
Configure the remote-site VPN gateway: Configure the remote office VPN server to connect to TMG Server and to accept connections from TMG Server

About Choosing a VPN Tunneling Protocol
IPSec Tunnel Mode
  Use to: Connect to non-Microsoft VPN gateways
  Comments: Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys
L2TP over IPSec
  Use to: Connect to TMG Server or Windows RRAS VPN gateways
  Comments: Requires user name and password and certificates or pre-shared keys for authentication
PPTP
  Use to: Connect to TMG Server or Windows RRAS VPN gateways
  Comments: Requires user name and password for authentication; less secure than L2TP over IPSec

How to Configure a Remote-Site Network
VPN protocol: Choose the tunneling protocol that you will use to connect to the remote site
Remote VPN server: Enter the server name or IP address for the VPN gateway server in the remote site
Remote authentication: Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server
L2TP/IPSec authentication: If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel
Network address: Configure the IP address range for all of the computers in the remote-site network

Network and Access Rules for Site-to-Site VPNs
To enable network traffic across a site-to-site VPN:
• Two system policy rules are enabled: Allow VPN site-to-site traffic to TMG Server; Allow VPN site-to-site traffic from TMG Server
• Create a network rule for remote-site networks
• Configure access rules or publishing rules enabling or restricting network access: for full access, allow all protocols through TMG Server; for limited access, configure access rules or publishing rules that define the allowed network traffic

How to Configure the Remote-Site VPN Gateway Server
To configure the remote-site VPN gateway server:
• Configure the remote-site VPN gateway to use the same tunneling protocol
• Configure the connection to the main-site VPN gateway
• Configure network routing rules that enable or restrict the flow of network traffic between networks

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
To configure site-to-site VPNs using IPSec tunnel mode:
• Configure a local VPN gateway IP address used by the computer running TMG Server to listen for VPN connections
• Configure the VPN gateways to use a certificate or a pre-shared key for authentication
• Configure advanced IPSec settings to optimize VPN security

Lesson: Configuring Quarantine Control Using Forefront TMG
• How Does Network Quarantine Control Work?
• About Quarantine Control on TMG Server
• How to Prepare the Client-Side Script
• How to Configure VPN Clients Using Connection Manager
• How to Prepare the Listener Component
• How to Enable Quarantine Control
• How to Configure Internet Authentication Service for Quarantine Control
• How to Configure Quarantine Access Rules

How Does Network Quarantine Control Work?
(diagram: a client in the VPN Quarantine Clients network runs the quarantine script and RQC.exe; TMG Server applies the quarantine remote access policy before the client reaches the VPN Clients network with its domain controller, Web server, DNS server and file server)

How to Enable VPN Clients Quarantine
About Quarantine Control on TMG Server
To implement quarantine control on TMG Server:
1 Create a client-side script that validates client configuration
2 Use CMAK to create a CM profile for remote access clients
3 Create and install a listener component
4 Enable quarantine control on TMG Server
5 Configure network rules and access rules for the Quarantined VPN Clients network

How to Prepare the Client-Side Script
The client-side script:
• Can be an executable file, a script, or a simple command file
• Contains a set of tests to ensure that the remote access client complies with network policy
• Runs Rqc.exe if all of the tests specified in the script are successful
Command for running Rqc.exe:
rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion

How to Configure VPN Clients Using Connection Manager
To configure VPN clients using Connection Manager:
• Configure a quarantine VPN client profile that includes: a post-connect action that runs the client-side script; a client-side script that checks the client security configuration; a notification component
• Distribute and install the client profile on all remote clients that require quarantined VPN access

How to Prepare the Listener Component
Command for running ConfigureRQSforISA.vbs:
Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe
ConfigureRQSforISA.vbs:
• Installs RQS as a Network Quarantine Service
• Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network
• Modifies registry keys on the computer running TMG Server so that RQS will work with TMG Server
• Starts the RQS service

Module 7: Implementing Caching

Overview
• Caching Overview
• Configuring General Cache Properties
• Configuring Cache Rules
• Configuring Content Download Jobs

Lesson: Caching Overview
• What Is Caching?
• How Caching Works for Requests for New Objects
• How Caching Works for Requests for Cached Objects
• How Content Download Jobs Work
• How Caching Is Implemented in TMG Server 2004
• Web Proxy Chaining and Caching

What Is Caching?
TMG Server caching stores a copy of requested Web content in the server memory or on the hard disk
TMG Server caching provides:
• Improved performance: information is stored on the computer running TMG Server
• Reduced bandwidth usage: no additional Internet network traffic
TMG Server caching scenarios include:
• Forward caching: Internet Web servers
• Reverse caching: internal Web servers

How Caching Works for Requests for New Objects
(diagram: client request for http://www.contoso.com through TMG Server to www.contoso.com, with server RAM and server hard disk; numbered steps 1–6)

How Caching Works for Requests for Cached Objects
(diagram: client request for http://www.contoso.com answered by TMG Server from server RAM or server hard disk; numbered steps 1–3)

How Content Download Jobs Work
(diagram: TMG Server retrieves http://www.contoso.com and stores it in server RAM and on the server hard disk; numbered steps 1–5)

How Caching Is Implemented in Forefront TMG
TMG Server caching optimizes Web caching performance by:
• Using RAM and disk caching
• Maintaining the RAM cache in physical memory
• Maintaining a directory of cached items
• Using a single cache file
• Providing quick recovery
• Using efficient cache updates
• Providing automatic cleanup

Web Proxy Chaining and Caching
(diagram: branch office Web proxies chained to the head office proxy, which connects to the Internet; numbered steps 1–6)

Lesson: Configuring General Cache Properties
• Caching Configuration Components
• How to Enable Caching and Configure Cache Drives
• How to Configure Cache Settings

Caching Configuration Components
Define cache drives: Enables caching by configuring a cache drive for storing the cached content
Configure caching settings: Modifies the default TTL and types of cached content
Configure caching rules: Enables unique caching policies for specific Web content
Configure content download jobs: Enables the prefetch of content before clients request the content

How to Enable Caching and Configure Cache Drives
Enable caching
Caching is disabled by default on Forefront TMG. When you enable caching, TMG Server creates a file on the hard disk with an initial size equal to the maximum cache size you chose

Practice: Configuring General Cache Properties
• Enabling Web Caching on TMG Server
• Configuring Web caching on TMG Server
(lab diagram: TMG-XX, Internet)

Lesson: Configuring Cache Rules
• What Are Cache Rules?
• How to Create a Cache Rule
• Managing Cache Rules

(Notes translated from Thai) Detailed caching configuration: there is normally a default cache rule. By default it applies To: All Networks, sets HTTP and FTP caching, sets automatic download, sets the size of cached HTTP files, and sets the FTP file size.

What Are Cache Rules?
Cache rule options and the default cache rule:
Define the destination set that the rule applies to: the default rule applies to all Web content
Define how content is returned to the user: the default rule returns non-expired content to the user
Define whether content is stored in the cache: the default rule caches the default cacheable objects
Define whether to cache HTTP, FTP, or both types of content: the default rule enables caching of both HTTP and FTP content
Define the maximum size for cached objects: the default rule does not apply any size restrictions to cached objects
Define whether to cache SSL content: the default rule caches SSL content

How to Create a Cache Rule
Cache Rule Wizard pages and configuration options:
Cache Rule Destinations: Use destination sets to define the Web content that this rule applies to
Content Retrieval: Defines how TMG Server responds to client requests if the content is or is not in cache
Cache Content: Defines the types of content TMG Server will cache
Cache Advanced Configuration: Defines the maximum size for caching objects and SSL response caching
HTTP Caching: Enables and configures TTL settings for HTTP content
FTP Caching: Enables and configures TTL settings for FTP content

Managing Cache Rules
Managing cache rules includes:
• Modifying the cache rule configuration after creating the rule
• Modifying the cache rule order to evaluate cache rules for specific Web sites before cache rules for all Web sites
• Disabling or deleting cache rules that are no longer required
• Exporting the cache rule configuration before modifying the cache rules in case the modification is not successful

Configuring the HTTP cache (translated from Thai)

HTTP Cache (Case 1)
(diagram: Web client, TMG Server, Web server; steps 1–3) HTTP header example: 1 day
• Set 20% of TTL: 24/5 = 4.8 hours (update interval)
• Set 50% of TTL: 24/2 = 12 hours
• Set min & max: 1 hour & 24 hours
• Result: 4.8 hours selected for 20%; 12 hours selected for 50%

HTTP Cache (Case 2)
(diagram: Web client, TMG Server, Web server; steps 1–3) HTTP header example: 1 week
• Set 20% of TTL: 7*24/5 = 33.6 hours (update interval)
• Set 50% of TTL: 7*24/2 = 86 hours
• Set min & max: 1 hour & 24 hours
• Result: 24 hours selected for 20%; 24 hours selected for 50%

HTTP Cache (Case 3)
(diagram: Web client, TMG Server, Web server; steps 1–3) HTTP header example: 2.5 days
• Set 20% of TTL: 2.5*24/5 = 12 hours (update interval)
• Set 50% of TTL: 2.5*24/2 = 30 hours
• Set min & max: 1 hour & 24 hours
• Result: 12 hours selected for 20%; 24 hours selected for 50%

Content Retrieval (translated from Thai)
• If the object is in the cache and has not expired, return it; otherwise go out to the external Web server
• If the object is in the cache, return it whether or not it has expired; otherwise go out to the external Web server
• Use only objects stored in the cache; if the object is not cached, do not allow the request to go out to the external server

Practice: Configuring Cache Rules
• Configuring cache rules on TMG Server
(lab diagram: TMG-XX, Internet)

Lesson: Configuring Content Download Jobs
• What Are Content Download Jobs?
• How to Create a Content Download Job
• Managing Content Download Jobs

What Are Content Download Jobs?
Content download jobs:
• Allow you to schedule content for download at a specific time even if no user on the network has requested the content
• Improve Internet access performance
• Can be used to download content to the branch office during nonworking hours
• Can be used to ensure access to critical Internet content even when the Internet connection is not available

How to Create a Content Download Job
Content Download Job Wizard pages and configuration options:
Download Frequency: Defines a schedule for when the content download will occur
Content Download: Defines the content that will be downloaded; includes maximum links, objects, and concurrent connections used for downloads
Content Caching: Defines what types of content to cache and the TTL for cached content

Managing Content Download Jobs
Managing content download jobs includes:
• Modifying the content download job configuration after creating the job
• Starting content download jobs outside the scheduled time or stopping content download jobs that are running
• Disabling or deleting content download jobs that are no longer required

Practice: Configuring Content Download Jobs
• Creating a Content Download Job
(lab diagram: Internet-Web-XX, TMG-XX, Internet)
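The three HTTP Cache cases and the Content Retrieval options from the cache-rule slides above, worked through in Python as an added example (not from the course or from TMG's own code). Modelling the TTL as a percentage of the lifetime announced in the object's HTTP header, clamped to the rule's min/max, and measuring time on a simple numeric clock are assumptions made for illustration.

```python
"""Added example: TMG-style HTTP cache TTL selection and Content Retrieval
decisions, modelled on the course slides. Not TMG's implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Retrieval(Enum):
    """The three Content Retrieval options of a cache rule (from the slide)."""
    VALID_ONLY = "valid_only"      # cached and not expired, else fetch from server
    ANY_VERSION = "any_version"    # any cached copy, even expired, else fetch
    CACHE_ONLY = "cache_only"      # any cached copy; never route to the server


@dataclass(frozen=True)
class HttpCachingRule:
    """HTTP Caching page of a cache rule: percent of header lifetime, bounded."""
    percent: float      # 20 or 50 in the slide cases
    min_hours: float    # lower bound ("1 hour" in the slides)
    max_hours: float    # upper bound ("24 hours" in the slides)

    def ttl_hours(self, header_lifetime_hours: float) -> float:
        """TTL = percent of the header lifetime, clamped to [min, max]."""
        if not 0 < self.percent <= 100:
            raise ValueError("percent must be in (0, 100]")
        if self.min_hours > self.max_hours:
            raise ValueError("min must not exceed max")
        raw = header_lifetime_hours * self.percent / 100
        return min(max(raw, self.min_hours), self.max_hours)


@dataclass
class CachedObject:
    url: str
    stored_at: float    # hours on the example clock (assumption)
    ttl_hours: float

    def is_valid(self, now: float) -> bool:
        return now < self.stored_at + self.ttl_hours


def retrieve(cache: Dict[str, CachedObject], url: str, now: float,
             mode: Retrieval) -> Tuple[str, Optional[CachedObject]]:
    """Decide where a client request is served from under the given mode.

    Returns ("cache", obj), ("server", None) or ("denied", None).
    """
    obj = cache.get(url)
    if obj is not None and (mode is not Retrieval.VALID_ONLY or obj.is_valid(now)):
        return "cache", obj
    if mode is Retrieval.CACHE_ONLY:
        return "denied", None      # never route the request to the server
    return "server", None


def store(cache: Dict[str, CachedObject], url: str, now: float,
          header_lifetime_hours: float, rule: HttpCachingRule) -> CachedObject:
    """Cache a fresh response with the TTL the rule derives for it."""
    obj = CachedObject(url, now, rule.ttl_hours(header_lifetime_hours))
    cache[url] = obj
    return obj


# Slide settings: 20% and 50% rules, both bounded to 1..24 hours.
RULE_20 = HttpCachingRule(percent=20, min_hours=1, max_hours=24)
RULE_50 = HttpCachingRule(percent=50, min_hours=1, max_hours=24)

# Header lifetimes from the three slide cases, in hours.
SLIDE_CASES = {"1 day": 24, "1 week": 7 * 24, "2.5 days": 2.5 * 24}


def slide_case_ttls() -> Dict[str, Tuple[float, float]]:
    """TTL selected for each slide case under the 20% and 50% rules."""
    return {name: (RULE_20.ttl_hours(h), RULE_50.ttl_hours(h))
            for name, h in SLIDE_CASES.items()}


if __name__ == "__main__":
    for name, (t20, t50) in slide_case_ttls().items():
        print(f"{name:>8}: 20% -> {t20:.1f} h, 50% -> {t50:.1f} h")
    cache: Dict[str, CachedObject] = {}
    # Constructed sample: a 1-day object cached at hour 0 under the 20% rule (TTL 4.8 h).
    store(cache, "http://www.contoso.com/", 0, 24, RULE_20)
    for mode in Retrieval:            # at hour 6 the copy has expired
        print(mode.value, retrieve(cache, "http://www.contoso.com/", 6, mode)[0])
    print("uncached, cache_only:",
          retrieve(cache, "http://www.contoso.com/x", 6, Retrieval.CACHE_ONLY)[0])
```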
Module 8: Monitoring Forefront TMG

Overview
• Monitoring Overview
• Configuring Alerts
• Configuring Session Monitoring
• Configuring Logging
• Configuring Reports
• Monitoring Connectivity
• Monitoring Services and Performance

Lesson: Monitoring Overview
• Why Implement Monitoring?
• TMG Server Monitoring Components
• Designing a Monitoring and Reporting Strategy
• Using the TMG Server Dashboard for Monitoring

Why Implement Monitoring?
Use monitoring to:
• Monitor traffic between networks to ensure that only legitimate traffic passes between networks
• Troubleshoot network connectivity between TMG Server clients, servers, and networks
• Collect information about attacks and detect attacks as they occur
• Plan future modifications to the TMG Server or Internet access infrastructure

TMG Server Monitoring Components
Alerts: Monitors TMG Server for configured events and then performs actions when the specified events occur
Sessions: Provides information on the current client sessions
Logging: Provides detailed archived information about the Web Proxy, Microsoft Firewall service, or SMTP Message Screener
Reports: Summarizes information about the usage patterns on TMG Server
Connectivity: Monitors connections from TMG Server to any other computer or URL on any network
Performance: Monitors server performance in real time, creates a log file of server performance, or configures performance alerts

Designing a Monitoring and Reporting Strategy
When monitoring real-time information, determine:
• Which events should trigger an alert
• The event threshold before the alert is triggered
When collecting long-term information, determine:
• The information you need to monitor server usage
• The information you need to monitor server performance
• The information you need to monitor server performance over time
• The information you need to monitor security events
When developing a response strategy, determine:
• How to respond to the critical events that occur on the TMG Server

Using the TMG Server Dashboard for Monitoring
(dashboard diagram: Session Monitor, Alert Monitor, Update Monitor, Service Monitor, Performance Monitor)

Lesson: Configuring Alerts
• What Is an Alert?
• How to Configure Alert Definitions
• How to Configure Alert Events and Conditions
• How to Configure Alert Actions
• Alert Management Tasks

What Is an Alert?
An alert is:
• A notification of an event or action that has occurred on TMG Server
• Triggered according to the conditions and trigger thresholds specified for the event associated with the alert
When a server event takes place and records an alert:
• The TMG Server Management console displays the alert in the Alerts view
• An entry appears in the Alerts view that lists column headings such as type of alert, the date and time, status, and category

How to Configure Alert Definitions
How to Configure Alert Category and Actions

Alert Management Tasks
Alerts are managed by performing the following tasks:
• Acknowledge registered alerts
• Reset registered alerts
When you configure an alert to stop the TMG Server Firewall Service, TMG Server goes into lockdown mode. While in lockdown mode, TMG Server blocks most network traffic

Practice: Configuring and Managing Alerts
• Creating a New Alert Definition
• Modifying an Existing Alert Definition
(lab diagram: TMG-XX, Internet)

Lesson: Configuring Session Monitoring
• What Is Session Monitoring?
• About Managing Sessions
• How to Configure Session Filtering

What Is Session Monitoring?
Session monitoring:
• Provides real-time information about client sessions hosted through TMG Server
• Includes information on: when the session was established; the session type; the source network; the client user name and computer name
• Provides the ability to immediately stop any unwanted sessions

About Managing Sessions
Right-click a session to disconnect it. Use these options to manage sessions

How to Configure Session Filtering
Add multiple filters. Configure filters to view specific sessions

Practice: Configuring Session Monitoring
• Monitoring Sessions
• Applying a Session Filter
(lab diagram: Internet-Web-XX, TMG-XX, Internet, ClientXX, DC-01)

Lesson: Configuring Logging
• What Is Logging?
• Log Storage Options
• How to Configure Logging
• How to View TMG Server Logs
• How to Configure Log Filter Definitions

What Is Logging?
The logging feature:
• Provides extended log storage to generate reports, analyze trends, or investigate security issues
• Can be configured to provide Firewall logging, Web proxy logging, and SMTP message screener logging
• Provides a log viewer to assist in monitoring and analyzing server activity for MSDE-based logs

Log Storage Options
MSDE: Default format for Web proxy and Firewall Service logs; logs can be viewed in the log viewer
SQL database: Logs can be stored on a separate server; logs can be analyzed by using database tools
File: Logs can be stored in W3C or TMG Server format; the only available format for SMTP message screener logs
The MSDE and log files are stored by default in the ISALogs folder, which is located in the TMG Server installation folder

How to Configure Logging
• Configure the log storage format
• Configure the information captured in the logs

How to View TMG Server Logs

How to Configure Log Filter Definitions
Load/save filters. Configure filters to view specific log entries

Lesson: Configuring Reports
• What Are Reports?
• How to Configure the Report Summary Database
• How to Generate a Report
• How to Create a Recurring Report Job
• How to View Reports
• How to Publish Reports

What Are Reports?
Use reporting to summarize and analyze:
• Who is accessing the Internet, as well as which Web sites are being accessed
• Which protocols and applications are being used most often
• General traffic patterns
• The cache hit ratio
Reports can be generated immediately
Reports need to be scheduled to generate on a recurring basis

How to Configure the Report Summary Database
• Select to enable log summaries
• Configure the summary files location
• Configure the number of saved summaries

How to Generate a Report
• Configure the content to include in the report
• Configure the time period included in the report
• Configure where the report will be stored

How to Create a Recurring Report Job
• Configure the content to include in the recurring report
• Configure when the recurring report will run

How to View Reports
Reports can be viewed:
• Only on the computer running TMG Server Management
• By double-clicking the report name in the Reports view of TMG Server Management

How to Publish Reports
You can publish reports to a shared folder where users without TMG Server Management installed can view the reports

Practice: Configuring Reports
• Generating a Report
• Creating a Recurring Report Job
(lab diagram: Internet-Web-XX, TMG-XX, Internet, ClientXX, DC-01)

Lesson: Monitoring Connectivity
• How Does Connectivity Monitoring Work?
• Configuring Connectivity Monitoring

How Does Connectivity Monitoring Work?
Connectivity monitoring:
• Uses connectivity verifiers to monitor connections from TMG Server to other servers or URLs
• Can be configured to use any of the following connection methods: Ping to check for simple network connectivity; TCP connection to verify that a service is running on the destination server; HTTP GET request to verify that a Web server is running on the destination server

Configuring Connectivity Monitoring
• Configure the URL or server to connect to
• Configure the method used to test connectivity

Practice: Configuring Connectivity Monitoring
• Configuring Connectivity Monitoring
(lab diagram: TMG-XX, Internet)

Lesson: Monitoring Services and Performance
• Monitoring TMG Server Services
• Performance Monitoring with TMG Server

Monitoring TMG Server Services

Performance Monitoring with TMG Server
Performance objects:
TMG Server Packet Engine: Includes performance counters to monitor connections and throughput for the firewall engine
TMG Server Cache: Includes performance counters to monitor the memory, disk, and URL activity associated with the cache, as well as cache performance
TMG Server Firewall Service: Includes counters to monitor Firewall service connections and associated services such as DNS. This object monitors only TMG Client connections
TMG Server Web Proxy Service: Includes counters to monitor the number of users and the rate at which TMG Server transfers data for Web Proxy clients to remote and upstream servers
Monitor the TMG Server counters as well as other performance counters to determine server performance and bottlenecks

Example: Performance Monitoring with TMG Server
You can monitor TMG resources with separate counters and objects.

Lab: Monitoring TMG Server
• Exercise 1: Testing the Alerts Feature
• Exercise 2: Testing the Reporting Feature
• Exercise 3: Testing the Connectivity Monitoring Feature
(lab diagram: TMG-XX, Internet)

THANK YOU