4. TMG 2010 and UAG 2010
Description: TMG and UAG seminar at Microsoft (Rome)
Transcript
![Page 1: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/1.jpg)
TMG 2010 and UAG 2010 for publishing web applications
![Page 2: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/2.jpg)
TMG - Remote Access Gateway
![Page 3: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/3.jpg)
Forefront™ Unified Access Gateway – The Basics
Forefront UAG is fundamentally a router. It has an external side that serves as the access point for clients connecting from the Internet, and an internal side through which the server fetches data from internal corporate servers.
While it is theoretically possible to run the server with a single network card, this option is not supported and will not work for most of UAG's functionality.
UAG is designed to enable remote access in two primary roles: application publishing and VPN.
![Page 4: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/4.jpg)
Connectivity types – Forefront TMG 2010

| Connectivity method | Goal | Example usage scenario |
|---|---|---|
| Non-HTTP server publishing | Connectivity to specific internal non-HTTP servers | Access to internal e-mail (SMTP) server |
| Web server publishing | Connectivity to internal Web servers | Access to Outlook Web application |
| Virtual Private Network | Full connectivity to the corporate network | Access for employees connecting from home or at a customer site |
![Page 5: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/5.jpg)
Product positioning: Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG)
Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats.
Forefront UAG: comprehensive, secure remote access to corporate resources.
Forefront UAG is the preferred solution for providing remote access.
Forefront TMG 2010 still provides support for remote access features, but it is not the recommended solution.
![Page 6: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/6.jpg)
Publishing Non-HTTP Servers
![Page 7: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/7.jpg)
Non-HTTP Server Publishing
Allows mapping requests to non-Web servers in one of the TMG 2010 networks.
Clients can be either on the Internet or on a different internal network.
Can be used to publish most TCP and UDP protocols.
Behavior depends on whether the non-Web server is behind a NAT relationship or not:
If behind NAT, clients connect to an IP address belonging to Forefront TMG.
If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server.
The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010.
![Page 8: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/8.jpg)
Managing publishing ports
![Page 9: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/9.jpg)
Publishing internal ports
![Page 10: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/10.jpg)
Network Inspection System (NIS) Filters
![Page 11: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/11.jpg)
Available wizards (from Firewall Policy Tasks)
Publish common non-Web protocols
Publish mail (SMTP) servers
![Page 12: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/12.jpg)
Non-HTTP Server Publishing: things to consider when planning server publishing
No authentication support: access restriction by network elements only (networks, subnets, or IP addresses)
No support in single-adapter configuration
Client source IP address preserved; this behavior can be changed using a rule setting
Application Layer Filter and NIS signature coverage: SMTP, POP3, DNS, etc.
![Page 13: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/13.jpg)
Web Publishing
![Page 14: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/14.jpg)
Web Publishing
Provides secure access to Web content for users on the Internet.
Web content may be either on internal networks or in a DMZ.
Supports HTTP and HTTPS connections.
Forefront TMG 2010 Web Publishing features:
Mapping requests to specific internal paths on specific servers
Authentication and authorization of users at the TMG level
Delegation of user credentials after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server farm
![Page 15: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/15.jpg)
Access to Web resources (diagram): clients on the Internet reach Forefront TMG 2010 over HTTPS; TMG forwards requests to an Exchange Server (OWA, RPC/HTTP(S), ActiveSync), a Web Server and a SharePoint Server over HTTP or HTTPS.
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols.
![Page 16: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/16.jpg)
Configuration
1. Define web listeners: IP addresses and ports that will listen for Web requests; authentication method used (client to TMG 2010); server certificates and SSL options; number of client connections allowed
2. Create other rule elements: source addresses, web farms, user sets, schedules
3. Run the appropriate wizard
![Page 17: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/17.jpg)
Configuring Web Listeners
![Page 18: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/18.jpg)
Configuring Web Listeners: assigning a certificate to a web listener
Showing invalid certificates: a certificate is listed as invalid when its private key is not installed or the certificate is missing
![Page 19: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/19.jpg)
Managing SSL traffic: SSL bridging
1. Client on the Internet encrypts communications
2. TMG 2010 decrypts and inspects traffic
3. TMG 2010 sends allowed traffic to the published server, re-encrypting it if required
![Page 20: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/20.jpg)
Authentication process
1. Client credentials received
2 & 3. Credentials validated
4. Credentials delegated to the internal server
5. Server sends response
6. Response forwarded to the client
![Page 21: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/21.jpg)
Configuring Web Listeners: client authentication methods
Forms-based authentication
Credential types: username and password; username and passcode; username, password and passcode
Authentication providers: Active Directory, LDAP server, RADIUS, RADIUS OTP, RSA SecurID
Fallback to Basic; password management
HTTP authentication
Basic: Active Directory, LDAP, RADIUS
Digest: Active Directory only
Integrated: Active Directory only
Client certificate authentication
Authentication providers: Active Directory only
Fallback to: Basic, Digest, Integrated
![Page 22: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/22.jpg)
Authentication delegation: authentication methods
None – client cannot authenticate directly
None – client can authenticate directly
Basic authentication
NTLM authentication
Negotiate (Kerberos/NTLM)
Kerberos Constrained Delegation: an SPN is required for Kerberos, and Forefront TMG 2010 needs to be in the same domain as the published server
![Page 23: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/23.jpg)
Authentication delegation: authentication methods × delegation support matrix

| Authentication method | Authentication provider | Delegation method |
|---|---|---|
| Basic; Forms-based Authentication (password only) | Active Directory, LDAP, RADIUS | Basic, NTLM, Negotiate (Kerberos/NTLM), Kerberos Constrained Delegation |
| Forms-based Authentication (passcode only) | SecurID, RADIUS OTP | SecurID, Kerberos Constrained Delegation |
| Forms-based Authentication (password & passcode) | SecurID, RADIUS OTP | SecurID, Basic, NTLM, Negotiate (Kerberos/NTLM) |
| Digest, Integrated, Client Certificate | Active Directory® | Kerberos Constrained Delegation |

The "None, client can authenticate directly" and "None, client cannot authenticate directly" options apply to all methods.
![Page 24: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/24.jpg)
Web Publishing Wizards
Publish Web sites
Publish SharePoint sites
Publish Exchange Web client access: Outlook® Web Access, Outlook® Anywhere, Exchange ActiveSync®, Outlook® Mobile Access (Microsoft® Exchange Server® 2003)
![Page 25: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/25.jpg)
Web Publishing Rules
![Page 26: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/26.jpg)
Web Publishing Rules
Define user group membership across different authentication namespaces; used for authorization at the Forefront TMG 2010 level
![Page 27: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/27.jpg)
Web Publishing Rules
Configure Web rule schedule: define the hours during which the Web site can be accessed
Configure link translation: translates internal names in links to the public names of the Web sites
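Link translation rewrites internal server names in a published site's responses before they reach the client. The following added illustration is not TMG's code: it models that rewriting in Python for href/src/action attributes and redirect headers, using constructed hostnames and a constructed sample response.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping of internal names to public names (illustrative hosts,
# not taken from the presentation). A key or value may be a bare hostname or a
# full origin (scheme://host[:port]), the two forms a publishing rule can map.
LINK_TRANSLATION = {
    "sharepoint.corp.local": "portal.example.com",
    "http://intranet:8080": "https://intranet.example.com",
}

# URL-bearing attributes that this example rewrites in text/html bodies.
_ATTR_RE = re.compile(
    r"""(?P<prefix>\b(?:href|src|action)\s*=\s*["'])(?P<url>[^"']*)(?P<suffix>["'])""",
    re.IGNORECASE,
)

def translate_url(url: str, mapping: dict) -> str:
    """Return url with an internal origin or host replaced by its public name.

    Relative links and links to unmapped hosts come back unchanged, so only
    names the rule explicitly maps are rewritten.
    """
    parts = urlsplit(url)
    if not parts.netloc:
        return url
    for internal, public in mapping.items():
        if "://" in internal:
            i = urlsplit(internal)
            if parts.scheme == i.scheme and parts.netloc.lower() == i.netloc.lower():
                p = urlsplit(public)
                return urlunsplit((p.scheme, p.netloc, parts.path, parts.query, parts.fragment))
        elif parts.hostname == internal.lower():
            # Bare hostname: keep the client's scheme and explicit port, swap the host.
            netloc = public + (f":{parts.port}" if parts.port else "")
            return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return url

def translate_body(html: str, mapping: dict) -> str:
    """Rewrite href/src/action attributes in an HTML response body."""
    def _sub(m):
        return m.group("prefix") + translate_url(m.group("url"), mapping) + m.group("suffix")
    return _ATTR_RE.sub(_sub, html)

def translate_headers(headers: dict, mapping: dict) -> dict:
    """Rewrite redirect headers so a 302 to an internal name is not sent to the client."""
    out = dict(headers)
    for name in ("Location", "Content-Location"):
        if name in out:
            out[name] = translate_url(out[name], mapping)
    return out

# Constructed sample response from a published SharePoint site.
SAMPLE_HTML = (
    '<a href="http://sharepoint.corp.local/sites/hr/default.aspx">HR</a>\n'
    '<img src="/images/logo.png">\n'
    '<form action="HTTP://Intranet:8080/login"></form>\n'
    '<a href="https://www.microsoft.com/">External</a>'
)
SAMPLE_HEADERS = {"Location": "http://sharepoint.corp.local/sites/hr/"}
```

Links to hosts outside the mapping and relative links are left untouched, which is also what keeps the rule from rewriting third-party URLs embedded in the page.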
![Page 28: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/28.jpg)
Virtual Private Networking (VPN)
![Page 29: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/29.jpg)
Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPNs: remote access VPN and site-to-site VPN.
TMG 2010 implements Windows Server® 2008 VPN technology, including support for Secure Socket Tunneling Protocol (SSTP) and Network Access Protection (NAP).
![Page 30: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/30.jpg)
Secure Socket Tunneling Protocol (SSTP): new SSL-based VPN protocol
HTTP over an SSL session (TCP 443) between VPN clients and servers, used to exchange encapsulated IPv4 or IPv6 packets
Support for unauthenticated Web proxies
Support for Network Access Protection (NAP)
Client support in Windows Vista® SP1; no plans to backport SSTP to previous versions
![Page 31: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/31.jpg)
Network Access Protection (NAP): Windows policy validation and enforcement platform
Policy validation: determines whether computers comply with the company's security policy. Compliant computers are deemed healthy.
Network restriction: restricts network access to computers based on their health.
Remediation: provides the necessary updates to allow the computer to become healthy. Once healthy, the network restrictions are removed.
Ongoing compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
![Page 32: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/32.jpg)
NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients connecting remotely through remote access VPN
Supports all VPN protocols, including SSTP
A different solution from the Remote Access Quarantine Service (RQS) supported in ISA Server 2006
NAP validates the health status of the remote client at connection time
VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network
![Page 33: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/33.jpg)
Unified Access Gateway 2010
![Page 34: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/34.jpg)
Features
SSL VPN
SSTP
Remote Desktop Gateway on the UAG itself
DirectAccess
![Page 35: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/35.jpg)
Integrated security
Overlay granular access control to specific sites and/or features within sites
Built-in endpoint security policies (integrated with NAP)
Expanded authentication and authorization capabilities
Session clean-up and information leakage prevention
Integrated network security
![Page 36: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/36.jpg)
Simplified management
Simplifies deployment and ongoing tasks through wizards and built-in policies
Simplifies the user experience, reducing support costs
Consolidates remote access infrastructure
Publishing a SharePoint server in three steps:
Step 1: choose the type of application you wish to publish
Step 2: provide the internal name of the SharePoint server and the external name
Step 3: configure the same external name on your SharePoint server
All done!
![Page 37: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/37.jpg)
From IAG to UAG (the original slide marks each item as new or improved compared with IAG)
Application publishing: granular application filtering; session cleanup and removal; endpoint health detection
Integration: integrated with NAP policies; Remote Desktop and RemoteApp integration; extends and simplifies DirectAccess deployments
Scale and management: built-in load balancing; array management capabilities; enhanced monitoring and management (SCOM)
![Page 38: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/38.jpg)
UAG architecture (diagram): clients on the Internet (home / friend / kiosk, employee-managed machines, mobile) reach UAG over HTTPS (443); UAG connects to the data center or corporate network, where it reaches identity stores (AD, ADFS, RADIUS, LDAP, etc.) and published resources (Exchange, CRM, SharePoint, LoB applications, IBM, SAP, Oracle; TS / RDS; non-Web; HTTPS / HTTP; DirectAccess), and to business partners / subcontractors.
![Page 39: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/39.jpg)
Forefront TMG and UAG
Forefront TMG is installed during Forefront UAG setup
TMG acts as a firewall protecting the UAG server
UAG leverages TMG array management and monitoring functionality
Supported Forefront TMG configurations:
Creating access rules when deploying UAG for VPN access
Monitoring via the TMG console
Configuring system policy rules for controlling access to and from the UAG server
Publishing some Exchange and OCS protocols using TMG
No other Forefront TMG functionality is supported (intrusion prevention, malware inspection, forward and reverse Web proxying, etc.)
![Page 40: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/40.jpg)
Trunks and Portals
![Page 41: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/41.jpg)
Forefront UAG Trunks
Transfer channels that make internal resources and applications available to remote endpoints
A Forefront UAG server can have multiple trunks; trunks can be either HTTP or HTTPS
Types of trunks:
Portal trunks: present a Web portal to the user with multiple associated applications and resources
Active Directory® (AD) FS trunks: used to publish AD FS servers
Redirection trunks: redirect HTTP requests to an HTTPS trunk
![Page 42: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/42.jpg)
Trunk Settings: the following settings are configured per trunk: IP address and port; server certificate; portal homepage; authentication methods; session settings; endpoint policy requirements; traffic inspection; HTTP compression
![Page 43: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/43.jpg)
Forefront UAG User Authentication: supported authentication schemes

| Authentication protocol | Identity repository |
|---|---|
| Passthrough (no authentication) | User authenticates directly with the back-end application |
| Active Directory | Uses Active Directory for authentication and authorization |
| LDAP | Active Directory, Active Directory Lightweight Directory Services (AD LDS), Netscape Directory Server, Notes Directory Server, Novell Directory Service |
| LDAP client certificate | Authenticates by validating the certificate, then querying an LDAP service for authorization |
| NT Domain | Windows® NT and SAMBA domains |
| RADIUS | Uses a RADIUS server (such as the Windows® Network Policy Server) for authentication |
| TACACS | Uses a TACACS authentication server (such as NTTacPlus) |
| RSA SecurID | One-time password (OTP) authentication using the RSA ACE/Server |
| WinHTTP | Assigns a Web page that requires users to authenticate |
![Page 44: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/44.jpg)
Creating a Trunk: use the Create Trunk Wizard
1. Select trunk type
2. Define host name, IP address, and port
3. Configure authentication servers
4. Select server certificate
5. Select endpoint security policies
![Page 45: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/45.jpg)
Types of Application
Once a portal trunk has been set up, be it an HTTP or HTTPS trunk, you can start publishing applications on it.
Applications are published using a wizard, which includes approximately 40 application templates.
The top-level type list is divided into the following categories of applications:
• Built-in services
• Web (applications)
• Client/Server and Legacy
• Browser-embedded
• Terminal Services and Remote Desktop
![Page 46: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/46.jpg)
Forefront UAG Portal
The portal is the front-end Web application for a portal trunk.
It authenticates users and provides access to the published applications and resources.
It allows users to view, search for, and run applications published by the administrator.
New application, completely remade for Forefront UAG using Microsoft® ASP.NET™ and AJAX.
![Page 47: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/47.jpg)
Forefront UAG Portal – Premium PC Interface
![Page 48: 4. tmg 2010 e uag 2010](https://reader036.vdocuments.mx/reader036/viewer/2022062307/556bf9bfd8b42a6d768b4843/html5/thumbnails/48.jpg)
New features in TMG SP1
Reporting
URL filtering user override
Branch office support
Publishing SharePoint 2010