3. Forefront™ Unified Access Gateway – The Basics
Forefront UAG is fundamentally a router. It has an external
side that would be the access point for connecting clients
from the internet, and an internal side through which the
server can fetch data from internal corporate servers
While it is theoretically possible to use the server with a
single network card, this option is not supported, and will
not work for most of UAG's functionality
UAG is designed to enable remote access in two primary
roles: application publishing and VPN
4. Connectivity Types
Forefront TMG 2010 Connectivity Example
Method | Goal | Usage Scenario
Non-HTTP server publishing | Connectivity to specific internal non-HTTP servers | Access to internal e-mail (SMTP) server
Web server publishing | Connectivity to internal Web servers | Access to Outlook Web application
Virtual Private Network | Full connectivity to the corporate network | Access for employees connecting from home or at a customer site
5. Forefront TMG 2010 vs. Forefront™ Unified Access
Gateway (UAG)
Product Positioning
Forefront TMG 2010
Enables users to safely and productively use the Internet without
worrying about malware and other threats
Forefront UAG
Comprehensive, secure remote access to corporate resources
Forefront UAG is the preferred solution for providing
remote access
Forefront TMG 2010 still provides support for remote access
features, but it is not the recommended solution
7. Non-HTTP Server Publishing
Allows mapping requests for non-Web servers in one of the
TMG 2010 networks
Clients can be either on the Internet or on a different internal
network
Can be used to publish most TCP and UDP protocols
Behavior depends on whether non-Web server is behind a
NAT relationship or not
If behind NAT, clients will then connect to an IP address belonging
to Forefront TMG
If behind a route relationship, TMG 2010 listens for requests on the
IP address of the non-Web server
The published server should be configured as a SecureNAT
client with a default gateway pointing to TMG 2010
11. Available Wizards
Available from Firewall Policy Tasks
Publish common non-Web protocols
Publish mail (SMTP) servers
12. Non-HTTP Server Publishing
Things to consider when planning Server Publishing
No authentication support
Access restriction by network elements only
Networks, subnets, or IP addresses
No support in single adapter configuration
Client source IP address preserved
Behavior can be changed using rule setting
Application Layer Filter and NIS signature coverage
SMTP, POP3, DNS, etc.
14. Web Publishing
Provides secure access to Web content to users from the
Internet
Web content may be either on internal networks or in a DMZ
Supports HTTP and HTTPS connections
Forefront TMG 2010 Web Publishing features:
Mapping requests to specific internal paths in specific servers
Allows authentication and authorization of users at TMG level
Allows delegation of user credentials after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server
farm
15. Access to Web Resources
[Diagram: Internet clients reach an Exchange Server (OWA, RPC/HTTP(S), ActiveSync over HTTPS), a Web Server (HTTP/HTTPS) and a SharePoint Server (HTTP) through Forefront TMG 2010]
Forefront TMG 2010 can publish multiple internal Web
servers, using multiple external IP addresses and protocols
16. Configuration
1. Define web listeners
IP addresses and ports that will listen for Web requests
Authentication method used (client to TMG 2010)
Server certificates and SSL options
Number of client connections allowed
2. Create other rule elements
Source addresses
Web farms
User sets
Schedules
3. Run appropriate wizard
18. Configuring Web Listeners
[Screenshot: Assigning Certificate to Web Listener, with the Show Invalid Certificates option revealing "Private Key not Installed" and "Certificate Missing" entries]
19. SSL Traffic Handling
SSL Bridging:
1. Client on Internet encrypts communications
2. TMG 2010 decrypts and inspects traffic
3. TMG 2010 sends allowed traffic to published server,
re-encrypting it if required
20. Authentication Process
1. Client credentials received
2-3. Credentials validated
4. Credentials delegated to internal server
5. Server sends response
6. Response forwarded to client
21. Configuring Web Listeners
Client Authentication Methods
Password authentication
Credential types: Username and Password; Username and Passcode; Username, Password and Passcode
Authentication providers: Active Directory, LDAP, RADIUS, RADIUS OTP, RSA SecurID
Fallback to Basic
Password Management
Basic authentication
Credential type: Username and Password
Authentication providers: Active Directory, LDAP server, RADIUS server
Digest authentication
Authentication provider: Active Directory only
Integrated authentication
Authentication provider: Active Directory only
22. Authentication Delegation
Authentication Methods
None (client cannot authenticate directly)
None (client can authenticate directly)
Basic authentication
NTLM authentication
Negotiate (Kerberos/NTLM)
Kerberos Constrained Delegation
SPN required for Kerberos
Forefront TMG 2010 needs to be in the same domain as the published server
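As an added check, not part of the original deck, the script below verifies the Kerberos Constrained Delegation prerequisites named above from an administration workstation. It assumes the ActiveDirectory PowerShell module (RSAT) and the placeholder host and computer names shown.

```powershell
Import-Module ActiveDirectory

# Placeholder names (assumptions, not from the deck): adjust to your environment.
$PublishedHost     = 'owa.corp.example'   # host name TMG requests a Kerberos service ticket for
$PublishedComputer = 'EXCH01'             # AD computer account of the published Web server
$TmgComputer       = 'TMG01'              # AD computer account of the Forefront TMG server

$spn = "HTTP/$PublishedHost"
$problems = @()

# 1. The SPN must be registered on exactly one account; a missing or duplicate SPN breaks Kerberos.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { $problems += "SPN $spn is not registered; TMG cannot obtain a service ticket" }
    1       { Write-Output "SPN $spn is registered to $($owners[0].DistinguishedName)" }
    default { $problems += "SPN $spn is registered on $($owners.Count) accounts (duplicate SPN)" }
}

# 2. TMG and the published server must be in the same domain: compare the DC= part of both DNs.
function Get-DomainDn([string]$DistinguishedName) {
    $DistinguishedName.Substring($DistinguishedName.IndexOf('DC='))
}
$tmg = Get-ADComputer $TmgComputer -Properties 'msDS-AllowedToDelegateTo'
$pub = Get-ADComputer $PublishedComputer
if ((Get-DomainDn $tmg.DistinguishedName) -ne (Get-DomainDn $pub.DistinguishedName)) {
    $problems += "$TmgComputer and $PublishedComputer are in different domains"
}

# 3. The TMG computer account must be trusted to delegate to that SPN (constrained delegation list).
$allowed = @($tmg.'msDS-AllowedToDelegateTo')
if ($allowed -notcontains $spn) {
    $problems += "$TmgComputer is not allowed to delegate to $spn (msDS-AllowedToDelegateTo)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Kerberos Constrained Delegation prerequisites are in place' }
```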
26. Web Publishing Rules
Define membership to user group
Across different authentication namespaces
Used for authorization at Forefront TMG 2010 level
27. Web Publishing Rules
Configure Web rule schedule
Define access hours for accessing the Web site
Configure link translation
Translates internal names in links to public names of the Web sites
29. Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPNs:
Remote Access VPN
Site-to-site VPN
TMG 2010 implements Windows Server® 2008 VPN
technology
Implements support for Secure Socket Tunneling Protocol (SSTP)
Implements support for Network Access Protection (NAP)
30. Secure Socket Tunneling Protocol (SSTP)
New SSL-based VPN protocol
HTTP with SSL session (TCP 443) between VPN clients and servers
to exchange encapsulated IPv4 or IPv6 packets
Support for unauthenticated Web proxies
Support for Network Access Protection (NAP)
Client support in Windows Vista® SP1
No plans to backport SSTP to previous versions
31. Network Access Protection (NAP)
Windows Policy Validation and Enforcement Platform
Policy Validation: Determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
Network Restriction: Restricts network access to computers based on their health.
Remediation: Provides necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
Ongoing Compliance: Changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
32. NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients
connecting remotely through Remote Access VPN
Supports all VPN protocols, including SSTP
Different solution than the Remote Access Quarantine Services
(RQS) supported in ISA Server 2006
NAP validates health status of the remote client at
connection time
VPN network access limitation is done through IP packet
filters applied to the VPN connection
Access limited to resources on the restricted network
34. Features
SSL VPN
SSTP
Remote Desktop Gateway on the UAG itself
DirectAccess
35. Integrated Security
Overlay granular access control to specific sites and/or
features within sites
Built-in endpoint security policies (integrated with NAP)
Expanded authentication and authorization capabilities
Session clean-up and information leakage prevention
Integrated network security
36. Simplified Management
Simplifies deployment and ongoing tasks through wizards and
built-in policies
Simplifies user experience, reducing support costs
Consolidates remote access infrastructure
[Diagram: publishing SharePoint in three steps]
Step 1: Choose the type of application you wish to publish
Step 2: Provide the internal name of the SharePoint Server and provide the external name
Step 3: Configure the same external name on your SharePoint server
All Done!
37. From IAG to UAG
Capability | Change from IAG to UAG
APPLICATION PUBLISHING
Granular application filtering | Improved
Session cleanup and removal | Retained
Endpoint health detection | Improved
INTEGRATION
Integrated with NAP policies | New
Remote Desktop and RemoteApp integration | New
Extends and simplifies DirectAccess deployments | New
SCALE AND MANAGEMENT
Built-in load balancing | New
Array management capabilities | New
Enhanced monitoring and management (SCOM) | New
38. UAG Architecture
[Architecture diagram: remote endpoints (mobile devices; home, friend or kiosk machines; business partners and subcontractors; employee-managed machines) reach UAG from the Internet over HTTPS (443), DirectAccess and non-Web channels; UAG authenticates against AD, ADFS, RADIUS, LDAP, etc. and publishes Exchange, CRM, SharePoint, LoB applications (IBM, SAP, Oracle) and TS/RDS hosted in the data center or corporate network]
39. Forefront TMG and UAG
Forefront TMG is installed during Forefront UAG setup
TMG acts as a firewall protecting the UAG server
UAG leverages TMG array management and monitoring
functionality
Supported Forefront TMG configurations
Creating access rules when deploying UAG for VPN access
Monitoring via the TMG console
Configuring system policy rules for controlling access to and from
the UAG server
Publishing some Exchange and OCS protocols using TMG
No other Forefront TMG functionality is supported
Intrusion prevention, malware inspection, and forward and reverse
Web proxying, etc.
41. Forefront UAG Trunks
Transfer channels that make internal resources and
applications available to remote endpoints
A Forefront UAG server can have multiple trunks
Trunks can be either HTTP or HTTPS
Types of trunks
Portal trunks
Presents a Web portal to the user with multiple associated applications
and resources
Active Directory® (AD) FS trunks
Used to publish AD FS servers
Redirection trunks
Redirect HTTP requests to HTTPS trunk
42. Trunk Settings
The following settings are configured per trunk:
IP address and port
Server certificate
Portal homepage
Authentication methods
Session settings
Endpoint policy requirements
Traffic inspection
HTTP compression
43. Forefront UAG User Authentication
Supported Authentication Schemes
Authentication Protocol | Identity Repository
Passthrough (no authentication) | User authenticates directly with the back-end application
Active Directory | Uses Active Directory for authentication and authorization
LDAP | Active Directory, Active Directory Lightweight Directory Services (AD LDS), Netscape Directory Server, Notes Directory Server, Novell Directory Service
LDAP Client Certificate | Authenticates by validating the certificate, then querying an LDAP service for authorization
NT Domain | Windows® NT and SAMBA domains
RADIUS | Uses a RADIUS server (such as the Windows® Network Policy Server) for authentication
TACACS | Uses a TACACS authentication server (such as NTTacPlus)
RSA SecurID | One-time password (OTP) authentication using the RSA ACE/Server
WinHTTP | Assigns a Web page that requires users to authenticate
44. Creating a Trunk
Use the Create Trunk Wizard
1. Select trunk type
2. Define host name, IP address, and port
3. Configure authentication servers
4. Select server certificate
5. Select endpoint security policies
45. Types of Application
Once a portal trunk has been set up, whether HTTP or HTTPS,
you can start publishing applications on it
Applications are published using a wizard, which includes
approximately 40 types of application templates
The top-level type list is divided into the following categories of
applications:
• Built-in services
• Web (applications)
• Client/Server and Legacy
• Browser-embedded
• Terminal Services and Remote Desktop
46. Forefront UAG Portal
The portal is the front-end Web application for a portal
trunk
Authenticates users and provides access to the published
applications and resources
It allows users to view, search for, and run applications
published by the administrator
New application, completely remade for Forefront UAG
using Microsoft® ASP.NET™ and AJAX
48. New Features in TMG SP1
Reporting
URL Filtering User Override
Branch Office Support
Publishing SharePoint 2010
Editor's Notes
The Web listener is used to: indicate the IP address and port to which a client makes a connection; enable TMG 2010 to pre-authenticate the connection. Web listeners can be used by more than one Web publishing rule.