TMG 2010 and UAG 2010 for publishing web applications
Jun 01, 2015
TMG - Remote Access Gateway
Forefront™ Unified Access Gateway – The Basics
Forefront UAG is fundamentally a router. It has an external side that is the access point for clients connecting from the Internet, and an internal side through which the server fetches data from internal corporate servers.
While it is theoretically possible to use the server with a single network card, this option is not supported and will not work for most of UAG's functionality.
UAG is designed to enable remote access in two primary roles: application publishing and VPN.
Connectivity types: Forefront TMG 2010

Connectivity Method        | Goal                                               | Example Usage Scenario
---------------------------|----------------------------------------------------|------------------------------------------------------------------
Non-HTTP server publishing | Connectivity to specific internal non-HTTP servers | Access to an internal e-mail (SMTP) server
Web server publishing      | Connectivity to internal Web servers               | Access to Outlook Web application
Virtual Private Network    | Full connectivity to the corporate network         | Access for employees connecting from home or at a customer site
Product Positioning: Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG)
Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats.
Forefront UAG: comprehensive, secure remote access to corporate resources.
Forefront UAG is the preferred solution for providing remote access.
Forefront TMG 2010 still supports remote access features, but it is not the recommended solution.
Publishing Non-HTTP Servers
Non-HTTP server publishing maps requests to non-Web servers in one of the TMG 2010 networks.
Clients can be either on the Internet or on a different internal network.
Can be used to publish most TCP and UDP protocols.
Behavior depends on whether the non-Web server is behind a NAT relationship or a route relationship:
  If behind NAT, clients connect to an IP address belonging to Forefront TMG.
  If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server.
The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010.
Managing publishing ports
Publishing internal ports
Network Inspection System (NIS) Filters
Available wizards (from Firewall Policy Tasks):
  Publish common non-Web protocols
  Publish mail (SMTP) servers
Non-HTTP Server Publishing: things to consider when planning server publishing
  No authentication support: access restriction by network elements only (networks, subnets, or IP addresses)
  No support in single-adapter configuration
  Client source IP address preserved (behavior can be changed using a rule setting)
  Application-layer filter and NIS signature coverage: SMTP, POP3, DNS, etc.
Web Publishing
Web publishing provides secure access to Web content for users on the Internet.
Web content may be either on internal networks or in a DMZ.
Supports HTTP and HTTPS connections.
Forefront TMG 2010 Web Publishing features:
  Mapping requests to specific internal paths on specific servers
  Authentication and authorization of users at the TMG level
  Delegation of user credentials after TMG authentication
  Caching of the published content (reverse caching)
  Inspection of incoming HTTPS requests using SSL bridging
  Load balancing of client requests among Web servers in a server farm
Accessing Web resources
(Diagram: clients on the Internet connect over HTTPS to Forefront TMG 2010, which forwards requests to an Exchange Server (OWA, RPC/HTTP(S), ActiveSync), a Web Server and a SharePoint Server over HTTP or HTTPS.)
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols.
Configuration
1. Define Web listeners
   IP addresses and ports that will listen for Web requests
   Authentication method used (client to TMG 2010)
   Server certificates and SSL options
   Number of client connections allowed
2. Create other rule elements
   Source addresses, Web farms, user sets, schedules
3. Run the appropriate wizard
Configuring Web Listeners
Configuring Web Listeners: assigning a certificate to a Web listener
Showing invalid certificates, for example:
  Private key not installed
  Certificate missing
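Before a certificate is assigned to a listener it is worth checking the computer store on each TMG array member for the conditions the console reports as invalid. The PowerShell check below is an added example, not part of the original deck or of TMG itself; it assumes the listener certificate lives in Cert:\LocalMachine\My and treats 30 days before expiry as the warning threshold (both assumptions).

```powershell
# Added example, not TMG's own code: report certificates in the computer store
# that cannot (or soon will not) serve a TMG Web listener.
function Get-UnusableListenerCertificate {
    param(
        # Store the listener picks its certificate from (assumed: the computer's Personal store)
        [string] $StorePath = 'Cert:\LocalMachine\My',
        # Days before expiry at which a certificate is reported (assumed threshold)
        [int] $ExpiryWarningDays = 30
    )
    $now = Get-Date
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $problems = @()

        # "Private key not installed": the public certificate was imported without its key
        if (-not $cert.HasPrivateKey) { $problems += 'Private key not installed' }

        # Validity window
        if ($cert.NotAfter -lt $now) {
            $problems += 'Expired'
        } elseif ($cert.NotAfter -lt $now.AddDays($ExpiryWarningDays)) {
            $problems += "Expires within $ExpiryWarningDays days"
        }
        if ($cert.NotBefore -gt $now) { $problems += 'Not yet valid' }

        # A listener needs a certificate intended for Server Authentication
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
            $problems += 'No Server Authentication EKU'
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Problems   = ($problems -join '; ')
            }
        }
    }
}

# Run on every array member: a listener certificate must be present, with its
# private key, on each TMG server in the array.
Get-UnusableListenerCertificate | Format-Table -AutoSize
```

The "certificate missing" condition (a listener that references a thumbprint no longer present in the store) cannot be detected from the store alone; compare the thumbprint shown in the listener properties against the output above.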
Handling SSL traffic: SSL bridging
1. The client on the Internet encrypts communications
2. TMG 2010 decrypts and inspects the traffic
3. TMG 2010 sends allowed traffic to the published server, re-encrypting it if required
Authentication process
1. Client credentials received
2-3. Credentials validated
4. Credentials delegated to the internal server
5. Server sends response
6. Response forwarded to the client
Configuring Web Listeners: client authentication methods
Forms-based authentication
  Credential types: username and password; username and passcode; username, password and passcode
  Authentication providers: Active Directory, LDAP server, RADIUS, RADIUS OTP, RSA SecurID
  Options: fallback to Basic; password management
HTTP authentication
  Basic: Active Directory, LDAP, RADIUS
  Digest: Active Directory only
  Integrated: Active Directory only
Client certificate authentication
  Authentication providers: Active Directory only
  Fallback to: Basic, Digest, Integrated
Authentication delegation
Delegation options:
  None – client cannot authenticate directly
  None – client can authenticate directly
  Basic authentication
  NTLM authentication
  Negotiate (Kerberos/NTLM)
  Kerberos Constrained Delegation
    SPN required for Kerberos
    Forefront TMG 2010 needs to be in the same domain as the published server
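The two Kerberos Constrained Delegation prerequisites above (a registered SPN and a TMG server in the same domain as the published server) translate into a short Active Directory preparation. The following PowerShell is an added example, not from the original deck or from Microsoft's TMG documentation; the computer names, domain and SPN are constructed placeholders, and it assumes the published server's IIS application pool runs as Network Service (so the SPN belongs to the computer account) and that TMG delegates with its own computer account because the Firewall service runs as Network Service.

```powershell
# Added example, not from the original deck or from TMG: Active Directory
# preparation for Kerberos Constrained Delegation from a TMG array member to a
# published Web server. Requires the ActiveDirectory module (RSAT) on a
# domain-joined admin workstation. All names are constructed placeholders.
Import-Module ActiveDirectory

$tmgComputer = 'TMG01'                      # TMG server; the Firewall service delegates with this computer account
$webComputer = 'EXCH01'                     # published server, IIS app pool running as Network Service (assumed)
$internalSpn = 'http/exch01.contoso.local'  # SPN to enter in the publishing rule's delegation settings

# 1. The SPN must exist exactly once in the forest. setspn -Q searches for it;
#    -S registers it only if no other account already holds it (duplicate SPNs
#    break Kerberos for both accounts). If the app pool ran under a domain
#    service account, the SPN would be registered on that account instead.
setspn.exe -Q $internalSpn
setspn.exe -S $internalSpn $webComputer

# 2. Constrain delegation: the TMG computer account may obtain service tickets
#    for this service only. TrustedToAuthForDelegation ("use any authentication
#    protocol") is required because the client authenticated to TMG with a form
#    or Basic credentials rather than Kerberos, so TMG has no client ticket to
#    forward and must use protocol transition.
Set-ADComputer -Identity $tmgComputer -Add @{ 'msDS-AllowedToDelegateTo' = $internalSpn }
Get-ADComputer -Identity $tmgComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify the resulting account state before creating the publishing rule.
Get-ADComputer -Identity $tmgComputer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Keeping the delegation list to the single SPN the rule needs is the least-privilege form of this configuration: a TMG account that is trusted for unconstrained delegation could request tickets to any service on behalf of any authenticated user.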
Authentication delegation: authentication methods × delegation support matrix

Authentication Method                             | Authentication Provider        | Delegation Method
--------------------------------------------------|--------------------------------|----------------------------------------------------------------------
Basic; Forms-based Authentication (password only) | Active Directory, LDAP, RADIUS | Basic, NTLM, Negotiate (Kerberos/NTLM), Kerberos Constrained Delegation
Forms-based Authentication (passcode only)        | SecurID, RADIUS OTP            | SecurID, Kerberos Constrained Delegation
Forms-based Authentication (password & passcode)  | SecurID, RADIUS OTP            | SecurID, Basic, NTLM, Negotiate (Kerberos/NTLM)
Digest; Integrated; Client Certificate            | Active Directory®              | Kerberos Constrained Delegation

The "None, client can authenticate directly" and "None, client cannot authenticate directly" options apply to all methods.
Web Publishing Wizards
  Publish Web sites
  Publish SharePoint sites
  Publish Exchange Web client access: Outlook® Web Access, Outlook® Anywhere, Exchange ActiveSync®, Outlook® Mobile Access
  Microsoft® Exchange Server® 2003
Web Publishing Rules
  Define membership to a user group: across different authentication namespaces; used for authorization at the Forefront TMG 2010 level
  Configure Web rule schedule: define access hours for accessing the Web site
  Configure link translation: translates internal names in links to the public names of the Web sites
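To make the link translation item concrete, the PowerShell below is an added illustration of what the feature does to a response body; it is not TMG's own implementation. The function, the dictionary and the sample HTML are constructed for the example: it maps internal host names that appear in links to the public name and leaves paths alone (differences in scheme or port are outside this illustration).

```powershell
# Added illustration, not TMG's own link translation code: rewrite internal
# server names inside links of a response body to the public name of the site.
function Convert-InternalLinks {
    param(
        [Parameter(Mandatory)] [string]    $Body,   # HTML returned by the published server
        [Parameter(Mandatory)] [hashtable] $Map     # internal name -> public name (the link translation dictionary)
    )
    $result = $Body
    foreach ($internalName in $Map.Keys) {
        # Match the name only where it appears as the host of a URL, and require a
        # delimiter after it so "sp01" does not rewrite part of "sp01.contoso.local".
        $pattern = '(?<=https?://)' + [regex]::Escape($internalName) + '(?=[/:?#"''\s]|$)'
        $result  = [regex]::Replace($result, $pattern, $Map[$internalName], 'IgnoreCase')
    }
    return $result
}

# Constructed sample: links as the SharePoint server emits them internally
$dictionary = @{
    'sp01.contoso.local' = 'portal.contoso.com'
    'sp01'               = 'portal.contoso.com'
}
$internalPage = @'
<a href="http://sp01/sites/hr/default.aspx">HR</a>
<a href="http://sp01.contoso.local/sites/it/">IT</a>
<a href="http://SP01.contoso.local/_layouts/viewlsts.aspx">Lists</a>
'@

Convert-InternalLinks -Body $internalPage -Map $dictionary
```

Without this rewrite, a browser on the Internet would follow the internal names in the returned page, which fail to resolve externally and also disclose internal host naming; the dictionary approach keeps the translation limited to the names the administrator has listed.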
Virtual Private Networking (VPN)
Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPN: remote access VPN and site-to-site VPN.
TMG 2010 implements Windows Server® 2008 VPN technology:
  Support for Secure Socket Tunneling Protocol (SSTP)
  Support for Network Access Protection (NAP)
Secure Socket Tunneling Protocol (SSTP): new SSL-based VPN protocol
  HTTP over an SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets
  Support for unauthenticated Web proxies
  Support for Network Access Protection (NAP)
  Client support in Windows Vista® SP1; no plans to backport SSTP to previous versions
Network Access Protection (NAP): Windows policy validation and enforcement platform
  Policy validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
  Network restriction: restricts network access to computers based on their health.
  Remediation: provides the necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
  Ongoing compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.
NAP support in Forefront TMG 2010
  Enforces compliance and provides remediation for clients connecting remotely through remote access VPN
  Supports all VPN protocols, including SSTP
  A different solution from the Remote Access Quarantine Services (RQS) supported in ISA Server 2006
  NAP validates the health status of the remote client at connection time
  VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network
Unified Access Gateway 2010
Features
  SSL VPN
  SSTP
  Remote Desktop Gateway on the UAG itself
  DirectAccess
Integrated security
  Overlay granular access control to specific sites and/or features within sites
  Built-in endpoint security policies (integrated with NAP)
  Expanded authentication and authorization capabilities
  Session clean-up and information leakage prevention
  Integrated network security
Simplified management
  Simplifies deployment and ongoing tasks through wizards and built-in policies
  Simplifies the user experience, reducing support costs
  Consolidates remote access infrastructure
Step 1: Choose the type of application you wish to publish
Step 2: Provide the internal name of the SharePoint Server and the external name
Step 3: Configure the same external name on your SharePoint server
All done!
From IAG to UAG
(The original slide marks each feature below as New or Improved in UAG compared with IAG.)
APPLICATION PUBLISHING
  Granular application filtering
  Session cleanup and removal
  Endpoint health detection
INTEGRATION
  Integrated with NAP policies
  Remote Desktop and RemoteApp integration
  Extends and simplifies DirectAccess deployments
SCALE AND MANAGEMENT
  Built-in load balancing
  Array management capabilities
  Enhanced monitoring and management (SCOM)
UAG architecture
(Diagram: from the Internet, home / friend / kiosk machines, employee-managed machines, mobile devices and business partners / subcontractors reach UAG over HTTPS (443). UAG authenticates against AD, AD FS, RADIUS, LDAP, etc. and passes traffic into the data center or corporate network: Exchange, CRM, SharePoint, LoB applications and IBM, SAP and Oracle systems over HTTPS / HTTP; TS / RDS; non-Web applications; and DirectAccess.)
Forefront TMG and UAG
Forefront TMG is installed during Forefront UAG setup.
TMG acts as a firewall protecting the UAG server.
UAG leverages TMG array management and monitoring functionality.
Supported Forefront TMG configurations:
  Creating access rules when deploying UAG for VPN access
  Monitoring via the TMG console
  Configuring system policy rules for controlling access to and from the UAG server
  Publishing some Exchange and OCS protocols using TMG
No other Forefront TMG functionality is supported (intrusion prevention, malware inspection, forward and reverse Web proxying, etc.).
Trunks and Portals
Forefront UAG trunks: transfer channels that make internal resources and applications available to remote endpoints
  A Forefront UAG server can have multiple trunks
  Trunks can be either HTTP or HTTPS
Types of trunks
  Portal trunks: present a Web portal to the user with multiple associated applications and resources
  Active Directory® Federation Services (AD FS) trunks: used to publish AD FS servers
  Redirection trunks: redirect HTTP requests to an HTTPS trunk
Trunk settings: the following settings are configured per trunk:
  IP address and port, server certificate, portal homepage, authentication methods, session settings, endpoint policy requirements, traffic inspection, HTTP compression
Forefront UAG user authentication: supported authentication schemes

Authentication Protocol         | Identity Repository
--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------
Passthrough (no authentication) | User authenticates directly with the back-end application
Active Directory                | Uses Active Directory for authentication and authorization
LDAP                            | Active Directory, Active Directory Lightweight Directory Services (AD LDS), Netscape Directory Server, Notes Directory Server, Novell Directory Service
LDAP Client Certificate         | Authenticates by validating the certificate, then querying an LDAP service for authorization
NT Domain                       | Windows® NT and SAMBA domains
RADIUS                          | Uses a RADIUS server (such as the Windows® Network Policy Server) for authentication
TACACS                          | Uses a TACACS authentication server (such as NTTacPlus)
RSA SecurID                     | One-time password (OTP) authentication using the RSA ACE/Server
WinHTTP                         | Assigns a Web page that requires users to authenticate
Creating a trunk: use the Create Trunk Wizard
1. Select trunk type
2. Define host name, IP address, and port
3. Configure authentication servers
4. Select server certificate
5. Select endpoint security policies
Types of application
Once a portal trunk has been set up, be it an HTTP or HTTPS trunk, you can start publishing applications on it.
Applications are published using a wizard, which includes approximately 40 types of application templates.
The top-level type list is divided into the following categories of applications:
• Built-in services
• Web (applications)
• Client/Server and Legacy
• Browser-embedded
• Terminal Services and Remote Desktop
Forefront UAG Portal
The portal is the front-end Web application for a portal trunk.
It authenticates users and provides access to the published applications and resources.
It allows users to view, search for, and run applications published by the administrator.
New application, completely remade for Forefront UAG using Microsoft® ASP.NET™ and AJAX.
Forefront UAG Portal – Premium PC Interface
New features in TMG SP1
  Reporting
  URL filtering user override
  Branch office support
  Publishing SharePoint 2010