Page 1: 50357 a enu-module03

Module 3: Remote Access Gateway

© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.

Page 2: 50357 a enu-module03

Module Overview

Remote Access Gateway overview

Server publishing

Web publishing

Virtual Private Networking (VPN) connectivity

Page 3: 50357 a enu-module03

Lesson 1 – Remote Access Gateway Overview

Page 4: 50357 a enu-module03

Remote Access Connectivity Options (Forefront TMG 2010)

Connectivity method | Goal | Example usage scenario
Non-HTTP server publishing | Connectivity to specific internal non-HTTP servers | Access to internal e-mail (SMTP) server
Web server publishing | Connectivity to internal Web servers | Access to Outlook Web application
Virtual Private Network | Full connectivity to the corporate network | Access for employees connecting from home or at a customer site

Page 5: 50357 a enu-module03

Product Positioning: Forefront TMG 2010 vs. Forefront™ Unified Access Gateway (UAG)

Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats.

Forefront UAG: comprehensive, secure remote access to corporate resources.

Forefront UAG is the preferred solution for providing remote access.

Forefront TMG 2010 still provides support for remote access features, but it is not the recommended solution.

Page 6: 50357 a enu-module03

Lesson 2 – Non-HTTP Server Publishing

Page 7: 50357 a enu-module03

Non-HTTP Server Publishing

Allows requests to be mapped to non-Web servers in one of the TMG 2010 networks.

Clients can be either on the Internet or on a different internal network.

Can be used to publish most TCP and UDP protocols.

Behavior depends on whether the non-Web server is behind a NAT relationship or a route relationship:
If behind NAT, clients connect to an IP address belonging to Forefront TMG.
If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server.

The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010.

Page 8: 50357 a enu-module03

Sample Server Publishing Scenario: DNS Server Publishing

[Diagram: Internet client 203.16.4.1; TMG with external address 10.0.0.3 and internal address 192.168.0.3; DNS server 192.168.0.100 (DG: 192.168.0.3); FTP server 192.168.0.101 (DG: 192.168.0.254); internal gateway 192.168.0.254]

1. DNS request: 203.16.4.1 > 10.0.0.3
2. Check rule match

Page 9: 50357 a enu-module03

Check Publishing Rule Match

Page 10: 50357 a enu-module03

Sample Server Publishing Scenario: DNS Server Publishing (continued)

1. DNS request: 203.16.4.1 > 10.0.0.3
2. Check rule match
3. Rule matched
4. Check rule action

Page 11: 50357 a enu-module03

Check Rule Action

Page 12: 50357 a enu-module03

Sample Server Publishing Scenario: DNS Server Publishing (continued)

1. DNS request: 203.16.4.1 > 10.0.0.3
2. Check rule match
3. Rule matched
4. Check rule action
5. Action is allow
6. Evaluate filters

Page 13: 50357 a enu-module03

Evaluate Network Inspection System (NIS) Filters

Page 14: 50357 a enu-module03

Evaluate Application Filters

Page 15: 50357 a enu-module03

Sample Server Publishing Scenario: DNS Server Publishing (continued)

1. DNS request: 203.16.4.1 > 10.0.0.3
2. Check rule match
3. Rule matched
4. Check rule action
5. Action is allow
6. Evaluate filters
7. Request OK
8. Forward request: 203.16.4.1 > 192.168.0.100
9. Server response: 192.168.0.100 > 203.16.4.1

Page 16: 50357 a enu-module03

Sample Server Publishing Scenario: FTP Server Publishing

1. FTP request: 203.16.4.1 > 10.0.0.3
2. Check rule match
3. Rule matched
4. Check rule action
5. Action is allow
6. Evaluate filters
7. Request OK
8. Forward request to FTP: 192.168.0.3 > 192.168.0.101
9. FTP server response: 192.168.0.101 > 192.168.0.3
10. TMG response: 10.0.0.3 > 203.16.4.1
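The two scenarios above differ only in what TMG puts in the source address of the forwarded request: the DNS server (default gateway = TMG) receives the client's own address, while the FTP server (default gateway = 192.168.0.254) receives TMG's internal address so that the reply comes back through TMG. The following added model is not Microsoft code; the rule objects, the `preserve_source` flag and the `DEFAULT_GATEWAY` map are constructed from the diagram's addresses and the rule setting mentioned on the planning slide, and both rules are assumed to use a NAT relationship (listener on TMG's external address).

```python
from dataclasses import dataclass

TMG_EXTERNAL = "10.0.0.3"     # TMG address on the External network (listener)
TMG_INTERNAL = "192.168.0.3"  # TMG address on the Internal network
# Default gateways of the published servers, as drawn in the diagram
DEFAULT_GATEWAY = {"192.168.0.100": TMG_INTERNAL,     # DNS server: SecureNAT client
                   "192.168.0.101": "192.168.0.254"}  # FTP server: other gateway

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    port: int

@dataclass(frozen=True)
class PublishingRule:
    name: str
    proto: str
    port: int
    listener: str          # external address the rule listens on
    server: str            # published internal server
    preserve_source: bool  # rule setting: keep the client's source IP or use TMG's

# Constructed rules matching the two scenarios on the slides
RULES = (
    PublishingRule("DNS publishing", "udp", 53, TMG_EXTERNAL, "192.168.0.100", True),
    PublishingRule("FTP publishing", "tcp", 21, TMG_EXTERNAL, "192.168.0.101", False),
)

def match_rule(pkt, rules=RULES):
    """Steps 2-3: first rule whose listener address, protocol and port match."""
    for rule in rules:
        if (pkt.dst, pkt.proto, pkt.port) == (rule.listener, rule.proto, rule.port):
            return rule
    return None  # no rule matched: the request is dropped

def forward(pkt, rules=RULES):
    """Steps 4-8 (allow action and filters assumed to pass): build the packet
    TMG sends to the published server, or None when no rule matches."""
    rule = match_rule(pkt, rules)
    if rule is None:
        return None
    src = pkt.src if rule.preserve_source else TMG_INTERNAL
    return Packet(src, rule.server, pkt.proto, pkt.port)

def reply_returns_via_tmg(rule, gateways=DEFAULT_GATEWAY):
    """Step 9 check: with the client's source preserved the server answers the
    Internet client directly, so its default gateway must be TMG (SecureNAT
    client); otherwise the reply bypasses TMG. With TMG's own address as the
    source (FTP scenario) the reply is addressed to TMG regardless."""
    if not rule.preserve_source:
        return True
    return gateways.get(rule.server) == TMG_INTERNAL
```

The last function is the planning check a practitioner wants before enabling the "preserve client source" setting: a published server that routes replies past TMG will never complete the session.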

Page 17: 50357 a enu-module03

Server Publishing Wizards

Available from Firewall Policy Tasks:
Publish common non-Web protocols
Publish mail (SMTP) servers

Page 18: 50357 a enu-module03

Non-HTTP Server Publishing: Things to consider when planning Server Publishing

No authentication support; access restriction by network elements only (networks, subnets, or IP addresses).

No support in a single-adapter configuration.

Client source IP address is preserved; the behavior can be changed using a rule setting.

Application Layer Filter and NIS signature coverage: SMTP, POP3, DNS, etc.

Page 19: 50357 a enu-module03

Lesson 3 – Web Publishing

Page 20: 50357 a enu-module03

Web Publishing

Provides secure access to Web content to users from the Internet. Web content may be either on internal networks or in a DMZ. Supports HTTP and HTTPS connections.

Forefront TMG 2010 Web Publishing features:
Mapping requests to specific internal paths on specific servers
Authentication and authorization of users at the TMG level
Delegation of user credentials after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server farm

Page 21: 50357 a enu-module03

Accessing Web Resources

[Diagram: Internet clients connect over HTTPS to Forefront TMG 2010, which forwards over HTTP or HTTPS to an Exchange Server (OWA, RPC/HTTP(S), ActiveSync), a Web Server and a SharePoint Server]

Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols.

Page 22: 50357 a enu-module03

Configuring

1. Define Web listeners
   IP addresses and ports that will listen for Web requests
   Authentication method used (client to TMG 2010)
   Server certificates and SSL options
   Number of client connections allowed

2. Create other rule elements
   Source addresses
   Web farms
   User sets
   Schedules

3. Run the appropriate wizard

Page 23: 50357 a enu-module03

Configuring Web Listeners

Page 24: 50357 a enu-module03

Configuring Web Listeners: Assigning a Certificate to a Web Listener

Showing invalid certificates:
Private key not installed
Certificate missing

Page 25: 50357 a enu-module03

Securing SSL Traffic

SSL Bridging:
1. Client on the Internet encrypts communications
2. TMG 2010 decrypts and inspects traffic
3. TMG 2010 sends allowed traffic to the published server, re-encrypting it if required

Page 26: 50357 a enu-module03

Authentication Process

1. Client credentials received
2 & 3. Credentials validated
4. Credentials delegated to internal server
5. Server sends response
6. Response forwarded to client

Page 27: 50357 a enu-module03

Configuring Web Listeners: Client Authentication Methods

Forms-based authentication
   Credential types: Username and Password; Username and Passcode; Username, Password and Passcode
   Authentication providers: Active Directory, LDAP server, RADIUS, RADIUS OTP, RSA SecurID
   Fallback to Basic; Password Management

Basic
   Authentication providers: Active Directory, LDAP, RADIUS

Digest
   Authentication providers: Active Directory only

Integrated
   Authentication providers: Active Directory only

Authentication providers: Active Directory only
   Fallback to: Basic, Digest, Integrated

Page 28: 50357 a enu-module03

Authentication Delegation: Authentication Methods

None, client cannot authenticate directly
None, client can authenticate directly
Basic authentication
NTLM authentication
Negotiate (Kerberos/NTLM)
Kerberos Constrained Delegation
   SPN required for Kerberos
   Forefront TMG 2010 needs to be in the same domain as the published server

Page 29: 50357 a enu-module03

Authentication Delegation: Authentication Methods x Delegation Support Matrix

Authentication method | Authentication provider | Delegation method
Basic; Forms-based Authentication (password only) | Active Directory, LDAP, RADIUS | Basic, NTLM, Negotiate (Kerberos/NTLM), Kerberos Constrained Delegation
Forms-based Authentication (passcode only) | SecurID, RADIUS OTP | SecurID, Kerberos Constrained Delegation
Forms-based Authentication (password & passcode) | SecurID, RADIUS OTP | SecurID, Basic, NTLM, Negotiate (Kerberos/NTLM)
Digest; Integrated; Client Certificate | Active Directory® | Kerberos Constrained Delegation

The "None, client can authenticate directly" and "None, client cannot authenticate directly" options apply to all methods.

Page 30: 50357 a enu-module03

Single Sign On: Sample Scenario, Two Published Web Sites Requiring Authentication

[Diagram: two published sites, Exchange.Company.Com and SharePoint.Company.Com, using forms-based authentication (FBA)]

Without single sign-on:
1. User prompted for authentication
2. User clicks link to SharePoint
3. User prompted for authentication again

With single sign-on:
1. User prompted for authentication
2. User clicks link to SharePoint
3. User NOT prompted for authentication

Page 31: 50357 a enu-module03

Configuring Web Listeners: Single Sign On

Page 32: 50357 a enu-module03

Web Publishing Wizards

Publish Web sites
Publish SharePoint sites
Publish Exchange Web client access:
   Outlook® Web Access
   Outlook® Anywhere
   Exchange ActiveSync®
   Outlook® Mobile Access (Microsoft® Exchange Server® 2003)

Page 33: 50357 a enu-module03

Web Farms

Distributes requests evenly among available Web servers.
Detects offline servers and implements consistent failover.
Allows the draining, removal, and addition of servers without disrupting current connections.
Methods for monitoring connectivity include HTTP GET, PING request, or TCP connection to a given port.
Supports IP- or cookie-based affinity.

Page 34: 50357 a enu-module03

Web Publishing Rules

Page 35: 50357 a enu-module03

Web Publishing Rules

Define membership of a user group, across different authentication namespaces. Used for authorization at the Forefront TMG 2010 level.

Page 36: 50357 a enu-module03

Web Publishing Rules

Configure Web rule schedule: define access hours for accessing the Web site.

Configure link translation: translates internal names in links to public names of the Web sites.

Page 37: 50357 a enu-module03

Lesson 4 – Virtual Private Networking (VPN) Connectivity

Page 38: 50357 a enu-module03

Forefront TMG Virtual Private Networking (VPN)

TMG 2010 supports two types of VPNs: Remote Access VPN and Site-to-site VPN.

TMG 2010 implements Windows Server® 2008 VPN technology:
Implements support for Secure Socket Tunneling Protocol (SSTP)
Implements support for Network Access Protection (NAP)

Page 39: 50357 a enu-module03

Secure Socket Tunneling Protocol (SSTP)

New SSL-based VPN protocol: HTTP over an SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets.
Support for unauthenticated Web proxies
Support for Network Access Protection (NAP)
Client support in Windows Vista® SP1; no plans to backport SSTP to previous versions

Page 40: 50357 a enu-module03

Network Access Protection (NAP): Windows Policy Validation and Enforcement Platform

Policy validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.

Network restriction: restricts network access to computers based on their health.

Remediation: provides necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.

Ongoing compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Page 41: 50357 a enu-module03

NAP Support in Forefront TMG 2010

Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN.
Supports all VPN protocols, including SSTP.
A different solution from the Remote Access Quarantine Service (RQS) supported in ISA Server 2006.
NAP validates the health status of the remote client at connection time.
VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network.

Page 42: 50357 a enu-module03

NAP with Forefront TMG Walkthrough

[Diagram: Client, Forefront TMG 2010 (network access device), Network Policy Server, System Health Servers (ongoing policy updates to the Network Policy Server) and Remediation Servers; Corporate Network and Restricted Network 10.10.10.0/24]

1. VPN session request (EAP messages: "Can I please have access to the network?")
2. EAP - Request/Identity; EAP - Response/Identity
3. EAP - Request/Start - Send SOH; the VPN QEC queries the NAPAgent for SOHs
4. PEAP messages: "Here is my SOH"
5. RADIUS Access-Accept to TMG: "According to policy, the client is not up to date. Quarantine client. Restrict client to 10.10.10.0/24"; PEAP message to the client: State: Quarantine, SOH Responses
6. VPN QEC passes the SoH Responses back to the NAPAgent; the unhealthy SHA performs remediation against the remediation servers ("Here is the fix you need")
7. NAPAgent collects the new SoH and passes it to the VPN QEC; PEAP messages: "Here is my SOH"
8. RADIUS Access-Accept to TMG: "According to policy, the client is up to date. Grant access - no filters"; PEAP message to the client: State: Full Access, SOH Responses

Page 43: 50357 a enu-module03

NAP Components

[Diagram: Client (SHA<n>, Quarantine Agent, QEC1, QEC2) sends network access requests with health statements to the Network Access Device (Forefront TMG 2010), which passes them to the Network Policy Server (Quarantine Server, SHV<n>) and receives a health result; System Health Servers send health policy updates to the Network Policy Server; Remediation Servers update the client]

Health Components
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
System Health Validators (SHV) = Certify declarations made by health agents.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.

Enforcement Components
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 802.1X, IPsec QECs.
Quarantine Server (QS) = Restricts client's network access based on what SHV certifies.
Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC.
Health Registration Authority = Issues certificates to clients that pass health checks.

Platform Components
System Health Servers = Define health requirements for system components on the client.
Network Access Devices = Provide network access to healthy endpoints.
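The walkthrough and the component list above describe one control loop: SHAs declare health, SHVs on the Network Policy Server certify it, the Access-Accept carries either no filter or a restriction to 10.10.10.0/24, and TMG applies that filter to the VPN session until a new SoH passes. The following added model runs that loop end to end; it is not Microsoft code, and the health checks (firewall state, antivirus signature version, patch level) and their thresholds are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Quarantine filter carried in the RADIUS Access-Accept on the slide
RESTRICTED_NETWORK = ip_network("10.10.10.0/24")
# Constructed health requirements (the role of the System Health Servers)
HEALTH_POLICY = {"min_av_signature": 2010, "min_patch_level": 5}

def shv_validate(soh):
    """SHV: certify one Statement of Health; returns the names of failed checks."""
    failed = []
    if soh.get("firewall_on") is not True:
        failed.append("firewall_on")
    if soh.get("av_signature", 0) < HEALTH_POLICY["min_av_signature"]:
        failed.append("av_signature")
    if soh.get("patch_level", 0) < HEALTH_POLICY["min_patch_level"]:
        failed.append("patch_level")
    return failed

def nps_decision(sohs):
    """NPS: combine SHV results into the RADIUS Access-Accept sent to TMG.
    sohs maps each SHA name to the SoH it declared."""
    failures = {sha: bad for sha, soh in sohs.items() if (bad := shv_validate(soh))}
    if failures:
        return {"state": "Quarantine", "filter": RESTRICTED_NETWORK, "failures": failures}
    return {"state": "Full Access", "filter": None, "failures": {}}

def tmg_allows(decision, dst_ip):
    """TMG (network access device): apply the per-connection IP packet filter."""
    return decision["filter"] is None or ip_address(dst_ip) in decision["filter"]

def remediate(soh, failed):
    """Unhealthy SHA pulls fixes from the remediation servers (inside the
    restricted network) and declares a new SoH."""
    fixed = dict(soh)
    if "firewall_on" in failed:
        fixed["firewall_on"] = True
    if "av_signature" in failed:
        fixed["av_signature"] = HEALTH_POLICY["min_av_signature"]
    if "patch_level" in failed:
        fixed["patch_level"] = HEALTH_POLICY["min_patch_level"]
    return fixed

def vpn_connect(sohs, max_rounds=3):
    """Walk the connection through evaluate, quarantine, remediate, re-evaluate.
    Returns the sequence of access states TMG applied to the VPN session."""
    states = []
    for _ in range(max_rounds):
        decision = nps_decision(sohs)
        states.append(decision["state"])
        if decision["filter"] is None:
            break
        sohs = {sha: remediate(soh, decision["failures"].get(sha, []))
                for sha, soh in sohs.items()}
    return states
```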

Page 44: 50357 a enu-module03

Comparing NAP to RQS/RQC

Remote Access Quarantine Service (RQS) and Remote Access Quarantine Client (RQC):
Supports all versions of Windows®
Requires configuration of scripts for policy evaluation and remediation
Requires the use of Connection Manager
Supports only remote access (VPN or dial-up) connections

Network Access Protection (NAP):
Supports Microsoft Windows XP® Service Pack 3 or newer operating systems
Requires System Health Agents (SHAs) for policy evaluation and remediation
Supports any kind of network connection, with no requirement for Connection Manager

Both methods are supported by Forefront TMG 2010.

Page 45: 50357 a enu-module03

Configuring Forefront TMG with NAP

1. Install the Windows Server® 2008 or Windows Server® 2008 R2 Network Policy Server (NPS) role, preferably on a separate server from Forefront TMG 2010
2. Configure Forefront TMG 2010 as a RADIUS client
3. Configure remote access policies at the NPS server:
   Configure System Health Validators (SHVs) and health policies
   Create network policies
   Create connection request policies
   Define remediation servers
4. Configure NAP clients:
   Enable the NAP service and the EAP quarantine agent
   Configure SHAs

Page 46: 50357 a enu-module03

Questions

Page 47: 50357 a enu-module03

Lab 3: Remote Access Gateway Lab

In this lab, you will:
Use Web Publishing to publish Exchange Web Services

Lab 3 - Exercise 6. Estimated completion time: 45 min

Page 48: 50357 a enu-module03

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.