Module 3: Remote Access Gateway
© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.
Module Overview
Remote Access Gateway overview
Server publishing
Web publishing
Virtual Private Networking (VPN) connectivity
Lesson 1 – Remote Access Gateway Overview
Remote Access Connectivity Options: Forefront TMG 2010
Connectivity method | Goal | Example usage scenario
Non-HTTP server publishing | Connectivity to specific internal non-HTTP servers | Access to an internal e-mail (SMTP) server
Web server publishing | Connectivity to internal Web servers | Access to Outlook Web Access
Virtual private network | Full connectivity to the corporate network | Access for employees connecting from home or from a customer site
Product Positioning: Forefront TMG 2010 vs. Forefront Unified Access Gateway (UAG)
Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats
Forefront UAG: comprehensive, secure remote access to corporate resources
Forefront UAG is the preferred solution for providing remote access
Forefront TMG 2010 still supports the remote access features covered in this module, but it is not the recommended solution for them
Lesson 2 – Non-HTTP Server Publishing
Non-HTTP Server Publishing
Maps requests to non-Web servers located in one of the TMG 2010 networks
Clients can be either on the Internet or on a different internal network
Can be used to publish most TCP and UDP protocols
Behavior depends on whether the non-Web server sits behind a NAT relationship or a route relationship:
If behind NAT, clients connect to an IP address belonging to Forefront TMG
If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server itself
The published server should be configured as a SecureNAT client, with its default gateway pointing to TMG 2010; otherwise its replies to the original client address bypass TMG, unless the rule is set to make requests appear to come from the TMG computer
Sample Server Publishing Scenario: DNS Server Publishing (diagram)
Topology used in both scenarios: Forefront TMG with external address 10.0.0.3 and internal address 192.168.0.3; DNS server 192.168.0.100 with default gateway 192.168.0.3 (TMG); FTP server 192.168.0.101 with default gateway 192.168.0.254 (a different router); Internet client 203.16.4.1
1. DNS request: 203.16.4.1 > 10.0.0.3
2. Check publishing rule match
3. Rule matched
4. Check rule action
5. Action is allow
6. Evaluate filters: Network Inspection System (NIS) signatures, then application filters
7. Request OK
8. Forward request: 203.16.4.1 > 192.168.0.100 (client source address preserved; the DNS server can reply to it only because its default gateway is TMG)
9. Server response: 192.168.0.100 > 203.16.4.1

Sample Server Publishing Scenario: FTP Server Publishing (diagram, same topology)
1. FTP request: 203.16.4.1 > 10.0.0.3
2. to 7. Rule match, allow action and filter evaluation as in the DNS scenario
8. Forward request to FTP server: 192.168.0.3 > 192.168.0.101 (source replaced by TMG's internal address, since the FTP server's default gateway is not TMG and a reply addressed to 203.16.4.1 would bypass TMG)
9. FTP server response: 192.168.0.101 > 192.168.0.3
10. TMG response: 10.0.0.3 > 203.16.4.1
Server Publishing Wizards
Available from Firewall Policy Tasks
Publish common non-Web protocols
Publish mail (SMTP) servers
Non-HTTP Server Publishing: things to consider when planning server publishing
No authentication support: access restriction by network elements only (networks, subnets, or IP addresses)
Not supported in a single-adapter configuration
Client source IP address is preserved by default; this behavior can be changed with a rule setting
Application layer filter and NIS signature coverage: SMTP, POP3, DNS, etc.
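The rule evaluation and address handling from the two scenarios above, as an added Python model (example code, not TMG's own implementation). The addresses are the deck's sample topology; the rule and server objects, the `preserve_client_ip` flag and the `allowed_sources` list are assumptions standing in for the corresponding TMG rule settings.

```python
"""Forwarding model for a Forefront TMG non-HTTP server publishing rule.

Added example, not TMG code. It reproduces the deck's sample topology
(TMG 10.0.0.3 / 192.168.0.3, DNS server 192.168.0.100, FTP server
192.168.0.101) and shows why the published server must use TMG as its
default gateway when the rule preserves the client source address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PublishedServer:
    name: str
    ip: str
    default_gateway: str          # where the server's own routing table sends replies


@dataclass(frozen=True)
class Tmg:
    external_ip: str
    internal_ip: str


@dataclass(frozen=True)
class PublishingRule:
    server: PublishedServer
    protocol: str                 # "DNS", "FTP", "SMTP", ...
    relationship: str             # network relationship external<->internal: "nat" or "route"
    preserve_client_ip: bool = True   # rule setting "requests appear to come from the original client"
    allowed_sources: tuple = ("0.0.0.0/0",)   # the only access control server publishing has


def listener_ip(rule: PublishingRule, tmg: Tmg) -> str:
    # Behind NAT, clients connect to an address belonging to TMG;
    # behind a route relationship, TMG listens on the published server's own IP.
    return tmg.external_ip if rule.relationship == "nat" else rule.server.ip


def source_allowed(rule: PublishingRule, client_ip: str) -> bool:
    return any(ip_address(client_ip) in ip_network(net) for net in rule.allowed_sources)


def forward(rule: PublishingRule, tmg: Tmg, client_ip: str, dst_ip: str):
    """Return the (src, dst) pair TMG writes on the packet it forwards to the
    published server, or raise if the rule cannot apply."""
    if dst_ip != listener_ip(rule, tmg):
        raise LookupError("no %s publishing rule listens on %s" % (rule.protocol, dst_ip))
    if not source_allowed(rule, client_ip):
        raise PermissionError("source %s denied by rule" % client_ip)
    if rule.preserve_client_ip:
        # The server will answer the original client, so its reply must be routed
        # through TMG: the server has to be a SecureNAT client with TMG as gateway.
        if rule.server.default_gateway != tmg.internal_ip:
            raise RuntimeError(
                "%s replies via %s and would bypass TMG; point its default gateway at %s "
                "or set the rule to make requests appear to come from TMG"
                % (rule.server.name, rule.server.default_gateway, tmg.internal_ip))
        return (client_ip, rule.server.ip)
    # Source replaced by TMG's internal address: the reply comes back to TMG regardless
    # of the server's gateway, and TMG answers the client from the listener address.
    return (tmg.internal_ip, rule.server.ip)


# Sample topology from the deck's DNS/FTP publishing scenario
TMG = Tmg(external_ip="10.0.0.3", internal_ip="192.168.0.3")
DNS = PublishedServer("DNS server", "192.168.0.100", default_gateway="192.168.0.3")
FTP = PublishedServer("FTP server", "192.168.0.101", default_gateway="192.168.0.254")
DNS_RULE = PublishingRule(DNS, "DNS", "nat")
FTP_RULE = PublishingRule(FTP, "FTP", "nat", preserve_client_ip=False)
LOCKED_DOWN_RULE = PublishingRule(DNS, "DNS", "nat", allowed_sources=("203.16.4.0/24",))

if __name__ == "__main__":
    print(forward(DNS_RULE, TMG, "203.16.4.1", "10.0.0.3"))   # ('203.16.4.1', '192.168.0.100')
    print(forward(FTP_RULE, TMG, "203.16.4.1", "10.0.0.3"))   # ('192.168.0.3', '192.168.0.101')
```

The FTP rule with the default `preserve_client_ip=True` raises, which is the misconfiguration the deck's FTP scenario avoids by having TMG substitute its own address; the `LOCKED_DOWN_RULE` shows the only kind of access restriction a server publishing rule can express.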
Lesson 3 – Web Publishing
Web Publishing
Provides secure access to Web content for users on the Internet
Web content may be either on internal networks or in a DMZ
Supports HTTP and HTTPS connections
Forefront TMG 2010 Web Publishing features:
Mapping requests to specific paths on specific internal servers
Authentication and authorization of users at the TMG level
Delegation of user credentials to the published server after TMG authentication
Caching of the published content (reverse caching)
Inspection of incoming HTTPS requests using SSL bridging
Load balancing of client requests among Web servers in a server farm
Accessing Web Resources (diagram)
Clients on the Internet connect to Forefront TMG over HTTPS; TMG forwards the requests, over HTTP or HTTPS as configured per rule, to the published servers: an Exchange server (OWA, RPC over HTTP(S), ActiveSync), a Web server, and a SharePoint server
Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols
Configuring Web Publishing
1. Define Web listeners: IP addresses and ports that will listen for Web requests; authentication method used (client to TMG 2010); server certificates and SSL options; number of client connections allowed
2. Create the other rule elements: source addresses, Web farms, user sets, schedules
3. Run the appropriate wizard
Configuring Web Listeners: Assigning a Certificate to a Web Listener
The certificate dialog can also show invalid certificates, with the reason they cannot be selected:
Private key not installed (the listener needs the certificate together with its private key in the Local Computer personal store)
Certificate missing
Securing SSL Traffic: SSL Bridging
1. Client on the Internet encrypts communications to TMG
2. TMG 2010 decrypts and inspects the traffic
3. TMG 2010 sends allowed traffic to the published server, re-encrypting it if required
Authentication Process
1. Client credentials received by TMG
2 and 3. Credentials validated against the authentication provider
4. Credentials delegated to the internal server
5. Server sends response
6. Response forwarded to the client
Configuring Web Listeners: Client Authentication Methods
HTML forms-based authentication
Credential types: username and password; username and passcode; username, password and passcode
Authentication providers: Active Directory, LDAP server, RADIUS, RADIUS OTP, RSA SecurID
Options: fallback to Basic (for clients that cannot use the form), password management
HTTP authentication
Basic: Active Directory, LDAP, RADIUS
Digest: Active Directory only
Integrated: Active Directory only
SSL client certificate authentication
Authentication providers: Active Directory only
Fallback to: Basic, Digest, Integrated
Authentication Delegation
Delegation methods:
None, client cannot authenticate directly
None, client can authenticate directly
Basic authentication
NTLM authentication
Negotiate (Kerberos/NTLM)
Kerberos constrained delegation (KCD)
Kerberos requires an SPN for the published service, and Forefront TMG 2010 needs to be in the same domain as the published server
Authentication Delegation: Authentication Methods x Delegation Support Matrix
Authentication method | Authentication provider | Delegation method
Basic; forms-based authentication (password only) | Active Directory, LDAP, RADIUS | Basic, NTLM, Negotiate (Kerberos/NTLM), Kerberos constrained delegation
Forms-based authentication (passcode only) | SecurID, RADIUS OTP | SecurID, Kerberos constrained delegation
Forms-based authentication (password and passcode) | SecurID, RADIUS OTP | SecurID, Basic, NTLM, Negotiate (Kerberos/NTLM)
Digest; Integrated; client certificate | Active Directory | Kerberos constrained delegation
The options "None, client can authenticate directly" and "None, client cannot authenticate directly" apply to all methods
Configuring Web Listeners: Single Sign On
Sample scenario: two published Web sites requiring authentication, exchange.company.com and sharepoint.company.com, both using forms-based authentication (FBA) on the same listener
Without single sign on:
1. User is prompted for authentication
2. User clicks a link to SharePoint
3. User is prompted for authentication again
With single sign on:
1. User is prompted for authentication
2. User clicks a link to SharePoint
3. User is NOT prompted for authentication
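How a listener-scoped cookie produces the single sign on in the scenario above, as an added Python example (not TMG code): a toy listener that issues an HMAC-signed cookie after forms-based authentication, with the browser's cookie domain matching modelled so that the effect of the cookie Domain attribute is visible. The listener key, the user name and the `.company.com` SSO domain are constructed assumptions, and the signing scheme is illustrative rather than TMG's actual cookie format.

```python
"""Single sign-on between two published sites on one TMG Web listener.

Added example, not TMG code. TMG's forms-based SSO works by scoping the
authentication cookie to a configured SSO domain; this toy listener issues an
HMAC-signed cookie and models the browser's domain matching so the effect of
the Domain attribute is visible. The listener key and hostnames are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json

LISTENER_KEY = b"constructed-per-listener-secret"   # assumption: a secret known only to the listener


def _sign(body: bytes) -> str:
    return hmac.new(LISTENER_KEY, body, hashlib.sha256).hexdigest()


def issue_cookie(user: str, cookie_domain: str, now: int, ttl: int = 600) -> dict:
    """Cookie the listener sets after forms-based authentication succeeds."""
    body = json.dumps({"user": user, "exp": now + ttl, "dom": cookie_domain}).encode()
    token = base64.urlsafe_b64encode(body).decode() + "." + _sign(body)
    # Domain is what lets every published host under the SSO domain receive the cookie.
    return {"name": "TMG_SSO", "value": token, "domain": cookie_domain,
            "secure": True, "httponly": True}


def browser_sends(cookie: dict, host: str) -> bool:
    """RFC 6265 domain match: host equals the cookie domain or is a subdomain of it."""
    domain = cookie["domain"].lstrip(".")
    return host == domain or host.endswith("." + domain)


def validate(token: str, host: str, now: int):
    """Return the user name if the token is authentic, unexpired and issued for this host's domain."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):   # tampered or forged
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:                                          # expired
        return None
    domain = claims["dom"].lstrip(".")
    if not (host == domain or host.endswith("." + domain)):           # replayed to a foreign host
        return None
    return claims["user"]


def handle(host: str, jar: list, now: int):
    """Listener decision for a request to `host`: ('serve', user) or ('prompt', None)."""
    for cookie in jar:
        if browser_sends(cookie, host):
            user = validate(cookie["value"], host, now)
            if user:
                return ("serve", user)
    return ("prompt", None)     # show the forms-based logon page


def scenario(sso_enabled: bool, now: int = 1_700_000_000) -> str:
    """The deck's two-site scenario: log on at Exchange, then click a SharePoint link."""
    # With SSO the listener's cookie domain is the SSO domain; without it, the host itself.
    cookie_domain = ".company.com" if sso_enabled else "exchange.company.com"
    jar = [issue_cookie("alice", cookie_domain, now)]      # step 1: user authenticated at Exchange
    return handle("sharepoint.company.com", jar, now)[0]   # steps 2 and 3: link to SharePoint
```

The security trade-off is the same as in TMG: the wider the SSO domain, the more hosts can receive the cookie, so the SSO domain should cover only hosts published through the same listener, and the cookie stays `Secure` and `HttpOnly` so it is not exposed over HTTP or to scripts on the published sites.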
Web Publishing Wizards
Publish Web sites
Publish SharePoint sites
Publish Exchange Web client access (the wizard asks for the Exchange Server version, for example Microsoft Exchange Server 2003): Outlook Web Access, Outlook Anywhere, Exchange ActiveSync, Outlook Mobile Access
Web Farms
Distribute requests evenly among the available Web servers
Detect offline servers and implement consistent failover
Allow draining, removal and addition of servers without disrupting current connections
Connectivity monitoring methods: HTTP GET, PING request, or TCP connection to a given port
Support IP-based or cookie-based affinity
Web Publishing Rules
User sets: define membership of a user group across different authentication namespaces; used for authorization at the Forefront TMG 2010 level
Schedule: define the hours during which the Web site can be accessed
Link translation: translates internal names in links to the public names of the Web sites
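Link translation as a response filter, as an added Python example (not TMG code). It rewrites internal names in redirect headers and in text bodies, and shows why the dictionary has to be matched longest name first. The internal host names (`sp01`, `sp01.corp.local`, `mail01.corp.local`), the public names and the sample response are constructed.

```python
"""Link translation for a TMG Web publishing rule.

Added example, not TMG code: a reverse proxy response filter that rewrites the
published server's internal names to the public names in redirects and in
text content. The dictionary entries and the sample response are constructed.
"""
import re

# Internal name as the published server emits it -> public name the client should see.
# Entries may also carry a path, which covers the rule's path mapping (e.g. /exchange -> /owa).
LINK_DICTIONARY = {
    "http://sp01.corp.local": "https://sharepoint.company.com",
    "http://sp01": "https://sharepoint.company.com",
    "http://mail01.corp.local/exchange": "https://exchange.company.com/owa",
}

# Content types the filter rewrites (assumption modelled on TMG's text-only list); binary bodies are left alone.
TRANSLATED_TYPES = ("text/html", "text/css", "application/javascript", "application/x-javascript")


def build_translator(dictionary: dict):
    # Longest key first, so "http://sp01.corp.local" is not eaten by the shorter "http://sp01",
    # which would leave a dangling ".corp.local" in the rewritten link.
    keys = sorted(dictionary, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(k) for k in keys))
    return lambda text: pattern.sub(lambda m: dictionary[m.group(0)], text)


def translate_response(status: int, headers: dict, body: str, dictionary: dict = LINK_DICTIONARY):
    """Return (status, headers, body) with internal names replaced by public ones."""
    translate = build_translator(dictionary)
    out = dict(headers)
    if "Location" in out:                       # redirects leak internal names just like links do
        out["Location"] = translate(out["Location"])
    ctype = out.get("Content-Type", "").split(";")[0].strip()
    if ctype in TRANSLATED_TYPES:
        body = translate(body)
        out["Content-Length"] = str(len(body.encode("utf-8")))   # the body length changed
    return status, out, body


# Constructed response from the internal SharePoint server
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Content-Length": "0"}
SAMPLE_BODY = ('<a href="http://sp01.corp.local/sites/hr">HR</a> '
               '<a href="http://sp01/Docs/policy.aspx">Policy</a> '
               '<a href="http://mail01.corp.local/exchange/alice">Mail</a>')

if __name__ == "__main__":
    print(translate_response(200, SAMPLE_HEADERS, SAMPLE_BODY)[2])
```

Besides keeping links working, translating the `Location` header and the body stops the published server's internal host names from being disclosed to Internet clients, which is the information-leak that link translation is usually enabled to close.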
Lesson 4 – Virtual Private Networking (VPN) Connectivity
Forefront TMG Virtual Private Networking (VPN)
TMG 2010 supports two types of VPN: remote access VPN and site-to-site VPN
TMG 2010 implements Windows Server 2008 VPN technology, including support for Secure Socket Tunneling Protocol (SSTP) and Network Access Protection (NAP)
Secure Socket Tunneling Protocol (SSTP)
SSL-based VPN protocol, new in Windows Server 2008
Uses an HTTPS session (TCP 443) between VPN client and server to exchange encapsulated IPv4 or IPv6 packets, so it traverses firewalls and unauthenticated Web proxies that allow outbound HTTPS
Supports Network Access Protection (NAP)
Client support in Windows Vista SP1 and later; no plans to backport SSTP to previous Windows versions
Network Access Protection (NAP): Windows Policy Validation and Enforcement Platform
Policy validation: determines whether computers are compliant with the company's security policy; compliant computers are deemed healthy
Network restriction: restricts the network access of computers based on their health
Remediation: provides the updates needed for a computer to become healthy; once healthy, the network restrictions are removed
Ongoing compliance: changes to the company's security policy or to a computer's health may dynamically result in network restrictions
NAP Support in Forefront TMG 2010
Enforces compliance and provides remediation for clients connecting remotely through remote access VPN
Supports all VPN protocols, including SSTP
A different solution from the Remote Access Quarantine Service (RQS) supported in ISA Server 2006
NAP validates the health status of the remote client at connection time
VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network
(diagram) The VPN client connects to Forefront TMG 2010, which acts as RADIUS client of the Network Policy Server; System Health Servers send ongoing policy updates to the Network Policy Server; the remediation servers sit in the restricted network 10.10.10.0/24, separate from the corporate network
RADIUS Access-Accept for a non-compliant client: "According to policy, the client is not up to date. Quarantine client. Restrict client to 10.10.10.0/24"
RADIUS Access-Accept for a compliant client: "According to policy, the client is up to date. Grant access, no filters"
NAP with Forefront TMG Walkthrough (diagram)
1. VPN session request from the client, carried in EAP messages: "Can I please have access to the network?"
2. EAP Request/Identity from the server; EAP Response/Identity from the client
3. EAP Request/Start: the server asks the client to send its SoH
4. The VPN QEC queries the NAP Agent for the SoHs of the SHAs
5. PEAP message from the client: "Here is my SoH"
6. PEAP message from the server with the SoH responses, state: Quarantine
7. The VPN QEC passes the SoH responses back to the NAP Agent
8. The unhealthy SHA performs remediation against the remediation servers: "Here is the fix you need"
9. The NAP Agent collects a new SoH and passes it to the VPN QEC
10. PEAP message from the client: "Here is my SoH"
11. PEAP message from the server with the SoH responses, state: Full Access
NAP Components (diagram)
Health components:
System Health Agents (SHA): declare health (patch state, virus signatures, system configuration, etc.)
System Health Validators (SHV): certify the declarations made by the health agents
System Health Servers: define the health requirements for system components on the client and send health policy updates to the Network Policy Server
Remediation Servers: install the necessary patches, configurations and applications to bring clients to a healthy state
Enforcement components:
Quarantine Enforcement Clients (QEC): negotiate access with the network access device(s); DHCP, VPN, 802.1X and IPsec QECs
Health Registration Authority: issues certificates to clients that pass the health checks
Platform components:
Quarantine Agent (QA): reports client health status and coordinates between the SHAs and the QECs
Quarantine Server (QS, part of the Network Policy Server): restricts the client's network access based on what the SHVs certify
Network Access Devices (here Forefront TMG 2010): provide network access to healthy endpoints
Flows in the diagram: health statements and network access requests go from the client to the network access device; the Network Policy Server returns the health result; health policy updates arrive from the System Health Servers
Comparing NAP to RQS/RQC
Remote Access Quarantine Service (RQS) and Remote Access Quarantine Client (RQC):
Supports all versions of Windows
Requires configuration of scripts for policy evaluation and remediation
Requires the use of Connection Manager
Supports only remote access (VPN or dial-up) connections
Network Access Protection (NAP):
Supports Windows XP Service Pack 3 or newer operating systems
Requires System Health Agents (SHAs) for policy evaluation and remediation
Supports any kind of network connection, with no requirement for Connection Manager
Both methods are supported by Forefront TMG 2010
Configuring Forefront TMG with NAP
1. Install the Windows Server 2008 or Windows Server 2008 R2 Network Policy Server (NPS) role, preferably on a separate server from Forefront TMG 2010
2. Configure Forefront TMG 2010 as a RADIUS client of the NPS server
3. Configure remote access policies on the NPS server: configure System Health Validators (SHVs) and health policies, create network policies, create connection request policies, define remediation servers
4. Configure the NAP clients: enable the NAP service and the EAP quarantine enforcement client, configure the SHAs
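The health evaluation behind the walkthrough and the NPS policy configured in the steps above, as an added Python model (not NPS or TMG code). The SHV checks and their thresholds are constructed; the quarantine filter that confines the client to 10.10.10.0/24 and the Quarantine / Full Access states follow the deck's diagrams.

```python
"""NAP health evaluation for a VPN client connecting through Forefront TMG.

Added example, not NPS/TMG code. It models the deck's walkthrough: SHVs on the
Network Policy Server certify the client's Statement of Health (SoH); an
unhealthy client gets Access-Accept with IP packet filters that confine it to
the restricted network 10.10.10.0/24, remediates, sends a new SoH and is then
granted full access. The health checks and thresholds are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RESTRICTED_NET = "10.10.10.0/24"        # remediation servers live here (from the deck)


@dataclass(frozen=True)
class SoH:
    """What the client's System Health Agents declare."""
    firewall_enabled: bool
    av_signature_age_days: int
    missing_critical_updates: int


# System Health Validators: each certifies one declaration -> (healthy, remediation hint)
def firewall_shv(soh):
    return soh.firewall_enabled, "enable the host firewall"


def antivirus_shv(soh):
    return soh.av_signature_age_days <= 3, "update antivirus signatures"


def update_shv(soh):
    return soh.missing_critical_updates == 0, "install critical updates"


SHVS = (firewall_shv, antivirus_shv, update_shv)


def evaluate(soh: SoH):
    """NPS health policy. Returns (state, filters, soh_responses); the filters travel
    to TMG in the RADIUS Access-Accept and are applied to the VPN connection."""
    responses = [(shv.__name__, *shv(soh)) for shv in SHVS]
    if all(ok for _, ok, _ in responses):
        return "full_access", [], responses          # no filters
    filters = [("permit", RESTRICTED_NET), ("deny", "0.0.0.0/0")]
    return "quarantine", filters, responses


def packet_allowed(filters, dst_ip: str) -> bool:
    """First-match evaluation of the per-connection IP packet filters."""
    for action, net in filters:
        if ip_address(dst_ip) in ip_network(net):
            return action == "permit"
    return True                                      # empty filter list = unrestricted


# Fix each failing SHA applies after talking to the remediation servers
FIXES = {
    "firewall_shv": lambda s: replace(s, firewall_enabled=True),
    "antivirus_shv": lambda s: replace(s, av_signature_age_days=0),
    "update_shv": lambda s: replace(s, missing_critical_updates=0),
}


def remediate(soh: SoH, responses) -> SoH:
    for name, ok, _hint in responses:
        if not ok:
            soh = FIXES[name](soh)
    return soh


def connect(soh: SoH):
    """Walk the exchange: SoH -> SoH responses -> (quarantine, remediate, new SoH) -> result.
    Returns the list of states seen and the filters in force at the end."""
    states = []
    state, filters, responses = evaluate(soh)
    states.append(state)
    if state == "quarantine":
        # While quarantined only the restricted network is reachable; the client
        # fetches its fixes there, then presents a fresh SoH.
        soh = remediate(soh, responses)
        state, filters, responses = evaluate(soh)
        states.append(state)
    return states, filters
```

The point to notice is that enforcement never depends on the client's own word: the SoH is a claim, the SHVs on NPS decide, and the only thing TMG acts on is the filter list in the Access-Accept, which is why the restricted network must contain everything a remediating client needs and nothing else.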
Questions
Lab 3: Remote Access Gateway Lab
In this lab, you will use Web publishing to publish Exchange Web services
Lab 3, Exercise 6. Estimated completion time: 45 min
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.