4. TMG 2010 and UAG 2010

TMG 2010 and UAG 2010 for publishing web applications

4. TMG 2010 and UAG 2010 – TMG and UAG seminar at Microsoft (Rome)

Transcript of 4. TMG 2010 and UAG 2010

Page 1: 4. TMG 2010 and UAG 2010

TMG 2010 and UAG 2010 for publishing web applications

Page 2

TMG - Remote Access Gateway

Page 3

Forefront Unified Access Gateway – The Basics

Forefront UAG is fundamentally a router. It has an external side that is the access point for clients connecting from the Internet, and an internal side through which the server fetches data from internal corporate servers. While it is theoretically possible to use the server with a single network card, this option is not supported and will not work for most of UAG's functionality. UAG is designed to enable remote access in two primary roles: application publishing and VPN.

Page 4

Connectivity types – Forefront TMG 2010

Connectivity Method | Goal | Example Usage Scenario
Non-HTTP server publishing | Connectivity to specific internal non-HTTP servers | Access to an internal e-mail (SMTP) server
Web server publishing | Connectivity to internal Web servers | Access to Outlook Web application
Virtual Private Network | Full connectivity to the corporate network | Access for employees connecting from home or at a customer site

Page 5

Forefront TMG 2010 vs. Forefront Unified Access Gateway (UAG) – Product Positioning

Forefront TMG 2010: enables users to safely and productively use the Internet without worrying about malware and other threats.

Forefront UAG: comprehensive, secure remote access to corporate resources.

Forefront UAG is the preferred solution for providing remote access. Forefront TMG 2010 still provides support for remote access features, but it is not the recommended solution.

Page 6

Publishing Non-HTTP Servers

Page 7

Non-HTTP Server Publishing

• Allows mapping requests for non-Web servers in one of the TMG 2010 networks
• Clients can be either on the Internet or on a different internal network
• Can be used to publish most TCP and UDP protocols
• Behavior depends on whether the non-Web server is behind a NAT relationship or not:
  • If behind NAT, clients connect to an IP address belonging to Forefront TMG
  • If behind a route relationship, TMG 2010 listens for requests on the IP address of the non-Web server
• The published server should be configured as a SecureNAT client with a default gateway pointing to TMG 2010

Page 8

Managing publishing ports

Page 9

Publishing internal ports

Page 10

Network Inspection System (NIS) Filters

Page 11

Available wizards (from Firewall Policy Tasks):
• Publish common non-Web protocols
• Publish mail (SMTP) servers

Page 12

Non-HTTP Server Publishing – Things to consider when planning Server Publishing

• No authentication support: access restriction by network elements only (networks, subnets, or IP addresses)
• No support in a single-adapter configuration
• Client source IP address preserved; this behavior can be changed using a rule setting
• Application Layer Filter and NIS signature coverage: SMTP, POP3, DNS, etc.
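Pages 7 and 12 together say when a published non-Web server must be a SecureNAT client. The Python model below is an added illustration, not part of the seminar material or of TMG itself: it encodes that reasoning as a planning check, where the listener address follows the NAT/route relationship and, when the rule preserves the client's source address, replies only traverse TMG if the server's default gateway is TMG. The addresses, the rule and server classes, and the rule attribute names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

TMG_INTERNAL_IP = "10.0.0.1"  # constructed address of TMG's internal interface


@dataclass
class PublishedServer:
    ip: str
    default_gateway: str  # where the server sends replies bound for other subnets


@dataclass
class ServerPublishingRule:
    listener_ip: str            # an address owned by TMG; only used for NAT relationships
    network_relationship: str   # "nat" or "route" between the client and server networks
    preserve_client_source_ip: bool = True  # default: requests appear to come from the client


def listening_address(rule: ServerPublishingRule, server: PublishedServer) -> str:
    """NAT: clients connect to a TMG address. Route: TMG listens on the server's own IP."""
    return rule.listener_ip if rule.network_relationship == "nat" else server.ip


def reply_returns_via_tmg(rule: ServerPublishingRule, server: PublishedServer,
                          tmg_ip: str = TMG_INTERNAL_IP) -> bool:
    """With the client address preserved, the server answers an Internet address and
    only reaches it through its default gateway, so that gateway must be TMG (the
    SecureNAT client requirement). If TMG substitutes its own address as the source,
    the reply is addressed to TMG and the server's gateway does not matter."""
    if not rule.preserve_client_source_ip:
        return True
    return server.default_gateway == tmg_ip


def check_rule(rule: ServerPublishingRule, server: PublishedServer,
               tmg_ip: str = TMG_INTERNAL_IP) -> List[str]:
    """Return the planning problems found for one rule/server pair (empty if none)."""
    findings = []
    if rule.network_relationship not in ("nat", "route"):
        findings.append(f"unknown network relationship {rule.network_relationship!r}")
    if not reply_returns_via_tmg(rule, server, tmg_ip):
        findings.append(
            f"server {server.ip} routes replies via {server.default_gateway}, not TMG "
            f"{tmg_ip}: replies to preserved client addresses bypass TMG; make the server "
            "a SecureNAT client or change the rule's request-source setting to TMG's address")
    return findings


if __name__ == "__main__":
    smtp = PublishedServer(ip="10.0.0.25", default_gateway="10.0.0.254")
    rule = ServerPublishingRule(listener_ip="203.0.113.10", network_relationship="nat")
    print(listening_address(rule, smtp), check_rule(rule, smtp))
```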

Page 13

Web Publishing

Page 14

Web Publishing

• Provides secure access to Web content for users from the Internet
• Web content may be either on internal networks or in a DMZ
• Supports HTTP and HTTPS connections

Forefront TMG 2010 Web Publishing features:
• Mapping requests to specific internal paths on specific servers
• Authentication and authorization of users at the TMG level
• Delegation of user credentials after TMG authentication
• Caching of the published content (reverse caching)
• Inspection of incoming HTTPS requests using SSL bridging
• Load balancing of client requests among Web servers in a server farm

Page 15

Access to Web resources

[Diagram: clients on the Internet connect over HTTPS to Forefront TMG 2010, which forwards to an Exchange Server (OWA, RPC/HTTP(S), ActiveSync), a Web Server and a SharePoint Server over HTTP or HTTPS.]

Forefront TMG 2010 can publish multiple internal Web servers, using multiple external IP addresses and protocols

Page 16

Configuration

1. Define web listeners:
  • IP addresses and ports that will listen for Web requests
  • Authentication method used (client to TMG 2010)
  • Server certificates and SSL options
  • Number of client connections allowed
2. Create other rule elements: source addresses, Web farms, user sets, schedules
3. Run the appropriate wizard

Page 17

Configuring Web Listeners

Page 18

Configuring Web Listeners – Assigning a Certificate to a Web Listener

Showing invalid certificates, flagged as:
• Private key not installed
• Certificate missing

Page 19

SSL traffic management – SSL Bridging

1. The client on the Internet encrypts communications
2. TMG 2010 decrypts and inspects the traffic
3. TMG 2010 sends the allowed traffic to the published server, re-encrypting it if required

Page 20

Authentication process

1. Client credentials received
2 and 3. Credentials validated
4. Credentials delegated to the internal server
5. Server sends response
6. Response forwarded to the client

Page 21

Configuring Web Listeners – Client Authentication Methods

Forms-based authentication:
• Credential types: Username and Password; Username and Passcode; Username, Password and Passcode
• Authentication providers: Active Directory; LDAP server; RADIUS; RADIUS OTP; RSA SecurID
• Fallback to Basic
• Password management

Other authentication methods and their providers:
• Basic: Active Directory, LDAP, RADIUS
• Digest: Active Directory only
• Integrated: Active Directory only

Also shown on the slide:
• Authentication providers: Active Directory only
• Fallback to: Basic, Digest, Integrated

Page 22

Authentication delegation – Authentication Methods

Delegation methods:
• None – client cannot authenticate directly
• None – client can authenticate directly
• Basic authentication
• NTLM authentication
• Negotiate (Kerberos/NTLM)
• Kerberos Constrained Delegation

Kerberos requirements:
• SPN required for Kerberos
• Forefront TMG 2010 needs to be in the same domain as the published server

Page 23

Authentication delegation – Authentication Methods x Delegation Support Matrix

Authentication Method | Authentication Provider | Delegation Method
Basic; Forms-based Authentication (password only) | Active Directory, LDAP, RADIUS | Basic, NTLM, Negotiate (Kerberos/NTLM), Kerberos Constrained Delegation
Forms-based Authentication (passcode only) | SecurID, RADIUS OTP | SecurID, Kerberos Constrained Delegation
Forms-based Authentication (password & passcode) | SecurID, RADIUS OTP | SecurID, Basic, NTLM, Negotiate (Kerberos/NTLM)
Digest; Integrated; Client Certificate | Active Directory | Kerberos Constrained Delegation

The "None, client can authenticate directly" and "None, client cannot authenticate directly" options apply to all methods.

Page 24

Web Publishing Wizards
• Publish Web sites
• Publish SharePoint sites
• Publish Exchange Web client access: Outlook Web Access, Outlook Anywhere, Exchange ActiveSync, Outlook Mobile Access

Microsoft Exchange Server 2003

Page 25

Web Publishing Rules

Page 26

Web Publishing Rules

Define membership of a user group:
• Across different authentication namespaces
• Used for authorization at the Forefront TMG 2010 level

Page 27

Web Publishing Rules

Configure Web rule schedule: define the access hours for the Web site.

Configure link translation: translates internal names in links to the public names of the Web sites.
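Link translation as an added illustration (example code, not TMG's implementation): a reverse proxy that forwards to an internal server by its internal name receives HTML links and redirect headers that carry that internal name, and has to rewrite them to the public name before they reach the client, or the client follows a link it cannot resolve. The mapping, host names and sample response below are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Constructed mapping: internal names the back-end server writes into its links
# -> the public name clients use through the publishing rule.
LINK_MAP: Dict[str, str] = {
    "http://sharepoint.corp.local": "https://portal.example.com",
    "http://sharepoint.corp.local:8080": "https://portal.example.com",
    "http://exch01.corp.local": "https://mail.example.com",
}

# Attributes that carry URLs in HTML; this example rewrites these only.
_URL_ATTR = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)',
    re.IGNORECASE)


def translate_url(url: str, link_map: Dict[str, str] = LINK_MAP) -> str:
    """Swap an internal scheme://host[:port] prefix for its public form.
    Only a whole authority matches: "host" must not rewrite "hostname"."""
    for internal in sorted(link_map, key=len, reverse=True):
        if url == internal or url.startswith(internal + "/"):
            return link_map[internal] + url[len(internal):]
    return url  # relative links and unmapped hosts pass through untouched


def translate_html(body: str, link_map: Dict[str, str] = LINK_MAP) -> Tuple[str, int]:
    """Rewrite URL-bearing attributes; returns (new_body, number_of_links_changed)."""
    changed = 0

    def repl(m) -> str:
        nonlocal changed
        new = translate_url(m.group("url"), link_map)
        if new != m.group("url"):
            changed += 1
        return f"{m.group('attr')}{m.group('q')}{new}{m.group('q')}"
    return _URL_ATTR.sub(repl, body), changed


def translate_headers(headers: Dict[str, str], link_map: Dict[str, str] = LINK_MAP) -> Dict[str, str]:
    """Redirects leak the internal name too: a 302 Location naming the internal
    host sends the client somewhere it cannot reach, so rewrite it as well."""
    out = dict(headers)
    for name in ("Location", "Content-Location"):
        if name in out:
            out[name] = translate_url(out[name], link_map)
    return out


# Constructed sample response, as an internal SharePoint server might emit it.
SAMPLE_HTML = ('<a href="http://sharepoint.corp.local:8080/sites/hr/">HR</a>'
               '<img src="/_layouts/logo.png">'
               '<form action="http://sharepoint.corp.localhost/x">')
SAMPLE_HEADERS = {"Location": "http://sharepoint.corp.local/sites/hr/default.aspx"}

if __name__ == "__main__":
    print(translate_html(SAMPLE_HTML))
    print(translate_headers(SAMPLE_HEADERS))
```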

Page 28

Virtual Private Networking (VPN)

Page 29

Forefront TMG Virtual Private Networking (VPN)

• TMG 2010 supports two types of VPNs: Remote Access VPN and Site-to-site VPN
• TMG 2010 implements Windows Server 2008 VPN technology
• Implements support for Secure Socket Tunneling Protocol (SSTP)
• Implements support for Network Access Protection (NAP)

Page 30

Secure Socket Tunneling Protocol (SSTP) – a new SSL-based VPN protocol

• HTTP over an SSL session (TCP 443) between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets
• Support for unauthenticated Web proxies
• Support for Network Access Protection (NAP)
• Client support in Windows Vista SP1; no plans to backport SSTP to previous versions

Page 31

Network Access Protection (NAP) – Windows Policy Validation and Enforcement Platform

• Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed healthy.
• Network Restriction: restricts network access to computers based on their health.
• Remediation: provides the necessary updates to allow the computer to get healthy. Once healthy, the network restrictions are removed.
• Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

Page 32

NAP Support in Forefront TMG 2010

• Enforces compliance and provides remediation for clients connecting remotely through Remote Access VPN
• Supports all VPN protocols, including SSTP
• A different solution from the Remote Access Quarantine Services (RQS) supported in ISA Server 2006
• NAP validates the health status of the remote client at connection time
• VPN network access limitation is done through IP packet filters applied to the VPN connection; access is limited to resources on the restricted network

Page 33

Unified Access Gateway 2010

Page 34

Features
• SSL VPN
• SSTP
• Remote Desktop Gateway on the UAG itself
• DirectAccess

Page 35

Integrated security
• Overlay granular access control to specific sites and/or features within sites
• Built-in endpoint security policies (integrated with NAP)
• Expanded authentication and authorization capabilities
• Session clean-up and information leakage prevention
• Integrated network security

Page 36

Simplified management
• Simplifies deployment and ongoing tasks through wizards and built-in policies
• Simplifies the user experience, reducing support costs
• Consolidates the remote access infrastructure

Wizard walkthrough (SharePoint):
Step 1: Choose the type of application you wish to publish
Step 2: Provide the internal name of the SharePoint Server and the external name
Step 3: Configure the same external name on your SharePoint server
All done!

Page 37

From IAG to UAG

APPLICATION PUBLISHING
• Granular application filtering
• Session cleanup and removal
• Endpoint health detection

INTEGRATION
• Integrated with NAP policies
• Remote Desktop and RemoteApp integration
• Extends and simplifies DirectAccess deployments

SCALE AND MANAGEMENT
• Built-in load balancing
• Array management capabilities
• Enhanced monitoring and management (SCOM)

[Table: IAG and UAG columns mark six of these features as New and two as Improved; the per-feature markers did not survive extraction.]

Page 38

UAG architecture

[Diagram: remote endpoints (home / friend / kiosk machines, employee-managed machines, mobile devices, business partners / subcontractors) connect from the Internet to UAG over HTTPS (443). UAG authenticates against AD, AD FS, RADIUS, LDAP, etc. and fronts the data center or corporate network: Exchange, CRM, SharePoint, LoB and IBM / SAP / Oracle applications over HTTPS / HTTP, TS / RDS, non-Web applications, and DirectAccess.]

Page 39

Forefront TMG and UAG

• Forefront TMG is installed during Forefront UAG setup
• TMG acts as a firewall protecting the UAG server
• UAG leverages TMG array management and monitoring functionality

Supported Forefront TMG configurations:
• Creating access rules when deploying UAG for VPN access
• Monitoring via the TMG console
• Configuring system policy rules for controlling access to and from the UAG server
• Publishing some Exchange and OCS protocols using TMG

No other Forefront TMG functionality is supported: intrusion prevention, malware inspection, forward and reverse Web proxying, etc.

Page 40

Trunks and Portals

Page 41

Forefront UAG Trunks

• Transfer channels that make internal resources and applications available to remote endpoints
• A Forefront UAG server can have multiple trunks
• Trunks can be either HTTP or HTTPS

Types of trunks:
• Portal trunks: present a Web portal to the user with multiple associated applications and resources
• Active Directory Federation Services (AD FS) trunks: used to publish AD FS servers
• Redirection trunks: redirect HTTP requests to an HTTPS trunk

Page 42

Trunk Settings

The following settings are configured per trunk:
• IP address and port
• Server certificate
• Portal homepage
• Authentication methods
• Session settings
• Endpoint policy requirements
• Traffic inspection
• HTTP compression

Page 43

Forefront UAG User Authentication – Supported Authentication Schemes

Authentication Protocol | Identity Repository
Passthrough (no authentication) | User authenticates directly with the back-end application
Active Directory | Uses Active Directory for authentication and authorization
LDAP | Active Directory, Active Directory Lightweight Directory Services (AD LDS), Netscape Directory Server, Notes Directory Server, Novell Directory Service
LDAP Client Certificate | Authenticates by validating the certificate, then querying an LDAP service for authorization
NT Domain | Windows NT and SAMBA domains
RADIUS | Uses a RADIUS server (such as the Windows Network Policy Server) for authentication
TACACS | Uses a TACACS authentication server (such as NTTacPlus)
RSA SecurID | One-time password (OTP) authentication using the RSA ACE/Server
WinHTTP | Assigns a Web page that requires users to authenticate

Page 44

Creating a Trunk

Use the Create Trunk Wizard:
1. Select trunk type
2. Define host name, IP address, and port
3. Configure authentication servers
4. Select server certificate
5. Select endpoint security policies

Page 45

Types of Application

Once a portal trunk has been set up, be it an HTTP or HTTPS trunk, you can start publishing applications on it. Applications are published using a wizard, which includes approximately 40 types of application templates.

The top-level type list is divided into the following categories of applications:
• Built-in services
• Web (applications)
• Client/Server and Legacy
• Browser-embedded
• Terminal Services and Remote Desktop

Page 46

Forefront UAG Portal

• The portal is the front-end Web application for a portal trunk
• Authenticates users and provides access to the published applications and resources
• Allows users to view, search for, and run applications published by the administrator
• A new application, completely remade for Forefront UAG using Microsoft ASP.NET and AJAX

Page 47

Forefront UAG Portal – Premium PC Interface

Page 48

New features in TMG SP1
• Reporting
• URL Filtering User Override
• Branch Office Support
• Publishing SharePoint 2010