Mohit Saxena
Sr Technical Lead
Microsoft Corporation
SEC 380
Secure Web Gateway (SWG)
Web Client Protection Scenario
HTTP Malware Inspection
HTTPS Traffic Inspection
URL Filtering
HTTPS Traffic Inspection
Diagram: on the client side the Contoso.com certificate is signed by TMG; on the Internet side the Contoso.com certificate is signed by VeriSign.
• Proxy certificate generation/import and customization
• Exclusion list (Validate only option)
• Logging support
• Web Access Wizard integration
• Deployment options (via Group Policy or via Export)
• Client notifications about HTTPS inspection (via Firewall Client)
• Certificate validation (revocation, trust, expiration validation, ...)
Microsoft Confidential
URL Filtering Topology
Example URL: www.contoso.com/somepath/anotherpath
Lookup keys (least specific first):
• com
• contoso.com
• www.contoso.com
• www.contoso.com/somepath
• www.contoso.com/somepath/anotherpath
Category data:
• com – unknown
• contoso.com – “general business”
• www.contoso.com – unknown
• www.contoso.com/somepath – “gambling” (not inherited)
• www.contoso.com/somepath/anotherpath – “phishing”
Resulting categories for the URL:
• Phishing
• General business
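A worked illustration of the lookup order sketched above, added here as an example and not TMG's own code: the URL is split into host suffixes and path prefixes, each key is looked up in a constructed category table, and a category attached to a shorter key applies to a longer URL only when the table marks it as inherited. The table contents, the `inherited` flag and the most-specific-first ordering of the result are assumptions made for the example; the slide itself only says that “gambling” on /somepath is not inherited.

```python
from urllib.parse import urlsplit

# Constructed category table for the example: key -> (category, inherited_by_longer_keys).
# Keys that are absent (e.g. "com", "www.contoso.com") are "unknown", as on the slide.
CATEGORY_DB = {
    "contoso.com": ("general business", True),
    "www.contoso.com/somepath": ("gambling", False),   # "(not inherited)" on the slide
    "www.contoso.com/somepath/anotherpath": ("phishing", True),
}


def lookup_keys(url: str) -> list:
    """Keys checked for a URL, least specific first: host suffixes
    (com, contoso.com, www.contoso.com), then path prefixes on the full host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    segments = [s for s in parts.path.split("/") if s]
    for depth in range(1, len(segments) + 1):
        keys.append(host + "/" + "/".join(segments[:depth]))
    return keys


def categorize(url: str, db=CATEGORY_DB) -> list:
    """Categories that apply to the URL, most specific first.
    An exact key match always applies; a shorter key applies only if marked inherited."""
    keys = lookup_keys(url)
    result = []
    for position, key in reversed(list(enumerate(keys))):
        entry = db.get(key)
        if entry is None:
            continue  # unknown key: contributes nothing
        category, inherited = entry
        is_exact = position == len(keys) - 1
        if (is_exact or inherited) and category not in result:
            result.append(category)
    return result


if __name__ == "__main__":
    for u in ("www.contoso.com/somepath/anotherpath", "www.contoso.com/somepath",
              "www.contoso.com", "example.com"):
        print(u, "->", categorize(u) or ["unknown"])
```

Running it shows why the "not inherited" flag matters: the full URL is classified phishing plus general business (inherited from contoso.com), while www.contoso.com/somepath itself is gambling plus general business; an allow/deny rule keyed on the gambling category would therefore not fire for the deeper path.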
URL category usage
URL category information is used for:
• Rules (allow/deny rules according to category)
• Log
• EMP exclusion list
• HTTPS exclusion list
MRS – Microsoft Reputation Services
Aggregate reputation data from multiple vendors
“In the cloud” delivery service to return reputation data
Use telemetry in order to improve data accuracy
Diagram: MRS aggregates data from IE Security, iFilter and Marshal 8e6.
Data Quality
Currently URLF data comes from:
• iFilter
• IE security data
• Marshal8e6
Caching
• Stored at ISA_INSTALL_DIR\UrlFiltering\UrlfCache.bin
• Read when the service starts
• Persisted when the service goes down
• If erased, the service starts with an empty cache
• Max size is 200 MB
What is included in RC
Change protocol with MRS
Will improve the cache hit ratio of unknowns
Will decrease network overhead
Telemetry package
Collect URL samples
Collect user overrides list
Collect coverage data
Alerts
Diagnostic Logging
Licensing
Feature Overview
High availability of Internet connectivity: ensure Internet connectivity is not lost even when one Internet service provider (ISP) is down
Scenarios:
• Failover: use a pay-by-traffic connection as backup; the backup link should be used only when the primary link is unavailable
• Load balancing: use a fixed-price connection; use the aggregated links to mutually back up each other in cases where one of the ISPs loses Internet connectivity
How does ISP-R work
• Administrator identifies the two ISP gateways
• Organization signs up with two different ISP links; an ISP link is identified by the ISP gateway and the gateway subnet
• This enables TMG to support array configuration, since it doesn’t require a per-server configuration. This implies each server should have an external local IP on each of the gateways’ subnets.
• TMG Server uses the ISP subnet information to direct traffic to each of the ISPs
Points to Remember
• ISP Redundancy configuration is only supported on the “Default External” network
• We assume the feature is used for high availability to the Internet
• The existing wizard is mainly targeted for a configuration in which each ISP has a dedicated NIC on the TMG server
• Requires 2 subnets on the external NIC for it to function
• Needs a unique IP address on the external NIC
• A default route to each ISP must exist
• Only works for NAT relationships
How Routing is Enforced
Routing Enforcement
Enforces that the ISP routes are used instead of default TCP/IP routing.
ISP routing configuration is implemented in 2 phases:
Phase 1: When a new connection is established, TMG chooses the link which will be used for the new connection. The new connection uses the NAT address associated with the ISP link. TMG takes into account:
• Link availability
• Stickiness (client-server traffic will prefer reuse of the same link)
Phase 2: At the NDIS (L2) layer TMG enforces the routing to the associated link (overriding TCP/IP routing decisions).
This implies ISP Redundancy is supported only for NAT relationships. Local host traffic will not benefit from ISP Redundancy; this is problematic mainly for integration with SMTP Edge protection.
HTTP traffic is intercepted by the proxy (which enforces NAT). As a result, HTTP traffic will benefit from ISP Redundancy.
Link Availability
• Uses root DNS servers to verify the Internet connection
• Tries a UDP connection to port 53
• Round-robins the root DNS servers
• High/Low watermarks are used to assure stability periods
• It’s possible to configure other servers via scripting.
ISP Link Availability Testing
• Time between consecutive link polls – 60 sec
• Time period TMG waits once a link is down – 300 sec
• Number of tries to check for failure or success – 3
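The link-availability test described above, reconstructed as an added example (not TMG's implementation): a UDP/53 probe that rotates through root-server names, and a per-link monitor that applies the 60 s / 300 s / 3-tries values from the slide. The probe function, the root-server hostnames used and the exact watermark semantics (a link changes state only after 3 consecutive probes that contradict its current state) are assumptions made for the example; the slide gives only the three timer values and the fact that watermarks are used to avoid flapping.

```python
import itertools
import socket
from dataclasses import dataclass

# Timer values taken from the slide.
POLL_INTERVAL_SEC = 60   # time between consecutive link polls
DOWN_WAIT_SEC = 300      # time TMG waits once a link is down before re-testing
TRIES = 3                # consecutive probes needed to declare failure or success

# Real root-server hostnames; the probe rotates through them (round robin).
ROOT_SERVERS = itertools.cycle(["a.root-servers.net", "b.root-servers.net", "c.root-servers.net"])


def probe_udp53(server: str, timeout: float = 2.0) -> bool:
    """Send a minimal DNS query (NS records for the root zone) over UDP/53 and
    report whether a reply carrying the same transaction ID comes back."""
    query = (b"\x12\x34"                              # transaction ID
             b"\x01\x00"                              # flags: standard query, RD=1
             b"\x00\x01\x00\x00\x00\x00\x00\x00"      # QDCOUNT=1, AN/NS/AR=0
             b"\x00"                                  # QNAME: root "."
             b"\x00\x02\x00\x01")                     # QTYPE NS, QCLASS IN
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(512)
    except OSError:          # timeout, unreachable network, name resolution failure
        return False
    return len(data) >= 12 and data[:2] == query[:2]


@dataclass
class LinkMonitor:
    """Availability state of one ISP link with watermark-style hysteresis
    (assumed semantics: the state flips only after TRIES consecutive contrary probes)."""
    name: str
    available: bool = True
    contrary_streak: int = 0

    def record(self, probe_ok: bool) -> bool:
        """Feed one probe result and return the link state after applying it."""
        if probe_ok == self.available:
            self.contrary_streak = 0          # result agrees with current state
        else:
            self.contrary_streak += 1
            if self.contrary_streak >= TRIES:
                self.available = probe_ok     # watermark reached: flip state
                self.contrary_streak = 0
        return self.available

    def next_poll_delay(self) -> int:
        """Seconds until the next probe: 60 while up, 300 once the link is down."""
        return POLL_INTERVAL_SEC if self.available else DOWN_WAIT_SEC


def replay(results) -> list:
    """Feed a constructed sequence of probe outcomes to a fresh monitor and
    return the link state after each one."""
    mon = LinkMonitor("ISP-1")
    return [mon.record(ok) for ok in results]


def poll_once(mon: LinkMonitor) -> bool:
    """One live poll cycle: probe the next root server and update the monitor."""
    return mon.record(probe_udp53(next(ROOT_SERVERS)))


if __name__ == "__main__":
    # Constructed probe outcomes: two isolated failures, then a real outage, then recovery.
    sample = [True, False, False, True, False, False, False, True, True, True]
    print(replay(sample))
```

The replay shows the stability behaviour the watermarks are for: two lost probes in a row do not take the link down, a third consecutive loss does, and the link is only declared up again after three consecutive successful probes, so a flapping upstream does not cause TMG to move connections back and forth.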
Troubleshooting Scenarios
• ISP Redundancy misconfiguration – 2 separate subnets for each ISP
• 2 local IPs on the external network, one associated with each ISP
• A default route to the external network must exist
• ISP Redundancy is only functional for NAT relationships
• Testing from the local host will not work, and an admin may fail to understand why.
Feature Overview
‘Small’ enhancement for the NAT network rule definition to enable specifying the NAT address which should be used. Targets scenarios in which the NAT address is important:
• Publishing multiple SMTP servers (not via Edge Protection)
• IP-based paid services
Highly requested by many customers
SMTP Scenario
Diagram labels: HELO SMTP.DX.COM; SMTP.DX.COM; 100.100.100.100
SMTP Scenario – ISA Server 2006
Diagram labels: HELO SMTP.DY.COM; SMTP.DY.COM; 200.200.200.200
SMTP Scenario – TMG
Diagram labels: HELO SMTP.DY.COM; SMTP.DY.COM; 200.200.200.200
Feature Components
Configuration:
• An additional tab for NAT relationship configuration
• Enables configuring a default IP, a single IP or multiple IPs
Core integration:
• Supports kernel/user mode data pumps
• Interops with application filters
• NLB integration – supported only for TCP/UDP
Resources
• Microsoft Forefront TMG Administrator’s Companion
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources
Related Content
Breakout Sessions
• Beyond the Perimeter - Evolving from a Firewall to a UTM Solution (SEC354)
• Forefront Protection Manager 2010: Integrated Monitoring, Investigation and Protection (SEC375)
• TMG with Forefront codename "Stirling": Integrated Security (SEC343)
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.