WEB APPLICATION PROXY VS. TMG

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | [email protected] | www.sevecek.com |


Page 1: Web Application Proxy vs. TMG

WEB APPLICATION PROXY VS. TMG

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | [email protected] | www.sevecek.com |

Page 2: Web Application Proxy vs. TMG

THREAT MANAGEMENT GATEWAY VS. WAP

Web Application Proxy

Page 3: Web Application Proxy vs. TMG

Threat Management Gateway

- Forward HTTP/S proxy: Kerberos SSO authentication, user/group based rules and logging, HTTPS inspection
- Reverse HTTP/S proxy: TLS/SSL endpoint, HTTPS inspection, Basic, Forms, TLS certificate and AD FS authentication, Kerberos constrained delegation
- Stateful firewall: IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP

Page 4: Web Application Proxy vs. TMG

Web Application Proxy

- Forward HTTP/S proxy: Kerberos SSO authentication, user/group based rules and logging, HTTPS inspection
- Reverse HTTP/S proxy: TLS/SSL endpoint, HTTPS inspection, Basic, Forms, TLS certificate and AD FS authentication, Kerberos constrained delegation
- Stateful firewall: IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP

Page 5: Web Application Proxy vs. TMG

[Diagram: TMG forward proxy. Components shown: several HTTP/S clients (one behind NAT), the TMG proxy, a DC, and the HTTP/S server being accessed.]

Page 6: Web Application Proxy vs. TMG

[Diagram: TMG/WAP reverse proxy. Browser and GUI HTTP/S clients reach the published servers (Exchange OWA, Web, CRM, SharePoint) through TMG behind NAT; a DC is shown on the internal side; four TLS certificates are marked on the published endpoints.]

Page 7: Web Application Proxy vs. TMG

[Diagram: Perimeter authentication + auth. forwarding. Same topology as the reverse proxy diagram: browser and GUI HTTP/S clients, TMG behind NAT, DC, and the published Exchange OWA, Web, CRM and SharePoint servers; the client is authenticated at the perimeter and the authentication is forwarded to the back end.]

Page 8: Web Application Proxy vs. TMG

TLS client certificate authentication

- TLS session establishes first
- Without client certificate no HTTP inside
- No password guessing
- Certificates mapped to user accounts

Page 9: Web Application Proxy vs. TMG

REMOTE ACCESS COMPARED

Web Application Proxy

Page 10: Web Application Proxy vs. TMG

Network Access Technologies

- VPN: SMB/SQL/LDAP/DCOM sensitive to RTT
- Remote Desktop: no clipboard, no file proliferation, limited malware surface
- 802.1x WiFi or Ethernet: no encryption, authorization only
- DirectAccess: GPO managed IPSec tunnel over IPv6
- Web Application Proxy: HTTPS reverse proxy for web applications

Page 11: Web Application Proxy vs. TMG

[Diagram: VPN Scenario. Components shown: VPN client, NAT, VPN Gateway, RADIUS, DC, FS, SQL, SharePoint, RDP.]

Page 12: Web Application Proxy vs. TMG

[Diagram: DA Scenario. Components shown: DA client, NAT, DA Server, RADIUS, DC, FS, SQL, SharePoint, RDP.]

Page 13: Web Application Proxy vs. TMG

[Diagram: RDP Scenario. Components shown: RDP client, NAT, RDP Gateway, RADIUS, DC, FS, SQL, SharePoint, and several internal workstations (Wks) reached over RDP.]

Page 14: Web Application Proxy vs. TMG

[Diagram: 802.1x WiFi Scenario. Components shown: WiFi client, WiFi AP, RADIUS, DC, FS, SQL, SharePoint, RDP.]

Page 15: Web Application Proxy vs. TMG

[Diagram: 802.1x Ethernet Scenario. Components shown: workstations (Wks), printer, switch, RADIUS, DC, FS, SQL, SharePoint, RDP.]

Page 16: Web Application Proxy vs. TMG

[Diagram: WAP Scenario. Components shown: browser or GUI client, NAT, Web Application Proxy with AD FS Proxy, AD FS, DC, and the published Exchange, Lync, SharePoint and Web servers.]

Page 17: Web Application Proxy vs. TMG

VPN Compared

Protocol | Transport | Client | RRAS Server | Server Requirements
PPTP | TCP 1723, IP GRE | MS-DOS and newer | NT 4.0 and newer | -
L2TP | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer | IPSec certificate (public name), public IP; IPSec machine certificate
SSTP | TCP 443 TLS | Vista/2008 and newer | 2008 and newer | TLS certificate (public name)
IKEv2 | UDP 500, 4500, IP ESP | 7/2008 R2 and newer | 2008 R2 and newer | IPSec certificate (public name), public IP; IPSec machine certificate

Page 18: Web Application Proxy vs. TMG

VPN Compared

Protocol | Transport | Client | RRAS Server | Server Requirements
RD Gateway | TCP 443 TLS | RDP Client 6.0 and newer | 2008 and newer | TLS certificate (public name)
DirectAccess | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6-to-4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer | IPSec certificate, TLS certificate (public name); IPSec machine certificate
Web Application Proxy | HTTPS | web browser, GUI web client (Office) | 2012 R2 and newer, WAP and AD FS server | TLS certificate (public name); TLS certificate for AD FS public name

Page 19: Web Application Proxy vs. TMG

WEB APPLICATION PROXY

Web Application Proxy

Page 20: Web Application Proxy vs. TMG

[Diagram: Names and certificates. Browser or GUI client, NAT, Web Application Proxy with AD FS Proxy, AD FS, DC, SharePoint and Web. SharePoint is addressed internally as http://intranet and published externally as https://intranet.gopas.cz; AD FS is reached as https://adfs.gopas.cz both from outside (through the AD FS Proxy on the WAP) and from inside.]

Page 21: Web Application Proxy vs. TMG

[Diagram: Service accounts. Same topology (browser or GUI client, NAT, Web Application Proxy with AD FS Proxy, AD FS, DC, SharePoint, Web). Service accounts labelled in the diagram: sp-intranet-web, Network Service, svc-adfs, Network Service.]

Page 22: Web Application Proxy vs. TMG

[Diagram: Windows authentication with passwords - overview. Browser or GUI client, NAT, Web Application Proxy with AD FS Proxy, AD FS, DC, SharePoint, Exchange. Message labels: Forms, Basic POST, Cookie, Kerberos.]

Page 23: Web Application Proxy vs. TMG

[Diagram: Windows authentication with passwords - #1. Same topology; the client's first request to the published application is answered with Redirect 307.]

Page 24: Web Application Proxy vs. TMG

[Diagram: Windows authentication with passwords - #2. Same topology; the client authenticates to AD FS through the AD FS Proxy with Forms or Basic POST.]

Page 25: Web Application Proxy vs. TMG

[Diagram: Windows authentication with passwords - #3. Same topology; AD FS issues Claims and the client is sent back with Redirect 302.]

Page 26: Web Application Proxy vs. TMG

[Diagram: Windows authentication with passwords - #4. Same topology; message labels: Claims (presented to the Web Application Proxy), Kerberos (proxy to back end), Cookie.]

Page 27: Web Application Proxy vs. TMG

[Diagram: Windows authentication with passwords - #5. Same topology; the back end answers 200 OK, which is returned to the client together with a Cookie.]
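The five-step flow above (AD FS pre-authentication at the Web Application Proxy, claims handed back to the proxy, Kerberos constrained delegation to the back end, session cookie to the client) is what a WAP publishing rule and its supporting AD objects set up. The following PowerShell is an added example, not taken from the slides; it reuses the names from the diagrams (http://intranet, https://intranet.gopas.cz, sp-intranet-web) and assumes a WAP computer account named WAP01, a relying party named Intranet, and a certificate for intranet.gopas.cz already installed in the machine store.

```powershell
# Added example (not from the slides). Assumed names: WAP01 (WAP computer
# account), Intranet (relying party), sp-intranet-web (SharePoint app-pool
# account); the URLs come from the diagrams.

# --- On the AD FS server: register the non-claims-aware relying party that
#     WAP will pre-authenticate against (permit everyone who authenticates) ---
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'Intranet' `
    -Identifier 'https://intranet.gopas.cz/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- In Active Directory: the SPN must live on the account that runs the
#     SharePoint web application pool (sp-intranet-web), not on the server ---
Set-ADUser -Identity 'sp-intranet-web' -ServicePrincipalNames @{ Add = 'HTTP/intranet' }

# --- In Active Directory: let the WAP computer account obtain a Kerberos
#     ticket for that SPN on behalf of the pre-authenticated user
#     (protocol transition + constrained delegation, limited to one SPN) ---
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/intranet' }

# --- On the WAP server: publish http://intranet as https://intranet.gopas.cz
#     with AD FS pre-authentication and KCD to the back end ---
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object Subject -like '*intranet.gopas.cz*').Thumbprint
Add-WebApplicationProxyApplication -Name 'Intranet' `
    -ExternalPreauthentication ADFS `
    -ExternalUrl 'https://intranet.gopas.cz/' `
    -ExternalCertificateThumbprint $thumb `
    -BackendServerUrl 'http://intranet/' `
    -ADFSRelyingPartyName 'Intranet' `
    -BackendServerAuthenticationSPN 'HTTP/intranet'

# Verify: the rule must show ADFS pre-authentication and the back-end SPN,
# otherwise the proxy falls back to pass-through and no KCD takes place.
Get-WebApplicationProxyApplication -Name 'Intranet' |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, BackendServerAuthenticationSPN
```

Because delegation is restricted to HTTP/intranet, a compromised proxy can only obtain tickets for that one service; review msDS-AllowedToDelegateTo on the WAP computer account periodically for additions.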

Page 28: Web Application Proxy vs. TMG

[Diagram: Windows authentication with TLS client certificate. Same topology (browser or GUI client, NAT, Web Application Proxy with AD FS Proxy, AD FS, DC, SharePoint, Exchange); the TLS client certificate is presented to AD FS over TCP 49443 (through the AD FS Proxy and again to the internal AD FS); remaining message labels: Kerberos, Cookie.]

Page 29: Web Application Proxy vs. TMG

[Diagram: Claims authentication. Same topology; message labels: Forms, Basic POST, TLS Client Certificate, Claims, Cookie, Cookie + Claims.]

Page 30: Web Application Proxy vs. TMG

LONG JOURNEY?

Web Application Proxy

Page 31: Web Application Proxy vs. TMG

Long journey yet?

- Basic only with pass-through
- deprecated since AD FS 2.0
- no Basic fallback (GUI clients)
- No selection intranet/extranet
- No persistent cookies
- always the web page regardless of client (GUI)
- AD FS native support since Exchange 2013 SP1
- AD FS native support since SharePoint 2010
- no WebDAV support
- No inspection