
Topic: Overview of New Features in TMG Beta 2

  
  1. #1
    Real name: 1234
    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Overview of New Features in TMG Beta 2

    Code:
    http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part1.html
    PART-1

    Introduction

    If you missed the news, here it is: the TMG Beta 2 software was recently released to the public! This is a major advance over the Beta 1 version of the TMG, which felt more like ISA 2006 R2. I told you when Beta 1 was released that you should not be disappointed, because you are going to see a lot more when the next beta is released. Microsoft did not disappoint! TMG Beta 2 includes a bevy of new features and functionality that I know you will like.
    In this article series I will provide you a high level overview of some of the major new features included with the TMG Beta 2 firewall. To really get the most out of this series, you will need to be relatively well acquainted with ISA 2006. If you are not an expert on ISA 2006, you can still get some value out of this overview, but keep in mind that I am focusing on the improvements, not all the features included in TMG. To get that information, you will need to get our book when it comes out. You can keep tabs on the progress of our book by visiting http://www.mstmgbook.org.
    After we finish this high level overview series, I will begin a series of deep-dive articles on each of the new features discussed in the overview. Keep in mind that these series are covering the Beta versions of the TMG firewall to help you with your testing of the beta TMG firewall. We will update the articles after the product is released, and make sure to get the book too, so that you will have a broad exposure to the TMG firewall covering all its features, not just the new ones that I will be focusing on.
    Before getting started, be aware that a major new requirement for TMG firewalls is that they must be installed on 64bit versions of Windows Server 2008. The fact that TMG will run on a 64 bit operating system should not be underestimated. A 64bit OS enables you to take advantage of the massive increases in hardware support. Just imagine the speed gains you will see in an 8-way TMG firewall with 16 GB of memory and 10Gbps NICs using the networking improvements seen with the Windows Server 2008 Next Generation TCP/IP stack. Just the improvements in the amount of non-paged pool memory means that resource exhaustion could very well be a thing of the past. This support for 64bit Windows means that performance specs for TMG firewalls going forward have the ability to far outstrip anything you can imagine in comparably based stateful packet and application layer inspection firewalls.
    To give you an idea of the power of 64bit Windows computing, just check out the specs in the table below.

    Figure 1
    The approach I will take in this series (which will probably go three or four parts) will be to look at what is new and improved in each node in the TMG firewall console. You can see each of the nodes included in the left pane of the TMG firewall console in the figure below.

    Figure 2
    The first thing you will notice is that the left pane of the firewall console has been streamlined. Now there is only a single level of sub-nodes under the server or array sub-node. You will also notice that some names of the nodes have been changed and that there are new sub-nodes. The Virtual Private Networks node is now named Remote Access Policy (VPN). New nodes include:

    • Web Access Policy
    • E-mail Policy
    • Intrusion Prevention System
    • System
    • Logs & Reports
    • Update Center

    In the course of the article series we will look at what is new in all the nodes. Let us get started by looking at the array/server node.
    The Array Node

    When you click the array node in the left pane of the TMG firewall console, you will see some new entries in the Tasks tab of the Task Pane on the right side of the console. These new options are:

    • Launch Getting Started Wizard
    • Join Array
    • Connect to Forefront codename Stirling

    You can see these new options in the figure below.

    Figure 3
    The Getting Started Wizard is a new feature included in the TMG Beta 2 firewall. The Getting Started Wizard is first exposed during installation. However, you have the option to run it again if you like by clicking the Launch Getting Started Wizard link in the Tasks tab. Here you can configure network settings, system settings and deployment options. The Getting Started Wizard greatly simplifies some of the grunt work required to get the TMG Beta 2 firewall up and running.

    Figure 4
    A major change seen with the TMG firewall compared to the ISA firewall is that all installations use ADAM based storage, now referred to as Active Directory Lightweight Directory Services in Windows Server 2008. ISA 2006 used Registry based storage for configuration with the Standard Edition of the ISA firewall, while ADAM was used for ISA 2006 Enterprise edition. There will not be a Standard Edition and Enterprise edition of the TMG firewall. There will be a single edition with the same features and capabilities, however there will be different functionality based on whether you attach the TMG firewalls to an Enterprise Management Server (EMS). I will talk about EMS later in this article series.
    When you click the Join Array link, you see the Join Array Wizard. The Join Array Wizard makes it very easy to join a TMG firewall to an array. You will also see something else: a new type of array called a “standalone” array. A standalone array allows you to quickly set up an array of TMG firewalls without requiring an Enterprise Management Server. This is a nice option to have when you do not need to manage multiple arrays and just want to set up a single array for your organization. Of course, if you want the functionality you had with ISA 2006 Enterprise edition, you can deploy an Enterprise Management Server and manage multiple arrays.

    Figure 5
    When you click the Connect to Forefront Codename Stirling link, you will expose the Forefront codename Stirling Integration Wizard. Of course, the name of this wizard will change when Stirling gets its actual name. This wizard will make it easy to connect your TMG firewall or firewall array to the Stirling security management system. If you do not know about Stirling, now is a good time to get started. What Stirling will do is enable you to connect all your Forefront security products so that they can report to Stirling. Stirling then takes the information obtained from each of the Forefront products and enables the use of proactive response policies based on critical security information obtained from each of the Forefront products. Since the TMG firewall is a member of the Forefront security suite, you’ll be able to configure policies that trigger incident response actions when TMG detects a potential threat.

    Figure 6
    The Monitoring Node

    The Monitoring node has seen some improvements. The first thing you will notice is that the System Performance area now works (something that stopped working in ISA 2006). Not only does it work, but it reports new information. Now you will see information that is more useful, such as CPU Usage (Percentage) and Available Memory (Mbytes). While a small change, I think it’s a good and useful one.
    You will also notice some new panes on the Dashboard. The Update Services pane is new, as is the ISP redundancy pane. Here you will see new alerts related to updates to a number of different services, such as the anti-malware for Web and e-mail protection, as well as upcoming updates to the URL filtering database (not available in Beta 2 but will be available in future releases). The ISP redundancy pane will report valuable information such as how long the links have been up, the status of each of your ISP links, and the bytes/sec for each of the links.

    Figure 7
    Click on the Alerts tab in the Monitoring node and click on the Configure Alert Definitions link in the Task Pane. There you will see a tremendous increase in the number of alerts available in the TMG firewall compared to those available in ISA 2006. When you look through all of the alerts, you will find something interesting – the nature and comprehensiveness of these alerts are consistent with what I will call a “behavioral IDS”. Just take a look at them yourself and see what you think. You will be impressed at the wide array of firewall status conditions that are covered by the enhanced alert definitions found in the TMG firewall.

    Figure 8
    Click the Services tab. Here you will see a variety of new services that were not used by the ISA 2006 firewall. Notice the following:

    • SQL Server (ISARS)
    • SQL Server Reporting Services (ISARS)
    • World Wide Web Publishing Service
    • SQL Server Express
    • Forefront TMG Managed Control Service

    Notice that the Remote Access Service is no longer on the list. I am not sure why they removed it. Maybe it appears when you enable VPN, which was not enabled on this machine. SQL Server Express replaces the MSDE database that was used by ISA 2006. One thing you might wonder about is why the World Wide Web Publishing Service is installed on the TMG firewall. This is required for SQL Reporting Services. But do not worry, no one can access the WWW service except the TMG firewall; it’s not accessible to users outside the firewall.

    Figure 9
    Click the Configuration node. This was not available in the ISA 2006 Standard Edition firewall, since configuration information was stored in the Registry. As I mentioned earlier, there are no longer separate editions, and the single edition uses ADAM based storage. On the Configuration tab you will see synchronization status with ADAM (Active Directory LDS).

    Figure 10
    Summary

    In this, part 1 of a multipart series on what’s new and improved with the TMG Beta 2 firewall, we took a look at new and improved features highlighted in the server/array node and the monitoring node. In the second part of this series we will take a look at a number of improvements and new features exposed in the Firewall Policy, Web Access Policy and E-mail Policy nodes. See you soon! –Tom.







  2. #2
    Real name: 1234
    Code:
    http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part2.html
    PART-2

    Introduction

    In part 1 of this series on what’s new in the TMG Beta 2 firewall, we took a look at what’s new and cool in the Array and Monitoring nodes. This week we’ll look at the Firewall Policy and Web Access Policy nodes.
    Firewall Policy Node

    The Firewall Policy node has always been my favorite. Here you create the Access Rules and Publishing Rules that form the heart of the TMG firewall’s functionality. When you click on the Firewall Policy node in the left pane of the console, click the Tasks tab in the Task Pane on the right side of the console. There you will see what appears in the figure below.
    Notice that there are a number of new options and relocation of options that used to be placed in other areas of the firewall console in previous versions of the ISA firewall.


    Figure 1
    One of the new options you see in the Task Pane is the Configure VoIP entry. When you click that link you will see the SIP Configuration Wizard as seen in the figure below. Using the SIP Deployment Wizard, you can configure the TMG firewall to protect an IP PBX that uses the SIP protocol, a feature that wasn’t included in previous versions of the ISA firewall.
    Note in the SIP Configuration Wizard that we support three primary scenarios:

    • External IP PBX
    • Internal IP PBX connected to a PSTN gateway
    • Internal IP PBX connected to an external IP PBX server

    In a future article I will go through the configuration wizard and explain how to use the TMG to protect your SIP PBX deployments.

    Figure 2
    When you click the Configure VoIP Settings link in the Task Pane, you will see the VoIP Settings dialog box. Here you can enable internal SIP clients to register with an external SIP server. Other settings available here are:

    • Default external registration port for SIP
    • Base port for SIP external registration after the default port
    • Number of registration ports for SIP in addition to the default port

    In addition, you can configure SIP Quotas by clicking the Configure SIP Quotas button.
    This will bring up the Flood Mitigation dialog box and land you on the SIP Quotas tab. On the SIP Quotas tab you can configure the following:

    • Global max number of registrations on the filter
    • Max number of registrations for specific IP address
    • Global max number of calls on the filter
    • Max number of calls for specific IP address

    As you probably have gathered at this point, each of these entries is aimed at protecting against flood attacks against the SIP filter.

    Figure 3
    The Web Access Policy Node

    Let us move on to the Web Access Policy node, found in the left pane of the firewall console. Click on the Web Access Policy node and then click the Tasks tab in the Task Pane on the right side of the console. There you will find something that looks very much like what you see in the figure below.
    Given that the Web Access Policy node is all new, you would suspect that all the entries on the Tasks tab for this node would also be all new. In fact, a number of familiar configuration options are now found here, having either been moved from other locations of the firewall console or duplicated here to make them easy to access. These updates to the firewall console are intuitive, since all the tasks found here are related to the Web Proxy filter component and features of the TMG firewall.
    The Configure Web Access Policy link is new. When you click that, the Web Access Policy Wizard will start. In addition, the Configure Malware Inspection and Configure HTTPS Inspection options are also new, as they represent two new feature sets included in the TMG firewall that were not available in previous versions.

    Figure 4
    The figure below shows a page from the Web Access Policy Wizard. The Web Access Policy Wizard enables you to quickly and easily configure Access Rules that apply only to HTTP and HTTPS connections, and then groups them together to make them easier to manage in the totality of firewall policy. At least that’s the design goal. In a future article we will spend a lot of time on the Web Access Policy Wizard and the results of its configuration. At that time I will leave it up to you to determine if the Web Access Policy Wizard makes things easier than configuring Access Rules on your own, or if it makes it more confusing. At this point I am on the fence, and leaning toward feeling that it is easier just to create Access Rules individually and bypass the wizard. YMMV
    Notice in the figure below that the Wizard allows you to create two general types of policy:

    • A simple policy for all Web proxy clients in the organization
    • A customized policy that enables per user, per group and per computer access controls

    Most security minded organizations are going to use the latter option, but I suspect most organizations that are new to the TMG firewall are going to use the former option until they are comfortable with the TMG’s security model. Seasoned ISA firewall pros will probably not use the wizard at all, or will use it first out of curiosity and then go back to creating Access Rules manually. It will be interesting to see how Web Access Rules are created by TMG firewall admins after the product is released later this year.

    Figure 5
    One of the best improvements included with the Forefront TMG firewall is the new malware inspection feature. In previous versions of the firewall, you had to go to a 3rd party to get anti-malware inspection for Web access. No longer! Now it comes built into the TMG firewall. When you click the Configure Malware Inspection link in the Task Pane, you’ll see the Malware Inspection dialog box as seen in the figure below.
    Notice the large number of configuration option tabs available with this new feature:

    • General – here you enable or disable malware inspection and tell TMG how to handle an empty malware inspection engine (TMG is installed without a malware inspection engine; it must be downloaded after the firewall is installed and connected to the Internet)
    • Destination Exceptions – allows you to create a list of sites that are exempt from inspection
    • Source Exceptions – allows you to configure a list of network entities that are exempt from inspection
    • Inspection Settings – allows you to set granular inspection settings, such as blocking encrypted files and blocking “suspicious” files
    • License Details – provides information about the anti-malware licensing on the firewall (details of licensing aren’t settled at this time)
    • Update Configuration – allows you to set the type of automatic update actions and how often to poll for anti-malware updates
    • Storage – TMG creates a folder to temporarily store files for malware inspection, on this tab you can customize the folder location for this activity
    • Content Delivery – allows you to configure standard or fast trickling content and allows you to set content-specific exceptions, such as using download progress notifications instead of the default method (fast or standard trickling) for specific content types and using fast trickling instead of the default method (fast or standard trickling) for the selected content types

    In a future article we will go through all the details of the Malware Inspection dialog box and take a look at some of the features that might not be clear to you, like the differences between fast and standard trickling and the inspection settings.

    Figure 6
    When you click the Configure HTTPS Inspection link you will see the HTTPS Outbound Inspection dialog box. This exposes a long sought after feature – the ability to inspect content hidden inside SSL tunnels. Previous versions of the firewall did not support outbound HTTPS inspection, and you needed the excellent ClearTunnel software from Collective Software to get this level of security (www.collectivesoftware.com). With the TMG Beta 2, this feature is built in. Outbound SSL inspection will allow all of the TMG firewall’s application layer inspection features to be applied to the contents of SSL connections, thus enabling a major improvement in your organization’s security posture.
    There are four tabs:

    • General – here is where you enable outbound SSL inspection and set which CA will issue the certificates generated to impersonate the destination SSL sites
    • Exceptions – here is where you configure sites that are exempt from SSL inspection. These should be trusted sites that you are sure will not contain malware (do such sites exist?)
    • Certificate Validations – here is where you set the certificate validation policy that applies to all clients making SSL connection requests through the TMG firewall; examples include how long to wait to block expired certificates and whether or not you want to check for server certificate revocation.
    • Client Notification – here you set whether or not users are notified that their SSL connections are being inspected. Note that this will require that the Firewall client be installed on the client systems, since this is the vehicle through which the notifications are delivered.

    I will do a very nice deep dive for you on SSL inspection in the near future. In fact, this will be the subject of my presentation at this year’s TechEd – outbound SSL inspection! I expect you to be there so that you can take the quiz.

    Figure 7
    Moving away from the dialog box, if you take a look at the middle pane after creating a Web Access Policy, you’ll see useful information about your Web proxy configuration, such as Web Proxy, Authentication, HTTP Compressions, Malware Inspection, Web Caching and HTTP Inspection status information, as shown in the figure below.

    Figure 8
    Summary

    In this, part 2 of our multipart article series on some of the new and interesting features included in the TMG Beta 2 firewall, we took a look at some of the new options and features exposed in the Firewall Policy and Web Access Policy nodes. In part three, we’ll see what’s new in the E-mail Policy, Intrusion Prevention System and Remote Access Policy (VPN) nodes. Also, remember to register for TechEd 2009 in Los Angeles! I will present on the outbound SSL inspection feature and demo some cool things you can do with it. See you then!
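The four SIP Quotas settings discussed in the Firewall Policy section above (global and per-IP caps on registrations and calls), modelled as a small quota tracker so the flood-mitigation behaviour can be seen on sample traffic. This is an added example, not TMG's code; the quota values, IP addresses and the no-timeout simplification are constructed assumptions.

```python
from collections import defaultdict


class SipQuotaTracker:
    """Enforces the four limits listed on the SIP Quotas tab: a global maximum
    and a per-IP maximum for registrations, and the same pair for calls.
    Simplification (assumption): a registration or call stays counted until it
    is explicitly released; stale entries are not aged out."""

    def __init__(self, global_max_registrations, max_registrations_per_ip,
                 global_max_calls, max_calls_per_ip):
        # (global maximum, per-IP maximum) for each kind of SIP transaction
        self.limits = {
            "registration": (global_max_registrations, max_registrations_per_ip),
            "call": (global_max_calls, max_calls_per_ip),
        }
        self.per_ip = {"registration": defaultdict(int), "call": defaultdict(int)}
        self.totals = {"registration": 0, "call": 0}

    def _acquire(self, kind, ip):
        """Admit one more transaction of `kind` from `ip` unless a quota is reached.
        The global check runs first, so a saturated filter refuses everyone,
        while a single flooding source is stopped earlier by its per-IP cap."""
        global_max, per_ip_max = self.limits[kind]
        if self.totals[kind] >= global_max:
            return False, f"global {kind} quota reached"
        if self.per_ip[kind][ip] >= per_ip_max:
            return False, f"per-IP {kind} quota reached for {ip}"
        self.per_ip[kind][ip] += 1
        self.totals[kind] += 1
        return True, "allowed"

    def _release(self, kind, ip):
        if self.per_ip[kind][ip] > 0:
            self.per_ip[kind][ip] -= 1
            self.totals[kind] -= 1

    def register(self, ip):
        return self._acquire("registration", ip)

    def unregister(self, ip):
        self._release("registration", ip)

    def start_call(self, ip):
        return self._acquire("call", ip)

    def end_call(self, ip):
        self._release("call", ip)


def simulate_registration_flood(tracker, source_ip, attempts):
    """Replay `attempts` REGISTER requests from one source and summarise the
    outcome as (allowed, denied, sorted list of distinct denial reasons)."""
    allowed = denied = 0
    reasons = set()
    for _ in range(attempts):
        ok, reason = tracker.register(source_ip)
        if ok:
            allowed += 1
        else:
            denied += 1
            reasons.add(reason)
    return allowed, denied, sorted(reasons)


if __name__ == "__main__":
    # Constructed quotas, deliberately tiny so the limits are hit quickly.
    t = SipQuotaTracker(global_max_registrations=5, max_registrations_per_ip=3,
                        global_max_calls=4, max_calls_per_ip=2)
    print(simulate_registration_flood(t, "203.0.113.7", 10))  # flooding source
    print(t.register("198.51.100.20"))  # a legitimate phone is still admitted
```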







  3. #3
    Real name: 1234
    Code:
    http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part3.html
    PART-3


    Introduction

    In the first two parts of this multipart series on what’s new and improved in the TMG Beta 2 firewall, we covered features exposed in the Monitoring, Firewall Policy and Web Access Policy nodes. In this, part 3 of the series, we’ll cover what’s available in the E-mail Policy, Intrusion Prevention System, and Remote Access Policy (VPN) nodes.
    E-mail Policy

    One of the most significant improvements in the TMG Beta 2 firewall is the addition of the e-mail protection feature. ISA had a history of providing some level of SMTP protection, such as that included with the SMTP filter and SMTP Message Screener. The SMTP Message Screener was included with the ISA 2004 firewall, but was dropped with the ISA 2006 firewall, in anticipation of a more comprehensive e-mail protection solution that would be part of the upcoming TMG firewall.
    It was worth the wait. With the TMG Beta 2 firewall, you have comprehensive e-mail protection, enabled by both the Exchange Edge server and Forefront Security for Exchange. These two components work in concert to provide robust anti-spam and anti-malware protection. And what is especially nice about integrating these two products into the TMG Beta 2 firewall is that the complexities of configuration are abstracted away from the Forefront and Exchange consoles and bubbled up into the TMG Beta 2 firewall console.
    I guarantee, you are going to like it.
    There is one downside to the e-mail protection feature. With earlier versions of the TMG firewall (prior to Beta 2), the Exchange Edge component was installed with the TMG installation. Because of some licensing issues, you now need to install the Exchange Edge component before you install TMG. In a later article I will go through a detailed explanation of what you need to do to enable comprehensive e-mail protection with TMG and how to configure it in detail.
    Let us get started with the E-Mail Policy node. Click on the node in the left pane of the TMG firewall console.

    Figure 1
    This exposes the middle pane of the console. At the top of the middle pane you will see the status of several features. Before you configure the SMTP protection feature, you will see the following in the status pane at the top of the middle pane of the TMG firewall console:

    • SMTP Protection: Disabled
    • Signature Updates: Enabled
    • Exchange Edge Subscription: Disabled
    • Virus and Content Filtering: Disabled
    • Spam Filtering: Disabled
    • Licenses: Valid until 4/4/2010

    Note:
    For the Beta 2 release of the TMG firewall, the Edge Subscription feature does not work. If you’re working with the Beta 2, do not try to enable Edge Subscription.

    Figure 2
    Let us see what the SMTP setup process is like. In the right pane of the TMG firewall console, click the Configure Server to Server Mail Protection link.

    Figure 3
    This brings up the Welcome to the E-mail Protection Wizard page. Click Next.

    Figure 4
    On the Internal Mail Servers Configuration page, you specify internal mail servers and SMTP domains for which you want to accept incoming mail.
    In the Please configure your internal servers section, click the Add button. This brings up the Computer dialog box. In the Computer dialog box, enter a name for the SMTP server. Note that this can be an Exchange Hub Transport server, or any other inbound SMTP server, such as an inbound SMTP relay. The point I want to make is that you don’t have to use Exchange as the internal SMTP server.
    Enter the IP address of the internal SMTP server in the Computer IP Address text box, and then enter a description of this machine in the Description (optional) text box. Click OK. While it looks like this creates a Computer object that you can reuse for other rules, that is not the case. This object is available only to the SMTP protection feature.

    Figure 5
    In the Accepted domains section, click the Add button. In the Add Address space dialog box, enter a name for an e-mail domain for which you want to accept incoming mail. You can add multiple domains if you want to accept mail for multiple domains. Incoming mail sent to domains that are not included in this list will be rejected by the TMG firewall’s SMTP protection mechanisms (as part of the Exchange Edge component). Click OK to save the domain.

    Figure 6
    Click Next on the Internal Mail Servers Configuration page.

    Figure 7
    On the Internal Listeners Configuration page, select the network on which you want the TMG firewall to accept outbound mail from your internal SMTP server. In most cases (but not all, as each deployment has its own characteristics), this will be the default Internal Network, which appears in the graphic as Internal.
    If you have multiple IP addresses bound to the interface, you can select the IP address that you want to use, as seen in the Internal Network Listener IP Selection dialog box.
    Click Next.

    Figure 8
    On the External Mail Routing Configuration dialog box, in the Specify FQDN the listener associated with the server will provide in response to HELO or EHLO text box, enter the name you want the TMG firewall to use in the HELO or EHLO responses. This is an important setting, as you need this name to be returned on a reverse DNS lookup for the IP address on the external interface of the ISA firewall that is accepting the connection. While this is not a technical requirement, it will help avoid problems with certain implementations of anti-spam solutions in use on the Internet.
    In the Please configure how your organization will receive mail from the Internet section, select the Network on which the incoming mail will be received. In most cases (but again, not all, since each implementation will vary), this will be the default External Network. If you have multiple IP addresses on the external interface, you can select the specific IP address, as seen in the figure below.
    Click Next.

    Figure 9
    On the Mail Protection Configuration page, put checkmarks in the Enable Anti-Spam Features and Enable Anti-Virus Features checkboxes. As the checkboxes imply, enabling these selections turns on the anti-spam and anti-virus capabilities in Exchange Edge and Forefront Security for Exchange.
    Click Next.

    Figure 10
    Review the information on the Completing the Server to Server E-mail Protection Wizard page and click Finish.

    Figure 11
    Notice that after you click Finish, a Microsoft Forefront Threat Management Gateway Beta dialog box will appear informing you that the system policy rules for SMTP should be enabled, and that it will enable them for you if you click Yes. You should click Yes, so that System Policy Rules can be enabled that allow external SMTP servers to send mail to the Local Host Network and the internal SMTP server to send mail to the Local Host Network.

    Figure 12
    Click Apply to save the changes and update the firewall policy. Click OK in the Saving Configuration Changes dialog box.
    After you apply the changes, you will see that the status section in the E-mail Policy tab in the middle pane of the console has changed, showing the following settings:

    • SMTP Protection: Enabled
    • Signature Updates: Enabled
    • Exchange Edge Subscription: Disabled
    • Virus and Content Filtering: Enabled
    • Spam Filtering: Enabled
    • License: 4/4/2010

    You will also see under the status pane a list of Internal_Mail_Servers and Internet_Mail_Servers. If you click on either one of those, you will see detailed settings regarding incoming and outbound SMTP configurations.

    Figure 13
    Click on the Spam Filtering tab. Here you see the available spam filtering options. These include:

    • IP Allow List
    • IP Allow List Providers
    • IP Block List
    • IP Block List Providers
    • Content Filtering
    • Recipient Filtering
    • Sender Filtering
    • Sender ID
    • Sender Reputation

    In a later article I’ll go through each of these options with you.

    Figure 14
    On the Virus and Content Filtering page, you have three options:

    • File Filtering
    • Antivirus
    • Message Body Filtering


    Figure 15
    As you can see from this high level overview of the SMTP protection feature, the TMG firewall provides a very robust platform for protecting your e-mail infrastructure. And it does this without having to deploy a second machine dedicated to e-mail hygiene, giving you centralized configuration and reduced power consumption. Say goodbye to that Barracuda box!
    Intrusion Prevention System

    Another new and major improvement included in the TMG Beta 2 firewall is the Intrusion Prevention System, which goes by the name of Network Inspection System or NIS. This new feature is based on GAPA, the Generic Application Protocol Analyzer. GAPA is able to intercept network traffic and look for suspicious communications based on signatures. Signatures used by NIS are based on exploits described in Microsoft security bulletins, as you can see in the figure below.
    The NIS IPS is a major advance for the TMG firewall. In previous incarnations of the ISA firewall, we had a very rudimentary IDS/IPS based on well known network level exploits. While that feature set is still included in the TMG Beta 2 firewall, the NIS is much more powerful and provides more comprehensive protection.
    Click on the Intrusion Prevention System node in the left pane of the console and you will see what appears in the figure below in the middle pane. This is a list of exploits that NIS will protect you against. Notice that you can group these exploits based on a number of parameters. These include:

    • Attention Required
    • Response
    • Business Impact
    • Category
    • Date Published
    • Severity
    • Fidelity
    • Protocol
    • Status
    • None


    Figure 16
    In the right pane of the console, you’ll see a number of new options related to this feature.

    Figure 17
    When you click the Define NIS Exceptions link, you will see the dialog box seen in the figure below. Here you can enter a network entity that is excluded from NIS scanning. If there are sites that you implicitly trust, you would enter them here.

    Figure 18

    When you click the Set All NIS Responses to Microsoft Defaults, you will see what appears in the figure below. When you select this option, you enable the TMG firewall to use the Microsoft recommended default action, which might be either block or detect. These default actions are part of the signature that Microsoft provides for the particular exploit.

    Figure 19
    When you click the Set All NIS Responses to Detect Only link, you enable the TMG firewall to only detect and report on malicious traffic and events that are detected by the NIS. The TMG firewall will not block the traffic.
    Note:
    For both options, you also have the option to enable Change the signature update settings for newly downloaded signatures. This enforces the NIS response policy for new signatures, which might override the default setting on the signature itself.

    Figure 20
    When you double click on one of the signatures, you can see interesting details about what that signature is detecting, as seen in the figure below. In the details of the signature, you can see the details of the exploit and the configuration for the signature, either Microsoft recommended or Custom. If you select Custom, then you can enable or disable the signature, and if you enable it, you can choose either Detect only or Block.

    Figure 21
    On the Details tab you can see even more information about the signature, as seen in the figure below. Details include:

    • Affected Applications
    • Business Impact
    • Category
    • CVE Numbers
    • Date Published
    • Default Response
    • Default Status
    • Fidelity
    • Protocol
    • Related Bulletins
    • Severity
    • Vendor

    In addition, you can add your own Administrator Notes.

    Figure 22
    Remote Access Policy (VPN)

    The Remote Access Policy (VPN) node is the replacement for the Virtual Private Networking (VPN) node we saw in previous versions of the firewall. You will see very few changes to the VPN networking features.

    Figure 23
    The only visible change at this time is support for NAP in the VPN Quarantine feature. However, there is no documentation at this time on how to make this feature work, so I cannot give you much insight into how NAP is integrated into the Quarantine feature. Hopefully, it will be easier to implement than the old Quarantine feature, which was more of a platform for VPN Quarantine than an actual feature that the firewall administrator could use out of the box.

    Figure 24
    There is a possibility that SSTP will be integrated into this solution. If it is, I hope the TMG team will consider all the aspects required to get it working, including an interface that helps us manage the certificates used by the SSTP VPN server and publishing the CRL. If you have worked with SSTP, you know that managing the SSTP certificates can be a real bear, and any investments the TMG team puts in this direction will be highly appreciated by the TMG firewall community. I think we would even put our money together and buy David Cross a bouquet of flowers and a fruit basket.
    Summary

    In this, part 3 of our series on what is new and improved in the TMG Beta 2 firewall, we went over the options in the E-mail Policy, Intrusion Prevention System and Remote Access Policy (VPN) nodes. We went into a bit more detail in the SMTP protection section, since this is a very compelling addition to the TMG firewall and significantly increases the value that the TMG firewall provides compared to previous iterations of the firewall. The IDS feature also represents a major advance in the firewall's IDS/IPS capabilities and finally instantiates a real network intrusion detection and prevention system that has the potential of being a game changer, as NIS signatures could protect you in a way that no other firewall on the market can, since Microsoft has access to these signatures before anyone else. The VPN features are essentially unchanged, except for the suggestion that NAP is integrated.
    In the next article we will finish up the series with the Networking, System, Logs and Reports, Update Center and Troubleshooting sections. See you then! –Tom.
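    The NIS response settings described in this part (the Microsoft recommended default carried in each signature, the Custom override with enable/disable and Detect only/Block, the two global reset actions, the newly-downloaded-signature policy and the NIS exceptions) resolve into a single effective action per signature. The following is an added example, written for this page and not code from the article or from TMG itself; it models that resolution logic in Python. Signature names, the excluded host 10.0.0.5 and the remote addresses are constructed sample data, and the way it treats disabled signatures under Set All NIS Responses to Detect Only is a modelling assumption noted in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Responses a signature can resolve to.
BLOCK, DETECT, OFF = "block", "detect", "off"


@dataclass
class Signature:
    """One NIS signature: the Microsoft-recommended settings it ships with,
    plus an optional administrator override (the "Custom" configuration)."""
    name: str
    default_response: str                  # BLOCK or DETECT, carried in the signature
    default_enabled: bool = True
    custom_enabled: Optional[bool] = None  # None means "Microsoft recommended"
    custom_response: Optional[str] = None  # DETECT or BLOCK when custom and enabled

    def effective_response(self) -> str:
        if self.custom_enabled is None:    # Microsoft recommended
            return self.default_response if self.default_enabled else OFF
        if not self.custom_enabled:        # custom, signature disabled
            return OFF
        return self.custom_response        # custom, enabled: DETECT or BLOCK


@dataclass
class NisPolicy:
    signatures: Dict[str, Signature] = field(default_factory=dict)
    exceptions: Set[str] = field(default_factory=set)   # hosts excluded from NIS
    # Policy enforced on newly downloaded signatures ("Change the signature
    # update settings for newly downloaded signatures"): None keeps whatever
    # the signature carries, "defaults" resets it, DETECT forces detect-only.
    new_signature_policy: Optional[str] = None

    def set_all_to_microsoft_defaults(self, apply_to_new: bool = False) -> None:
        for sig in self.signatures.values():
            sig.custom_enabled, sig.custom_response = None, None
        if apply_to_new:
            self.new_signature_policy = "defaults"

    def set_all_to_detect_only(self, apply_to_new: bool = False) -> None:
        # Modelling assumption: signatures that are disabled stay disabled;
        # everything that is enabled is demoted from block to detect.
        for sig in self.signatures.values():
            if sig.effective_response() != OFF:
                sig.custom_enabled, sig.custom_response = True, DETECT
        if apply_to_new:
            self.new_signature_policy = DETECT

    def download(self, sig: Signature) -> None:
        """Install a newly downloaded signature, applying the update policy."""
        if self.new_signature_policy == DETECT and sig.effective_response() != OFF:
            sig.custom_enabled, sig.custom_response = True, DETECT
        elif self.new_signature_policy == "defaults":
            sig.custom_enabled, sig.custom_response = None, None
        self.signatures[sig.name] = sig

    def decide(self, remote_host: str, sig_name: str) -> str:
        """What NIS does when sig_name matches traffic involving remote_host."""
        if remote_host in self.exceptions:
            return "allow"                 # NIS exception: not scanned at all
        return self.signatures[sig_name].effective_response()


def build_demo_policy() -> NisPolicy:
    """Constructed sample data; the signature names are not real NIS signatures."""
    policy = NisPolicy(exceptions={"10.0.0.5"})       # assumed trusted host
    policy.download(Signature("SIG-A", BLOCK))
    policy.download(Signature("SIG-B", DETECT))
    policy.download(Signature("SIG-C", BLOCK, default_enabled=False))
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for name in p.signatures:
        print(name, p.decide("192.0.2.10", name))
    p.set_all_to_detect_only(apply_to_new=True)
    p.download(Signature("SIG-D", BLOCK))
    print("after detect-only:", {s: p.decide("192.0.2.10", s) for s in p.signatures})
```

Two things worth noticing when you run it: a host on the exceptions list is never scanned, whatever the signatures say, so that list deserves the same review as an any/any firewall rule; and the newly-downloaded-signature policy persists after you click the other global action unless you tick the checkbox again, so a firewall left on Detect Only for testing keeps downloading new signatures in detect-only mode.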





  4. #4
    Code:
    http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part4.html
    PART-4

    Introduction

    We continue this week with part 4 of my series on the new features included with the Beta 2 of the TMG firewall. I thought that this would be the last article in the series, but then I realized that there was too much going on in the Networking Node in the TMG firewall console to fit anything else into the article this week. So we will confine our attention to the Networking Node this week and see if we can finish up the series next week.
    The Networking Node

    Let us take a look at the Networking Node in the left pane of the console. If it is not already open, open up the TMG firewall console, expand the server name and then click on the Networking node. In the middle pane of the console, you will see the following tabs:

    • Networks
    • Network Sets
    • Network Rules
    • Network Adapters
    • Routing
    • Web Chaining
    • ISP Redundancy

    Some of these we have seen in previous versions of the firewall, but some of them are new. I will call out the new ones, and the new features and capabilities, as we look at each one in more detail.
    The Networks Tab

    The Networks tab was seen in previous versions of the firewall and includes all the networks defined on this firewall or firewall array. The default TMG Firewall Networks include:

    • External
    • Internal
    • Local Host
    • Quarantined VPN Clients
    • VPN Clients

    These are the same default Networks seen in previous versions of the firewall, so not much new happening here. When you double click on one of the Networks, you will see a Properties dialog box similar to what you saw in previous versions of the firewall. However, one thing that is different is that you will see options for CARP and NLB. Since there is no Standard and Enterprise edition available for the Beta 2, it is not clear if these features will be available in all versions of the RTM TMG firewall. In fact, it is not clear if there will be different versions by the time the product is released.

    Figure 1
    The Network Sets Tab

    The Network Sets tab includes the groups of TMG Firewall Networks that comprise the default TMG Network Sets. The default Network Sets are:

    • All Networks (and Local Host)
    • All Protected Networks
    • Forefront codename Stirling Monitored Networks

    If you are an experienced ISA firewall admin, you probably noticed the new Network Set, the Forefront codename Stirling Monitored Networks set. The description of this network is: “This predefined network set includes the networks monitored by Forefront codename Stirling” – nice tautological description, eh?
    I checked the Help file and unfortunately there is no mention of the Stirling Network Set. I am looking forward to some guidance in this area in the future, but by then, Stirling will probably have a product name and the name of this Network Set will change.

    Figure 2
    The Network Rules Tab

    Click on the Network Rules tab and you will see the default Network Rules. The default Network Rules defined on the Beta 2 of the TMG firewall include:

    • Local Host Access
    • VPN Clients to Internal
    • Internet Access

    This is pretty much what we saw in previous versions of the firewall. But there are some big changes in this area. Double click on the Internet Access Network Rule to see where those changes lie.

    Figure 3
    In the Properties dialog box for the Internet Access Network Rule, you can see a new tab, NAT Address Selection. The NAT Address Selection tab allows you to choose what IP address on the external interface is used as the source IP address for connections that trigger the Network Rule. This is a feature we have been hoping to see for a long time, and this is a great first step in the right direction. No, it is not the “static NAT” feature that a lot of ISA firewall admins were looking for, but it solves some problems that we have had in the past, where we were limited to always using the default IP address on the external interface as the source IP address for all outbound connections.

    Figure 4
    Let us now take a look at this feature in a little more detail. In the right pane of the TMG firewall console, click the Create a New Network Rule link. This brings up the Welcome to the New Network Rule Wizard page. We will enter a name in the Network rule name text box, in this case we will name it Mail-1, representing an outbound mail server on our internal network. Click Next.

    Figure 5
    On the Network Traffic Sources page, click the Add button and in the Add Network Entities dialog box, select the Mail Server 1 Computer Object that was created earlier.

    Figure 6
    The Mail Server 1 Computer Object appears as a source on the Network Traffic Sources page. Click Next.

    Figure 7
    On the Network Traffic Destinations page we select the destination for this Network Rule. In this case, we want to set the destination as the default External Network, so we click Add and then select External in the Add Network Entities dialog box.

    Figure 8
    The default External Network appears in the Network Traffic Destinations page. Click Next.

    Figure 9
    On the Network Relationship page, select the Network Address Translation (NAT) option and click Next.

    Figure 10
    The NAT Address Selection page is new. Here you can choose from the following:

    • Always use the default IP address – this option will set the source IP address of the outbound connection to be the default IP address on the external interface of the firewall. This is the same behavior seen in previous versions of the firewall
    • Use the selected IP address – this option allows you to choose an IP address on the external interface of the firewall that will be presented as the source IP address based on the source and destination set for this rule.
    • Use selected IP addresses for each network – this option can be used when you have multiple NICs on the firewall, or when you have multiple members of a firewall array and you are not using NLB. This option allows you to choose specific IP addresses on each NIC, so that all outbound connections, through all potential interfaces, have a source IP address that you can control.

    In this example we will select the Use the selected IP address option and select the IP address 192.168.1.175, and click Next.

    Figure 11
    On the Completing the New Network Rule Wizard page, review the settings and click Finish. Then click Apply at the top of the middle pane of the console to save the changes.

    Figure 12
    At this point you can see the new Network Rule in the middle pane of the console, and a new column for this rule, the NAT Addresses column. This lets you know what the source IP address will be for outbound connections that trigger this rule.

    Figure 13
    The Network Adapters Tab

    The Network Adapters tab is an entirely new tab, not seen in previous versions of the firewall. The Tasks tab for the Network Adapters tab appears in the figure below. Here you can manipulate some of the NIC settings from within the TMG firewall console.

    Figure 14
    In the middle pane of the console you see a list of NICs installed on this TMG firewall computer. Columns include:

    • Name – the name assigned to the NIC
    • Type – whether the NIC uses Static or DHCP addressing (dynamic)
    • IP Addresses – the IP address or addresses assigned to the NIC
    • Subnets – the subnet mask or masks (if IP addresses from different network IDs are assigned to the NIC)
    • Status – either connected or disconnected

    That’s some handy information that you had to go somewhere else to find in the past.

    Figure 15
    But wait! There is more. Double click on one of the NICs and you will see a Properties dialog box that allows you to do a few more things. Here you can configure the NIC to use static or dynamic addressing. This includes IP addressing, subnet mask, default gateway, and DNS servers.

    Figure 16
    The Routing Tab

    This is another new tab not seen in previous versions of the firewall. On the Routing tab you can see the routing table entries on the TMG firewall computer. This is pretty handy, as missing routing table entries are a major offender in many ISA and TMG firewall troubleshooting scenarios.
    There is a curious link in the Tasks tab in the Task Pane. The link is Create an Array Topology Route. Wow! That sounds really cool. An Array Topology Route. I wonder what that is? I clicked the link and it brought up the Array Topology Route dialog box. It looks like a way to create a routing table entry, so I entered a route for network ID 172.16.5.0. You can see that route in the Active Server Routes list in the figure below, as well as at the top in the list of Array Topology Routes.

    Figure 17
    However, I was still curious about this Array Topology Route thing. It sounds sort of exotic, doesn't it? Just to make sure that it was not just a fancy name for a routing table entry, I opened a command prompt and did a route print. What I saw is seen in the figure below. Looks like Array Topology Routes are just garden variety routing table entries. Oh well. Maybe I am just missing something.

    Figure 18
    The Web Chaining Tab

    This tab was available in previous versions of the firewall. However, there are some new options that weren’t available in the Tasks tab in the Task Pane of this tab in previous versions. The new options here are:

    • Create Web Access Rules required for Web chaining – when you click this, it takes you to the Firewall Policy node where you can create Access Rules.
    • Specify Dial-up Preferences – here you can configure dial-up configuration if you are using a dial-up connection on your TMG firewall


    Figure 19

    Other than those two options, not much else new is going on with this tab.
    The ISP Redundancy Tab

    Last but definitely not least is the ISP Redundancy tab. This is new with the TMG firewall, and represents a new TMG firewall feature that allows you to use up to two ISPs with a single TMG firewall or TMG firewall array.
    In the Tasks tab of the ISP Redundancy Task Pane, you will see a link for Enable ISP Redundancy. Click that to get started.

    Figure 20
    This brings up the Welcome to the ISP Redundancy Configuration Wizard page. Click Next.

    Figure 21
    On the ISP Redundancy Method page, you have two choices:

    • Failover using a primary and backup link – this option allows you to use one ISP link, and if that link goes down, the TMG firewall will switch over to a second ISP. The TMG firewall will continue to check on the status of the primary ISP and when that link comes back online, TMG will switch back to using that one.
    • Load balancing between two ISP links – this option allows you to use both ISP connections at the same time, and it automatically balances connections between the two connections, based on the relative weighting you give to each of the links.

    In this example we will select the Load balancing between two ISP links option and click Next.

    Figure 22
    On the ISP Link 1 page there are a number of options:

    • ISP Link name – this is where you configure the friendly name for the link.
    • ISP Subnet Definition – in this section you configure the IP address of the default gateway used by this link. You can either enter the IP addressing information manually or you can select the NIC that connects to that ISP.
    • Explicit Route Destinations – this option allows you to configure routes that will always use this ISP and not use the second ISP. This provides a route based, policy-based routing configuration.
    • Link connectivity – gives you three options: Determine automatically, Presume the link is up and Presume the link is down. In most cases you’re going to want the TMG firewall to determine if the link is up or down automatically.

    In this example I’ve named the link Verizon and used the Select Adapter option to populate the IP addressing information for the default gateway. Click Next.

    Figure 23
    On the ISP Link 2 page, you do the same thing, but this time you put in the configuration options for the second ISP connection. In this example, I manually entered the IP addressing information for the default gateway for the Comcast ISP link.
    Click Next.

    Figure 24
    On the Load Balancing Factor page, you set a relative weight for how much you want each of the connections to be used. The default value is to have each of the ISPs used equally.
    Click Next.

    Figure 25
    Check your settings on the Completing the ISP Redundancy Configuration Wizard page and click Finish.

    Figure 26
    Depending on your configuration and environment, it may take several minutes before you see both ISPs being used, and you might see connectivity stop for clients behind the TMG firewall during this time. Do not worry, be patient. After the configuration becomes active, you will see a graphic indicating the state of the connections. In the example below, it shows that the connection to one of the ISPs is down, as indicated by the red line between the ISP and the cloud.
    Also, I have got to hand out props to the TMG team for using a firewall icon in this graphic, instead of the typical Web proxy icon (computer with a tiny firewall icon next to it). It only took ten years, but the message that this product is primarily a firewall seems to be getting out (at least to the product team).

    Figure 27
    Note:
    You can use the ISP Redundancy feature either by putting multiple IP addresses from different network IDs on the same NIC, or you can dedicate a NIC for each ISP.
    I consider it somewhat unfortunate that the TMG team decided to implement the feature in this way, as I suspect most users of this feature will be putting the TMG firewall behind CPE devices provided by their broadband providers, and not connecting the TMG firewall’s NICs directly to each ISP.
    It would have been a better design to allow a single NIC or IP address to switch between gateways on the same network ID which would be the IP addresses on the LAN interfaces of the CPE devices, rather than having to create a bogus second network ID to support the second ISP. No, it is not a lot of work, nor is it complicated to implement things to work using the approach they used, but it would have been more elegant to use a “dead gateway detection” like method instead of the approach they use now.
    Nevertheless, the feature works well, and failover and failback are smooth and fast.
    Summary

    In this, the fourth part of our article series on what's new and improved in the TMG firewall, we covered the options available in the Networking node in the left pane of the TMG firewall console. The most significant improvements were the ability to control the source IP address used by the TMG firewall when sending outbound connections, and the new ISP Redundancy feature. Next week I hope we'll be able to finish up by talking about the System, Logs and Reports, Update Center and Troubleshooting nodes. See you then! –Tom.
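    The Mail-1 walk-through in this part (a Network Rule whose source is the Mail Server 1 Computer Object, whose destination is the External Network, with NAT Address Selection set to Use the selected IP address 192.168.1.175) is worth seeing as the lookup the firewall performs for each new outbound connection. The block below is an added example for this page, not the article's code and not the TMG administration API; it models network rules and the three NAT Address Selection options in Python. The Internal range 10.0.0.0/24, the default external address 192.168.1.70, the second array address 198.51.100.20, and the rule is that the first matching rule in order wins, are all assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _matches(entities: List[str], ip: str) -> bool:
    """True when ip falls inside any of the network entities (CIDR strings;
    a bare address stands for a single Computer object)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entities)


@dataclass
class NetworkRule:
    name: str
    sources: List[str]
    destinations: List[str]
    relationship: str = "nat"                 # "nat" or "route"
    nat_mode: str = "default"                 # "default" | "selected" | "per_network"
    selected_ip: Optional[str] = None         # for nat_mode == "selected"
    per_network: Dict[str, str] = field(default_factory=dict)  # egress NIC -> source IP


@dataclass
class Firewall:
    default_external_ip: str                  # primary (default) address of the external NIC
    rules: List[NetworkRule]                  # ordered; first match wins in this model

    def source_ip_for(self, src: str, dst: str, egress_nic: str = "External") -> Optional[str]:
        """Source address presented for src -> dst, or None if no network rule
        connects the two networks."""
        for rule in self.rules:
            if not (_matches(rule.sources, src) and _matches(rule.destinations, dst)):
                continue
            if rule.relationship == "route":
                return src                            # route relationship: no translation
            if rule.nat_mode == "selected":
                return rule.selected_ip               # "Use the selected IP address"
            if rule.nat_mode == "per_network":        # "Use selected IP addresses for each network"
                return rule.per_network.get(egress_nic, self.default_external_ip)
            return self.default_external_ip           # "Always use the default IP address"
        return None


# Constructed topology for the walk-through; every address here is an assumption.
INTERNAL = ["10.0.0.0/24"]
EXTERNAL = ["0.0.0.0/0"]          # simplification: External is "everything else"
MAIL_SERVER_1 = ["10.0.0.25"]      # the Mail Server 1 Computer object

MAIL_1 = NetworkRule("Mail-1", MAIL_SERVER_1, EXTERNAL,
                     nat_mode="selected", selected_ip="192.168.1.175")
INTERNET_ACCESS = NetworkRule("Internet Access", INTERNAL, EXTERNAL)     # default IP
ARRAY_MAIL = NetworkRule("Mail-1 (per NIC)", MAIL_SERVER_1, EXTERNAL, nat_mode="per_network",
                         per_network={"External-1": "192.168.1.175",
                                      "External-2": "198.51.100.20"})


def build_firewall(mail_rule_first: bool = True) -> Firewall:
    """Same two rules, in either order, to show why ordering matters."""
    rules = [MAIL_1, INTERNET_ACCESS] if mail_rule_first else [INTERNET_ACCESS, MAIL_1]
    return Firewall("192.168.1.70", rules)


if __name__ == "__main__":
    fw = build_firewall()
    print("mail server  ->", fw.source_ip_for("10.0.0.25", "203.0.113.9"))
    print("workstation  ->", fw.source_ip_for("10.0.0.40", "203.0.113.9"))
    print("rules swapped->", build_firewall(False).source_ip_for("10.0.0.25", "203.0.113.9"))
```

The swapped-order case is the one to check on a real firewall after creating a rule like Mail-1: if the broader Internal-to-External rule sits above it, the mail server keeps egressing from the default address and the SPF or reverse-DNS record you built around 192.168.1.175 never applies.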

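    The ISP Redundancy wizard in this part sets up either failover with failback or weighted load balancing, with Explicit Route Destinations pinned to one link and a per-link connectivity setting (Determine automatically, Presume the link is up, Presume the link is down). The following is an added example for this page, not the article's code and not how TMG is implemented internally; it models those decisions in Python so you can see how failover, failback, the explicit routes and the weights interact. The link names follow the article; the gateway addresses, the 198.51.100.0/24 explicit destination, the simulated probe result and the hash-based flow placement are assumptions of the model.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IspLink:
    name: str
    gateway: str                                   # default gateway on this ISP's subnet
    weight: int = 50                               # load balancing factor
    explicit_destinations: List[str] = field(default_factory=list)  # CIDRs pinned to this link
    connectivity: str = "auto"                     # "auto" | "presume_up" | "presume_down"
    probe_ok: bool = True                          # simulated result of the automatic link check

    def is_up(self) -> bool:
        if self.connectivity == "presume_up":
            return True
        if self.connectivity == "presume_down":
            return False
        return self.probe_ok

    def pins(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in self.explicit_destinations)


@dataclass
class IspRedundancy:
    mode: str                      # "failover" or "balance"
    links: List[IspLink]           # two links; in failover mode links[0] is the primary

    def choose(self, dst: str, flow_key: str) -> Optional[IspLink]:
        """Link used for a new outbound connection, or None when no link is usable."""
        for link in self.links:
            if link.pins(dst):     # explicit route destination: this ISP only, never the other
                return link if link.is_up() else None
        up = [l for l in self.links if l.is_up()]
        if not up:
            return None
        if self.mode == "failover" or len(up) == 1:
            # Primary while it is up, backup otherwise. Every new connection is
            # re-evaluated, so failback happens as soon as the primary's check passes.
            return up[0]
        # Load balancing: map the flow key onto the weighted range, so one flow
        # always lands on the same link and the share follows the weights.
        total = sum(l.weight for l in up)
        point = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16) % total
        for link in up:
            if point < link.weight:
                return link
            point -= link.weight
        return up[-1]


def build_links() -> List[IspLink]:
    """Constructed example: two gateways on different network IDs, as the
    feature requires; documentation address ranges, not real ISP addresses."""
    return [IspLink("Verizon", "203.0.113.1", weight=50,
                    explicit_destinations=["198.51.100.0/24"]),
            IspLink("Comcast", "192.0.2.1", weight=50)]


def distribution(redundancy: IspRedundancy, n: int = 1000) -> Dict[str, int]:
    """Count which link n constructed flows land on."""
    counts: Dict[str, int] = {}
    for i in range(n):
        link = redundancy.choose("203.0.113.9", f"10.0.0.{i % 200}:{40000 + i}->203.0.113.9:443")
        key = link.name if link else "none"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    bal = IspRedundancy("balance", build_links())
    print("50/50 split:", distribution(bal))
    bal.links[0].weight, bal.links[1].weight = 75, 25
    print("75/25 split:", distribution(bal))
    fo = IspRedundancy("failover", build_links())
    fo.links[0].probe_ok = False
    print("primary down, failover to:", fo.choose("203.0.113.9", "flow").name)
```

The Presume the link is up setting is the one to be careful with: in this model, as in the wizard's description, it makes the link eligible regardless of what the check would have found, so a dead link set to presume-up silently blackholes its share of connections.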





  5. #5
    Code:
    http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part5.html
    PART-5


    Introduction

    I cannot believe we are here! This is the last in our series on what's new and improved in the Beta 2 of the TMG firewall. This could not have come too soon! Why? Because it will not be more than a few weeks before we see the next version of the TMG firewall, which will be the Beta 3. No, I will not go through another 5-part series on the Beta 3 of the TMG firewall, but I will go over in detail some of the new features, such as the return of URL filtering.
    In this, the last part of the series, we will go over the System, the Logs & Reports, the Update Center and the Troubleshooting nodes. Let us get started.
    The System Node

    In the left pane of the TMG firewall console, click the System node, as seen in the figure below.

    Figure 1
    In the middle pane of the TMG firewall console, on the Servers tab, you will see the name of your firewall and its host ID number and CARP load factor. If you have run the Enterprise edition of the ISA firewall, you will probably find this information familiar. Double click on the server name and you will see what appears on the General tab. Notice the TMG version is version 7.x. I found this interesting as it does not seem to be in line with the versioning used for the ISA firewall. I do not have an answer to why they are starting with version 7, but I will let you know when I find out.

    Figure 2
    Click on the Application Filters tab in the middle pane of the console. Here you will see your list of application filters installed on the TMG firewall, similar to what you saw on your ISA firewalls. However, if you look closely, you will see two new filters that are included right out of the box. These are the SIP Access Filter and the TFTP Access Filter. Both SIP and TFTP are complex protocols, thus, in order for SecureNET clients to work with these protocols, they need the help of an application filter. Of course, if you have the Firewall client installed on the computer that needs to use these protocols, application filters are not required. But because it is most likely servers that will need to use these protocols, it is a good idea to have an application filter, since you rarely if ever install the Firewall client on a server.

    Figure 3
    Click the Web Filters tab in the middle pane. Here you will find the list of Web filters installed on the TMG firewall, similar to what appears in previous versions of the firewall. However, if you look closely, you will see two new entries here, included right out of the box. These are the Generic Web Protocol Analyzer Filter and the Malware Inspection Filter. Now this brings up an interesting question: if the GAPA filter is implemented as a Web Filter and not an application filter, does that mean that only Web connections are analyzed by GAPA for IDS/IPS? That would seem to make sense, but if everything made sense, we'd never have to read the documentation. Unfortunately, there really is no useful documentation on the Network Inspection System at this time, so any assessments I might try to make at this time would be nothing more than a guess.

    Figure 4
    The Logs & Reports Node

    Click on the Logs & Reports node in the left pane. Then take a look at the Tasks tab in the Task Pane in the right side of the console. Here you’ll see some new and some familiar settings that were formerly available on the Logging tab in the Monitoring node of the ISA firewall console.

    Figure 5
    If you click the Configure Log Queue link, you will see the Log Queue Storage Folder dialog box. Here you can define where you want the TMG firewall to store the log queue. When the TMG firewall logs information faster than the records can be formatted by the firewall, the log records will be stored in the log queue until they can be attended to, when the firewall is less busy. This enables the firewall to continue running without stopping due to logging failures, something we used to see with the ISA firewall.

    Figure 6
    If you click the View Log Status link, you can see the Log Status dialog box. Here you can see the logging status and whether or not the log queue is in use. If the queue is being used, you will see how long it is in this dialog box.

    Figure 7
    The Logging tab in the Logs & Reports node is similar to the logging tab we had with previous versions of the firewall. There's not too much in terms of new features here, except for the options available in the area of what you can filter on. In the figure below you can see a number of new fields on which you can filter. This is very nice, but my single complaint here is that some of the entries are unreadable because you cannot make the dialog box wider. Maybe this is something they can fix before the product goes RTM.

    Figure 8
    The Update Center Node

    The Update Center node is a completely new one. The reason for this is that in previous versions of the firewall there was no antimalware, anti-spam or Network Inspection System to update. Click on the Update Center node in the left pane and you'll see in the middle pane something similar to what appears in the figure below. There are four main features that benefit from updates. These include:

    • E-mail Antivirus
    • Malware Inspection
    • Antispam Filtering
    • Network Inspection System


    Figure 9
    When you right click one of these entries, you will see a context sensitive menu that will be different depending on which of the entries you right click on. In the example in the figure below, I have right clicked on the Malware Inspection entry. Here you see that you have the following options:

    • Check and Install New Definitions
    • Check for New Definitions
    • Import Definitions from File
    • Override Current Definitions
    • Properties


    Figure 10
    When you check the Tasks tab in the Task Pane, you will see similar options as those seen in the context menu. These will change based on which entry you’ve selected in the middle pane.

    Figure 11
    When you double click on one of the update entries in the middle pane, you will see the Properties dialog box for that update. What's interesting here is that for some of these options you're not just presented with the update options, but with the entire configuration interface for the feature; see the figure below for an example. Regarding the update options, you can see that you can set the automatic update action and the polling frequency for the update.

    Figure 12
    You can also focus on the update properties in the Update Center Properties dialog box. Here you have three tabs, with the Definition Updates tab being the default. Here you can set the update action and polling frequency for each of the Protection mechanisms.

    Figure 13
    On the Microsoft Updates tab, you can choose to Use the Microsoft Update service to check for updates (recommended) or I do not want to use the Microsoft Update service. Note that in order to receive updates, you must use Microsoft Update. What I make out of this is that you would not be able to use WSUS to obtain these updates. This is most likely due to the fact that WSUS can not check your TMG firewall’s license status for the updates that require licensing.

    Figure 14
    On the Microsoft Update Service tab, you have the following options:

    • Use machine default service (Microsoft Update or WSUS Server)
    • Use Microsoft Update directly
    • Use machine default service but fallback to Microsoft Update

    The default setting is to use the machine default service but fall back to Microsoft Update. This allows you to use WSUS for TMG and operating system updates, but if the WSUS server is not available, the firewall will be able to fall back and use Microsoft Update directly. A System Policy Rule is in place that allows the firewall to receive the updates directly from Microsoft if required.

    Figure 15
    The Troubleshooting Node

    Click the Troubleshooting node in the left pane of the console and you will see what appears in the figure below in the middle pane. Note that at this time there is nothing new here. However, I expect that in the next version of the TMG firewall, which will be Beta 3, there will be some significant enhancements so that you’ll have the features and capabilities similar to those available in the ISA 2006 supportability update.

    Figure 16
    Summary

    In this, the last part in our series on what’s new and improved in the TMG firewall, we went over the new features included in the System, Logs & Reports, Update Center and Troubleshooting nodes. I hope you enjoyed this series and that you saw some things that you like. Next week we will go into a deep dive on the outbound SSL inspection feature, which is one of the most impressive features included with the TMG firewall. After that, we will do a deep dive into the E-mail protection feature, including the Exchange configuration. See you then! –Tom.
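    The log queue described under the Logs & Reports node in this part (records spooled to a storage folder when the firewall logs faster than they can be formatted, drained when it is less busy, with a status dialog showing whether the queue is in use and how long it is) is a general pattern: decouple the data path from the log sink so a logging failure cannot stop the firewall. The block below is an added example for this page, not the article's code and not TMG's implementation; it is a small disk-backed spool in Python that shows the ordering and atomicity points such a queue has to get right. The storage folder is a temporary directory, the sink is a stand-in for the log database, and the log records are constructed sample data.

```python
import json
import os
import tempfile
from typing import Callable, Dict, List


class LogQueue:
    """Spools log records into a storage folder whenever the log sink cannot
    take them, and drains the backlog in order later. The hot path (log) never
    blocks and never raises, so traffic keeps flowing when logging falls behind."""

    def __init__(self, storage_folder: str, sink: Callable[[dict], bool]):
        self.folder = storage_folder
        self.sink = sink            # returns True once a record is committed
        self._seq = 0               # per-process sequence for file ordering (assumption)

    def _try_sink(self, record: dict) -> bool:
        try:
            return bool(self.sink(record))
        except Exception:           # any sink failure becomes "queue it"
            return False

    def _queued_files(self) -> List[str]:
        return sorted(n for n in os.listdir(self.folder) if n.endswith(".json"))

    def _spool(self, record: dict) -> None:
        self._seq += 1
        path = os.path.join(self.folder, f"{self._seq:012d}.json")
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(record, fh)
        os.replace(tmp, path)       # atomic rename: never a half-written queue entry

    def log(self, record: dict) -> None:
        # While a backlog exists, new records must queue as well, or ordering breaks.
        if self._queued_files() or not self._try_sink(record):
            self._spool(record)

    def status(self) -> Dict[str, object]:
        """What a 'View Log Status' style dialog would report."""
        n = len(self._queued_files())
        return {"queue_in_use": n > 0, "queued_records": n}

    def drain(self) -> int:
        """Flush queued records oldest-first; stop at the first sink failure."""
        flushed = 0
        for name in self._queued_files():
            path = os.path.join(self.folder, name)
            with open(path, encoding="utf-8") as fh:
                record = json.load(fh)
            if not self._try_sink(record):
                break
            os.remove(path)
            flushed += 1
        return flushed


def demo() -> Dict[str, object]:
    """Constructed scenario: the sink goes away mid-burst and then comes back."""
    folder = tempfile.mkdtemp(prefix="tmg-logq-")
    written: List[dict] = []
    state = {"sink_up": True}

    def sink(record: dict) -> bool:
        if not state["sink_up"]:
            raise IOError("log database unavailable")
        written.append(record)
        return True

    def rec(i: int) -> dict:        # constructed sample log record
        return {"seq": i, "rule": "Internet Access", "src": "10.0.0.40",
                "dst": "203.0.113.9", "action": "Allowed"}

    q = LogQueue(folder, sink)
    q.log(rec(1))
    state["sink_up"] = False
    for i in range(2, 6):
        q.log(rec(i))
    queued = q.status()["queued_records"]
    state["sink_up"] = True
    flushed = q.drain()
    return {"queued_while_down": queued, "flushed": flushed,
            "queue_in_use_after": q.status()["queue_in_use"],
            "order": [r["seq"] for r in written]}


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants from this is the one `demo()` returns: records logged while the sink was down are all delivered, in their original order, once it returns, and the status call reports the backlog while it exists. Note that the queue trades durability for availability only as far as the storage folder holds out, so that folder's free space is something to monitor.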





