The document is an ebook titled 'Deploying Microsoft Forefront Threat Management Gateway 2010 (TMG)' by Yuri Diogenes and Thomas W. Shinder, available for instant PDF download. It covers various aspects of Forefront TMG, including installation, configuration, and deployment, along with features of Service Pack 1. The book is published by Microsoft Press and includes acknowledgments to contributors and resources for further learning.

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Yuri Diogenes and Dr. Thomas W. Shinder
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any
means without the written permission of the publisher.
Library of Congress Control Number: 2010936127

Printed and bound in the United States of America.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about
international editions, contact your local Microsoft Corporation office or contact Microsoft Press International
directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
are trademarks of the Microsoft group of companies. All other marks are property of
their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain name,
e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without
any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or
distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by
this book.

Acquisitions Editor: Devon Musgrave
Developmental Editor: Karen Szall
Project Editor: Karen Szall
Editorial Production: nSight, Inc.
Technical Reviewer: Mitch Tulloch; Technical Review services provided by Content Master, a member
of CM Group, Ltd.
Cover: Tom Draper Design
Body Part No. X17-15053
Contents
Introduction vii

Chapter 1 Understanding Forefront Threat Management Gateway 2010 1
A History of Perimeter Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Forefront TMG as a Perimeter Network Device. . . . . . . . . . . . . . . . . . . . . . . . 3
Network Firewall 3
Forward and Reverse Proxy, Web Proxy, and Winsock Proxy Server 4
Web Caching Server 5
Remote Access VPN Server 5
Site-to-Site VPN Gateway 7
Secure Email Gateway 8

Forefront TMG as a Secure Web Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Network Inspection System 10
Malware Inspection 11
HTTPS Inspection 13
URL Filtering 15

Forefront TMG Role within the Forefront Protection Suite. . . . . . . . . . . . . 16
Forefront Unified Access Gateway 2010 17
Forefront Identity Manager 18
Forefront Protection for Exchange Server 19
Forefront Online Protection for Exchange 19
Forefront Protection 2010 for SharePoint 20

Administrators Punch List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

What do you think of this book? We want to hear from you!

Microsoft is interested in hearing your feedback so we can continually improve our books and learning
resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/
Chapter 2 Installing and Configuring Forefront Threat Management Gateway 2010 23
Preparing to Install Forefront TMG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Choosing Deployment Options for Forefront TMG 24
Meeting Hardware and Software Requirements for Forefront TMG 25
Selecting the Forefront TMG Edition 29

Installing Forefront TMG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31


Reviewing Company Requirements 31
Completing the Installation Phases 32
Installing Forefront TMG 32

Post-Installation Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Administrator’s Punch List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Chapter 3 Deploying Forefront TMG 2010 Service Pack 1 57
New Features in Service Pack 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Planning Service Pack 1 Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Installing Forefront TMG 2010 Service Pack 1. . . . . . . . . . . . . . . . . . . . . . . . 59

Configuring User Override for URL Filtering. . . . . . . . . . . . . . . . . . . . . . . . . 62

Reporting Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Branch Office Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

What’s Next?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Administrator’s Punch List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Acknowledgments

This Forefront project took almost a year to write and resulted in three separate
books about deploying Forefront products. Although the authors get lots of
credit, there can be little doubt that we could not have even begun, much less
completed, this book without the cooperation (not to mention the permission) of
an incredibly large number of people.
It’s here that we’d like to take a few moments of your time to express our gratitude
to the folks who made it all possible.

With thanks…
To the folks at Microsoft Press who made the process as smooth as they possibly
could: Karen Szall, Devon Musgrave, and their crew.
To the TMG Product Team folks, especially to Ori Yosefi and David Strausberg,
for helping us by reviewing the Service Pack 1 chapter. To all our friends from CSS
Security, especially to Bala Natarajan for reviewing content.

From Yuri
First and foremost to God, for blessing my life, leading my way, and giving me
the strength to take on the challenges as just another step in life. To my eternal
supporter in all moments of my life: my wife Alexsandra. To my daughters who,
although very young, understand when I close the office door and say, “I’m really
busy.” Thanks for understanding. I love you, Yanne and Ysis.
To my friend Thomas Shinder, whom I was fortunate enough to meet three
years ago. Thanks for shaping my writing skills and also contributing to my
personal growth with your thoughts, advice, and guidance. Without a doubt,
these long months working on this project were worth it because of our amazing
partnership. I can’t forget to thank the two other friends who wrote the Microsoft
Forefront Threat Management Gateway Administrator’s Companion with me: Jim
Harrison and Mohit Saxena. They were, without a doubt, the pillars for this writing
career in which I’m now fully engaged. Thanks, guys. To, as Jim says, “da Boyz”:
Tim “Thor” Mullen, Steve Moffat, and Greg Mulholland. You guys are amazing.
Thanks for sharing all the tales.
To my friend Thomas Detzner and all ISA/TMG EMEA engineers (including the
great folks from PFE), thanks for sharing your knowledge and all the partnerships
that we have had over these years. I would also like to say thanks to all my friends
from Microsoft CSS Security (in Texas, North Carolina, and Washington) for sharing
experiences every day, with a special thanks to all the great engineers from
CSS India—you guys are the pillars of this team. Thanks for pushing me with
tough questions and concerns. To all the readers of my articles and blogs, thanks
for all the feedback that you guys share with me. If I keep writing in my spare
time, it is because I know you are reading it. To all the Forefront MVPs, keep up
the amazing job that you guys do. Last, but not least, to my buddies Mohit Kumar,
Alexandre Hollanda, Daniel Mauser, and Alejandro Leal, for your consistent support
throughout the years.

From Tom
As Yuri does, I acknowledge the blessings from God, who took “a fool like me”
and guided me on a path that I never would have chosen on my own. The second
most important acknowledgement I must make is to my beautiful wife, Deb Shinder,
whom I consider my hand of God. Without her, I don’t know where I would
be today, except that I know that the place wouldn’t be anywhere near as good as
the place I am now.
I also want to acknowledge my good friend Yuri Diogenes, my co-writer on
this project. Yuri really held this project together. I had just started working for
Microsoft and was learning about the ins and outs of the Microsoft system, and
I was also taking on a lot of detailed and complex projects alongside the writing
of this book. Yuri helped keep me focused, spent a lot of time pointing me in the
right direction, and essentially is responsible for enabling me to get done what I
needed to get done. I have no doubt that, without Yuri guiding this effort, it probably
never would have been completed.
Props go out to Jim Harrison, “the King of TMG,” as well as to Greg Mulholland,
Steve Moffat, and Tim Mullen. You guys were the moral authority that drove us
to completion. I also want to give a special “shout out” to Mohit Saxena. His TMG
chops and sense of humor also helped us over the finish line.
Finally, I want to thank the operators of ISAserver.org and all the members of
the ISAserver.org community. You guys were the spark that started a flaming hot
career for me with ISA Server and then TMG. You guys are a never-ending inspiration
and a demonstration of the power of community and ways communities can
work together to solve hard problems and share solutions.
Introduction
When we began this project, our intent was to create a real world scenario
that would guide IT professionals in using Microsoft best practices to
deploy Microsoft Forefront Threat Management Gateway (TMG) 2010. We hope
you find that we have achieved that goal. We’ve also included the main deployment
scenarios for Forefront TMG, and we take a deep dive into the installation
process from the RTM version to the Service Pack 1 version.
This book provides administrative procedures, tested design examples, quick
answers, and tips. In addition, it covers some of the most common deployment
scenarios and describes ways to take full advantage of the product’s capabilities.
This book covers pre-deployment tasks, use of Forefront TMG in a Secure Web
Gateway Scenario, software and hardware requirements, and installation and
configuration, using best practice recommendations.

Who Is This Book For?


Deploying Microsoft Forefront Threat Management Gateway 2010 covers the planning
and deployment phases for this product. This book is designed for:
■ Administrators who are deploying Forefront TMG
■ Administrators who are experienced with Windows Server 2008 in general
and with Windows networking in particular
■ Current ISA Server administrators
■ Administrators who are new to Forefront TMG
■ Technology specialists, such as security administrators and network
administrators
Because this book is limited in size and we want to provide you the maximum
value, we assume a basic knowledge of Windows Server 2008 and Windows
networking. These technologies are not discussed in detail, but this book contains
material on both of these topics that relates to Forefront TMG administrative
tasks.

How Is This Book Organized?


Deploying Microsoft Forefront Threat Management Gateway 2010 is written to be
a deployment guide and also to be a source of architectural information related
to the product. The book is organized in such a way that you can follow the steps
to plan and deploy the product. The steps are based on a deployment scenario
for the company Contoso. As you go through the steps, you will also notice tips
for best practices implementation. At the end of each chapter, you will see an
“Administrator’s Punch List,” in which you will find a summary of the main administrative
tasks that were covered throughout the chapter. This is a quick checklist
to help you review the main deployment tasks.
The book is organized into three chapters: Chapter 1, “Understanding
Forefront Threat Management Gateway 2010,” introduces you to the core concepts
of firewalls, perimeter protection, and proxies and guides you through
the use of Forefront TMG as a secure web gateway. Chapter 2, “Installing and
Configuring Forefront Threat Management Gateway 2010,” guides you through
the product’s installation and configuration. Chapter 3, “Deploying Forefront 2010
Service Pack 1,” covers the new features of Service Pack 1 and describes how to
install and configure those features.
We really hope you find Deploying Microsoft Threat Management
Gateway 2010 useful and accurate. We have an open door policy for email at
mspress.tmgbook@tacteam.net, and you can contact us through our personal
blogs and Twitter accounts:
■ http://blogs.technet.com/yuridiogenes and http://blogs.technet.com
/tomshinder
■ http://twitter.com/yuridiogenes and http://twitter.com/tshinder

Support for This Book


Every effort has been made to ensure the accuracy of this book. As corrections or
changes are collected, they will be added to the O’Reilly Media website. To find
Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com.
2. In the Search box, type the ISBN for the book and click Search.
3. Select the book from the search results, which will take you to the book’s
catalog page.
4. On the book’s catalog page, under the picture of the book cover, click
View/Submit Errata.
If you have questions regarding the book or the companion content that are
not answered by visiting the book’s catalog page, please send them to Microsoft
Press by sending an email message to mspinput@microsoft.com.

We Want to Hear from You
We welcome your feedback about this book. Please share your comments and
ideas through the following short survey:
http://www.microsoft.com/learning/booksurvey
Your participation helps Microsoft Press create books that better meet your
needs and your standards.

NOTE We hope that you will give us detailed feedback in our survey. If you
have questions about our publishing program, upcoming titles, or Microsoft
Press in general, we encourage you to interact with us using Twitter at
http://twitter.com/MicrosoftPress. For support issues, use only the email
address shown earlier.
CHAPTER 1

Understanding Forefront
Threat Management
Gateway 2010
■ A History of Perimeter Protection 1

■ Forefront TMG as a Perimeter Network Device 3

■ Forefront TMG as a Secure Web Gateway 8

■ Forefront TMG Role within the Forefront Protection Suite 16

Forefront Threat Management Gateway (TMG) 2010 plays a key role in overall network
protection, helping to secure Web access and Web publishing. Forefront TMG has a
comprehensive set of features that goes beyond the traditional firewall role, focusing
more on the application layer and enhancing network-level protection.

A History of Perimeter Protection


Forefront Threat Management Gateway (Forefront TMG) 2010 is the latest version of
Microsoft’s network firewall, Web proxy and VPN server. Previous versions of the product
included Microsoft Proxy Server 1.0, Proxy Server 2.0, Microsoft Internet Security and
Acceleration (ISA) Server 2000, ISA Server 2004 and ISA Server 2006. The first two versions
of the product, Proxy Server 1.0 and Proxy Server 2.0, were primarily focused on
providing forward proxy capabilities and required that other network firewalls be in
place to protect the Proxy Server-based Web proxy solution.
A major change took place with the introduction of ISA Server 2000. This was the first
version of the product that could be considered an enterprise-ready, network layer firewall.
ISA Server 2000 was the first version of the product to provide both stateful packet
inspection and application layer inspection. However, ISA Server 2000 was built on a
network security model that was popular in the 1990s, namely, the concept of having a
“trusted” internal (corporate) network and an “untrusted” external (public) network.
The problem with ISA Server 2000 was that, as we entered the twenty-first century,
the concept of trusted internal and untrusted external networks was no longer valid.
Studies and reports showed that attacks emanating from internal networks were as dangerous
and destructive as those coming from the outside. To respond to such threats, ISA
Server 2004 was released, which used a new networking model in which no networks were
considered trusted. Out of the box, no network traffic could traverse the ISA 2004 firewall.
Only after the ISA firewall administrator explicitly configured firewall rules could traffic move
through the firewall. In addition, the concept of all networks being untrusted was extended to
VPN client connections, as well as site-to-site VPN gateway links.
Even more significant in the introduction of the ISA 2004 firewall was its ability to perform
stateful packet inspection and application layer inspection over all connections to and
through the firewall. This meant that stateful packet inspection and application layer inspection
was performed on outgoing connections, incoming connections, remote access VPN
connections, and site-to-site VPN connections. This powerful packet and application layer
inspection on all connections was the natural extension of the idea that “no networks can be
trusted.”
The next version of the ISA firewall, ISA Server 2006, was an upgrade focused on Web
publishing, or what is often referred to as “reverse Web proxy.” New features, such as Kerberos-constrained
delegation and advanced two-factor authentication methods, were included
in the 2006 version of the ISA firewall. However, little was done to advance the product’s
outbound access control and security feature set.
This state of affairs turns around significantly with the introduction of the latest version
of Microsoft’s enterprise-grade firewall, Forefront Threat Management Gateway 2010. In
contrast to ISA 2006, major investments have been made to make Forefront TMG the premiere
outbound access control and Web security solution. These investments are seen in the
new features included with the Forefront TMG firewall, some of which include:
■ The Network Inspection System (NIS)
■ Outbound SSL Inspection (outbound SSL-to-SSL bridging)
■ Web anti-malware inspection (antivirus/anti-malware)
■ URL filtering
■ An Advanced Web Access Control policies wizard
These and other new features make Forefront TMG the ideal outbound access solution.
However, in contrast to ISA 2006, in which major investments (in terms of new reverse proxy
features) were made for inbound access control, very little has been done in Forefront TMG
in terms of improvements for inbound access control. The major exception to this is support
for the Secure Socket Tunneling Protocol (SSTP) for remote access VPN client connections
and the addition of NAP Integration. You will not see any other major changes in the Web or
Server Publishing features when moving from ISA 2006 to Forefront TMG.
The reason for Forefront TMG’s focus on outbound access control is that the majority of
inbound access (remote access) effort is going into the Microsoft Forefront Unified Access
Gateway (UAG) 2010. At this point in time, it is expected that Forefront TMG will be used
primarily for outbound access control and network firewall, and UAG will be used for inbound
access (remote access) control.

2 CHAPTER 1 Understanding ­Forefront Threat Management ­Gateway 2010


Forefront TMG as a Perimeter Network Device
The Forefront TMG firewall was built from the ground up to be an edge network firewall.
With powerful stateful packet and application layer inspection features and capabilities, the
ISA firewall, and now the Forefront TMG firewall, have both proven themselves time and again
to be highly resilient to attack. Together they have one of the best track records for security
in the entire firewall industry. This track record is demonstrated by the very small number of
reported security issues found in the ISA or Forefront TMG firewall code when compared to
similar products.
However, Forefront TMG is not only an edge firewall. In fact, it might be more accurate to
think of the Forefront TMG firewall as a “perimeter security device.” As a perimeter security
device, the Forefront TMG firewall fits in nicely in a number of perimeter security scenarios:
■ At the edge of the corporate network
■ As a back-end firewall behind another Forefront TMG firewall or third-party firewall
■ As a parallel firewall on the edge, next to another Forefront TMG or third-party firewall
■ As a network service segment firewall, providing a secure perimeter between client
systems and network services
■ As a multi-homed firewall that acts as the hub between multiple internal and perimeter
networks
You can place Forefront TMG as a network perimeter firewall in any collection of systems
that represents different security zones to protect, record, and report on the traffic moving
between those systems.
As a network perimeter security device, the Forefront TMG firewall can actually act in
one or more of several roles. Both ISA Server and Forefront TMG are often referred to as the
“Swiss Army Knife of network firewalls.” The reason for this is that Forefront TMG can act as
and provide the following services:
■ A network firewall
■ A forward and reverse Web proxy server and a Winsock proxy server
■ A Web caching server
■ A remote access VPN server
■ A Site-to-Site VPN Gateway
■ A secure email gateway

Network Firewall
As a network firewall, Forefront TMG provides protection for itself and for any network behind
the firewall. Forefront TMG uses advanced stateful packet and application layer inspection
capabilities to help secure the traffic that moves to and through the firewall. This helps
ensure that both traditional network layer attacks that were popular in the past and the crop
of application layer attacks that are popular now are blocked by the firewall before they reach
their intended destinations.
As a network firewall, Forefront TMG can be placed on the edge of the network, with
a connection directly on the Internet, or it can be placed behind other firewalls so that it
becomes the perimeter firewall for the network segments that lie behind it. This allows your
Forefront TMG firewall to be the central “choke point” and observe all traffic moving between
secured segments, a duty common to all network firewalls.

Forward and Reverse Proxy, Web Proxy, and Winsock


Proxy Server
Web proxy servers are used to control HTTP and HTTPS connections between two network
hosts. The Forefront TMG firewall can act as both a forward and a reverse proxy server. In
its role as a Web proxy server, the Web proxy client actually sends the request to the Web
proxy server. The Web proxy evaluates the request and, if the request is allowed, recreates the
request on behalf of the requesting client and forwards it to the destination server. The destination
server then replies, and the reply is forwarded to the requesting client. This is typically
referred to as “forward proxy.”
In addition to forward Web proxy services, the Forefront TMG firewall can also provide
reverse proxy services. In this scenario, Forefront TMG accepts HTTP or HTTPS requests from
external hosts. The connection is terminated on the external interface of the Forefront TMG
firewall and inspected. If the connection is allowed, it is recreated on behalf of the external
requesting client and forwarded to the “published” Web server. The published Web server
responds to the request, Forefront TMG intercepts the response, and, if the response is considered
valid, the response is forwarded to the requesting client.

SECURITY ALERT Many types of malware take advantage of SSL to hide themselves
from network security device detection. Attackers are able to take advantage
of SSL to move malware into your network and private corporate data out of your
network, because most perimeter security devices are unable to evaluate the contents
of an SSL-encrypted session.

In both forward and reverse proxy scenarios the Forefront TMG firewall is able to perform
application layer inspection to help ensure that there are no dangerous commands or
payloads in the communication. For forward proxy connections, Forefront TMG is able to take
advantage of its new Web anti-malware capabilities, as well as its URL filtering. Both forward
and reverse proxy scenarios benefit from SSL bridging, which helps prevent exploits from being
hidden within an SSL tunnel. Also, both forward and reverse proxy scenarios support
HTTP protocol inspection, which helps you control the HTTP commands and headers that are
allowed through the TMG Web application firewall.
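The kind of HTTP protocol inspection described above, as an added illustration that is not Forefront TMG's own code: a small Python policy check that parses a raw HTTP/1.1 request and applies an allowed-method list, a URL length cap, a blocked-extension list, a Host-header requirement and a blocked-header list, tried against constructed sample requests to the book's fictitious www.contoso.com. The policy values and the x-debug-token header name are assumptions, not product defaults.

```python
"""Toy HTTP protocol inspection, constructed for illustration.

Assumed policy values (not Forefront TMG defaults): an allowed-method list,
a URL length cap, a header-block size cap, a blocked-extension list and a
hypothetical blocked request header name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpPolicy:
    """Per-rule HTTP inspection settings; all values here are assumptions."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_url_length: int = 2048
    max_header_block: int = 8192
    blocked_extensions: frozenset = frozenset({".exe", ".scr"})
    blocked_headers: frozenset = frozenset({"x-debug-token"})  # hypothetical name


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).

    Raises ValueError for anything that is not a well-formed request, so a
    malformed request is denied rather than guessed at.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def inspect_request(raw: bytes, policy: HttpPolicy = HttpPolicy()):
    """Return (allowed, reason) for one request under the given policy.

    Checks run in the order a proxy would naturally apply them: syntax first,
    then the request line (method, URL), then the headers.
    """
    try:
        method, target, version, headers, _ = parse_request(raw)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(target) > policy.max_url_length:
        return False, "URL exceeds maximum length"
    path = target.split("?", 1)[0].lower()
    if any(path.endswith(ext) for ext in policy.blocked_extensions):
        return False, f"blocked file extension in {path}"
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host header"
    blocked = policy.blocked_headers.intersection(headers)
    if blocked:
        return False, f"blocked header {sorted(blocked)[0]}"
    if len(raw.partition(b"\r\n\r\n")[0]) > policy.max_header_block:
        return False, "header block exceeds maximum size"
    return True, "allowed"


# Constructed sample requests to the book's fictitious www.contoso.com.
SAMPLE_REQUESTS = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
    "long_url": b"GET /" + b"a" * 3000 + b" HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
    "exe_download": b"GET /tools/setup.exe HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "malformed": b"GET /\r\nHost: www.contoso.com\r\n\r\n",
}


def evaluate_all(policy: HttpPolicy = HttpPolicy()):
    """Run every sample through the policy; returns {name: allowed}."""
    return {name: inspect_request(raw, policy)[0] for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        allowed, reason = inspect_request(raw)
        print(f"{name:13s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```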



Web Caching Server
As an extension of its Web proxy feature set, Forefront TMG can perform both forward
and reverse Web caching. In a forward caching scenario, a Web proxy client on a Forefront
TMG-protected network makes a request for content from a Web server by going through
the Forefront TMG firewall. Forefront TMG proxies the request to the destination Web server
and receives the response. Before forwarding the response to the requesting client, Forefront
TMG places the content in its in-memory cache and then moves it to its on-disk cache. After
placing the content in the cache, the content is returned to the requesting client.
Forward caching has the end result of reducing the overall bandwidth used on the Internet
link by providing content from cache instead of from the destination Web server. In addition,
the end-user experience is significantly improved because content is returned at LAN speed
instead of at relatively slow WAN speed.
Reverse caching enables Forefront TMG to cache content requested by external clients
that is returned by published Web servers. In this scenario, the external client makes a request
for content on a Web server on a network protected by Forefront TMG. Forefront TMG intercepts
the request, evaluates it, and then, if it is acceptable, forwards it to the published Web
server. The Web server returns the response, Forefront TMG intercepts it, evaluates it, and
then, for content that is marked as cacheable, Forefront TMG will cache the content in memory,
and subsequently on disk, and forward the response to the external requesting client.

Administrators Insight

The end result of reverse caching is a bit different from that of forward caching
and adds different value. While forward caching reduces overall Internet bandwidth
usage and improves the overall end-user experience, reverse caching has little
effect on Internet bandwidth and no effect on the end-user experience. Instead,
reverse caching enables you to reduce the load on the published Web server, and,
in some scenarios, enables you to allow external users access to content on the published
Web server, even when the Web server is disabled or down for maintenance.
In addition, it can reduce the amount of bandwidth usage on networks between the
TMG firewall and the published Web servers.

Remote Access VPN Server


Forefront TMG has advanced VPN server capabilities that provide you with granular control over what remote access VPN clients can do when they are connected to your network. Forefront TMG can act as a VPN termination point for two types of VPN connections: remote access VPN clients and site-to-site VPN gateway connections.

A remote access VPN client is a client system that uses a network layer VPN protocol to connect to the VPN server. When the remote access client connects to the remote access VPN server, that client has access to resources behind the VPN server. For remote access VPN clients and servers, there is a one-to-one relationship between the client and the server. This is in contrast to the role of the VPN gateway, which is covered in the next section of this chapter.

Forefront TMG as a Perimeter Network Device CHAPTER 1 5

The remote access VPN client has a virtual link layer connection to the corporate network. This provides an experience similar to that seen by hosts that are either physically or wirelessly connected at the corporate network. VPN clients use the Internet as their transport to the corporate network. Once they are connected, VPN client systems can access resources on the corporate network in a way that is similar to the way an on-network host works.

However, VPN clients pose a challenge that you typically do not see for on-network hosts: Most VPN clients are unmanaged clients with unknown security status. Because you don't know how secure or unsecure remote access clients might be, you need to take extra precautions before confidently allowing any host to be a remote access VPN client.
Forefront TMG solves some of the issues related to the questionable security status of a VPN client by enabling the following features:
■ Granular access controls to control the servers and protocols VPN clients can reach. VPN clients can only reach the servers you want them to reach, and can only use the protocols you want them to use when connecting to those servers.
■ Stateful packet and application layer inspection on all traffic moving through the remote access VPN link. This helps prevent exploits from being transferred from a compromised VPN client into the corporate network.
■ User-based access controls on VPN client connections. Because the Forefront TMG firewall is aware of the user context of the connection (based on the user who established the VPN connection), the firewall is able to enable access to servers and protocols and applications based on user name or user group membership.
■ Support for Remote Access Quarantine Control and Network Access Protection (NAP). Remote Access Quarantine Control and NAP enable you to test the security configuration of a remote access VPN client before giving it access to resources on the corporate network. If the remote access VPN client fails to pass security checks, then it may be offered a method of remediation. Only after the remote access VPN client passes your security checks will it be allowed access to resources you've designated on the corporate network.
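To make the interplay of these controls concrete, here is an added example, not code from the book or from Forefront TMG, that evaluates a single VPN client flow against them: the quarantine state is checked first, then an ordered, group-aware rule list with a default deny decides which servers and protocols the user may reach. All host names, group names and clients are hypothetical.

```python
"""Access decision for one remote access VPN client flow.

Added example, not code from the book or from Forefront TMG; all host and group
names are hypothetical. A client that has not passed its health check is held
in quarantine and may reach only the remediation servers; a healthy client is
matched against an ordered, user-group-aware rule list with a default deny.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    groups: Set[str]      # user groups the rule applies to
    servers: Set[str]     # destination hosts the rule covers
    protocols: Set[str]   # application protocols, e.g. "https", "rdp"
    action: str           # "allow" or "deny"


@dataclass
class VpnClient:
    user: str
    groups: Set[str]
    health_passed: bool   # outcome of the NAP / quarantine health check


# Hypothetical remediation hosts a quarantined client may still reach.
REMEDIATION_SERVERS = {"wsus.corp.example", "av-update.corp.example"}

# Hypothetical ordered policy: first match wins, like an ordered firewall rule base.
POLICY: List[Rule] = [
    Rule({"Finance"}, {"erp.corp.example"}, {"https"}, "allow"),
    Rule({"IT-Admins"}, {"erp.corp.example", "dc1.corp.example"}, {"https", "rdp"}, "allow"),
    Rule({"Contractors"}, {"dc1.corp.example"}, {"rdp", "smb", "ldap"}, "deny"),
    Rule({"Contractors", "Finance"}, {"portal.corp.example"}, {"https"}, "allow"),
]


def decide(client: VpnClient, server: str, protocol: str,
           policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for a flow from the VPN client to server:protocol."""
    # Quarantine is evaluated before any access rule: an unhealthy client gets
    # remediation traffic only, whoever the user is.
    if not client.health_passed:
        if server in REMEDIATION_SERVERS and protocol == "https":
            return "allow", "quarantine: remediation traffic only"
        return "deny", "quarantine: health check not passed"
    for rule in policy:
        shared = client.groups & rule.groups
        if shared and server in rule.servers and protocol in rule.protocols:
            return rule.action, f"rule matched on group(s) {sorted(shared)}"
    return "deny", "no matching rule (default deny)"


# Constructed clients, not real connection records.
CLIENTS = {
    "alice": VpnClient("alice", {"Finance"}, health_passed=True),
    "bob": VpnClient("bob", {"Contractors"}, health_passed=True),
    "carol": VpnClient("carol", {"IT-Admins"}, health_passed=False),
}


def run_samples() -> Dict[str, str]:
    """Evaluate a handful of constructed flows and return the action for each."""
    flows = [
        ("alice->erp:https", "alice", "erp.corp.example", "https"),
        ("alice->erp:rdp", "alice", "erp.corp.example", "rdp"),
        ("bob->dc1:rdp", "bob", "dc1.corp.example", "rdp"),
        ("bob->portal:https", "bob", "portal.corp.example", "https"),
        ("carol->dc1:rdp", "carol", "dc1.corp.example", "rdp"),
        ("carol->wsus:https", "carol", "wsus.corp.example", "https"),
    ]
    return {name: decide(CLIENTS[user], server, proto)[0]
            for name, user, server, proto in flows}


if __name__ == "__main__":
    for flow, action in run_samples().items():
        print(f"{flow:20} {action}")
```

Note that carol is a member of the most privileged group yet is denied RDP to the domain controller: quarantine outranks group membership, which is exactly the property the NAP integration is meant to give you. The default deny at the end is what makes "VPN clients can only reach the servers you want them to reach" true for any flow the policy does not mention.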
Forefront TMG supports several network-layer VPN protocols:
■ SSTP
■ PPTP
■ L2TP/IPsec
SSTP support is new in Forefront TMG. With SSTP, users can establish remote access VPN client connections from virtually anywhere. This is made possible by encapsulating the VPN communications in an HTTP header that is secured by SSL. Since almost all firewalls and Web proxies allow outbound access to HTTPS, SSTP clients can establish connections from locations that have port limiting firewalls or Web proxies only. This enables SSTP client connectivity from locations where PPTP and L2TP/IPsec are likely to fail.

6 CHAPTER 1 Understanding Forefront Threat Management Gateway 2010

Site-to-Site VPN Gateway

Remote access VPN clients have a one-to-one relationship with the remote access VPN server. This means that the remote access VPN client has a single connection to the VPN server; that connection is between the client and the remote access VPN server.

In contrast, the site-to-site VPN gateway has a one-to-many relationship with clients. A single remote access gateway link can have many clients behind it. In effect, the remote access gateway is a VPN router that connects to other VPN routers over the Internet. Remote access VPN gateways allow you to create virtual network segments over the Internet. However, unlike internal network segments that are connected by LAN routers and switches, clients on remote networks are connected to the corporate network over the VPN gateway.

For example, suppose you have a network in Dallas and another in Seattle. You want machines on each of the networks to have access to resources on the other network. There are a number of ways you can do this, such as using a dedicated WAN link to connect the offices. The problem with dedicated WAN links is that they're typically slow, expensive, or both. Site-to-site VPN gateways can solve both these problems by using the Internet as a transport and creating a virtual link layer connection between the two networks.

Forefront TMG can be used as a VPN gateway to connect to other Forefront TMG VPN gateways, it can connect to ISA Server VPN gateways, and it can even connect to third-party VPN gateways. Like all other connectivity methods available with Forefront TMG, all connections made through the site-to-site VPN link are exposed to Forefront TMG's stateful packet and application layer inspection mechanisms, which help ensure that connections made over the link are secure and reduce the probability that one office will share exploits with another office.

The same granular access controls that are available for remote access VPN clients are also available when using Forefront TMG as a site-to-site VPN gateway. However, for site-to-site VPN gateway deployments, only the following VPN protocols are available:
■ L2TP/IPsec
■ PPTP
■ IPsec tunnel mode
L2TP/IPsec is usually the preferred method because it provides the best performance and manageability features. PPTP is preferred at times, because it requires a low overhead to get a solution working, while IPsec tunnel mode should be reserved for situations in which you want to connect the Forefront TMG VPN gateway to a third-party VPN gateway.



Secure Email Gateway
Forefront TMG introduces an entirely new feature set that is part of its email gateway solution. If you are an experienced ISA Server administrator, you might remember that previous versions of the ISA firewall had what was called the "SMTP Message Screener." The SMTP Message Screener provided some rudimentary email support by allowing you to control which email messages were allowed through the ISA firewall to a published SMTP server. Areas of control revolved around keywords, attachment names and extensions, and source and destination user names or domains.

The SMTP Message Screener was included with ISA Server 2000, but was dropped in subsequent versions of the product. SMTP email hygiene support returns with Forefront TMG. However, instead of a basic solution like that provided by the SMTP Message Screener, Forefront TMG offers a powerful, enterprise-ready email security solution in its role as an SMTP email gateway. The Forefront TMG email gateway feature is powered by the Edge Transport Server role of Exchange Server 2010 together with Microsoft Forefront Protection 2010 for Exchange Server. The Edge Transport Server role provides key features, such as connection filtering and spam detection, while the Forefront Protection for Exchange (FPE) components protect against malware or other dangerous code entering or leaving your network.

In addition to providing an on-premises solution for email hygiene, the Forefront TMG Secure Email Gateway role can inspect email moving both inbound to your corporate email servers and outbound to other mail servers. Thus, the solution protects you from exploits carried out by others and protects others from exploits that might originate within your organization.
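The four kinds of control the Message Screener offered (keywords, attachment names and extensions, and source and destination users or domains) are still the baseline any email gateway has to implement before the richer Edge Transport and FPE checks run. The following is an added example, not code from the book, ISA Server or Forefront TMG, that applies such a policy to a parsed RFC 5322 message using Python's standard `email` package; the policy values, addresses and sample messages are all constructed.

```python
"""Message screening in the style of the ISA Server SMTP Message Screener.

Added example, not code from the book, ISA Server or Forefront TMG; the policy
values are hypothetical. It applies keyword, attachment-extension, sender-domain
and recipient controls to a parsed message and returns the findings, so a
gateway could reject or quarantine the message rather than relay it.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import Dict, List

# Hypothetical policy, not Forefront TMG or ISA Server defaults.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta"}
BLOCKED_SENDER_DOMAINS = {"spam.example"}
BLOCKED_RECIPIENTS = {"ceo@corp.example"}     # e.g. no direct external mail to this mailbox
KEYWORDS = {"wire transfer", "urgent payment"}


def screen(raw: bytes) -> List[str]:
    """Parse one message and return every policy finding (empty list means clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # Source and destination controls: sender domain and recipient addresses.
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain blocked: {sender_domain}")
    header_values = [str(msg.get("To", "")), str(msg.get("Cc", ""))]
    for _, addr in getaddresses(header_values):
        if addr and addr.lower() in BLOCKED_RECIPIENTS:
            findings.append(f"recipient blocked: {addr.lower()}")

    # Keyword control over the subject and the text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    for keyword in sorted(KEYWORDS):
        if keyword in text:
            findings.append(f"keyword found: {keyword}")

    # Attachment name control: the final extension decides, so "invoice.pdf.exe"
    # is caught even though it looks like a PDF at first glance.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            findings.append(f"attachment extension blocked: {name}")
    return findings


def build_message(sender: str, to: str, subject: str, body: str,
                  attachment_name: str = "") -> bytes:
    """Construct a sample message (not captured mail) for exercising the screen."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # Constructed placeholder bytes, not a real file.
        m.add_attachment(b"placeholder attachment content",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


# Constructed sample messages.
SAMPLES = {
    "clean": build_message("alice@partner.example", "bob@corp.example",
                           "Q3 report", "Numbers attached.", "report.pdf"),
    "double-extension": build_message("alice@partner.example", "bob@corp.example",
                                      "Invoice", "See attached.", "invoice.pdf.exe"),
    "fraud-lure": build_message("finance@spam.example", "bob@corp.example",
                                "Urgent payment", "Please make a wire transfer today."),
    "direct-to-ceo": build_message("news@partner.example", "ceo@corp.example",
                                   "Newsletter", "Hello."),
}


def run_samples() -> Dict[str, List[str]]:
    """Screen every sample and return its findings."""
    return {name: screen(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:17} {findings or 'clean'}")
```

The same `screen` function serves both directions the text mentions: run it on inbound mail to protect your own users, and on outbound mail so that a compromised internal mailbox cannot push blocked attachments to other organisations. The screen is deliberately content-level only; connection filtering and malware scanning, which the Edge Transport and FPE components add, operate on different inputs.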

Administrator Insight

Many administrators have been told that the Exchange Edge Server role is not supported on domain member machines. While this is a strong recommendation of the Exchange Server team, because the Exchange Edge Server doesn't have an advanced firewall installed on it, the scenario changes when the Exchange Edge Server role is installed on the TMG firewall. In this case, it is safe to make the TMG firewall that hosts the Exchange Edge Server role a domain member.

The following sections provide more detail about some of the features included in Forefront TMG that weren't available in ISA Server.

Forefront TMG as a Secure Web Gateway

Forefront TMG has capabilities that can be used in many edge scenarios, as explained earlier in this chapter. One of the strongest and most commonly used scenarios for Forefront TMG is the secure Web gateway. There are many challenges in the secure Web access area and
