Ronald Beekelaar Beekelaar Consultancy Intelligent Application Gateway (IAG) 2007.
2 Introductions
Presenter
- Ronald Beekelaar
- MVP Windows Security
- MVP Virtual Machine Technology
Work
- Beekelaar Consultancy
- Security consultancy: Forefront, IPSec, PKI
- Virtualization consultancy: create many VM-based labs and demos

3 Agenda
- History – SSL VPN
- SSL VPN Connections: Web, Non-Web, "VPN"
- Portal / Applications
- Endpoint Policies
- Authentication / Authorization

4 A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management
- Edge: Intelligent Application Gateway 2007
- Client and Server OS
- Server Applications

5 IAG - Appliance

6 IAG 2007
Supports all Applications with SSL VPN
- Web, Client/Server, File Access
- Homegrown or 3rd party (Citrix, IBM, Lotus, SAP, PeopleSoft…)
Designed for Managed and Unmanaged Users and Devices
- Automatic detection of user system, software, configuration
- Access policies according to device "security state"
- Delete temp files and data traces from unmanaged locations
Drives Productivity with Application Intelligence
- Apply policy at granular App Feature levels
- Dynamically control application data for desired functionality
- SSO with multiple directories, protocols, and formats
- Fully customizable portal and user interface

7 Allow secure remote access from trusted and untrusted client computers
- All connections over TCP port 443 (SSL)
- Access starts through a Web Portal
  - Authenticates to AD
  - Contains list of applications
  - Click each application to access

8 Web Applications
- Normally uses port 80/443
- Browser-based
Port/socket forwarding
- Normally uses non-web ports, but is tunneled in 443
- ActiveX control, browser-based
Network Connector
- All protocols and all ports, but tunneled in 443
- Real "VPN": client receives new IP address

9 IAG client components check client computer security settings
- Client computer is called "endpoint"
Based on endpoint state, you define Endpoint Policies to allow:
- Access to Web Portal
  Example: do not even ask for credentials on untrusted client computer
- Access to certain applications on Web Portal
  Example: hide Network Connector option on untrusted client computer
- Access to certain features of applications
  Examples: block SPS uploads; disallow OWA attachments

10 A Little History
The Problem: With the growing prevalence of internet connectivity, enterprises required platforms to provide remote access for employees, partners and customers in a secure way.
The Solution?
- 1st attempt: Dialup remote access, which proved too costly and offered a limited user experience.
- 2nd attempt: Limited use of reverse proxies to publish web-based applications.
- 3rd attempt: IPSec VPN makes the leap to user remote access (IPSec VPN was first developed for site-to-site connectivity).

Reverse Proxy
- Diagram: Web Server and DNS Server behind ISA Server
- For each incoming request ISA Server asks: Is the request allowed? Is the protocol allowed? Is the destination allowed?
- ISA Server calls this "Publishing"

Reverse Proxy
- Diagram: Web Server and DNS Server behind ISA Server
- Publishes web apps for use from anywhere
- Handles pre-authentication, application filtering, SSL encryption at the edge
However:
- Does not handle non-web (client/server) applications
- Does not scale when publishing numerous web applications

13 IPSec VPN
- Full network connectivity from authorized devices
- Quarantine features available for non-compliant clients
- Unmanaged clients have no access
However:
- Increasingly difficult to manage on a large scale given the variety and complexity of IPSec clients
- Blocked by (outgoing) firewalls
Diagram: Remote User – Internet – ISA – Corpnet (Active Directory, IAS RADIUS, Quarantine)

14 Terminal Services Solution
- Built into Windows Server; expandable with 3rd party solutions (Citrix and others)
- Offers a complete desktop user experience or integrated applications
- Centralized server-based solution
- Typically limited deployments given server computing requirements
Diagram: Central Location serving Mobile Worker in Airport, Branch Office, Home Office

15 A Little History – IPSec Dominates
Introduces the following limitations:
- Potential security exposure by extending the network
- Limited functionality from firewall/NAT'ed networks
- Client grows to accommodate more security functionality (virus inspection, split tunneling control, etc.)
- Client becomes difficult to roll out:
  - Requires administrative installation
  - Clashes with other IPSec and security software
  - Not very user friendly
Result:
- Enterprises limit usage to "road warriors" and managed PCs
- TCO is high and ROI limited

16 A Little History – SSL VPN is Born
Promises to offer similar functionality for:
- Any user
- Any location
- Any application
Delivers on lower TCO
- Introduces new security considerations as clients are now unmanaged
- First wave of development is focused on connectivity
- Current wave is focused on Application Intelligence

17 SSL VPN – Building Blocks
SSL VPN solution comprised of:
- Tunneling – transferring web and non-web application traffic over SSL
- Client-Side Security – security compliance check, cache cleaning, timeouts
- Authentication – user directories (e.g. Active Directory), strong authentication support, Single Sign-On
- Authorization – allow/deny access to applications
- Portal – user experience, GUI
Diagram: SSL VPN Gateway (Management, Authentication, Authorization, Portal, Tunneling, Security) between the Client and the Applications (Web, Simple TCP, Other non-Web)

18 SSL VPN Tunneling (3x)
- Web applications: that's easy, it just uses HTTPS
- Non-Web applications: Port/socket Forwarding
  - Uses SSL-Wrapper client component
  - Example: Terminal Server – tunnel RDP in HTTPS
- Network Connector: Full Network Access
  - Uses Network Connection client component
  - Client gets additional IP address
Diagram: breadth of locations, from Corporate laptop and Home PC to Customer/Partner PC and Internet kiosk ("Anywhere" level), mapped against Web Proxy, Port/Socket Forwarder and Network Connection

19 Demo Environment

20 Application Protection
Access Policies
- Allow/deny functions within application (e.g. SharePoint attachment Upload/Download based on endpoint compliance)
Application Firewall: Protecting the Application
- Predefined positive logic rule sets
Single Sign On
- Knowledge about required application login methods
Session Cleanup Agent
- Clears application specific cache (e.g. SharePoint Offline folder)
Protecting the Network Session
- Ignores background polling commands for the timeout calculation; adds a secure logoff button where absent
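The session-protection point above (a browser polling in the background must not keep an idle session alive) worked through as an added Python example; this is not IAG code, and the polling paths, timestamps and idle limit are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed: request paths that the gateway's application definition marks as
# background polling (e.g. a webmail client's new-mail check). Constructed.
BACKGROUND_POLL_PATHS = {"/owa/poll", "/keepalive"}

def is_background_poll(path: str) -> bool:
    """True for requests the browser sends on its own, with no user present."""
    return path.split("?", 1)[0].lower() in BACKGROUND_POLL_PATHS

def run_session(requests: List[Tuple[datetime, str]], idle_limit: timedelta,
                ignore_polls: bool) -> List[str]:
    """Replay (timestamp, path) requests through one session and return
    'ok' or 'expired' per request. Once expired, the session stays expired
    (the gateway would redirect to the logon page; re-logon is not modelled)."""
    last_user_activity = None
    expired = False
    results = []
    for ts, path in requests:
        if last_user_activity is not None and ts - last_user_activity > idle_limit:
            expired = True
        if expired:
            results.append("expired")
            continue
        results.append("ok")
        # Only user-driven requests move the inactivity clock forward
        if not (ignore_polls and is_background_poll(path)):
            last_user_activity = ts
    return results

def compare(idle_minutes: int = 15) -> Dict[str, List[str]]:
    """Constructed trace: one user request, then a browser left open polling
    every minute for 20 minutes, then the user returns after 25 minutes."""
    t0 = datetime(2007, 6, 1, 9, 0)  # constructed timestamp
    trace = [(t0, "/owa/")]
    trace += [(t0 + timedelta(minutes=m), "/owa/poll") for m in range(1, 21)]
    trace.append((t0 + timedelta(minutes=25), "/owa/?ae=Item"))
    limit = timedelta(minutes=idle_minutes)
    return {"polls_ignored": run_session(trace, limit, True),
            "polls_counted": run_session(trace, limit, False)}

if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, "-> final request:", outcome[-1])
```

With polling ignored the session expires 15 minutes after the last real click and the returning user is sent back to logon; with polling counted the unattended browser keeps the session alive indefinitely.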

21 Endpoint Policies
Checks health of Endpoint
Policies:
- Session policy
  - Endpoint certification
  - Privileged endpoint
- Application policy
  - Access to applications (hide or disable on portal)
  - Access to functionality within applications
  Example: Block SharePoint upload from unsafe client

22 Application Aware Platform
Diagram: SSL VPN Gateway layers – Client; High-Availability, Management, Logging, Reporting, Multiple Portals; Authentication; Authorization; User Experience; Tunneling; Security; Applications
- Applications Knowledge Center: OWA, Citrix, SharePoint, …
- Devices Knowledge Center: PDA, Linux, Windows, MAC, …
- Application Aware Modules: Specific Applications (Web, Client/Server, Browser Embedded: Exchange/Outlook, OWA, SharePoint, Citrix) and Generic Applications
- Application Definition Syntax/Language, Application Modules
- Endpoint detection and application intelligence

23 Endpoint Detection
- Out of the box support for over 70 variables of detection, including:
  - Antivirus
  - Antimalware
  - Personal Firewall
  - Desktop Search/Index Utilities
  - And much more…
- Easy to configure GUI that allows simple management of policies
- Extended GUI for manual editing and modification of policies
- Leverage Windows Shell Scripting to create *any* policy and inspect for *any* client side variable
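The three policy tiers described on slides 9, 21 and 23 (portal access, application visibility, features inside an application) worked through as an added Python example; it is not IAG code or IAG's policy language, and the detection variables, level names and the mapping from level to decision are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Endpoint:
    """Result of endpoint detection: a constructed subset of the variables
    the deck lists (antivirus, personal firewall) plus a managed-device flag."""
    antivirus: bool
    personal_firewall: bool
    managed: bool  # assumption: corporate-owned device, e.g. domain-joined

# Applications published on the portal in the demo (slide 31)
ALL_APPS: List[str] = ["OWA", "SharePoint", "RDP", "Network Connector"]

def classify(ep: Endpoint) -> str:
    """Session policy: map detection results to a level. First match wins,
    so the strictest requirement is tested first."""
    if ep.managed and ep.antivirus and ep.personal_firewall:
        return "privileged"          # trusted, managed device
    if ep.antivirus and ep.personal_firewall:
        return "certified"           # healthy but unmanaged device
    return "untrusted"

def evaluate(ep: Endpoint) -> Dict[str, object]:
    """Apply the three policy tiers to one endpoint and return the decisions."""
    level = classify(ep)
    # Tier 1, portal access: untrusted endpoints are not even shown the logon page
    if level == "untrusted":
        return {"level": level, "logon_allowed": False,
                "applications": [], "features": {}}
    # Tier 2, application visibility: the Network Connector hands the client a
    # real IP address on the corpnet, so it is hidden from every unmanaged device
    applications = [app for app in ALL_APPS
                    if app != "Network Connector" or level == "privileged"]
    # Tier 3, features inside applications: data may only land on managed devices
    features = {
        "sharepoint_upload": level == "privileged",
        "owa_attachments": level == "privileged",
    }
    return {"level": level, "logon_allowed": True,
            "applications": applications, "features": features}

if __name__ == "__main__":
    for ep in (Endpoint(True, True, True), Endpoint(True, True, False),
               Endpoint(False, True, False)):
        print(ep, "->", evaluate(ep))
```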

24 Attachment Wiper
- Clears the browser's cache upon session termination
- Process does not require user initiation
- Optimizers integrate logic to identify and scrub custom caches
- Supports custom scripts for custom file cleaning
Removes:
- Downloaded files and pages
- Cookies
- AutoComplete form contents
- History information
- AutoComplete URLs
- Any user credentials
Triggers:
- User logoff
- Browser crash
- Inactivity timeout
- Browser closure
- Scheduled logoff
- System shutdown
Security Policy:
- Allows for "Can't Wipe – Can't Download" policy
- Allows fall back policy to "no-cache" tag mechanism

25 Security Concerns
- Authentication – Who are you?
- Strong Authentication – Are you really him/her?
- Authorization – What can you access?
- Transport Security – Can they hear?
- Application Security – Should you be doing that?
- End Point Security – From there?
- Information Safeguard – Should this be left around?
- Session Security – How long can you do this for?

26 Single Sign-On
- No need for directory replication or repetition
  - Alternative approaches require a local repository
- Transparent Web authentication
  - HTTP 401 request
  - Static Web form
  - Dynamic browser-sensitive Web form
- Integrates with…
  - Password change management
  - User repositories

27 User Specific Portal
- Manages access of employees, partners & customers from anywhere to corporate business applications
- More than one Portal page can be published per appliance
  - Each is based on a unique IP and host name
  - Each can present a completely unique user experience, including look and feel, applications, authentication and authorization
- Extends the business beyond the borders of the network
- Implements corporate policies without weakening security
- Leverages existing investments in software infrastructure and applications
- Ensures maximum functionality based on endpoint profile
- Based on SSL VPN access platform
  - Leverages the Web browser to allow universal access
  - Provides a broad range of connectivity options
Diagram: four portals on one appliance – IT Support Center (support.xyz.com; Username, Password, Token), Employee Portal (portal.xyz.com; Username, Password, Token), Partner Extranet (extranet.xyz.com; Username, Password), e-Commerce (shopping.xyz.com; Username, Password)

28 How to Setup
- Setup appliance
- Create trunk
- Add applications
- Define endpoint policies
- Customize

29 Setup Appliance
- Unpack appliance and put into rack
- Attach external and internal network
- Define IP and DNS settings
- Add routes to internal network if needed
- Define ISA "Internal" network
- Join domain if needed
  - Required for Kerberos Constrained Delegation (SP1)

30 Create Trunk
- Create trunk (= Web portal)
- Define IP address for Trunk
- Configure authentication server
- Import certificate for each trunk
- Create "redirect" trunk (= http to https)

31 Add Applications
- Add applications
  - OWA
  - SharePoint
  - RDP
  - VPN (network connector)
- Test access

32 Define Policies
- Define endpoint policies
- Assign to access and functions
- Test access

33 Customize
- Customize look and feel
  - Change colors
  - Change text on portal
- Or…
  - Create advanced endpoint policies
  - Define custom authentication
  - Etc…