Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor

Agenda 2  First session:  Module 1 – Overview  Module 2 – Setup & Deployments  Second session:  Module 3 – URL filtering (URL-F)  Module 4 – Edge Malware Protection (EMP)  Third session:  Module 5 – HTTPS Inspections  Module 6 – ISP Redundancy (ISP-R)  Module 8 – NAT Enhancement

Threat Management Gateway 2010 Module 1 - Overview

TMG & UAG Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures Protection Access

TMG New Features HTTP Antivirus/ antimalware URL Filtering HTTPS forward inspection Secure Web Access VoIP traversal (SIP) Enhanced NAT ISP Link Redundancy Firewall Exchange Edge/FPE integration Anti-Virus Anti-spam Protection Network Inspection System (NIS) Security Assessment and Response (SAS) Intrusion Prevention NAP integration with VPN role SSTP Remote Access Array Management Scenario UI & Wizards Change tracking Enhanced reporting W2K8, native 64-bit Deployment & Management Update Center : HTTP: AV+URL Filtering AV+Anti-Spam NIS signatures Subscription Services 5

Network firewall Application firewall Internet access protection (proxy) Basic OWA & SharePoint publishing IPSec VPN (remote & site-to-site) Web caching, HTTP compression Web anti-virus, anti malware URL filtering anti-malware, anti-spam Network intrusion prevention TMG Features Summary ISA 2006 TMG 2010 New New New New Integration with codename “Stirling” New Enhanced UI, management, reporting New Exchange publishing (RPC over HTTP) Windows Server 2008, 64-Bit (only) New

Threat Management Gateway 2010 Module 2 – Setup & Deployments

TMG versioning

Upgrading from SE to EE  A valid EE product key is required

Setup

Deployments scenarios  Standalone server  Servers in a Standalone array Standalone array  Enterprise arrays FW storage FW storage FW Array manager EMS FW Array1 Array2 Array managed EMS

Standalone Server  This is the default deployment after a fresh install of TMG SE & EE  Uses the local configuration storage (AD LDS instance)  Keeps a local copy of storage (Registry)

Servers in a Standalone Array  New type of deployment introduced in TMG 2010  Configuration storage is located on the member designated as Array Manager.  The others members (array managed) access storage on the manager  Each Array members (manager & managed) keep a local copy of the storage (registry)  A standalone array cannot be managed by an EMS

Servers in Standalone Array  For recovery purpose, a managed Server can be designated as the new manager

Enterprise  An enterprise deployment includes one or more Arrays  The Enterprise configuration is stored in an Enterprise Management Server (EMS). The EMS is an AD LDS instance  EMS is not supported either on Domain Controller or TMG  For fault tolerance there can be multiple EMS Servers configured for replication, up to 15 (domain mode only)  In workgroup mode, there can be only one EMS (same limitation than ISA) using Server certificate (SSL)  Each Array member keeps a local copy of the storage (registry)

Transition States FW storage FW storage EMS FW storage Standalone Server Enterprise array Servers in Standalone array Standalone Server FW Setup Array manager Array managed Join array Disjoin array

Joining an Array  A TMG Server running Enterprise Edition can join an array (Standalone, EMS) at any time

Joining an Array (Standalone Array)  AD LDS will be disabled on TMG managed server

Joining an Array (EMS)  AD LDS will be disabled on TMG nodes.

Disjoining a server from an array  Disjoining a server from an array returns the server as a standalone server using its local storage (as if it was a fresh install)

Standalone server managed by EMS  Example of a standalone server managed by an EMS  Administrator can then define Enterprise or Array policies that will apply to the standalone

Demo

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.