Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |

Published byDustin Malone Modified over 9 years ago

Similar presentations

Presentation on theme: "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |"— Presentation transcript:

1 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | ondrej@sevecek.com | www.sevecek.com |

2 Web Application Proxy

3 Threat Management Gateway  Forward HTTP/S proxy  Kerberos SSO authentication  user/group based rules and logging  HTTPS inspection  Reverse HTTP/S proxy  TLS/SSL endpoint  HTTPS inspection  Basic, Forms, TLS certificate, AD FS authentication  Kerberos constrained delegation  Stateful firewall  IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP

4 Web Application Proxy  Forward HTTP/S proxy  Kerberos SSO authentication  user/group based rules and logging  HTTPS inspection  Reverse HTTP/S proxy  TLS/SSL endpoint  HTTPS inspection  Basic, Forms, TLS certificate, AD FS authentication  Kerberos constrained delegation  Stateful firewall  IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP

5 HTTP/S Client TMG forward proxy HTTP/S Server TMG Proxy DC HTTP/S Client HTTP/S Client NAT HTTP/S Client

6 Exchange OWA TMG/WAP reverse proxy Browser HTTP/S Client TMG DC Web CRM Share Point GUI HTTP/S Client NAT TLS Cert

7 Exchange OWA Perimeter authentication + auth. forwarding Browser HTTP/S Client TMG DC Web CRM Share Point GUI HTTP/S Client NAT

8 TLS client certificate authentication  TLS session establishes first  Without client certificate no HTTP inside  No password guessing  Certificates mapped to user accounts

9 Web Application Proxy

10 Network Access Technologies  VPN  SMB/SQL/LDAP/DCOM sensitive to RTT  Remote Desktop  no clipboard, no file proliferation  limited malware surface  802.1x  WiFi or Ethernet  no encryption, authorization only  DirectAccess  GPO managed IPSec tunnel over IPv6  Web Application Proxy  HTTPS reverse proxy for web applications

11 RDP VPN Scenario VPN Client VPN Gateway DC FS SQL RADIUS NAT Share Point

12 RDP DA Scenario DA Client DA Server DC FS SQL RADIUS NAT Share Point

13 Wks RDP RDP Scenario RDP Client RDP Gateway DC FS SQL RADIUS NAT Share Point Wks

14 RDP 802.1x WiFi Scenario WiFi Client DC FS SQL RADIUS WiFi AP Share Point

15 RDP 802.1x Ethernet Scenario Wks DC FS SQL RADIUS Switch Share Point Wks Printer

16 AD FS Proxy Exchange WAP Scenario Web Browser or GUI client Web Application Proxy DC Web Lync AD FS NAT Share Point

17 VPN Compared ProtocolTransportClientRRAS Server Server Requirements PPTP TCP 1723 IP GRE MS-DOS and newer NT 4.0 and newer- - L2TP UDP 500, 4500 IP ESP NT 4.0, 98 and newer 2000 and newer IPSec certificate public name Public IP IPSec machine certificate SSTP TCP 443 TLS Vista/2008 and newer 2008 and newer TLS certificate public name - IKEv2 UDP 500, 4500 IP ESP 7/2008 R2 and newer 2008 R2 and newer IPSec certificate public name Public IP IPSec machine certificate

18 VPN Compared ProtocolTransportClientRRAS Server Server Requirements RD Gateway TCP 443 TLS RDP Client 6.0 and newer 2008 and newer TLS certificate public name - DirectAccess IPSec inside IPv6 inside TCP 443 TLS or Teredo/6-to-4 7/2008 R2 Enteprise IPv6 enabled, GPO 2012 and newer IPSec certificate TLS certificate public name IPSec machine certificate Web Application Proxy HTTPS web browser GUI web client (office) 2012 R2 and newer WAP and AD FS server TLS certificate public name TLS certificate for AD FS public name

19 Web Application Proxy

20 AD FS Proxy Names and certificates Web Browser or GUI client Web Application Proxy DC AD FS Share Point http://intranet https://adfs.gopas.cz https://intranet.gopas.cz NAT

21 AD FS Proxy Service accounts Web Browser or GUI client Web Application Proxy DC AD FS Share Point sp-intranet-web Network Service svc-adfs Network Service NAT

22 AD FS Proxy Windows authentication with passwords - overview Web Browser or GUI client Web Application Proxy DC AD FS Share Point Forms Basic POST Cookie NAT Kerberos Exchange

23 AD FS Proxy Windows authentication with passwords - #1 Web Browser or GUI client Web Application Proxy DC AD FS Share Point Exchange NAT Redirect 307

24 AD FS Proxy Windows authentication with passwords - #2 Web Browser or GUI client Web Application Proxy DC AD FS Share Point Exchange Forms Basic POST NAT

25 AD FS Proxy Windows authentication with passwords - #3 Web Browser or GUI client Web Application Proxy DC AD FS Share Point Exchange NAT Claims Redirect 302

26 AD FS Proxy Windows authentication with passwords - #4 Web Browser or GUI client Web Application Proxy DC AD FS Share Point Exchange NAT Claims Kerberos Cookie

27 AD FS Proxy Windows authentication with passwords - #5 Web Browser or GUI client Web Application Proxy DC AD FS Share Point Exchange NAT 200 OK Cookie

28 AD FS Proxy Windows authentication with TLS client certificate Web Browser or GUI client Web Application Proxy DC AD FS Share Point Cookie NAT TLS Client Certificate Kerberos Exchange TLS Client Certificate TCP 49443

29 AD FS Proxy Claims authentication Web Browser or GUI client Web Application Proxy DC AD FS Share Point Forms Cookie NAT Claims Exchange Basic POST TLS Client Certificate Cookie Claims

30 Web Application Proxy

31 Long journey yet?  Basic only with pass-through  deprecated since AD FS 2.0  no Basic fallback (GUI clients)  No selection intranet/extranet  No persistent cookies  always the web page regardless of client (GUI)  AD FS native support since Exchange 2013 SP1  AD FS native support since SharePoint 2010  no WebDAV support  No inspection

Download ppt "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Direct Access 2012 Chad Duffey and Tristan Kington Microsoft Premier Field Engineering WSV333.

Direct Access 2012 Chad Duffey and Tristan Kington Microsoft Premier Field Engineering WSV333.
Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Defining Network Infrastructure and Security

Defining Network Infrastructure and Security
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |
Adwait JoshiJim Harrison Sr. Product ManagerProgram Manager Microsoft Corporation SESSION CODE: SIA308.

Adwait JoshiJim Harrison Sr. Product ManagerProgram Manager Microsoft Corporation SESSION CODE: SIA308.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.

Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.
Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft.

Microsoft Windows 7 Security Ronen Gottlib, CISSP Information Security Lead Microsoft.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Ronald Beekelaar Beekelaar Consultancy Intelligent Application Gateway (IAG) 2007.

Ronald Beekelaar Beekelaar Consultancy Intelligent Application Gateway (IAG) 2007.
Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.

Threat Management Gateway 2010 Questo sconosciuto? …ancora per poco! Manuela Polcaro Security Advisor.
Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.

Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.
Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |

Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Similar presentations

Ads by Google