Mohit Saxena, Microsoft Corporation

Transcript of TechDays 2009 session SEC380 (download.microsoft.com/documents/hk/technet/techdays2009/SEC380.pdf)

Mohit Saxena, Sr Technical Lead, Microsoft Corporation (SEC 380)


Secure Web Gateway (SWG)

Web Client Protection Scenario

HTTP Malware Inspection

HTTPS Traffic Inspection

URL Filtering


HTTPS Traffic Inspection

[Diagram: Contoso.com certificate signed by TMG on the internal side; Contoso.com certificate signed by VeriSign on the Internet side]

• Proxy certificate generation/import and customization
• Exclusion list (Validate only option)
• Logging support
• Web Access Wizard integration
• Deployment options (via Group Policy or via Export)
• Client notifications about HTTPS inspection (via Firewall Client)
• Certificate validation (revocation, trust, expiration validation, ...)




URL Filtering Topology

Example URL: www.contoso.com/somepath/anotherpath

Lookup hierarchy:
• com
• contoso.com
• www.contoso.com
• www.contoso.com/somepath
• www.contoso.com/somepath/anotherpath

Category per level:
• com – unknown
• contoso.com – “general business”
• www.contoso.com – unknown
• www.contoso.com/somepath – “gambling” (not inherited)
• www.contoso.com/somepath/anotherpath – “phishing”

Resulting categories for the URL:
• Phishing
• General business
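The lookup the slide walks through, as an added Python example (not TMG code): the category table is constructed to match the slide, and the rule that a level's category applies to everything beneath it unless marked not-inherited is inferred from the slide's result, not taken from TMG documentation.

```python
"""Resolve URL-filtering categories by walking the URL hierarchy.

Added example, not TMG code. Semantics inferred from the slide: each
level of the hierarchy (TLD, domain, host, path prefixes) may carry a
category; a category applies to all longer URLs beneath it unless it
is flagged not-inherited, in which case only an exact match gets it.
"""
from urllib.parse import urlsplit

# Constructed category table keyed by hierarchy level (no scheme).
# Value: (category, inherited_by_longer_urls). Missing keys are "unknown".
CATEGORY_TABLE = {
    "contoso.com": ("general business", True),
    "www.contoso.com/somepath": ("gambling", False),
    "www.contoso.com/somepath/anotherpath": ("phishing", True),
}


def hierarchy(url: str) -> list:
    """Return lookup keys from least to most specific, as on the slide."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    labels = host.split(".")
    # com, contoso.com, www.contoso.com
    keys = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    # then each path prefix: host/somepath, host/somepath/anotherpath
    segments = [s for s in parts.path.split("/") if s]
    for i in range(1, len(segments) + 1):
        keys.append(host + "/" + "/".join(segments[:i]))
    return keys


def categorize(url: str, table=CATEGORY_TABLE) -> list:
    """Collect the categories that apply to url; unknown levels add nothing."""
    keys = hierarchy(url)
    result = []
    for key in keys:
        entry = table.get(key)
        if entry is None:
            continue  # "unknown" level
        category, inherited = entry
        exact = key == keys[-1]
        if inherited or exact:  # not-inherited entries need an exact match
            result.append(category)
    # Most specific category first, matching the slide's result ordering
    return list(reversed(result))
```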


URL category usage

URL category information is used for:
• Rules (Allow/Deny rules according to category)
• Log
• EMP exclusion list
• HTTPS exclusion list


MRS – Microsoft Reputation Services

Aggregate reputation data from multiple vendors

“In the cloud” delivery service to return reputation data

Use telemetry in order to improve data accuracy

[Diagram: MRS aggregates data from IE Security, iFilter and Marshal 8e6]


Data Quality

Currently URLF data comes from:
• iFilter
• IE security data
• Marshal 8e6


Caching

Stored at ISA_INSTALL_DIR\UrlFiltering\UrlfCache.bin

Read when service starts

Persisted when service goes down

If erased, the service starts with an empty cache

Max size is 200 MB


What is included in RC

• Change protocol with MRS
  • Will improve the cache hit ratio of unknowns
  • Will decrease network overhead
• Telemetry package
  • Collect URL samples
  • Collect user overrides list
  • Collect coverage data
• Alerts
• Diagnostic Logging
• Licensing


Feature Overview

High availability of Internet connectivity: ensure Internet connectivity is not lost even when one Internet service provider (ISP) is down

Scenarios:

• Failover: use a pay-by-traffic connection as backup; the backup link should be used only when the primary link is unavailable
• Load balancing: use a fixed price connection; use the aggregated links to mutually back up each other in cases where one of the ISPs loses Internet connectivity


How does ISP-R work

Administrator identifies the two ISP gateways

Organization signs up with two different ISP links; an ISP link is identified by the ISP gateway and the gateway subnet

This enables TMG to support array configuration, since it doesn’t require a per-server configuration. This implies each server should have an external local IP on each of the gateways’ subnets.

TMG Server uses the ISP subnet information to direct traffic to each of the ISPs


Points to Remember

ISP Redundancy configuration is only supported on the “Default External” network

We assume the feature is used for high availability to the internet

The existing wizard is mainly targeted for a configuration in which each ISP has a dedicated NIC on the TMG server.

• Requires 2 subnets on the external NIC for it to function
• Need unique IP address on External NIC
• Default route to each ISP must exist
• Only works for NAT relation


How Routing is Enforced

Routing Enforcement: enforces that ISP routes are used instead of default TCP/IP routing

ISP routing configuration is implemented in 2 phases:

• Phase 1: When a new connection is established TMG chooses the link which will be used for the new connection. The new connection uses the NAT address associated with the ISP link. TMG takes into account:
  • Link availability
  • Stickiness (client-server traffic will prefer reuse of the same link)
• Phase 2: At the NDIS (L2) layer TMG enforces the routing to the associated link (overriding TCP/IP routing decisions)

This implies ISP Redundancy is supported only for NAT relationship. Local host traffic will not benefit from ISP Redundancy.

Problematic mainly for integration with SMTP Edge protection.

HTTP traffic is intercepted by the proxy (which enforces NAT). As a result, HTTP traffic will benefit from ISP Redundancy.


Link Availability

Using root DNS servers to verify Internet connection

Try UDP connection to port 53

Round robin root DNS servers

High/Low watermarks are used to ensure stability periods

It’s possible to configure other servers via scripting.


ISP Link Availability Testing

• Time between consecutive link polls: 60 sec
• Time period TMG waits for once a link is down: 300 sec
• Number of tries to check for failure or success: 3
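The link availability test described on the last two slides, as an added Python example (not TMG code). The numbers are the slide's (60 s poll interval, 300 s wait once a link is down, 3 tries to change state); how the watermarks combine, and the UDP/53 probe being modelled only as a boolean result, are this example's reading of the slides.

```python
"""Link-availability state machine with high/low watermarks.

Added example, not TMG code. A probe stands for one UDP/53 query to a
root DNS server; the state flips only after TRIES_TO_FLIP consecutive
probes contradict the current state (the high/low watermarks), which
keeps a single lost packet from flapping the link. How these slide
parameters combine is this example's assumption.
"""
from dataclasses import dataclass, field

POLL_INTERVAL_SEC = 60   # time between consecutive link polls
DOWN_HOLD_SEC = 300      # wait after a link is declared down before re-polling
TRIES_TO_FLIP = 3        # consecutive contrary probes needed to change state


@dataclass
class LinkMonitor:
    name: str
    up: bool = True
    streak: int = 0          # probes contradicting the current state, in a row
    hold: bool = False       # True right after a down transition
    transitions: list = field(default_factory=list)

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result and return the (possibly updated) link state."""
        self.hold = False
        if probe_ok == self.up:          # result agrees with current state
            self.streak = 0
            return self.up
        self.streak += 1
        if self.streak >= TRIES_TO_FLIP:  # watermark reached: flip state
            self.up = probe_ok
            self.streak = 0
            self.hold = not probe_ok      # start hold-down on a down transition
            self.transitions.append("up" if self.up else "down")
        return self.up

    def next_poll_delay(self) -> int:
        """A freshly failed link is left alone for the hold-down period."""
        return DOWN_HOLD_SEC if self.hold else POLL_INTERVAL_SEC


def simulate(results, name="ISP-A"):
    """Replay probe results; return (final_up, transitions, seconds elapsed)."""
    monitor = LinkMonitor(name)
    elapsed = 0
    for ok in results:
        monitor.observe(ok)
        elapsed += monitor.next_poll_delay()
    return monitor.up, monitor.transitions, elapsed
```

With these parameters a dead link is declared down about three polls after it fails, and two isolated failures separated by a success never change the state.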


Troubleshooting Scenarios

• ISP Redundancy misconfiguration:
  • 2 separate subnets for each ISP
  • 2 local IPs on the external NIC associated with each ISP
  • Default route to the external must exist
• ISP Redundancy is only functional for NAT relationship
• Testing from the local host will not work and an admin may fail to understand why.


Feature Overview

‘Small’ enhancement for NAT network rule definition to enable specifying the NAT address which should be used. Targets scenarios in which the NAT address is important:

• Publishing multiple SMTP servers (not via Edge Protection)
• IP based paid services

Highly requested by many customers


SMTP Scenario

[Diagram: HELO SMTP.DX.COM; SMTP.DX.COM; 100.100.100.100]


SMTP Scenario – ISA Server 2006

[Diagram: HELO SMTP.DY.COM; SMTP.DY.COM; 200.200.200.200]


SMTP Scenario - TMG

[Diagram: HELO SMTP.DY.COM; SMTP.DY.COM; 200.200.200.200]


Feature Components

Configuration

An additional tab for NAT relationship configuration.

Enables configuring a default IP, a single IP or multiple IPs

Core integration:

Supports kernel/user mode data pumps

Interops with application filters

NLB integration – supported only for TCP/UDP


Microsoft Forefront TMG Administrator’s Companion


Resources

• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources


Related Content

Breakout Sessions

• Beyond the Perimeter - Evolving from a Firewall to a UTM Solution (SEC354)

• Forefront Protection Manager 2010: Integrated Monitoring, Investigation and Protection (SEC375)

• TMG with Forefront codename "Stirling": Integrated Security (SEC343)


Complete an evaluation on CommNet and enter to win!


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.