How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide

Placing a firewall in a corporate network puts you in commanding position to protect your organisation’s interest from intruder. Firewall also helps you to publish contents or share infrastructure or share data securely with eternal entity such as roaming client, business partners and suppliers. Simply, you can share internal contents without compromise security. For example, publishing Exchange Client Access Server, OCS 2007 and SharePoint front-end server in the perimeter.

More elaborately, the front-end and the back-end topology is commonly seen in multi-tier applications where the user interacts with a front-end server (Example: CAS server) and that server interacts with a back-end Server (Example: HT server). In this exchange deployment scenario, users interact with a front-end CAS Web server placed in DMZ or perimeter to get Outlook Web Access for reading and sending email. That Web server must interact with the back-end mail server or HT server, but Internet users do not need to interact directly with the back-End HT server. The front-end and back-end server(s) does all these for you providing maximum security. visit Exchange 2010 deployment in different firewall scenario

In this article, I am going to illustrate Back-to-Back Firewall with DMZ. This topology adds content publishing to the back-to-back perimeter topology. By adding content publishing, sites and content that are developed inside the corporate network can be published to the server farm that is located in the perimeter network.

 

Advantages

1. Isolates customer-facing and partner-facing content to a separate perimeter network.
2. Content publishing can be automated.
3. If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.

Disadvantages

1. Requires more hardware to maintain two separate farms.
2. Data overhead is greater. Content is maintained and coordinated in two different farms and networks.
3. Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.

Assumptions: 

1. Internal IP range: 10.10.10.0/24
2. Perimeter IP Range: 192.168.100.0/24
3. Public IP:203.17.x.x/24

Note: In the production environment, perimeter IP must be public IP accessible from internet.

 

Computer	Internal NIC Configuration	External NIC Configuration
Back-End TMG 2010 (two NICs)	IP: 10.10.10.2 Mask:255.255.255.0 DG:Null DNS:10.10.10.5	IP:192.168.100.4 Mask:255.255.255.0 DG:192.168.100.5 DNS:Null
Front-End TMG 2010 (Two NICs)	IP:192.168.100.5 Mask:255.255.255.0 DG:null DNS:10.10.10.5 2nd DNS:203.17.x.x (public IP)	IP:203.17.x.x (public IP) Mask:255.255.255.0 DG:203.17.x.1 (public DG) DNS:203.17.x.x (public DNS)
DC	IP:10.10.10.5 Mask:255.255.255.0 DG:10.10.10.2 DNS:10.10.10.5	Not Applicable

Routing Relation:

Back-end TMG	Internal to PerimeterPerimeter to External Perimeter to Internal	RouteNAT (Default) Route
Front-End TMG	Internal to External (All TMG Default)	NAT (Default)

Persistent Routing in Front-End TMG and all servers placed in perimeter/DMZ: You must add following routing table in front-end TMG server and all other servers placed in perimeter in elevated command prompt. To do that, just log on as administrator, open command prompt and type following and hit enter.

Route ADD –P 10.10.10.0 MASK 255.255.255.0 192.168.100.4

Configure Back-End TMG Server:

Log on to TMG Server using Administrative credentials and define internal IP as shown on TCP/IP property.

Define Perimeter IP As shown on TCP/IP property

Now add TMG server as a domain member. Install Forefront TMG using Step by Step Guide Lines. Open TMG Management console, Launch Getting started Wizard. Configure network Settings. Select back Firewall.

Click Configure Systems Settings.

Click Define Deployment Options.

Click Close. Apply Changes and Click Ok.

Create connectivity with AD and DNS.

Add and Verify IP addresses of internal (10.10.10.0/24) and perimeter network (192.168.100.0/24).

Add Network Rules:

Create Network Rule. To do that click on Networking>Network Rules>Create a New Network Rule Wizard.

Here, Rules 1 to 4 will created by default while initial configuration as shown below. You have to  create rule 5 and 6 by repeating above steps.

   

Configure Firewall Rules:

Actions	Allow
Protocols	DNS, Kerberos-Sec(TCP), Kerberos-Sec (UDP),Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (Global catalog), Microsoft CIFS (TCP) ,Microsoft CIFS (UDP), NTP (UDP), PING, RPC (All Interface)
Source	DC, Front-End TMG
Destination	DC, Front-End TMG
Conditions	All Users

Now Publish DNS for perimeter network.  Right Click on Firewall Policy, Click New, Click Access Policy, Name new access policy. On the selected protocol add DNS, Kerberos-Sec(TCP), Kerberos-Sec (UDP),Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (Global catalog), Microsoft CIFS (TCP) ,Microsoft CIFS (UDP), NTP (UDP), PING, RPC (All Interface), Click next.

On the Access Rules Sources, Click Add, Select Computers, Click New, Type Netbios name of DC and Type IP, Click Ok. Select DC and Click Add. Repeat this process for Front-End TMG server i.e. add name and IP of front-end TMG server and Click Add.

On the Access Rule Destinations, Click Add, from the computers list add DC and front-End TMG servers. Click Next and Click Finish. Apply changes and click ok.

Create an Access Rule allowing all outbound traffic to go from internal to perimeter.

Actions	Allow
Protocols	All Outbound Traffic
Source	Internal
Destination	Perimeter
Conditions	All Users

Create another access rule allowing HTTP and HTTPS to go from internal to perimeter and external.

Actions	Allow
Protocols	HTTP, HTTPS
Source	Internal
Destination	External
Conditions	All Users

Configure Front-End Forefront TMG  Server:

Prepare another Windows Server 2008 x64 computer. Log on as an administrator. Define internal and external IP addresses as shown below.

Internal TCP/IP property:

External TCP/IP property

Open Command prompt>type following command to add persistent Routing:

c:\>Route Add –P DestinationIP  DestinationMask  SourceIP

 

c:\>Route Print

  

Add Front-End TMG as domain member. Follow same installation and initial configuration options shown in back-end TMG server.  There are only two differences while initial Network Settings configuration that are selecting internal (192.168.100.0/24) and external (203.17.x.x/24) network. Those are shown below.

Create Connectivity Verifier with AD, DNS and Web.

Networking>networks>internal>Add 10.10.10.0/24 and 192.168.100.0/24 as internal IP. Make sure internal IP and perimeter IP of back-end server are both internal IP of Front-end server. keep default routing rules in Front-End TMG. Configure property of internal network.

Verify Network Rules:

 

Configure firewall to allow HTTP/HTTPS : Firewall Policy>New>Access policy>Allow HTTP and HTTPS for all users. Do not Allow all outbound traffic to go from internal to external in Front-End Server. Only specific ports and protocols should be allowed. 

     

Test Firewall: Log on to a computer in internal network behind Back-End Firewall. Setup Proxy in IE as shown below and browse internet.

  

Placing Front-End Server(s) or a member server in DMZ:

One you have completed above steps, you are ready to place any Front-End server(s) such as Exchange CAS, OCS 2007 and SharePoint Servers  in DMZ/Perimeter. You need to import certificates from Enterprise Root CA placed in internal network (behind Back-End TMG) to Front-End TMG server to publish secure web sites such as OWA, Outlook Anywhere or OCS. All Publishing Rules Applied in Front-End TMG server. Here, I am not writing OWA or Anywhere because it would redundant for me to write again as I have shown all these in my previous posting. Visit the links mentioned below.

Prerequisite for placing a member server in DMZ: A member server must have following TCP/IP configuration to work in perimeter.

IP	192.168.100.0/24 (Perimeter IP Range)
DG	192.168.100.5 (Internal IP of Front-END TMG server)
DNS	10.10.10.5 (Internal DNS)
2nd DNS	203.17.x.x (Public DNS)
Routing	As Mentioned in Persistent Routing Section of this Blog

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Relevant Articles:

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

How to publish Exchange Anywhere in Forefront TMG 2010

How to publish Exchange ActiveSync in Forefront TMG 2010

Exchange 2010 deployment in different firewall scenario

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

How to create E-Mail protection Policy in Forefront TMG 2010

Forefront TMG 2010: Publishing Exchange server 2010

Share this

 

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management (part II)—Step by Step

In part 1 Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step, I illustrated how to configure Forefront EMS. In this second part, I will continue on additional configuration and verification required for a functional EMS.

Open Forefront TMG EMS Console, right click in the Forefront TMG Array, Click on Properties. Verify all the settings and Assigned Role. If you want you can add more members in administrator group.

Apply Changes, Click OK. Now create a Firewall Policy allowing HTTP and HTTPS traffic from internal to external network.

Create Connectivity verifiers for AD, DNS and Web as shown below.

 

Log on to a computer as a domain member in the internal network. Setup proxy in IE and test network.

Installation of certificates in TMG Servers:

Log on to Certificate Authority. Open CA management console. Right Click on Certificate Template, Click on Manage. Select Computer, Right click and Click on Properties. Click on Security Tab, Check Enrol. Then Apply and Click OK. Repeat the process for Web Server.

In the TMG server, open MMC console. Follow these screen shots.

Click on More Information…… you will be resented Certificate Properties. In the Name drop down list, select Common Name and Type a Name, Click Add and Type drop down Select DNS and Type FQDN of TMG server. Click Add. Apply and OK.

   

Now Export these certificate with Private Key.

 

Apply Changes. Click Ok.

Create Cache Drive preferably non systems partition. In this example, I am showing Cache drive in systems partition but in production environment you will have more then one partition in TMG server.

Further Study:

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter systems

Share this

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Forefront TMG 2010 provides standard and enterprise version. On an Enterprise version you can deploy Forefront TMG in a single server (standalone deployment) or multiple servers in Enterprise Management Array deployment. In an Enterprise deployment, one TMG server perform as an Enterprise Management Server in an Enterprise Management Array (EMS). And rest of the TMG servers join in that array. A Forefront TMG array is a collection of Forefront TMG servers that are managed centrally, via a single management interface. It provides better management capacity, redundancy, fault tolerance and High Availability in a organisation where HA is calculated by 99.9%. An Array stored following information in Enterprise Management Server.

1. Array configuration settings, which are relevant for, and shared by, all members of the array.
2. Server configuration settings, which are relevant only for a specific array member, for each of the array members.

Standalone—Depending on the selected load balancing method, a standalone array can have up to 50 Forefront TMG servers managed by one of the array members that acts as the array manager; for more information about load balancing. Use this type of array if Forefront TMG is deployed in a single logical location and handles a medium traffic load.

EMS-managed—An EMS-managed array can have up to 200 Forefront TMG arrays, each holding up to 50 Forefront TMG servers, that are managed by an Enterprise Manager Server (EMS). Once you have set up an EMS-managed array, you can replicate its settings and manage up to 15 EMS-managed arrays using the same settings, thus enabling central management of up to 150,000 Forefront TMG servers.

Load balancing Forefront TMG servers in an array

An integrated Network Load Balancing (NLB) Feature is available in Forefront TMG. It enables you to take advantage of the benefits of central management, configuration, maintenance, and troubleshooting, which are not available if you configure NLB directly via the Windows-based NLB tools. Load balancing serves to balance network traffic among array members, so that traffic is optimized across all available servers.

Installation of Forefront TMG 2010 EMS

Check invoke and Click Finish once installation is done.

To assign administrative roles for enterprise administrators

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.

2. On the Tasks tab, click Assign Administrative Roles.

3. On the Assign Roles tab, click the upper Add button. Then, do the following:

1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of Active Directory Lightweight Directory Services (AD LDS), and monitor arrays in the domain.

2. In Role, select one of the following:

Forefront TMG Enterprise Administrator—Authorizes the specified group or user to perform all administrative tasks in the enterprise and arrays in the domain.

Forefront TMG Enterprise Auditor—Authorizes the specified group or user to perform monitoring tasks, and to view enterprise and array configuration.

4. When you have finished, click OK.

5. In the details pane, click the Apply button, and then click OK.

 

To assign administrative roles for array administrators

1. In the Forefront TMG Management console, in the tree, click the Forefront TMG node.

2. On the Tasks tab, click Assign Administrative Roles.

3. On the Assign Roles tab, click the upper Add button. Then, do the following:

1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of AD LDS.

2. In Role, select one of the following:

Forefront TMG Array Administrator—Authorizes the specified group or user to perform all administrative tasks in the array.

Forefront TMG Array Auditor—Authorizes the specified group or user to perform all monitoring tasks, and to view the array configuration.

Forefront TMG Array Monitoring Auditor—Authorizes the specified group or user to perform specific monitoring tasks.

4. When you are finished, click OK.

5. In the details pane, click the Apply button, and then click OK.

To enable Microsoft Update and activate licenses

1. In the Forefront TMG Management console, in the tree, click the server name node.
2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.
3. On the Microsoft Update Setup page, click Use the Microsoft Update service to check for updates (recommended).
4. On the Forefront TMG Protection Features Settings page, activate licenses for the protection features you want to enable. You can only download and install updated definitions for features that you have enabled.
5. If you activated the Network Inspection System (NIS) license, on the NIS Signature Update Settings page, select the automatic update action you desire.
6. Complete the wizard, and then click Finish. On the Apply Changes bar, click Apply.
7. For WSUS update visit this Link

To Create an Enterprise Array

1. On the EMS, in the Forefront TMG Management console, Right click on Arrays. In the task pane, click New Array.

2. In the New Array Wizard, on the Welcome to the New Array Wizard page, enter the name of the array.

       

3. On the Array DNS Name page, enter the Domain Name System (DNS) of the array.

4. On the Assign Enterprise Policy page, in the Select the Enterprise policy to apply to this new array list, click the enterprise policy to apply to the array.

5. On the Array Policy Rule Types page, select the types of rules that may be created for the array firewall policy.

6. Click Finish and Apply Changes.

Important! All internal networks must be able to ping DNS record mentioned in step3.

To join an enterprise array from second TMG server.

1. In the Forefront TMG Management console, click the server name node.

2. On the Tasks tab, click Join Array.

3. On the Join Membership Type page, click Join an array managed by an EMS server.

     

4. On the Enterprise Management Server Details page, enter the fully qualified domain name (FQDN) of the EMS server, and then click the user account form used to connect to the server.

5. On the Join EMS Managed Array page, select whether to join an existing EMS managed array, or to create a new EMS managed array.

6. If you selected to create a new EMS managed array, on the Create New Array page, enter the details of the new array or Select existing Array, Click next and Click Finish.

Configuring intra-array communication on array members

1. In the Forefront TMG Configuration console, in the tree, expand the ServerName of the array, and then click System.

2. On the Servers tab, select a server, then on the Task tab, click Configure Selected Server.

3. On the Communication tab, on the Intra-Array Communication dialog box, enter the IP address used to communicate with other array members.

Important! Apply changes after every configuration has been done in TMG EMS.

To Configure Network Topology

Forefront TMG supports unlimited network adapters. However, the following network types, you can specify an IP address range or select a network adapter associated with the network you are configuring:

• Internal network
• Perimeter network
• External network

IP addresses for network adapters associated with the same network should be identical on each array member.

Click on Enterprise Networks, Click Create a New Network Wizard or editing a selected network from Taskpad.

 

The list of network adapter settings configured in Windows Server is logged to the Network Adapters tab in the Networking node. You can edit the network adapter settings.

From the Taskpad, Click Create New Network Rule Wizard

   

Further Study:

Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter systems

Share this

Forefront TMG and BranchCache Hosted Cache deployed on the same host

BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

How Branchcache works? When a Windows 7 Client from a branch office request data such as WSUS content to a head office Server then server check authentication and authorise data to pass on to the client. This is an ordinary communication happens without branchcache also.

But with branchcache, The client uses the hashes in the metadata to search for the file in the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server. The Hosted Cache server connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server or WSUS server. The content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in branch. This time, it does not retrieve data from the DFS share residing in head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using server manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discuss and show how to configure WSUS to use  branchcache. The followings are the steps involve in head office and Branch Offices.

Head Office:

1. Install and configure TMG Server (Upstream Proxy)
2. Add FQDN of branch TMG server in DNS server
3. Prepare necessary routing for both TMG

Branch Office:

1. Install and configure TMG server
2. Create DFS share in Branch Office
3. Install and configure Branchcache File Server
4. Configure GPO for Branchcache
5. Validate hosted cache is working

By default, Forefront TMG blocks most traffic that is destined explicitly for the host or originating from the host. To allow BranchCache to function in Hosted Cache mode, you must define specific Forefront TMG policy rules so that BranchCache clients and the BranchCache Hosted Cache must communicate. To allow this communication you must define two Forefront TMG policy rules:

1. Allow Hosted Cache Inbound Connections—A rule that allows clients to advertise new content to the Hosted Cache server, and retrieve data from the Hosted Cache server.
2. Allow Hosted Cache Outbound Connections—A rule that allows the Hosted Cache server to retrieve advertised content from the client.

Step1: Connect Branch TMG (downstream TMG) with Head office TMG (Upstream TMG), Microsoft Active Directory and DNS.

1.Click on Monitoring, click Connectivity Verifiers, Click Create New Connectivity Verifier, Type the name of new connectivity verifier, Click Next.

2. Select Web Connectivity from drop down list, Type FQDN of Upstream proxy, Click Next and Click Finish.

3. Repeat step 1 and step 2 to create connectivity for Active Directory, and DNS.

4. Apply changes and Click ok.

Step 2: Write down which ports clients are actually configured to use

Choose any BranchCache client and check the registry. The registry keys below will contain the actual value if the defaults were modified.

• The Retrieval port registry key (if not specified, the default is 80):
  HKLM\Software\Microsoft\WindowsNT\CurrentVersion\PeerDist\

             DownloadManager\Peers\Connection

• The Hosted Cache port registry key (if not specified, the default is 443):
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection

Step 3: Define the Retrieval protocol

1. Select the Firewall Policy node.
2. Select the Toolbox tab.
3. Expand Protocols.
4. Click New and then select Protocol.
5. Enter the protocol definition name as “BranchCache -Retrieval” and click Next.
6. Click New and add the new protocol, as follows:
   1. Protocol Type: TCP
   2. Direction: Outbound
   3. Port Range: From 80 to 80 (replace 80 if otherwise identified in step 1)
   4. Click OK.

  Step 4: Define the Hosted Cache protocol

1. Select the Firewall Policy node.
2. Select the Toolbox tab.
3. Expand Protocols.
4. Click New and then select Protocol.
5. Enter the protocol definition name as “BranchCache -Advertise” and click Next.
6. Click New and add the new protocol, as follows:
   1. Protocol Type: TCP
   2. Direction: Outbound
   3. Port Range: From 443 To 443 (replace 443 if otherwise identified in step 1)
   4. Click OK.

 Step 5: Create a rule to allow Hosted Cache Inbound Connections

1. Select the Firewall Policy node.
2. Select the Tasks tab.
3. Click Create Access Rule.
4. Define the rule name as “Allow Hosted Cache Inbound Connections” and then click Next.
5. On the Rule Action page, select Allow and then click Next.
6. On the This rule applies to page:
   1. Choose Selected Protocols from the list, and then click the Add button.
   2. In the Add Protocols dialog box, expand User-defined protocols.
   3. Select BranchCache -Retrieval protocol and click Add.
   4. Select BranchCache -Advertise protocol, click Add and then click Close.
   5. Click Next.
7. On the Access Rule Sources page:
   1. Click Add.
   2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
   3. Click Next.
8. On the Access Rule Destinations page:
   1. Click Add.
   2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
   3. Click Next.
9. On the User Sets page, click Next to apply the rule to all users.
10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 6: Create a rule to allow Hosted Cache Outbound Connections

1. Select the Firewall Policy tab.
2. Select the Tasks tab.
3. Click Create Access Rule.
4. Define the rule name as “Allow Hosted Cache Outbound Connections” and click Next.
5. On the Rule Action page, select Allow and then click Next.
6. On the This rule applies to page:
   1. Choose Selected Protocols from the list, and then click the Add button.
   2. In the Add Protocols dialog box, expand User-defined protocols.
   3. Select BranchCache -Retrieval protocol and click Add.
   4. Click Next.
7. On the Access Rule Sources page:
   1. Click Add.
   2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
   3. Click Next.
8. On the Access Rule Destinations page:
   1. Click Add.
   2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
   3. Click Next.
9. On the User Sets page, click Next to apply the rule to all users.
10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.
11. Click Apply to save the changes and update the configuration.

 Step 7: (Optional) Reduce the impact of NIS Inspection on Hosted Cache traffic

NIS is a protocol decode-based traffic inspection feature of Forefront TMG that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources (for more information about NIS,

This topic is not applicable if NIS is not enabled. To check if NIS is enabled:

1. Select the Intrusion Prevention System node.
2. On the Tasks pane, click Configure Properties.
3. On the General tab, verify that the Enable NIS check box is selected.

When enabled, NIS inspects all traffic, including traffic destined explicitly to the host or originating from the host. As a result, users may experience increased latency when retrieving cached objects from the Hosted Cache server.

In the case of a significant impact, it is recommended to choose one of the following options to mitigate the issue:

Disable the NIS inspection exclusively for traffic destined explicitly to the host or originating from the host.

The risk of disabling NIS for traffic destined explicitly to the host or originating from the host is small, for the following reasons:

• NIS is applied to all other traffic, continuing to defend all internal un-patched machines. Forefront TMG itself, as an edge-located security device, is expected to be patched at all times, and thus protected from all known threats.
• By default, NIS does not inspect non HTTP/HTTPS traffic destined explicitly to the host or originating from the host; thus disabling NIS on the local host has no impact on other protocols.
• Forefront TMG does not initiate outbound web-access. As a result, the vulnerability of the host itself to web-originating threats is very low. As a common security practice, administrators are advised not to browse the Internet from the Forefront TMG host.

To disable NIS for traffic destined explicitly to the host or originating from the host:

1.The following registry key has a default value of 1. To disable localhost traffic inspection, use Regedit on the host to assign it a value of 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray

\Debug\IPS\IPS_LOCALHOST_INSPECTION_MODE

2. Re-apply the Forefront TMG policy:
Open any of the firewall policy rules and add a space anywhere in the rule description. Click Apply.

3.Change the BranchCache protocols default port numbers (from 80 and 443) to custom port numbers.
Explanation: By default NIS inspects only HTTP and HTTPS on localhost traffic. To retain that inspection without impacting BranchCache performance requires that BranchCache default ports be changed to any other available ports.

Branch Forefront TMG also provides:

• Secure web-access via anti-malware, URL filtering and HTTPS inspection.
• Firewall and Network Inspection System (NIS).
• Reverse proxy (web-publishing) of web-applications at the branch.
• Site-to-site VPN.
• Roaming-user VPN.

Step8: Installing BranchCache File Server on TMG

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Step 10: Use Group Policy to configure branch cache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Step 9: use registry editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\CurrentControlSet\Service\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Step 10: Setup branchcache support tag on a file server

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase=“MY_PASSPHRASE”, and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Step 11: Configure client using GPO

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK.  or

To use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Step 12: Validate the Hosted Cache is working properly

1. Choose any client on the Branch Office.
2. Open the Performance Monitor and track the BranchCache “Bytes from Cache” counter and take note of the current value
3. Open your Internet Browser. Clear the browser cache to make sure it is not utilized in this validation.

4. Instructions for clearing the cache using Internet Explorer 8:

   1. On the Tools menu, select Internet Options.
   2. On the General tab, in the Browsing History section, click the Delete… button.
   3. In the opened dialog box, select the Temporary Internet Files check box and clear the other check boxes, then click Delete.
   4. Wait for the operation to complete, and then close the dialog boxes.
5. Using the client, access or download an object with a known size from an HTTP/S application on a Windows 2008 R2 server.
6. Expected result:
   • If the object was never accessed from the Branch, the counter should increment by the object size on the third attempt to access it (between attempts, make sure you clear the browser cache).
   • If the object was already accessed from the Branch, the counter should increment by the object size on the first or second attempt.

Relevant Study:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

DFS Step-by-Step Guide for Windows Server 2008

How to configure DFS to use fully qualified domain names in referrals

How to configure Windows Server Update Services (WSUS) to use BranchCache

Share this

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter systems

Forefront TMG got inbuilt capabilities to work as an anti-spam, antivirus and content filter for E-Mail protection. TMG 2010 works hand to hand with Forefront Protection 2010 and Exchange Edge Transport Server to provide mail relay, anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work together, to reduce the spam that enters and exits an organization. When deploying the e-mail protection feature in Forefront TMG, install Exchange Edge Transport Role and Forefront Protection for Exchange Server on the Forefront TMG computer. Forefront technologies provides layers of protection for Exchange Messaging Technologies.

Protection on the Edge: Provide a complete inspection and scan of all emails entering and leaving from organisation.

Integrated: Forefront TMG, Forefront Protection and Edge Transport are integrated (installed) in a single point.

Extended management: TMG enterprise version works in a management  array. So that you can install and manage more then one TMG server.

Network Load Balancing (NLB): Using NLB and a virtual IP address, you can deploy an array of firewall using Forefront TMG servers at the entry point of your organisation, thereby processing each and every email entering in your organisation. By deploying multiple Forefront TMG servers, each running Exchange Edge Transport Role and Forefront Protection , you can more easily maintain a highly available (HA) and protected vital messaging technology in your organisation.

Compiling Mail Exchanger (MX) Record: MX Record registered with ISP and pointing external IP address of TMG server

To install the Exchange Server Edge Transport role

1. Run the Exchange Server Setup.exe file, and follow the steps in the Exchange Server Setup Wizard, including the installation of all the prerequisites.

2. On the Installation Type page, click Custom Exchange Server Installation.

3. On the Server Role Selection page, select Edge Transport Role, and click Next. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. Then, click Install to install Exchange.

4. On the Completion page, click Finish.

For more information about Edge Transport and FPES visit Step by Step Guide on Exchange Server 2010 Edge Transport Role and Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

To configure E-Mail protection, log on to TMG server as an administrator. Open TMG Management console>Click on E-Mail Protection>Enable entire protection systems on E-Mail Policy Tab.

Click on Spam filtering tab> Click on enable on IP Allowed List>Add all internal IP addresses in your network.

Once finish. Click on Apply and OK.

Click on Enabled on sender reputation>Select Enabled in general tab.on the Thresholds Tab, select reputation ratings starting from 0 to 9. Apply and Ok. 

 

Click on enable on content filtering. On the General Tab select enabled. Custom Words tab>Add blocked contents whatever you like. If you like you can add exceptions also on exception tab. Click SCL Thresholds tab>select desired options such blocked or quarantine email based reputation ratings.

 

Apply and OK once finish.

In the sender filtering option, you can block based on domain name. domain name must added as www format.

 

Click enabled on the file filter. Click file filter tab>click add button. Check enable this filter, select type of actions from drop down list. Purge will remove the content and deliver email only. Delete will delete the message with the contents. In the File Types tab, select preferred file types. You can add custom file types from File Name Tab. 

In the Antivirus configuration, select desired Antivirus engine that means the Antivirus you have installed in TMG server, preferred remediation method and Actions, TMG will take in-case TMG found virus.

Once all the configuration finished. Then Apply changes and click Finish.

 

Important! Don’t forget to backup TMG server after changes you made.

Definition and Engine Update: To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or Windows Server Update Services (WSUS), and that automatic installation of the latest signatures is enabled. For more information visit Install and configure WSUS 3.0 SP2 – Step-By-Step and Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

share

How to configure L2TP/IPSec VPN using Forefront TMG 2010

Pre-requisites:

1. Windows Active Directory and DNS
2. DHCP server or range of free IP addresses
3. Enterprise Root CA
4. Forefront TMG is a member server.
5. Computer certificate installed in TMG server
6. Public IP assigned in external NIC of TMG server

Configure L2TP/IPSec VPN

1. open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2.In the left pan click on Remote Access Policy>Click on Configure Address Assignment method. You will be presented with Remote Access Policy Property. Now follow the screenshots.

3. Add a range of IP addresses (Example:10.10.11.1-10.10.11.255) to be assigned by TMG server or assign internal DHCP server.

 

4. Check MSCHAPv2 Authentication and Check Enable EAP

  

5. Apply Changes. OK.

6. In the left pan click on Remote Access Policy, in the task pan>click on configure VPN Client Access. You will be presented with VPN Clients property. Check enable on general Tab.

7. In the Group Tab, Add Windows AD groups you allowed to access VPN.

8. In the Protocol Tab, Check Enable L2TP/IPSec

9. In the User mapping, Check enable User Mapping and provide internal domain name.

10. Click Apply and ok. Apply changes.

11.In the left pan click on Networking, Click network Rules Tab. From the task pan, run new Create Network Rules wizard. Create new network rules allowing VPN client access from external network to internal network. Select route relation between external and internal network.

12.  In the left pan right click on Firewall Policy>Click New>Click new access Policy. Follow the screenshots.

13. Apply changes.

14. make sure you allow remote access in AD user Dial-in property.

15. Now create a dialler in Windows 7 machine shown below link. Log on to that machine using domain credentials and test VPN.

Relevant Articles:

How to configure L2TP IPSec VPN using ISA Server

Windows 7: L2TP IPSec VPN dialler

Share this

Configure Forefront TMG as a Proxy Cache

A Proxy Server provides a number of useful functions in a company’s network infrastructure. Proxy Servers will go out and retrieve Web pages and content and return the Web pages to the internal network users. The fact that the proxy is retrieving the Web pages and not the actual clients adds an extra layer of protection to the clients because their internal IP addresses are hidden from the Internet. The proxy mechanism makes surfing external Web sites safer for internal clients.

If employees are constantly requesting pages from the same Web sites, the proxy server can store those requests locally on the server. When additional requests are made for content that has already been retrieved and stored locally, the proxy server will send the requesting client the copies of the pages from its stored cache. Utilizing this function, a proxy server will not have to go back out again and fetch the requested Web pages.

Forefront TMG 2010 can be configured to act as a proxy server in your environment to accelerate the performance of Internet access, as the name implies. In the following flow chart shows how TMG perform Proxy Cache.

Figure: Flow chart

Forefront TMG 2010 performs the following steps:

1. Forefront TMG 2010 checks whether the object is valid. If the object is valid, Forefront TMG 2010 retrieves the object from the cache and returns it to the user.

2. If the object is invalid, Forefront TMG 2010 checks the Web Chaining rules.
3. If a Web Chaining rule matches the request, Forefront TMG 2010 performs the action specified by the Web Chaining rule; for example, route the requested directly to a specified Web server, an upstream proxy, an alternate specified server.

4. If the Web Chaining rule is configured to route the request to a Web server, Forefront TMG 2010 determines whether the Web server is accessible.
5. If the Web server is not accessible, Forefront TMG 2010 determines whether the cache was configured to return expired objects. If the cache was configured to allow Forefront TMG 2010 to return an expired object as long as a specific maximum expiration time hasn’t passed, the object is returned from the cache to the end user.

6. If the Web server is available, Forefront TMG 2010 determines whether the object may be cached depending on whether the cache rule is set to cache the response. If it is, Forefront TMG 2010 caches the object and returns the object to the end user.

  Figure: Simple Visio diagram of proxy cache

Cache Storage:  Forefront TMG 2010 can store objects on the local hard disk, and for faster access can store most of the frequently requested objects on both the disk and the RAM. Cached pages
can be stored immediately in memory (RAM) to be accessed by end users requesting the Web content. A lazy-writer or buffered-writer approach is used to write pages to the disk. By default, 10 percent of physical memory is allocated for RAM caching. The cache file can be stored as follows:

1. Drive:\urcache\Dir1.cdat
2. Must be NTFS non system partition (Local disk)
3. Maximum cache size 64GB

Types of Cache:

Forward Caching: To cache all Internet traffic from external to internal.
That’s all Internet pages requested by internal users.

Reverse Caching: To cache all objects sent from internal to external. This
works with publishing to help offloading the published server.

Configuring Forefront TMG 2010 Web Proxy & Proxy Cache

1. open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2.In the left pan click on Web Access Policy

3.In the right pane under the Tasks tab, scroll down and click on Web Proxy. Check enable web proxy client connections for this network. Check Enable HTTP and type port 80 or if you want to use web proxy port 8080 then type port 8080.

4. Click on Authentication, Select integrated. Click ok.

5. Click on Advanced, select unlimited Click ok.

6. Now click on Apply and ok.

7. Click on Configure Web Caching , You’ll see the Cache Settings dialog box. Click the Cache Drives tab to access the Forefront TMG 2010 cache storage configuration.
3.Select the array member to enable the Configure button

3. Click Configure to define the cache size and location.

4.To define the cache location and size, select the non system partition where you want to store the cache file and enter the desired size of the cache file in the Maximum Cache Size (64000MB) text box. Click Set and then click OK to close the Cache Settings window.
6. click Apply to apply changes.

Add new cache Rule

1. Go back to Cache Settings mentioned above

2. Click on Cache Rules Tab, Click New button, you will be presented with Cache rule wizard

3. Type name of cache rule for example: Microsoft update Cache rule, click Next

4. You will see cache rule destination, Click Add>Click New>Click URL sets

5. Type Name of the URL sets (For Example Microsoft Update). Click on Add and type URL. Repeat it and the following urls.

• http://download.windowsupdate.com
• https://*.windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• http://*.download.windowsupdate.com
• http://update.microsoft.com
• http://*.windowsupdate.com
• http://download.microsoft.com
• http://windowsupdate.microsoft.com
• http://ntservicepack.microsoft.com
• http://wustat.windows.com
• https://*.update.microsoft.com

6. Click Ok. Now you will see Microsoft Update URL set. Select Microsoft Update URL set. Click Add and Click close to close URL sets.

7. Click Next. Select “If a valid version of the object exist in the cache. If no valid version exists. Route the request to the server”. Click Next.

8. In the cache content window select “If source and request header indicate to the cache” You may also select dynamic contents. Click Next

9. In the Cache Advance Configuration Window, Check Do not cache object larger then 1GB or your preference but remember you have 64GB cache size. Check Cache SSL response. Click next.

10. In the HTTP caching window, keep default settings, Click next

11. In the FTP caching window, keep default or Modify, Click next

12. Click Finish. Apply Changes.

Relevant Articles:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010