Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

March 15, 2010

Microsoft Forefront Protection 2010 for Exchange Server provides ultimate protection for Microsoft Exchange Server 2010 from viruses, worms, spyware and spam. Forefront Protection 2010 is an additional component included in the Forefront TMG 2010 Enterprise version. However, you can also download and install Forefront Protection 2010 on a server that holds the Microsoft Exchange Client Access Server (CAS) role. The CAS is an Internet-facing server placed in the perimeter network (DMZ). To ensure comprehensive protection, Microsoft Forefront Protection 2010 for Exchange Server (FPE) can be deployed on the Exchange Edge Transport, Hub Transport, Mailbox server, or combined Hub/Mailbox roles. Forefront Protection 2010 for Exchange Server can be installed alongside Forefront TMG 2010 if TMG 2010 is installed on an Edge Transport server. System requirements for Forefront Protection 2010 are similar to those of the other Exchange Server roles: you need an additional 2GB of free RAM and 2GB of free disk space on top of all other requirements.

Installation of Forefront Protection 2010


Monitoring Configuration

Once installation finishes, open Forefront Protection 2010 from the Start menu and configure monitoring of incidents, quarantine and notifications.


Policy Management Configuration

Now configure Policy Management: enable Edge Transport, Proxy and Antispam, set up the engine, and set up the internal and external scans. Place your internal IP addresses in the allow list.


Relevant Topics:

Download Forefront Protection 2010

Microsoft Forefront Protection 2010

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step



Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

March 15, 2010


Intrusion Prevention System

Log on to the Forefront TMG server using administrator credentials. Open Forefront TMG 2010>Expand Forefront TMG>Intrusion Prevention System>Right-click>Configure Properties


Add Network sets and web sites for exemptions


Forefront TMG 2010 Web Caching 

Open Forefront TMG 2010>Expand Forefront TMG>Web Access Policy>Tasks pane>Click on Configure Web Caching


Apply>Close Cache Settings.


Apply Changes>OK.

Forefront TMG 2010 Log

Open Forefront TMG 2010>Expand Forefront TMG>Logs & Reports>Tasks pane>Click on Configure Web Proxy Logging


Repeat these steps for TMG Firewall Logging.

Forefront TMG Reporting


Forefront TMG E-mail Policy (Adding Exchange Hub Transport Server)

Open Forefront TMG 2010>Expand Forefront TMG>E-Mail Policy>Configure E-mail Policy. Adding the Exchange 2010 Hub Transport server will allow SMTP traffic to pass among the internal, perimeter and external networks.


Relevant Topics:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step Part I

Migrating a single ISA Server to Forefront TMG 2010 Step by Step

Blogs on Microsoft ISA Server


Migrating a single ISA Server to Forefront TMG 2010 Step by Step

March 10, 2010

Before you start migrating:

  1. Record the fully qualified domain name (FQDN) of the computer running ISA Server.
  2. Record the IP address, subnet mask, default gateway, and DNS server addresses of all the network adapters connected to the internal, external (Internet) and perimeter (DMZ) networks.
  3. Install ISA Service Pack 3 if migrating from ISA 2004.
  4. Export the complete ISA configuration.
  5. Take a complete backup of the ISA server for peace of mind.
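The items in steps 1 and 2 can be captured automatically so they survive the rebuild of the host. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling; it assumes PowerShell 2.0 is available on the ISA server and uses a placeholder UNC path for the output file.

```powershell
# Added example (not from the original post): records the ISA host's FQDN and the
# IP address, subnet mask, default gateway and DNS servers of every IP-enabled
# adapter, i.e. steps 1 and 2 of the pre-migration checklist.
# Assumes PowerShell 2.0; the output path is a placeholder to replace.
$outFile = '\\fileserver\migration\isa-network-record.txt'   # placeholder UNC path

$cs   = Get-WmiObject Win32_ComputerSystem
$fqdn = "$($cs.Name).$($cs.Domain)"

$lines = @()
$lines += "ISA host FQDN : $fqdn"
$lines += "Recorded      : $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
$lines += ''

# Only adapters with IP enabled matter here (internal, external and perimeter NICs).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object {
        $lines += "Adapter       : $($_.Description)"
        $lines += "  MAC         : $($_.MACAddress)"
        $lines += "  IP address  : $($_.IPAddress -join ', ')"
        $lines += "  Subnet mask : $($_.IPSubnet -join ', ')"
        $lines += "  Gateway     : $($_.DefaultIPGateway -join ', ')"
        $lines += "  DNS servers : $($_.DNSServerSearchOrder -join ', ')"
        # Forefront TMG needs a static address on every NIC, so flag DHCP-assigned ones.
        $lines += "  DHCP enabled: $($_.DHCPEnabled)"
        $lines += ''
    }

$lines | Out-File -FilePath $outFile -Encoding ASCII
$lines   # also echo the record to the console
```

Keep the record with the exported configuration file; the same addresses are re-entered on the Define Internal Network page during the TMG installation.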

To export the ISA Server configuration

  1. In the ISA Server Management console, in the tree, access the root node:

  2. On an ISA Server computer, expand Microsoft Internet Security and Acceleration Server, and then click ServerName.

  3. In the Tasks pane, click Export ISA Server Configuration to a File.

  4. In the Export Wizard, on the Export Preferences page, select the following options:

  5. Export confidential information. Specify a password of at least eight characters.

    When you export confidential information, the following are included in the exported data:

    • Credentials that are used for alerts, logging, reports, report jobs, primary and backup routes, dial-up connections, and Web publishing.
    • The shared secret that is specified if a RADIUS server is used.
    • The preshared key that is specified for Internet Protocol security (IPsec) configuration.

    Confidential information is encrypted during the export process. The password is used to decrypt the information during the import process.

  6. On the Export File Location page, specify a name and location for the exported backup file. If you intend to upgrade this computer to Windows Server 2008 and install Forefront TMG on it, copy the exported file to a network location, so that it won’t be deleted before the migration process is complete.

  7. On the Apply Changes bar, click Apply. 

Important! To import the configuration into Forefront TMG, you must select the option Export confidential information, regardless of whether such information exists in the system. It is recommended that you export the entire configuration from the root node. The other option is to export only the specific nodes you want to migrate to Forefront TMG. Note that only the following nodes can be migrated individually: URLSet, DomainNameSet, ComputerSet, Computer, Subnet and AddressRange. If any report is running in the background, you must stop it during the export operation. You also have to delete any scheduled report that is running in ISA Server, otherwise you will be prompted with an error.

To move a machine certificate

To export a certificate, follow these steps:

  1. From the computer where the certificate was installed, start Microsoft Management Console (MMC).
  2. Add the Certificates snap-in to the console. When you are prompted, click My user account as the account to be managed.
  3. In the MMC console, double-click Certificates – Current User, double-click Personal, and then click Certificates.
  4. In the right pane, right-click the certificate that you want to export, point to All Tasks, and then click Export.
  5. When the Certificate Export Wizard starts, click Next.
  6. On the Export Private Key page, click Yes, export the private key.
    The private key is required for the encrypted messages to be read from the computer where the key will be imported.
  7. On the Export File Format page, leave the default settings, and then click Next.
  8. On the Password page, type a password for the private key.
  9. On the File to Export page, type the path and the name for the exported certificate file, and then click Next.
    The file name has a .pfx extension. This file is the .pfx file that is imported to other computers.
  10. Click Finish.

To import a certificate, follow these steps:

  1. On the computer that the certificate is to be imported to, locate the .pfx file that was exported in the procedure described earlier in this article.
  2. Right-click the file, and then click Install PFX.
  3. When the Certificate Import Wizard starts, click Next.
  4. On the File to Import page, click Next.
  5. On the Password page, type the password for the private key in the Password box, and then click Next.
    You do not have to select the option to make the key exportable, because you already have an exported copy.
  6. On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.
  7. Click Finish.

Installation of Operating Systems

Perform a clean installation of Windows Server 2008 (SP2 64-bit or R2) on the computers. This applies both to new computers and to the computers on which ISA Server was installed. In-place upgrades from 32-bit Windows Server 2003 to 64-bit Windows Server 2008 are not supported; however, you can upgrade a 64-bit Windows Server 2003. Join the TMG server to the Active Directory domain with the same FQDN. Import the certificates as described above.

To run Forefront TMG 2010 installation

  1. Insert the Forefront TMG DVD into the DVD drive, or run autorun.hta from a shared network drive.

  2. On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.

  3. On the main setup page, click Run Preparation Tool to launch the Preparation Tool.

  4. On the main setup page, click Run Installation wizard to launch the Forefront TMG Installation Wizard.

  5. On the Installation Type page, click the Forefront TMG services and Management button.

  6. On the Installation Path page, specify the Forefront TMG installation path.

  7. On the Define Internal Network page, click Add, click Add Adapter or IP addresses to the internal network, and then select the adapter which is connected to the main corporate network.

  8. On the Ready to Install the Program page, click Install.

  9. Installation will take a while. Click Finish once it is done.

Important! DO NOT RUN the initial configuration wizard, as you are going to import the complete configuration.

To import the configuration into Forefront TMG

  1. In the Forefront TMG Management console, in the tree, access the root node:

  2. On a Forefront TMG computer, expand Microsoft Forefront Threat Management Gateway, and then click ServerName.

  3. On an EMS computer, click Microsoft Forefront Threat Management Gateway.

  4. On the Tasks tab, click Import (Restore) configuration.

  5. In Look in, browse to the folder that contains the file you are importing.

  6. In the Select the Import File step, in File name, specify the file name of the .xml file you are importing.

  7. Specify the password required to decrypt the confidential information.

  8. On the Apply Changes bar, click Apply.

Further References

How to install and configure Forefront TMG 2010 –step by step

Forefront Threat Management Gateway (TMG) 2010

ISA Server



Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

March 8, 2010

Forefront TMG 2010 has been built on top of the core capabilities delivered in Microsoft Internet Security and Acceleration (ISA) Server 2004/2006 in order to deliver a comprehensive, enhanced and integrated network security gateway. Forefront TMG provides additional protection capabilities to help secure the corporate network from external/Internet-based threats. Forefront TMG 2010 prevents abuse of the network by internal and external entities, and provides more management capabilities in terms of security and protection. Forefront TMG 2010 is available in Standard Edition and Enterprise Edition. The Standard Edition does not support arrays, NLB, CARP or Enterprise Management. For e-mail protection, both editions require an Exchange license.

Forefront TMG 2010 provides the following enhanced protection capabilities:

  • Malware inspection
  • URL filtering
  • HTTP filtering
  • HTTPS inspection
  • E-mail protection
  • Network Inspection Systems (NIS)
  • Intrusion detection and prevention
  • Secure routing and VPN

    Understanding Network Topology

    The following Forefront TMG network topologies are available:

    • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network and the external network (usually the Internet).


    • 3-Leg perimeter—This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network.


    • Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.


    • Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.


    Functionality of a single network adapter topology

    The single network adapter topology enables limited Forefront TMG functionality, which includes:

    • Forward (CERN) proxy for HTTP, HTTPS, and CERN proxy FTP (download only).
    • Web caching for HTTP and CERN proxy FTP.
    • Web publishing. HTTP-based communications, such as Microsoft Office SharePoint Server, Exchange Outlook Web Access 2007, ActiveSync®, and remote procedure call (RPC) over HTTP (Outlook Anywhere, Terminal Services Gateway or WSMAN-based traffic).
    • Dial-in client virtual private network (VPN) access.

    Limitations of a single network adapter topology

    The following limitations apply when you use the single network adapter topology:

    • Server publishing and site-to-site VPN are not supported.
    • SecureNAT and Forefront TMG Client traffic are not supported.
    • Access rules must be configured with source addresses that use only internal IP addresses.
    • Firewall policies must not refer to the external network.

    Hardware Requirements

    System requirements depend on the number of users and the deployment scenario. Forefront TMG is a vital part of an ICT infrastructure. To achieve the best performance, give the TMG server the best processing power and memory you can; however, the following will give you optimum performance.

    Processor: Intel Xeon (dual-core/quad-core/i7) or AMD Opteron (dual-core/quad-core). Enable Intel Hyper-Threading Technology in the BIOS on an Intel server board.

    RAM: 8GB

    Disk space: 50GB system partition, plus 150GB for logging and 60GB-100GB for Web caching on a separate partition. A RAID 5 configuration is highly recommended.

    NIC: 2 Gigabit NICs in a redundant configuration (the number of NICs depends on the deployment scenario)

    Important! Forefront TMG has been built on a 64-bit architecture.

    Operating Systems and features

    • Windows Server 2008 SP2 64-bit or Windows Server 2008 R2
    • Microsoft .NET Framework 3.5 SP1
    • Windows Web Services API
    • Network Policy Server
    • Routing and Remote Access Services
    • Active Directory Lightweight Directory Services Tools
    • Network Load Balancing Tools
    • Windows PowerShell
    • Windows Installer 4.5

    Important! It's not recommended to install any application or programme on the TMG server other than an antivirus program. It must be a dedicated server for Forefront TMG. Disable unnecessary services after installing the operating system. Install a machine certificate from the enterprise root CA before installing TMG. The TMG server must be a member of the Active Directory domain.

    Installation of Forefront TMG

    Prepare a 64-bit Windows Server 2008. Insert the Forefront TMG DVD into the server. Run the Preparation Tool.

    Click Continue on the UAC authorization prompt.

    Check Launch TMG installation. Click Finish.

    Add the ranges of internal IP addresses, for example 10.10.10.1 to 10.10.10.255. You can add as many ranges as you have internal subnets.

    Open Forefront TMG Management from start menu. TMG will automatically prompt you for initial configuration.


    Step 1: Network Setup Wizard—Use to configure the network adapters on the server. Network adapters are associated with a unique Forefront TMG network. Note that you must have a static IP address on every NIC of the TMG server before you proceed with the network settings.

    This is a highly important part of the configuration, because in this section you specify what type of network topology you are going to use. Here I am configuring a De-militarized Zone (DMZ), i.e. a 3-Leg Perimeter. You have to select your desired configuration.

    In this section, you select the behaviour of the traffic among the internal, perimeter (DMZ) and external networks. For example, my Forefront TMG 2010 server has been configured to route between internal and perimeter and to NAT between perimeter and external, because I chose private addresses for the perimeter network; that way I can hide the IP addresses of my perimeter networks.

    Step 2: System Configuration Wizard—Use to configure operating system settings, such as computer name information and domain or workgroup settings.

    Step 3: Deployment Wizard—Use to configure malware protection for Web traffic, and to join the customer feedback program and telemetry service.

    Networks, Proxy and Update Configuration

    Open Forefront TMG Management. On the left-hand pane, select Update Centre. Click Configure Settings on the Tasks pane and set the update policy. If you have Windows Server Update Services (WSUS) then you may select WSUS, or use Microsoft Update.

    Select Networking>Select the Networks tab>Double-click on Internal. You will be presented with Internal Properties. Configure all the tabs as follows.

    In the domain tab, add internal domain(s). For example: *.wolverine.com.au


    In the Web Browser tab, check Bypass Proxy… and Directly Access….

    Verify all the internal IP addresses you added during installation. In this window you can add more internal IP addresses if you want.

    Check Publish Automatic Discovery information for the network and use port 80 as default.


    In the Forefront TMG Client settings, check Enable Forefront TMG client support for this network. Un-check Automatically detect settings and Use automatic scripts…, and check Use a Web proxy server.

    In the Web Proxy tab, enable HTTP and use port 80 as the default. However, you can use port 8080 if you want. Click on Authentication and check Integrated. Click on Advanced and check Unlimited. Now Apply and OK.

    Apply changes.

    Now repeat this configuration for the perimeter network as you did for the internal network.

    Connecting Active Directory, DNS and DHCP

    Set up connectivity with Microsoft Active Directory, DNS and DHCP. Click on Monitoring>click Connectivity Verifiers>Click Create New Connectivity Verifier. Create a connectivity verifier for Active Directory, DNS and DHCP.

    Click Next and Finish. Repeat this for DNS and DHCP. If you have an upstream proxy, connect to the upstream proxy using a similar method.

    Create HTTP and HTTPS rule

    By default all traffic is denied. Now create Web access rules for the internal network allowing HTTP and HTTPS traffic to pass from the internal network to the external and perimeter networks. Also allow HTTP and HTTPS traffic to pass from the perimeter network to the external and internal networks. Click Firewall Policy>Click Create Access Rule on the Tasks pane.

    Test Forefront TMG Setup

    Now for the moment of truth. Log on to a computer in any internal network using domain user credentials. Set up the proxy in the IE connection settings and browse the Internet.

    Thumbs up!
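To test the proxy from a script rather than only from IE, here is an added example (not from the original post): a PowerShell check that sends an HTTP and an HTTPS request through the TMG Web proxy using the logged-on user's integrated credentials, which matches the Integrated authentication setting chosen above. The proxy host name, port and test URLs are assumptions to replace with your own.

```powershell
# Added example (not from the original post): verifies from a domain-joined client
# that the TMG Web proxy accepts HTTP and HTTPS requests with integrated auth.
# Proxy host, port and URLs are placeholders; the port is whichever (80 or 8080)
# was set on the Web Proxy tab of the Internal network properties.
$proxyHost = 'tmg.wolverine.com.au'   # placeholder, using the post's example domain
$proxyPort = 8080
$urls = @('http://www.microsoft.com/', 'https://www.microsoft.com/')

$proxy = New-Object System.Net.WebProxy("http://${proxyHost}:${proxyPort}")
# Integrated authentication: present the logged-on domain user's credentials to the proxy.
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

foreach ($url in $urls) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Proxy   = $proxy
    $req.Timeout = 15000   # ms
    try {
        $resp = $req.GetResponse()
        # A forward proxy normally adds a Via header naming itself, which shows
        # the request really went through TMG rather than directly to the site.
        "{0,-35} HTTP {1} via={2}" -f $url, [int]$resp.StatusCode, $resp.Headers['Via']
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response -ne $null) {
            # 407 = proxy wants credentials (check Integrated on the Authentication dialog);
            # 502 = TMG rejected the request (check the HTTP/HTTPS access rule).
            "{0,-35} HTTP {1}" -f $url, [int]$ex.Response.StatusCode
        } else {
            # No response at all: name resolution, connectivity or timeout problem.
            "{0,-35} {1}" -f $url, $ex.Status
        }
    }
}
```

Run it from a PowerShell prompt on the test client; a pair of HTTP 200 lines carrying a Via header means both the access rule and proxy authentication are working.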

    Remote Management Console Installation

    Forefront TMG is 64-bit, but a downloadable 32-bit TMG Admin Console is available from this Microsoft link.

  • Insert the Forefront TMG DVD into the DVD drive, or run autorun.hta from the shared network drive.

  • On the main setup page, click Run Installation Wizard.

  • On the Installation Type page, select Forefront TMG Management only.

  • On the Installation Path page, you can change the default installation path.

  • On the Ready to Install the Program page, click Install.

  • After the installation is complete, if you want to open Forefront TMG Management select Launch Forefront TMG Management when the wizard closes.

    References:

    Microsoft Forefront TMG 2010

    Downloadable TMG Admin Console

    Interoperability with BranchCache solution guide

    Understanding Service Ports



    How to configure L2TP IPSec VPN using ISA Server

    October 8, 2009

    Suppose you have roaming users who want to access the internal/private network, but you don't want to spend any money, and your existing infrastructure consists of Microsoft AD, DNS, DHCP and ISA as the firewall, as in the picture below. Well, you don't need to spend money to accomplish this objective. It's a few mouse clicks away.

    Figure: Microsoft ISA Edge Firewall, source: Microsoft Corp.

    As I mentioned above, you need MS AD, DNS, DHCP, Active Directory Certificate Services and an ISA server. If you don't have a certificate server, you can virtualize one following this instruction. Now you have to do the following steps:

    1. Check DNS, DHCP and AD connectivity in ISA server, make sure it is functioning properly.
    2. Check/ping public IP configured in one of the NICs in ISA server (ISA got at least two NICs, internal-private IP and external-public IP)
    3. Create a specific group in AD and add users who want VPN access
    4. Install machine/computer certificate in ISA server
    5. Configure VPN in ISA server
    6. Create L2TP client access policy
    7. Install user and machine certificates in VPN client machine
    8. Create L2TP VPN dialler in client machine and test connection

    The following screenshots of each step will definitely be helpful for you.

    ISA Management console>VPN>VPN Property


    ISA Management Console>VPN>VPN Clients property


    ISA management Console>Firewall Policy>Create New Access Policy


    ISA Management Console>Apply.

    Further Study:

    Microsoft Technet

    Administrator’s Guide to Microsoft L2TP/IPSec VPN Client

    Keywords: ISA Server, L2TP IPSec, VPN


    How to block ports using ISA server

    September 15, 2009

    Here I will show an example of how to block port-specific communication across an entire computer network. You have to add a user-defined protocol in ISA Server to block those ports. You may ask why. Let me explain a little bit.

    A port is an application-specific or process-specific software construct that serves as a communication endpoint used by transport layer protocols of the Internet protocol suite, such as TCP or UDP. The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.

    Sometimes these ports are used for evil purposes such as spreading viruses in a local area network. One example would be the Conficker virus, which communicates via NetBIOS ports 135-139. Here are the "how to" screenshots for blocking these ports.

    Open ISA Management Console>Tasks pane>Toolbox>Protocols

    Select user-defined>New>Protocol> Type W32.conficker, click next


    ISA Management Console>Tasks pane>Tasks>Create New Policy


    Add the user-defined protocol, i.e. W32.Conficker.


    Remove All Users and click Next>OK

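Once the rule is applied, you can verify from a client on another network that the ports are really closed rather than trusting the policy screen. This PowerShell check is an added example, not part of the original post; the target address is a placeholder, and because a TCP connect cannot exercise the UDP NetBIOS ports (137 and 138), only TCP reachability is reported.

```powershell
# Added example (not from the original post): after the W32.Conficker deny rule is
# applied, confirm from a client that TCP ports 135-139 are unreachable across ISA.
# The target host is a placeholder on the far side of the ISA server.
$target  = '192.168.10.20'   # placeholder: a host on the other network
$ports   = 135..139          # the range named in the post (137/138 are UDP, so expect no TCP listener)
$timeout = 3000              # ms to wait for a SYN/ACK before calling the port filtered

foreach ($port in $ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ar     = $client.BeginConnect($target, $port, $null, $null)
    $done   = $ar.AsyncWaitHandle.WaitOne($timeout, $false)
    $state  = 'filtered (timeout) - deny rule in effect'
    if ($done) {
        try {
            $client.EndConnect($ar)
            $state = 'OPEN - rule not effective, check the access rule order'
        } catch {
            # Reached the host but the connection was refused, or ISA sent a reset.
            $state = 'refused/reset'
        }
    }
    $client.Close()
    "{0}:{1,-5} {2}" -f $target, $port, $state
}
```

Run it before and after applying the rule; the before run tells you which ports were reachable, the after run should show every TCP port as filtered.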


    How to check ISA Server’s health

    September 14, 2009

    When did you last run the ISA Best Practices Analyzer, or have you never run it at all? If the answer to both is "negative", then it's time to run the ISA Best Practices Analyzer (BPA) on the ISA server. It is always good to check the health of the ISA server, whether it is running great or not; you can rectify any issues before they get worse.

    You can download ISA BPA from this link 

    Install ISA BPA on the ISA server and run it as follows. Select all tasks.

    Read the report carefully. You might have configured rules that are necessary for you, but ISA BPA might show a warning about them. Don't worry about it. For example, I configured ISA using the single-NIC scenario, but BPA gives me a warning. It's OK to ignore this warning. Look for other issues and verify them against the policies you have configured.

    Note: don't rush to modify the ISA server after reading the BPA report.

