back-to-back firewall – Blog by Raihan Al-Beruni

Forefront UAG 2010 Patching Order

I have written the following articles few weeks back. One thing I would like to add on to these articles is the patching order of Forefront UAG 2010.

You must have a base build Windows Server 2008 R2 SP1 with all Microsoft security and critical updates. you install the UAG from the this source Forefront_UAG_Server_2010_64Bit_English_w_SP1 with correct product key from Microsoft volume licensing center.

The following the order of patching UAG before you start configuring UAG.

1. TMG-KB2555840-amd64-ENU

2. TMG-KB2689195-amd64-GLB

3. UAG-KB2288900-v4.0.1269.200-ENU

4. UAG-KB2585140-v4.0.1773.10100-ENU

5. UAG-KB2710791-v4.0.2095.10000-ENU

6. UAG-KB2744025-v4.0.3123.10000-ENU

UAG Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Love My Blog Stats

Total Stats

Blog Referrer

FF TMG 2010—Can future be altered?

I read the following articles about Microsoft Forefront TMG 2010. I was shocked by the news. TMG 2010 is one of the beautiful product Wintel Engineers and Security Administer can be proud off. I believe I am one of the biggest admirer of Forefront Product lines.

Death of TMG? by Deb Shinder

What will happen with TMG?

The demise of Threat Management Gateway: Is Microsoft backing away from the edge?

I would like to voice my own opinion on this matter. I am sure I will find lots of similar minded techie out there who would love to share same opinion as me. I would like to send an open request to Microsoft Corp and MVPs to pursue for an advanced version of TMG that incorporate cloud security and address modern day security challenges.

I decided to write on a different perspective of TMG 2010 what I would like to see next service pack of Forefront Threat Management Gateway or in a future version if there is one. This is not an official account of Microsoft Corp. This is just my wish list. I hope and cross my finger that Microsoft will listen to those who are on the field working for a better and even bigger Microsoft community.

FF TMG 2010: Here is details of evolution of today’s TMG

TMG 2010 can be more advanced in terms Firewall Policy, Publishing Rules and Cloud Security. TMG 2010 may be available in Downloadable virtual Appliance build on Windows Server “Code name 8” and physical appliance through the Microsoft partners program. Microsoft declared TMG 2010 is in sustainable mode and will not invest on TMG for further development so my dream to administer TMG administration console via internet explorer and Silverlight will be just a dream. I would like to see TMG service pack as separate installed and TMG 2010+SP3 integrated together in a installer for those who wants to refresh TMG and adopt as a new customer.

Topology and Installation Changes: I would like to see a Hyper-V network incorporated into TMG. As you all know when installing TMG, TMG installer prompt you for subnets of Local area network. The new version will prompt you to add your cloud networks in an installation window. The installer will secure the local area network and private cloud network using default configuration which you will be able to modify and align later on with your desired topology and network layout.

Incorporating Cloud Security:

clients and partners have serious concern over the years about Service provides who sells cloud solutions. For example, service provider selling Exchange cloud, SharePoint cloud, Anti-Spam and Security Cloud Solution. There are questions to be asked when you buying public cloud solutions. This is not just having a hypervisor and virtual center. what about application security, identity and governance. How would to address your client’s concern of internal threat and external threat. How client will trust a provider when they place their data in somewhere service provider’s cloud.

Microsoft can/should/must address these issues by providing Security as a service. Forefront TMG can play a key role if Microsoft is willing take a step ahead to the bottom line.

Application security
Privacy
Legal issues
Availability
Identity management
Compliance
Business Continuity and data recovery
Data Security

Firewall Rules: New Publishing Tools in Tasks pan should include

Publish FTP Servers
Publish Lync Server
Publish Streaming Media Server
Secure Cloud Network

Configure IM and Social media policy: Web Access Policy Tasks Pan should include

Configure IM Access (Allow/Deny Skype/Lync/MSN/Yahoo Messenger)
Configure Social Media Access (Allow/Deny Social Media such as Twitter/FaceBook/Google+/Youtube)

Networks: Network rules incorporate a build-in cloud network and network rules establishing communication from LAN to Cloud network and External to Cloud network. During installation of TMG; allow rules to be configured automatically when selecting Hyper-V Server in DMZ.

Multicast NLB Configuration: NLB Properties should be added another check box to create firewall rule for Multicast NLB in a virtualized environment. That means Multicast NLB mac address can communicate within array members in a virtualized environment if there is strict security policy deployed through out the infrastructure.

List of New Protocol available: New Protocols includes following protocols and many more:

Cloud Protocols
Lync Protocol
Hyper-v Protocols

Generate offline Certificate request: There should be an option to generate offline certificate request in Systems>Tasks pan.

Integrating Bing Search with TMG 2014 Cache: Search result cached in TMG from Bing Search Engine and presented to client.

Bandwidth Management: TMG should be able to manage bandwidth by single user, multiple users, AD Security groups, IP address, Computer Name, Department, Site, Branch.

Configure Branch or Site TMG Server: Option can be selected during installation of TMG 2010+SP3 (integrated installer) whether TMG is a primary site or branch site. Selecting Branch Site will auto configure site server with site to site VPN (if selected) and even replicate with primary sites firewall rules and policies (depending on topology). when installing a branch TMG branch TMG will automatically create branch cache depending on selection of topology .

Reporting: Following are the examples of the reports will be available in TMG 2010 SP3. there will be many more.

User based report
AD Security Group Based report
Web Site Visited
IP Address visited
Web/Content Uses report
Download reports by users/Group/Department
Bandwidth Uses report
Caching report
Search Engine Visitor by Search Engine report
Real Time/Custom Traffic report
Traffic Trending report
Top 20 Net users
Top 20 Site Visited
Default Monthly report
Default Yearly report
TMG Health report

Audit and Change Management: TMG will include complete change manage and recording of Tasks/Events generated by role based user and systems itself.

Role based TMG management: TMG Workgroup Deployment and Domain Member deployment should include RBAC management.

Administrator
Organization Administrator (member of this group manages cluster of Arrays )
Backup operator (Commvault/Symantec Client/SCDPM client integrated)
Auditor/User (view permission)
Firewall Rules and Web Access Policy Operator
Single or Multiple array administrator

Tool Box: Pre-installed BPA, Troubleshooting, Monitoring & Capturing Real Time Traffic.

Learn more about TMG here .

Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

Forefront TMG can be configured in various topologies or network scenario such as Edge Firewall, 3-leg perimeter, back firewall and single network adapter. In this article, I will configure Forefront TMG as a 3-leg perimeter. Before you can start, prepare windows server 2008 using Microsoft recommended hardware. Below is a standard systems requirement for TMG:

Supported Operating Systems: Windows Server 2008 SP2 or Windows Server 2008 R2
A computer with 4 core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
4 gigabytes (GB) or more of memory
2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection
Two disk for system and TMG logging, and one for caching and malware inspection
3 network adapter (3-Leg Perimeter)

Assumptions:

you can add multiple internal network ranges such as 10.10.11.1/24 and 10.10.12.1/24 in TMG but assigned internal NIC of TMG server will be just one. In this situation, you have to create vlans, IP routing and access rule in the core switch or layer 3 switch. You can add multiple perimeter networks also in your infrastructure. In this scenario, you have to assign specific NIC for specific perimeter network. You may visit specific server manufacturer web site to find out maximum number of supported NIC in a server hardware and Microsoft website to see supported maximum number of NICs in a physical and virtualized windows server. In real life DMZ and External network must have public IP addresses i.e. routable IP addresses.

In a perimeter, you can publish Exchange CAS, OCS and Sharepoint Frontend server or choice of your web server. The following Visio diagram depict a typical 3-leg perimeter or DMZ.

Install Windows server 2008 in a virtual or physical machine with recommended systems requirement. insert TMG DVD or mount TMG iso on virtual server. Run TMG preparation tools and Run Installation wizard. Follow my previous step by step TMG installation guide to install TMG. It would redundant to write again.

Configure 3-leg perimeter :

Open Forefront TMG Console>Select TMG Array>Launch Getting Started wizard from Task Pan. You will be presented with configuration wizard. Click Configure network settings>Click Next> Select 3-Leg Perimeter>Click Next.

Select internal, external and perimeter network on the following three steps. Remember, you must configure static IP for all NICs.

Now configure system settings and define deployment options on the next steps.

Click on networking option>verify all the settings by visiting property of internal and perimeter networks. You may add desired routing rules in the network rules.

DNS Configuration for Perimeter Network:

To allow LDAP authentication in perimeter network, right click on firewall policy>Click new>Click Access policy.

Type name of the policy>Click next>Click Allow>Click next

On the selected protocol, Add DNS, Kerberos-Admin (TCP), Kerberos-Admin (UDP), LDAP, LDAP(UDP), LDAP (GC), Kerberos-Sec (TCP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP, PING, RPC (All Interface). On the source, specify particular web server (or server) and on the destination specify AD DNS server. For this article, I am adding perimeter and internal network as a whole . However, in production environment I would not recommend to do so. For security season, by default everything is blocked in TMG server. you have to add protocols and rules one by one. Create specific rule for specific purpose.

Apply changes>Click ok. Right Click on the rule>Click property>verify all protocols, source and destination.

To publish any web server in the perimeter, follow the link provided in the relevant articles. To publish secure web sites, import web server certificates in TMG server and web server and follow the web publishing rule.

Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide

Placing a firewall in a corporate network puts you in commanding position to protect your organisation’s interest from intruder. Firewall also helps you to publish contents or share infrastructure or share data securely with eternal entity such as roaming client, business partners and suppliers. Simply, you can share internal contents without compromise security. For example, publishing Exchange Client Access Server, OCS 2007 and SharePoint front-end server in the perimeter.

More elaborately, the front-end and the back-end topology is commonly seen in multi-tier applications where the user interacts with a front-end server (Example: CAS server) and that server interacts with a back-end Server (Example: HT server). In this exchange deployment scenario, users interact with a front-end CAS Web server placed in DMZ or perimeter to get Outlook Web Access for reading and sending email. That Web server must interact with the back-end mail server or HT server, but Internet users do not need to interact directly with the back-End HT server. The front-end and back-end server(s) does all these for you providing maximum security. visit Exchange 2010 deployment in different firewall scenario

In this article, I am going to illustrate Back-to-Back Firewall with DMZ. This topology adds content publishing to the back-to-back perimeter topology. By adding content publishing, sites and content that are developed inside the corporate network can be published to the server farm that is located in the perimeter network.

Advantages

Isolates customer-facing and partner-facing content to a separate perimeter network.
Content publishing can be automated.
If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.

Disadvantages

Requires more hardware to maintain two separate farms.
Data overhead is greater. Content is maintained and coordinated in two different farms and networks.
Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.

Assumptions:

Internal IP range: 10.10.10.0/24
Perimeter IP Range: 192.168.100.0/24
Public IP:203.17.x.x/24

Note: In the production environment, perimeter IP must be public IP accessible from internet.

Computer	Internal NIC Configuration	External NIC Configuration
Back-End TMG 2010 (two NICs)	IP: 10.10.10.2 Mask:255.255.255.0 DG:Null DNS:10.10.10.5	IP:192.168.100.4 Mask:255.255.255.0 DG:192.168.100.5 DNS:Null
Front-End TMG 2010 (Two NICs)	IP:192.168.100.5 Mask:255.255.255.0 DG:null DNS:10.10.10.5 2nd DNS:203.17.x.x (public IP)	IP:203.17.x.x (public IP) Mask:255.255.255.0 DG:203.17.x.1 (public DG) DNS:203.17.x.x (public DNS)
DC	IP:10.10.10.5 Mask:255.255.255.0 DG:10.10.10.2 DNS:10.10.10.5	Not Applicable

Routing Relation:

Back-end TMG

Internal to PerimeterPerimeter to External

Perimeter to Internal

RouteNAT (Default)

Route

Front-End TMG

Internal to External
(All TMG Default)

NAT (Default)

Persistent Routing in Front-End TMG and all servers placed in perimeter/DMZ: You must add following routing table in front-end TMG server and all other servers placed in perimeter in elevated command prompt. To do that, just log on as administrator, open command prompt and type following and hit enter.

Route ADD –P 10.10.10.0 MASK 255.255.255.0 192.168.100.4

Configure Back-End TMG Server:

Log on to TMG Server using Administrative credentials and define internal IP as shown on TCP/IP property.

Define Perimeter IP As shown on TCP/IP property

Now add TMG server as a domain member. Install Forefront TMG using Step by Step Guide Lines. Open TMG Management console, Launch Getting started Wizard. Configure network Settings. Select back Firewall.

Click Configure Systems Settings.

Click Define Deployment Options.

Click Close. Apply Changes and Click Ok.

Create connectivity with AD and DNS.

Add and Verify IP addresses of internal (10.10.10.0/24) and perimeter network (192.168.100.0/24).

Add Network Rules:

Create Network Rule. To do that click on Networking>Network Rules>Create a New Network Rule Wizard.

Here, Rules 1 to 4 will created by default while initial configuration as shown below. You have to create rule 5 and 6 by repeating above steps.

Configure Firewall Rules:

Actions	Allow
Protocols	DNS, Kerberos-Sec(TCP), Kerberos-Sec (UDP),Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (Global catalog), Microsoft CIFS (TCP) ,Microsoft CIFS (UDP), NTP (UDP), PING, RPC (All Interface)
Source	DC, Front-End TMG
Destination	DC, Front-End TMG
Conditions	All Users

Now Publish DNS for perimeter network. Right Click on Firewall Policy, Click New, Click Access Policy, Name new access policy. On the selected protocol add DNS, Kerberos-Sec(TCP), Kerberos-Sec (UDP),Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (Global catalog), Microsoft CIFS (TCP) ,Microsoft CIFS (UDP), NTP (UDP), PING, RPC (All Interface), Click next.

On the Access Rules Sources, Click Add, Select Computers, Click New, Type Netbios name of DC and Type IP, Click Ok. Select DC and Click Add. Repeat this process for Front-End TMG server i.e. add name and IP of front-end TMG server and Click Add.

On the Access Rule Destinations, Click Add, from the computers list add DC and front-End TMG servers. Click Next and Click Finish. Apply changes and click ok.

Create an Access Rule allowing all outbound traffic to go from internal to perimeter.

Actions	Allow
Protocols	All Outbound Traffic
Source	Internal
Destination	Perimeter
Conditions	All Users

Create another access rule allowing HTTP and HTTPS to go from internal to perimeter and external.

Actions	Allow
Protocols	HTTP, HTTPS
Source	Internal
Destination	External
Conditions	All Users

Configure Front-End Forefront TMG Server:

Prepare another Windows Server 2008 x64 computer. Log on as an administrator. Define internal and external IP addresses as shown below.

Internal TCP/IP property:

External TCP/IP property

Open Command prompt>type following command to add persistent Routing:

c:\>Route Add –P DestinationIP DestinationMask SourceIP

c:\>Route Print

Add Front-End TMG as domain member. Follow same installation and initial configuration options shown in back-end TMG server. There are only two differences while initial Network Settings configuration that are selecting internal (192.168.100.0/24) and external (203.17.x.x/24) network. Those are shown below.

Create Connectivity Verifier with AD, DNS and Web.

Networking>networks>internal>Add 10.10.10.0/24 and 192.168.100.0/24 as internal IP. Make sure internal IP and perimeter IP of back-end server are both internal IP of Front-end server. keep default routing rules in Front-End TMG. Configure property of internal network.

Verify Network Rules:

Configure firewall to allow HTTP/HTTPS : Firewall Policy>New>Access policy>Allow HTTP and HTTPS for all users. Do not Allow all outbound traffic to go from internal to external in Front-End Server. Only specific ports and protocols should be allowed.

Test Firewall: Log on to a computer in internal network behind Back-End Firewall. Setup Proxy in IE as shown below and browse internet.

Placing Front-End Server(s) or a member server in DMZ:

One you have completed above steps, you are ready to place any Front-End server(s) such as Exchange CAS, OCS 2007 and SharePoint Servers in DMZ/Perimeter. You need to import certificates from Enterprise Root CA placed in internal network (behind Back-End TMG) to Front-End TMG server to publish secure web sites such as OWA, Outlook Anywhere or OCS. All Publishing Rules Applied in Front-End TMG server. Here, I am not writing OWA or Anywhere because it would redundant for me to write again as I have shown all these in my previous posting. Visit the links mentioned below.

Prerequisite for placing a member server in DMZ: A member server must have following TCP/IP configuration to work in perimeter.

IP	192.168.100.0/24 (Perimeter IP Range)
DG	192.168.100.5 (Internal IP of Front-END TMG server)
DNS	10.10.10.5 (Internal DNS)
2nd DNS	203.17.x.x (Public DNS)
Routing	As Mentioned in Persistent Routing Section of this Blog