Deploy Web Application Proxy Role in Windows Server 2012 R2 – Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 – Part II

Web Application Proxy is a role in Windows Server 2012 R2. It brings some, but not all, of the functionality of Microsoft Forefront TMG and Microsoft Forefront UAG. Since Microsoft phased out the Forefront product line except FIM, Web Application Proxy gives customers who still want to use the Microsoft platform a way to publish applications such as Exchange 2013, Lync 2013 and SharePoint 2013 to external clients and vendors.

Web Application Proxy provides pre-authentication and authorization using Active Directory Federation Services (AD FS), including multifactor authentication and access control. AD FS is deployed separately from Web Application Proxy, which means you must have a separate server hosting the AD FS role.

Benefits of Web Application Proxy

  • Pre-authentication—Only authenticated traffic can get into the corporate network.
  • Network Isolation—Incoming web traffic cannot directly access backend servers.
  • Selective Publishing—Only specific applications and paths within these applications are accessible.
  • DDoS Protection—Incoming traffic arrives at Web Application Proxy before hitting the corporate network. Because Web Application Proxy acts as a proxy, many DDoS attacks can be prevented from reaching the backend servers.
  • Selective Ports—Apply deny ALL and allow selected ports. This policy will prevent SQL injection.
  • Extended Validation—URL validation and verification using a public certificate authority. Supports strong security and encryption using SHA and 2048-bit certificate encryption.

Web Application Proxy Infrastructure

  • Active Directory Domain Services (AD DS)
  • Internal Domain Naming System (DNS)
  • External DNS Name Resolver or ISP
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Web Application Proxy Server(s)
  • Public Certificate Authority
  • Internal Enterprise Certificate Authority
  • Backend Application Server(s)

Web Application Proxy Network

Web Application Proxy can be deployed in several topologies. In all of these scenarios Web Application Proxy needs two network adapters.

Edge Firewall: Behind a frontend firewall such as a Cisco ASA that separates it from the internet. The firewall must allow HTTPS (443) traffic to and from the Web Application Proxy server.

DMZ: Behind a frontend firewall such as a Cisco ASA that separates it from the internet, and in front of a corporate firewall such as a Cisco ASA that separates it from the corporate network. The firewall must allow HTTPS (443) traffic to and from the Web Application Proxy server. For client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Edge Configuration: One network adapter is directly connected to the internet and another network adapter is connected to the corporate network. Web Application Proxy can be a member of an Active Directory domain.

TCP/IP Configuration Examples

Scenario: Non-domain joined

  • Internal NIC: IP 10.10.10.20, Subnet 255.255.255.0, Gateway 10.10.10.254, DNS 10.10.10.21
  • External NIC: IP 192.168.0.10, Subnet 255.255.255.0, Gateway NIL, DNS NIL

Scenario: Domain joined

  • Internal NIC: IP 10.10.10.20, Subnet 255.255.255.0, Gateway NIL, DNS 10.10.10.21
  • External NIC: IP 203.17.x.x (public IP), Subnet 255.255.255.0, Gateway 203.17.x.254 (public gateway), DNS 8.8.8.8 or public DNS

DNS Requirement

  • Internal DNS: Web Application Proxy must resolve the internal fully qualified domain name of the backend application server, such as an Exchange or SharePoint server. You must configure the correct DNS record and TCP/IP settings of the Web Application Proxy server, either using a DNS server or by editing the hosts file in the Windows\System32\Drivers\etc location.
  • External DNS: External clients must resolve the fully qualified domain name of the application. In this case, you must configure a HOST (A) record on the public DNS server. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.

Load Balancer Consideration

Web Application Proxy does not have in-built load balancer or ISP redundancy functionality. Depending on your requirements, you can use any hardware or software load-balancer to balance load between two or more Web Application Proxy Servers.

Domain Joined or non-domain joined

Web Application Proxy can be deployed without joining the server to an Active Directory domain or by joining the Web Application Proxy server to a standalone domain in a perimeter network.

You can deploy Web Application Proxy with a read-only domain controller. However, if you want to deploy Web Application Proxy and DirectAccess on the same server, you cannot use a read-only domain controller.

Authentication Consideration

Web Application Proxy can work with the following authentication protocols.

  • AD FS pre-authentication
  • Integrated Windows authentication
  • Pass-through pre-authentication

Network Time Protocol (NTP)

You must have a proper NTP server in your organization. The NTP server can be your domain controller or a Cisco core switch. The time must be identical on the AD FS and Web Application Proxy servers.

Certificate Authority

There are two types of certificate requirements for a Web Application Proxy server: public CA and enterprise CA.

  • Public CA: For external clients to be able to connect to published web applications using HTTPS, Web Application Proxy must present a certificate that is trusted by clients. In this case you must bind a public certificate to the published application on the backend server and on the Web Application Proxy server.
  • Enterprise CA: AD FS certificates must match the federation service value. AD FS can use an internal Enterprise CA. For example, the Common Name (CN) of the certificate is adfs.superplaneteers.com.

Supported Certificate Template

Web Server Certificate with single common name, subject alternative name (SAN) certificates, or wildcard certificates.
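
The name-matching rule behind these certificate choices, as an added example (not part of the original article and not Microsoft tooling): the check below reports which published hostnames a certificate's names leave uncovered. Every hostname other than adfs.superplaneteers.com is constructed for illustration.

```python
# Added example: does a certificate's name list cover the hostnames that
# Web Application Proxy and AD FS must present? Simplified matching: only a
# whole left-most "*" label is treated as a wildcard.


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or SAN DNS name) against a hostname.

    A wildcard covers exactly one label, so *.example.com matches
    a.example.com but neither example.com nor a.b.example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hosts(cert_names, required_hosts):
    """Return the required hostnames that no certificate name covers."""
    return [h for h in required_hosts
            if not any(name_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed list of names to publish; only the AD FS name is from the article.
    required = [
        "adfs.superplaneteers.com",
        "mail.superplaneteers.com",
        "portal.apps.superplaneteers.com",
    ]
    candidates = {
        "single common name": ["adfs.superplaneteers.com"],
        "SAN certificate": ["adfs.superplaneteers.com",
                            "mail.superplaneteers.com",
                            "portal.apps.superplaneteers.com"],
        "wildcard": ["*.superplaneteers.com"],
    }
    for label, names in candidates.items():
        print(f"{label}: uncovered = {uncovered_hosts(names, required)}")
```

The wildcard case leaves portal.apps.superplaneteers.com uncovered, which is the usual reason a SAN certificate is needed when published names sit at different depths.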

Pass-Through Pre-Authentication

When you publish Exchange and SharePoint using a Web Application Proxy server, you can pass authentication through to the specific application instead of AD FS or Web Application Proxy. In this case Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS. Pass-through authentication is still a worry-free deployment because it prevents DDoS and SQL injection and provides network isolation.

Configure FF TMG 2010 as SOCKS Proxy

In this article I am going to write about the SOCKS proxy and its applications in the enterprise. Let's begin with the SOCKS proxy. Socket Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS servers will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded. SOCKS operates at Layer 5 of the OSI model, the session layer.

In simple terms, SOCKS is an IETF approved standard for TCP/IP based networking applications. The SOCKS proxy provides the capability to allow traffic to be handled by a proxy for those applications (IM, ICQ) that do not have the native ability to set proxy parameters.

Let me explain forward proxy or proxy server. A proxy server’s function is to receive a request from a web browser or client, to perform that request (possibly after authorization checks), and return the results to the browser or client.

An advantage of a proxy is that the IP addresses or names of the internal systems never appear on the Internet; the Internet sees only the address of the proxy server. Attackers therefore cannot use the addresses to gain information about your internal system names and network structure. Requests for certain sites can be restricted or banned. Web proxy servers usually support many protocols, including HTTP, FTP, Gopher and HTTPS.

How does a SOCKS server work? Proxy servers can themselves use the SOCKS protocol to provide additional security. A SOCKS proxy adds a layer of encapsulation to the request from the client and forwards the encapsulated request to the destination.

Advantages:

  • Encapsulating any TCP protocol within the SOCKS protocol. On the client system, within the corporate network, the data packets to be sent to or from an external system will be put inside a SOCKS packet and sent to a SOCKS server.
  • Returning packets will be sent to the SOCKS server, which will encapsulate them similarly and pass them on to the original client, which removes the SOCKS encapsulation, giving the required data.

Disadvantages:

  • The advantage of all this is that the firewall can be very simply configured, to allow any TCP/IP connection on any port, from the SOCKS server to the non-secure Internet, trusting it to disallow any connections which are initiated from the Internet.
  • The disadvantages are that browser configuration is more complex, the added data transfers can add an extra delay to page access, and sometimes proxies impose additional restrictions such as a time-out on the length of a connection, preventing very large downloads.
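
The SOCKS4 handshake behind the description above, as an added example that is not part of the original article: a client's CONNECT request, the gateway-side parser, and an allow-list decision of the kind a firewall policy expresses. The addresses, ports and user ID are constructed sample values, and `decide` is a hypothetical stand-in, not TMG's SOCKS filter.

```python
import ipaddress
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90    # request granted
REPLY_REJECTED = 91   # request rejected or failed


def build_connect_request(dst_ip: str, dst_port: int, user_id: str = "") -> bytes:
    """Client side: VN, CD, DSTPORT (big-endian), DSTIP, USERID, NUL."""
    return (struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, dst_port)
            + ipaddress.IPv4Address(dst_ip).packed
            + user_id.encode("ascii") + b"\x00")


def parse_request(data: bytes) -> dict:
    """Gateway side: decode a SOCKS4 request, rejecting malformed input."""
    if len(data) < 9:                      # 8 fixed bytes plus the NUL terminator
        raise ValueError("too short for a SOCKS4 request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != SOCKS4_VERSION:
        raise ValueError(f"not SOCKS4 (version byte {version})")
    end = data.find(b"\x00", 8)
    if end == -1:
        raise ValueError("USERID is not NUL-terminated")
    return {
        "command": command,
        "dst_ip": str(ipaddress.IPv4Address(data[4:8])),
        "dst_port": port,
        # USERID is a client-supplied string; SOCKS4 carries no password.
        "user_id": data[8:end].decode("ascii", "replace"),
    }


def decide(request: dict, client_ip: str, allowed_sources, allowed_ports) -> bytes:
    """Return the 8-byte reply for an allow-list policy (hypothetical policy model)."""
    source_ok = any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(net)
                    for net in allowed_sources)
    permitted = (request["command"] == CMD_CONNECT
                 and source_ok
                 and request["dst_port"] in allowed_ports)
    code = REPLY_GRANTED if permitted else REPLY_REJECTED
    # Reply layout: VN = 0, CD = result code, then port and address fields.
    return struct.pack("!BBH4s", 0, code, 0, b"\x00" * 4)


if __name__ == "__main__":
    # Constructed sample: an internal client asking for an ICQ-style port.
    raw = build_connect_request("203.0.113.10", 5190, "alice")
    req = parse_request(raw)
    policy = dict(allowed_sources=["10.10.10.0/24"], allowed_ports={21, 5190})
    print(raw.hex(), req)
    print("internal client:", decide(req, "10.10.10.55", **policy)[1])
    print("other network:  ", decide(req, "192.168.0.77", **policy)[1])
```

Because the USERID field is only a client-asserted string, the decision here rests on the source network and destination port rather than on the user name.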

Microsoft FF TMG 2010 can act as a SOCKS server, SOCKS gateway or SOCKS proxy. To configure Microsoft FF TMG 2010 as a SOCKS gateway:

Log on to FF TMG 2010>Open TMG management console>Click on System>Click on Application Filter>Right Click SOCKS4 Filter>Click Enable

Apply Changes>Click OK.

Right Click SOCKS4 Filter>Click Enable>Click Property.

Keep Default Port number>Select the network where SOCKS request will originate. For example Internal Network.

Click Ok. Apply Changes>Click Ok.

Now create a firewall policy to allow SOCKS communication between a source and a destination. For example, here I created a policy opening the SOCKS port between the internal network and the SOCKS gateway, which is my proxy server.

Apply changes. Click Ok.

The ICQ protocol is available in the TMG 2010 protocol list. If you don't see your desired protocol in the list, you can add a user-defined protocol by simply adding a new protocol. For ICQ communication, you have to create a rule specifying the source, the destination and the protocol you are allowing.

To configure an FTP SOCKS connection, configure the global settings of CuteFTP or the individual connection settings of each connection.

To configure proxy settings in IE: Open IE>Click Tools>Click Internet Options>Click Connections>Click LAN Settings>Click Proxy Settings and add the SOCKS gateway or SOCKS proxy server details.

You can configure SOCKS proxy via GPO.

Create and link a GPO with an OU>Right Click on GPO>Click Edit>navigate to User Configuration\Windows Settings\Internet Explorer Maintenance

Expand the Internet Explorer Maintenance node and, in the Connection section, double-click Proxy Settings. You can define proxy settings for users.

To configure ICQ, Click on the Main button>Select Preferences>Click Connections. Click on the Firewall tab and select Socks4

  • Type Proxy IP address in the Host
  • Type in the proxy Port 1080
  • Type username and password in the Authentication
  • Apply and Click Ok

Forefront TMG 2010: Frequently Asked Questions (FAQ)

What is Forefront Threat Management Gateway?

Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections, including URL filtering, antimalware inspection, intrusion prevention, application proxy, and HTTP/HTTPS inspection, that are integrated into a unified, easy to manage gateway, reducing the cost and complexity of Web security. Forefront TMG enables organizations to perform highly accurate Web security enforcement by stopping employee access to dangerous sites, based on reputation information from multiple Web security vendors and the technology that protects Internet Explorer 8 users from malware and phishing sites.

What features does Forefront Threat Management Gateway 2010 SP1 include? 

This service pack will include a number of improved features and enhancements, including:

Improved reporting features

  * New User activity reports to monitor Web surfing information
  * New look and feel for all TMG reports

Enhancements to URL filtering

  * User override for access restriction on sites blocked by URL filtering, allowing more flexible and easier deployment of web access policy
  * Override for URL categorization on the enterprise level
  * Customized denial notification pages to fit an organization’s needs

Enhanced branch office support

  * Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache Server
  * Forefront TMG and a read-only domain controller can be located on the same server, reducing TCO at branch offices

Support for publishing SharePoint 2010

What is a secure Web gateway?

A secure Web gateway is a solution designed to keep users safer from Web-based threats. In general, it will include Web anti-malware inspection, URL filtering, and HTTPS inspection. With its long history as Microsoft ISA Server, Forefront Threat Management Gateway 2010 adds strong inspection of Web-based protocols to help ensure they conform to standards and are not malicious. It further extends this strong application layer inspection through the Network Inspection System.

How is Forefront Threat Management Gateway 2010 different than Microsoft ISA Server 2006?

Forefront Threat Management Gateway is different in four major ways:

Secure Web Gateway: Forefront Threat Management Gateway 2010 can be used to protect internal users from Web-based attacks by integrating Web antivirus/anti-malware and URL filtering. With HTTPS inspection, it can even provide these protections in SSL-encrypted traffic.

Improved Application Layer Defenses: Forefront Threat Management Gateway 2010 includes Network Inspection System, which enables protection against vulnerabilities found in Microsoft products and protocols.

Improved Connectivity: Forefront Threat Management Gateway 2010 enhances its support for NAT scenarios with the ability to designate e-mail servers to be published on a 1-to-1 NAT basis. Additionally, Forefront Threat Management Gateway 2010 recognizes SIP traffic and provides a method to traverse the firewall.

Simplified Management: Forefront Threat Management Gateway 2010 has improved wizards to simplify its deployment as well as its continued configuration.

How is Forefront Threat Management Gateway 2010 different than Forefront Threat Management Gateway, Medium Business Edition (TMG MBE)?

Forefront Threat Management Gateway MBE is a product designed specifically for mid-sized businesses purchasing Windows Essential Business Server. Forefront Threat Management Gateway 2010 builds on its functionality to provide a complete secure Web gateway solution, with such features as URL filtering and HTTPS inspection. It also delivers enhanced application layer inspection with Network Inspection System. With these features and others, it enables organizations to provide a higher level of security to their users.

Does Forefront Threat Management Gateway 2010 require 64-bit servers?

Yes, Forefront Threat Management Gateway 2010 runs on a server with a 64-bit processor. For more details, please see the system requirements.

How is TMG 2010 licensed?

See the How to Buy page.

Is Forefront TMG part of the Forefront Protection Suite and ECAL?

Forefront TMG Web Protection Service is part of Forefront Protection Suite and ECAL. Forefront TMG 2010 is not part of these suite offerings and must be licensed separately.

What is the Forefront Threat Management Gateway Web Protection Service?

The Forefront Threat Management Gateway Web Protection Service provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.  

Does Forefront TMG 2010 include Forefront TMG Web Protection Service?

No. Forefront TMG Web Protection Service is licensed separately. It can be licensed stand-alone, as part of the Forefront Protection Suite, or Enterprise CAL.

Do Forefront TMG 2010 customers have downgrade rights to ISA 2006?

Yes.  Customers who purchase Forefront TMG have downgrade rights to Microsoft Internet Security and Acceleration Server 2006.

What is the difference between Forefront Threat Management Gateway 2010 Standard and Enterprise editions?

Forefront TMG 2010 Enterprise Edition license gives customers increased scalability, provides access to a central management console, and provides extensive support for virtual environments.  The following chart outlines the differences between these editions:

Feature                               Standard   Enterprise
Network Load Balancing                No         Yes
Cache Array Routing Protocol          No         Yes
Enterprise Management Console         No*        Yes
Support for unlimited virtual CPUs    No         Yes

Can I migrate ISA to TMG and change FQDN of new TMG?

Yes you can. See  Migrate ISA

Can I install TMG on a DC?

No. This is not a supported configuration.

Can I configure reverse proxy using single NIC configuration?

Single NIC and reverse proxy is not a good idea. Why not two NICs? See this Reverse proxy for more info.

How many NICs do I need to configure a back-to-back TMG firewall?

Two NICs in each TMG server.

What type of IP do I use on a 3-leg perimeter or DMZ?

Public IP is recommended.

Can I use TMG as a router?

Yes you can configure TMG as router.

What types of VPN does TMG support?

See the VPN config

How can I configure NLB on TMG?

See this link NLB step by step

How can I configure cluster of TMG?

See this link

Can I manage TMG from my admin pc?

Yes you can. Link

Can I configure TMG as proxy cache?

TMG proxy Cache step by step

How can I retrieve custom report from TMG server?

See built in TMG reporting and Proxy inspector

How can I configure reverse proxy using TMG?

See this Reverse proxy for more info

Can I configure a back end TMG server behind Cisco ASA firewall?

Yes you can.

How can I configure ISP redundancy?

Here is a guide for ISP redundancy

How can I reinstall TMG?

See this link for answer

Configure Forefront TMG as a Proxy Cache

A Proxy Server provides a number of useful functions in a company’s network infrastructure. Proxy Servers will go out and retrieve Web pages and content and return the Web pages to the internal network users. The fact that the proxy is retrieving the Web pages and not the actual clients adds an extra layer of protection to the clients because their internal IP addresses are hidden from the Internet. The proxy mechanism makes surfing external Web sites safer for internal clients.

If employees are constantly requesting pages from the same Web sites, the proxy server can store those requests locally on the server. When additional requests are made for content that has already been retrieved and stored locally, the proxy server will send the requesting client the copies of the pages from its stored cache. Utilizing this function, a proxy server will not have to go back out again and fetch the requested Web pages.

Forefront TMG 2010 can be configured to act as a proxy server in your environment to accelerate the performance of Internet access. The following flow chart shows how TMG performs proxy caching.

Figure: Flow chart

Forefront TMG 2010 performs the following steps:

1. Forefront TMG 2010 checks whether the object is valid. If the object is valid, Forefront TMG 2010 retrieves the object from the cache and returns it to the user.

2. If the object is invalid, Forefront TMG 2010 checks the Web Chaining rules.

3. If a Web Chaining rule matches the request, Forefront TMG 2010 performs the action specified by the Web Chaining rule; for example, route the request directly to a specified Web server, an upstream proxy, or an alternate specified server.

4. If the Web Chaining rule is configured to route the request to a Web server, Forefront TMG 2010 determines whether the Web server is accessible.

5. If the Web server is not accessible, Forefront TMG 2010 determines whether the cache was configured to return expired objects. If the cache was configured to allow Forefront TMG 2010 to return an expired object as long as a specific maximum expiration time hasn't passed, the object is returned from the cache to the end user.

6. If the Web server is available, Forefront TMG 2010 determines whether the object may be cached depending on whether the cache rule is set to cache the response. If it is, Forefront TMG 2010 caches the object and returns the object to the end user.
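
The decision flow in steps 1 to 6, as an added example (a simplified model written for this page, not Forefront TMG code). It assumes every request is routed to the web server, so the Web Chaining lookup of steps 2 to 4 is reduced to a single `fetch` call; `CacheRule`, its field names and the time values are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class CachedObject:
    body: bytes
    expires_at: float          # time (seconds) after which the object is invalid


@dataclass
class CacheRule:               # hypothetical stand-in for a cache rule
    store_responses: bool = True        # step 6: may responses be cached?
    serve_expired: bool = True          # step 5: return expired objects if the server is down
    max_expired_seconds: float = 3600   # step 5: how far past expiry that is allowed
    ttl_seconds: float = 600            # validity given to newly cached objects


def handle_request(url, now, cache, rule, fetch):
    """Return (source, body); fetch(url) returns bytes or raises ConnectionError."""
    obj = cache.get(url)

    # Step 1: a valid object is returned straight from the cache.
    if obj is not None and now < obj.expires_at:
        return "cache", obj.body

    # Steps 2-4: the request is routed to the web server (chaining simplified away).
    try:
        body = fetch(url)
    except ConnectionError:
        # Step 5: server unreachable; an expired copy is returned only if the
        # rule allows it and the copy is not older than the configured limit.
        if (obj is not None and rule.serve_expired
                and now - obj.expires_at <= rule.max_expired_seconds):
            return "cache-expired", obj.body
        return "error", b""

    # Step 6: server reachable; cache the response if the rule says so.
    if rule.store_responses:
        cache[url] = CachedObject(body, now + rule.ttl_seconds)
    return "origin", body


if __name__ == "__main__":
    def origin_up(url):
        return b"page v1"

    def origin_down(url):
        raise ConnectionError("web server not accessible")

    cache, rule = {}, CacheRule()
    url = "http://example.test/index.html"   # constructed sample URL
    for now, fetch in [(0, origin_up), (100, origin_down),
                       (700, origin_down), (4201, origin_down)]:
        print(now, handle_request(url, now, cache, rule, fetch))
```

The third request shows the case worth reviewing in a cache rule: content past its validity is still delivered while the server is unreachable, bounded only by the maximum expiration setting.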

Figure: Simple Visio diagram of proxy cache

Cache Storage: Forefront TMG 2010 can store objects on the local hard disk, and for faster access can store most of the frequently requested objects on both the disk and the RAM. Cached pages can be stored immediately in memory (RAM) to be accessed by end users requesting the Web content. A lazy-writer or buffered-writer approach is used to write pages to the disk. By default, 10 percent of physical memory is allocated for RAM caching. The cache file can be stored as follows:

  1. Drive:\urcache\Dir1.cdat
  2. Must be NTFS non system partition (Local disk)
  3. Maximum cache size 64GB

Types of Cache:

Forward Caching: To cache all Internet traffic from external to internal. That's all Internet pages requested by internal users.

Reverse Caching: To cache all objects sent from internal to external. This works with publishing to help offload the published server.

Configuring Forefront TMG 2010 Web Proxy & Proxy Cache

1. Open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2. In the left pane, click Web Access Policy.

3. In the right pane under the Tasks tab, scroll down and click Web Proxy. Check Enable Web Proxy client connections for this network. Check Enable HTTP and type port 80, or if you want to use web proxy port 8080, type port 8080.

4. Click Authentication and select Integrated. Click OK.

5. Click Advanced and select Unlimited. Click OK.

6. Now click Apply and OK.

7. Click Configure Web Caching. You'll see the Cache Settings dialog box. Click the Cache Drives tab to access the Forefront TMG 2010 cache storage configuration.

8. Select the array member to enable the Configure button.

9. Click Configure to define the cache size and location.

10. To define the cache location and size, select the non-system partition where you want to store the cache file and enter the desired size of the cache file in the Maximum Cache Size (64000MB) text box. Click Set and then click OK to close the Cache Settings window.

11. Click Apply to apply changes.

Add new cache Rule

1. Go back to Cache Settings mentioned above

2. Click on Cache Rules Tab, Click New button, you will be presented with Cache rule wizard

3. Type name of cache rule for example: Microsoft update Cache rule, click Next

4. You will see cache rule destination, Click Add>Click New>Click URL sets

5. Type Name of the URL sets (For Example Microsoft Update). Click on Add and type URL. Repeat it and the following urls.

6. Click Ok. Now you will see Microsoft Update URL set. Select Microsoft Update URL set. Click Add and Click close to close URL sets.

7. Click Next. Select “If a valid version of the object exist in the cache. If no valid version exists. Route the request to the server”. Click Next.

8. In the cache content window select “If source and request header indicate to the cache” You may also select dynamic contents. Click Next

9. In the Cache Advanced Configuration window, check Do not cache objects larger than 1GB or your preference, but remember you have a 64GB cache size. Check Cache SSL responses. Click Next.

10. In the HTTP caching window, keep default settings, Click next

11. In the FTP caching window, keep default or Modify, Click next

12. Click Finish. Apply Changes.

Relevant Articles:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010
