Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
FIREWALL RULES
Firewall Rules
Access Rules
over route network relation
over NAT network relation from private to public side
Server Publishing Rules
over NAT network relation from public to private side
also called Port Forwarding or Port Address Translation
Firewall Rules
DMZ
Publishing (Port Forwarding)
NAT
LAN TMG Internet
DMZ
Rules
Ordered list
starts at the top
if the conditions are not met, proceeding with the next
rule
last rule Denies the rest
Allow/Deny the traffic
redirect/notify only for HTTP/S traffic
Default Rule
Rules Example
Threat Management Gateway 2010
Access Rules
TCP
first SYN – Initiated connection
after SYN/SYN-ACK/ACK – Estabilished connection
after RST/FIN – Closed connection
1440 minutes timeout
UDP/ICMP
first UDP packet – Initiated connection
1 minute timeout
Stateful inspection
Application filters
DNS, ICMP, ...
understands protocol internals
do not enable more replies if not expected
HTTP/S
although TCP based
URL/extensions/content-type filtering can happen
even later (GET, HTTP 200 OK)
Allowed/Denied connection
Conditions
Source/Destination IP addresses
Protocol
must use Outbound protocol definition
Inbound protocols are for publishing rules only
(mutually exclusive)
Custom Protocols
Lab
Lab
Some examples
TMG DNS Client Cache
Lab
URL Categories
URL Categories
Lab: Optional
HTTP GET
HTTP GET Response
Lab
Application filters
although the rule is Allow, the application filter can
sometimes deny the traffic anyway
HTTP, FTP, RPC
Authenticated rules
HTTP Filter Defaults
AUTHENTICATED TRAFFIC
Authenticated traffic
Client Protocols Pros Cons
VPN all traffic all traffic must be dialed manually
Web HTTP no must be configured on clients
Proxy HTTPS installation problems with WINHTTP, Java, .NET clients
FTP over Proxy on clients
Firewall TCP seamless, must be installed on clients
Client UDP permanent compatibility and troubleshooting problems
only for domain users on domain member
computers
Basic (RADIUS/LDAP)
very standard
clear-test (Base-64 encoded)
always pops-up user
Windows Authentication
open standard, about 2003
encrypted hashed (NTLM/Kerberos)
SSO possible
Digest
standard, RFC from 1997
always pops-up user
Authentication Selection
Non-Windows browsers
Basic + SSL
Windows browsers
Windows authentication + SSL
WEB PROXY
Proxy Server
Web Proxy
Web Proxy Client (per user)
PROXYCFG
NETSH WINHTTP SET PROXY
Web Proxy Client (WinHTTP)
URL/IP exemptions
Multiple TMG array members
CARP load balancing
Lab
Proxy Autoconfiguration
Can be published
on TMG on port
TCP 80
http://tmg/wpad.dat
Autoconfiguration script
Cached by clients
for 50 min.
To disable caching
see KB271361
Consider bypassing
local IPs and
domains
(not by default)
Bypassing IPs
requires DNS
resolution
Proxy Autoconfiguration
Web Server
DNS
DHCP WPAD.DAT
1
2
Proxy
3
Client
Proxy
Proxy Autoconfiguration
DHCP
primary means
client NIC must have DHCP turned on
DHCP Option 252
http://tmg.gopas.virtual/wpad.dat
DNS
secondary if DHCP method not available
DNS query for WPAD.[connection-specific-suffix]
Troubleshooting Autoproxy
Lab
Passive FTP
TCP 21
Client
FTP
Server
TCP ???
TMG
Active FTP
TCP 21
Client
FTP
TCP ??? Server
TMG
FTP protocol
TCP 21 for Secure NAT clients
can be authenticated only by VPN or Firewall Clients
FTP over HTTP protocol
TCP 8080 from client to proxy
normal HTTP proxy authentication
if you need authenticated access to the remote server
from IE, you must use
ftp://login:password@ftp.domain.com
Lab
Lab
Lab
GET Method
used to download a web page or files
HTML FORM query included in the URL after ? or # sign
can be bookmarked, is visible in history, has size limit
not suitable for logins/passwords etc.
POST Method
used to upload HTML FORM data and download the
resulting web page
not bookmarked nor visible in history
better for large data and logins/passwords
GET/POST/HEAD Methods
HEAD Method
used to download only response headers
used to refresh/validate cache data
used by proxies and clients
GET Example
POST Example
Lab
Lab
Lab
http://google.com
Standard ASCII encoding
http://%67 %6F %6F %67 %6C %65.com
sometimes used by SPAM but still legal
Double illegal encoding
http://%67 %6F ...
http:// %25%36%37 %25%36%66 ...
should be blocked on TMG, but some applications may
require it
Hidden by default
Enables TMG to access vital services
Some can be customized
Some are modified automatically
VPN client traffic
Connectivity verifiers
AD Best Practice
Lab
MALWARE INSPECTION
Antivirus Settings
Trickling and Progress
Progress notification
returns progress web page (requires script)
Standard trickling
returns the file directly, but only with very slow speed
only small portion of the file gets to the client until
inspected
Fast trickling
returns the file quickly
most of the file (even with virus) gets to the client
temp/cache before finally blocked by TMG
Trickling
Standard trickling
for commonly large downloads
PDF, ZIP, EXE etc.
keeping clients live
Fast trickling
nearly the normal user experience
virus can partly/whole appear on the client before the
download is finally blocked by proxy
used for probably clear content such as audio/*,
video/*
Trickling Settings
User Experience
Definition updates
Require subscription
Require direct access to Microsoft Update or
WSUS
offline update installation not possible
Using WSUS
consider doing WSUS synchronization more frequently
than once a day
Definition updates
Lab
Intrusion detection
for known IP/TCP
and application
layer exploits
Network Inspection System
Lab: Optional
ADVANCED TOPICS
CRL Checking
HTTP Compression
DiffServ Prioritization
Lab: Optional
CACHE
Caching
Static HTML
usual web sites are dynamically built (news, free mail,
e-shops, search engines etc.)
Pictures, videos, ZIP/EXE files etc.
Partial downloads
Content-Range header
used by various downloaders and Windows Update
Cache-Control
no-cache
max-age – maximum time in seconds to remain in cache
private – can be cached only if could be user separated
Last-Modified
static content (picture, HTM) file last modification date
Date
the timestamp when the response message was generated
by the originating web server
Expires
IE Operation
Lab: Optional
LOGGING NOTES
Logging Notes
THANK YOU