
Forefront Threat Management Gateway (TMG) Overview


Table of Contents
Forefront Threat Management Gateway (TMG) Overview - page 1
Exercise 1 Configuring and Using Malware Inspection - page 2
Exercise 2 Blocking Traffic with Network Inspection System (NIS) - page 8
Exercise 3 Controlling Web Access with URL Filtering - page 10
Exercise 4 Configuring Outbound HTTPS Inspection - page 14



Objectives
After completing this lab, you will be better able to:
   Configure and use Malware Inspection
   Block traffic with Network Inspection System
   Control Web access with URL Filtering
   Configure outbound HTTPS inspection

Scenario
In this lab you will use malware inspection, use the Network Inspection System, control Web access with URL filtering, and configure outbound HTTPS inspection.

Estimated Time to Complete This Lab
60 Minutes

Computers used in this Lab
   Denver
   Cairo
   Toronto
   Rome

The password for the Administrator account on all computers in this lab is: password

Page 1 of 19

Exercise 1 Configuring and Using Malware Inspection

Scenario
In this exercise, you will configure Threat Management Gateway (TMG) to use Malware Inspection on downloaded HTTP content. TMG includes the Microsoft antimalware engine and periodically downloads new definition updates from Microsoft Update. The Malware Inspection functionality is part of the new Web Access Policy.

Complete the following tasks on: Toronto

1. On the Toronto computer, use the TMG console to examine the existing access rule.
a. On the Toronto computer, on the Start menu, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
Note: The Forefront TMG management console opens.
b. In the TMG console, in the left pane, expand Forefront TMG, and then select Firewall Policy.
Note: The Firewall Policy lists all defined firewall rules that allow or deny network traffic to and from the TMG firewall. The user interface of Threat Management Gateway is very similar to the user interface of the predecessor product, Internet Security and Acceleration (ISA) Server 2006.
c. In the left pane, select Web Access Policy.
Note: The Web Access Policy group is a group of firewall rules that inspects and filters network access to the Internet, and is created and maintained by running a single wizard. You will run the wizard later in this exercise. The lab environment already contains custom access rules for another lab exercise. These rules allow network traffic from the Internal network (containing Cairo) to the External network (containing Rome).
d. In the right pane, on the Tasks tab, click Configure Malware Inspection.
Note: For this exercise, you will first disable TMG malware inspection.
e. In the Malware Inspection dialog box, on the General tab, CLEAR Enable malware inspection, and then click OK.

2. Apply the changes.
a. Click Apply to save the changes and update the configuration.
b. If the Configuration Change Description dialog box appears, then click Apply.
Note: In the Configuration Change Description dialog box, you can provide a description for the changes.
c. Click OK to close the Saving Configuration Changes dialog box.
Note: TMG has saved the new configuration. The configuration settings are saved into a local instance of Active Directory Lightweight Directory Services (AD LDS). The previous name of AD LDS is Active Directory Application Mode (ADAM).

3. Use the TMG console to examine the current Configuration status.
a. In the left pane, select Monitoring.
b. In the middle pane, select the Configuration tab.
Note: To see the Configuration tab, you may (temporarily) need to close the Task pane, by clicking the Open/Close Task Pane button.
c. In the Tasks pane, click Refresh Now.

Note: The Configuration Status indicates whether the Firewall service has applied the (updated) configuration settings stored in AD LDS. The new configuration is not active until the Status is Synced.
d. Click Refresh Now.
Note: To avoid pressing Refresh Now repeatedly while waiting for the Synced status, you will use the custom TMG Status Monitor tool in the next step.

4. Start the TMG Status Monitor to quickly see the current Configuration status.
a. Use Windows Explorer to open the C:\Tools\TMGStatus folder.
b. In the TMGStatus folder, right-click TMGStatus.hta, and then click Open.
Note: TMG Status Monitor is a small HTML application, specifically created for use with this lab. It displays updated Configuration status and Network Load Balancing (NLB) status of the TMG server, every second. This is the same information that is displayed in the TMG console at the Monitoring node on the Configuration tab (Configuration Status) and on the Services tab (NLB Status).
c. Close the TMGStatus folder.
d. Use the TMG Status Monitor to wait until Config Status is Synced.

Complete the following task on: Cairo

5. On the Cairo computer, connect to the Fabrikam Support Site, and download the file Dev-Manual.rtf.
a. On the Cairo computer, log in as Joe with the password password, and open Internet Explorer. In the address bar, type http://support.fabrikam.com, and then press Enter.
Note: Internet Explorer opens the Fabrikam Support site. The Fabrikam Support Site is a Web site running on a server on the Internet (Rome). In the lab scenario, the Web site offers user guides and manuals for download. The Dev-Manual.rtf file contains a virus. You will first download the file with Malware Inspection disabled on Threat Management Gateway (TMG), then enable Malware Inspection and attempt to download the file again.
b. In the Fabrikam Support Site, click the Click to download Dev-Manual.rtf link.
Note: The File Download dialog box appears. This verifies that the file is not blocked by TMG when malware inspection is disabled.
c. Click Save, and attempt to save Dev-Manual.rtf.
Note: The virus in the file is the EICAR test file. This is not actually malicious software; it is the industry-standard antivirus test file. All antivirus products detect this test file, which makes it possible to simulate an infected file safely.
d. Click Cancel to close the File Download dialog box.
e. Close Internet Explorer.

Complete the following tasks on: Toronto

6. On the Toronto computer, use the TMG console to examine the Update Center configuration.
a. On the Toronto computer, in the TMG console, in the left pane, select Update Center.
Note: TMG includes Malware Inspection for downloaded HTTP content.
b. In the right pane, click Configure Settings.
c. In the Update Center Properties dialog box, select the Microsoft Update tab.
Note: TMG downloads definition updates from the Microsoft Update site on the Internet. You can configure TMG to periodically check for new definition updates.
d. Click Cancel to close the Update Center Properties dialog box.
Note: The lab environment is not connected to the Internet. Therefore the current definition updates may be out of date. This is indicated by the red cross icon.

7. In Web Access Policy, delete the existing HTTP access rules.
a. In the TMG console, in the left pane, select Web Access Policy.
Note: Web Access Policy lists all firewall rules that define and control outgoing Web network traffic. Those are HTTP and HTTPS access rules. In the steps below, you will delete the existing HTTP access rules, and then use the Web Access Policy wizard to create new access rules with Malware Inspection enabled.
b. In the middle pane, right-click the Allow Web Access for All Users rule, and then click Delete.
c. Click Yes to confirm that you want to delete the rule.
d. In the middle pane, right-click the Block Web Destinations rule, and then click Delete.
e. Click Yes to confirm that you want to delete the rule.
Note: The HTTP access rules are removed.
8. Create a new Web Access Policy.
a. In the right pane, click Configure Web Access Policy.
Note: The Web Access Policy Wizard appears. The wizard allows you to create and maintain a set of access rules defining what outgoing Web traffic is allowed and what type of inspection is required. This set of rules is called the Web Access Policy Group.
b. On the Welcome to the Web Access Policy Wizard page, click Next.
c. On the Web Access Policy Rules page, select No, to indicate that you do not want to create a default rule that blocks access to potentially malicious URL categories.
Note: In a later exercise, you will change the Web access policy to block malicious URL categories.
d. On the Blocked Web Destinations page, click Next.
Note: In this Web access policy, you will not block access to any Web destinations.
e. On the Malware Inspection Settings page, configure the following, and then click Next:
   Yes, inspect Web content requested from the Internet: enabled (default)
   Block encrypted archives: enabled (default)
Note: Malware inspection is enabled in the Web access policy.
f. On the HTTPS Inspection Settings page, select Do not allow users to establish HTTPS connections, and then click Next.
Note: ISA Server 2006 supports HTTPS inspection on incoming SSL traffic to published Web sites. This is called SSL bridging. TMG also supports HTTPS inspection on outgoing SSL requests to Web sites on the Internet. This requires an HTTPS Inspection certificate on TMG, and also requires that all client computers trust the HTTPS Inspection certificate. Notice that in order to provide malware inspection on all Web traffic, you must either inspect outgoing HTTPS traffic or disable HTTPS Web access; encrypted traffic that is neither inspected nor blocked passes the malware filter unseen. In a later exercise, you will enable inspection of outgoing HTTPS traffic.
g. On the Web Cache Configuration page, CLEAR Enable the default Web caching rule, and then click Next.
h. On the Completing the Web Access Policy Wizard page, click Finish.
Note: TMG creates two access rules in the Web Access Policy Group:
   Block all HTTPS traffic - blocks all outgoing HTTPS traffic.
   Allow Web Access for All Users - allows outgoing HTTP traffic.
i. In the left pane, select Firewall Policy.
Note: The rules in the Web Access Policy Group are part of the overall Firewall policy. You can create additional access rules and publishing rules before and after the Web Access Policy Group.

9. Configure Malware Inspection to use progress notification for Rich Text Format (RTF) files.
a. In the left pane, select Web Access Policy.
b. In the Web Access Policy Group, right-click the Allow Web Access for All Users rule, and then click Properties.
c. In the rule Properties dialog box, select the Malware Inspection tab.
Note: Notice that you can enable Malware inspection per access rule.
d. Click Cancel to close the Allow Web Access for All Users Properties dialog box.
e. In the right pane, click Configure Malware Inspection.
Note: Malware inspection can be enabled per access rule, but you can also disable malware inspection for all rules. This is useful if you deploy a third-party antimalware filter on the TMG computer, for troubleshooting purposes, or to determine the performance impact of using malware inspection.
f. On the Destination Exceptions tab, select Sites Exempt from Malware Inspection, and then click Edit.
Note: To improve performance, you can exempt trusted high-volume Web sites from malware inspection. By default, the microsoft.com, windows.com, and windowsupdate.com domains are exempt. Every exempted domain is a gap in inspection, so keep this list short and limited to sites whose content you trust.
g. Click Cancel to close the Sites Exempt from Malware Inspection Properties dialog box.
h. On the Inspection Settings tab, ensure that Block encrypted files is enabled.
i. Select the Content Delivery tab.
Note: Because malware inspection may delay delivery of requested content to the client computer, TMG uses two different methods to prevent the client application from giving up:
   Trickling: To prevent the client application from timing out while waiting for the content, TMG sends small portions of the file to the client application while it inspects the file for malware. Trickling is also called partial file delivery. By default, for Standard trickling, TMG sends the first 4 KB of data after 10 seconds, and then 50 bytes every 5 seconds after that, until the file is fully inspected. For audio and video content downloads, TMG can use an accelerated rate called Fast trickling. Note that trickled bytes reach the client before the verdict; if malware is found later, the client is left with a truncated file rather than the complete one.
   Progress Notifications: Instead of trickling the content, for certain content types TMG sends an HTML page to the client which includes a progress indicator of the inspection process.
j. Click the Content Types for Progress Notification button.
k. In the Content Types for Displaying Progress Notification Properties dialog box, select the Content Types tab.
Note: TMG displays a progress notification Web page for content types listed in this dialog box. For all other content types, TMG uses standard or fast trickling.
l. In the Available types drop-down list box, type application/rtf, and then click Add.
Note: TMG will use progress notification for delivering Rich Text Format (RTF) files, such as Dev-Manual.rtf.
m. Click OK to close the Content Types Displaying Progress Notifications Properties dialog box.
n. Select the Storage tab.
Note: By default, TMG uses the ScanStorage folder in the %SystemRoot%\Temp folder to temporarily store files for malware inspection.
o. Click OK to close the Malware Inspection dialog box.

10. Enable the malware detected alert.
a. In the left pane, select Monitoring.
b. In the middle pane, select the Alerts tab, and then in the right pane, click Configure Alert Definitions.
Note: In the Alerts Properties dialog box, you can configure alert definitions, which define the actions TMG must take when a certain event occurs. TMG has more than 180 predefined alert definitions.
c. In the Alerts Properties dialog box, select the check box for the Malware Inspection Filter Detected Malware alert.
d. Select the Malware Inspection Filter Detected Malware alert, and then click Edit.
e. In the Malware Inspection Filter Detected Malware Properties dialog box, select the Actions tab.
Note: Notice that TMG is now configured to report to the Windows event log when it detects malware.
f. Click Cancel to close the Alert Actions dialog box.
g. Click OK to close the Alerts Properties dialog box.

11. Apply the changes.
a. Click Apply to save the changes and update the configuration.
b. If the Configuration Change Description dialog box appears, then click Apply.
c. Click OK to close the Saving Configuration Changes dialog box.
d. Use the TMG Status Monitor to wait until Config Status is Synced.
Note: TMG has saved the new configuration.

Complete the following tasks on: Cairo

12. On the Cairo computer, connect to the Fabrikam Support Site, and attempt to download the virus-infected file Dev-Manual.rtf.
a. On the Cairo computer, open Internet Explorer. In the address bar, type http://support.fabrikam.com, and then press Enter.
Note: Internet Explorer opens the Fabrikam Support site.
b. In the Fabrikam Support Site, click the Click to download Dev-Manual.rtf link.
Note: TMG blocks access to the file. TMG detects the EICAR test virus in the file, and sends an HTML page informing the user.
c. In Internet Explorer, click the Back button.

13. In the Fabrikam Support Site, attempt to download the password-protected file User-Guide.zip.
a. In the Fabrikam Support Site, click the Click to download User-Guide.zip link.
Note: The User-Guide.zip file is encrypted with a password. TMG blocks access to the file, because the Malware Inspection settings specify to block encrypted files. TMG cannot inspect the contents of an encrypted archive, so blocking it is the only way to keep such an archive from carrying malware past inspection.
b. In Internet Explorer, click the Back button.
Note: With only a single client computer downloading files, the malware inspection of TMG completes much too quickly to see progress notification on the client computer for any file size. However, to show the progress notification experience, the Web site on Rome is configured to limit its bandwidth usage to a maximum of 1 MB per second, and you will attempt to download a 19 MB file, which takes approximately 19 seconds. When malware inspection takes longer than 10 seconds, TMG sends progress notification updates.

14. In the Fabrikam Support Site, download the large file Install-Guide.rtf.
a. In the Fabrikam Support Site, click the Click to download Install-Guide.rtf link.
Note: TMG downloads the 19 MB file from Rome, and starts to inspect the contents for malware. Because the Web site on Rome is configured to limit bandwidth usage, it takes longer than 10 seconds to complete the malware inspection. After 10 seconds, TMG displays a progress notification page. When scanning is completed, it sends a Ready for downloading page with a Download button.
b. On the Ready for downloading page, click Download.
Note: Internet Explorer displays the File Download dialog box for the Install-Guide.rtf file. TMG has inspected (and possibly cleaned) a downloaded copy of the Install-Guide.rtf file.
c. Click Cancel to close the File Download dialog box.
d. In Internet Explorer, click the Back button.
e. Close Internet Explorer.
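The two verdicts seen in tasks 12 and 13 (an EICAR-infected RTF is blocked as malware; a password-protected ZIP is blocked because it cannot be inspected) come from checks that are easy to reproduce. The script below is an added example written for this lab, not TMG's code or a lab file: it applies the EICAR check and a ZIP local-file-header check (the encryption bit in the general purpose flags, readable without the password) to constructed in-memory stand-ins for Dev-Manual.rtf, User-Guide.zip and Install-Guide.rtf. The file names and contents are constructed for the example.

```python
"""Two of the content checks a download inspector such as TMG's malware filter applies.

Added example for the lab, not TMG's own code. It shows (1) the EICAR
test-file check exercised by Dev-Manual.rtf and (2) how an inspector can tell
that a ZIP archive is password-protected without knowing the password, as
with User-Guide.zip. All sample files below are constructed in memory.
"""
import io
import struct
import zipfile

# The EICAR test string as published by EICAR; every AV engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_LOCAL_HEADER_LEN = 30
ZIP_FLAG_ENCRYPTED = 0x0001  # general purpose bit flag, bit 0


def contains_eicar(data: bytes) -> bool:
    """True if the EICAR test string occurs anywhere in the content."""
    return EICAR in data


def encrypted_zip_entries(data: bytes) -> list:
    """Names of ZIP entries whose local file header has the encryption bit set.

    Only the local file headers are read; that is enough to see that an
    archive is password-protected, and no password is needed.
    """
    names = []
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_HEADER, pos)
        if pos < 0:
            break
        try:
            # sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4)
            # compressed size(4) uncompressed size(4) name len(2) extra len(2)
            fields = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        except struct.error:
            break  # truncated header at the end of the file
        flags, name_len = fields[2], fields[9]
        start = pos + ZIP_LOCAL_HEADER_LEN
        name = data[start:start + name_len].decode("utf-8", "replace")
        if flags & ZIP_FLAG_ENCRYPTED:
            names.append(name)
        pos += len(ZIP_LOCAL_HEADER)
    return names


def inspection_verdict(data: bytes, block_encrypted: bool = True) -> str:
    """Return "malware", "encrypted" or "clean" for a downloaded file.

    block_encrypted mirrors the "Block encrypted files" setting: an archive
    the inspector cannot open is refused rather than passed through unseen.
    """
    if contains_eicar(data):
        return "malware"
    if block_encrypted and data.startswith(ZIP_LOCAL_HEADER) and encrypted_zip_entries(data):
        return "encrypted"
    return "clean"


def make_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Build a constructed sample archive; optionally mark its entries encrypted.

    zipfile cannot write password-protected archives, so the encrypted variant
    just sets bit 0 in every local file header. The entry data is not actually
    encrypted, which is all a test of the header check needs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = 0
        while (pos := data.find(ZIP_LOCAL_HEADER, pos)) >= 0:
            data[pos + 6] |= ZIP_FLAG_ENCRYPTED  # flags field: offset 6, little-endian
            pos += len(ZIP_LOCAL_HEADER)
    return bytes(data)


if __name__ == "__main__":
    dev_manual = b"{\\rtf1 " + EICAR + b"}"                       # stands in for Dev-Manual.rtf
    user_guide = make_zip({"guide.txt": "hi"}, encrypted=True)   # stands in for User-Guide.zip
    install_guide = b"{\\rtf1 a large but clean document}"       # stands in for Install-Guide.rtf
    for label, blob in [("Dev-Manual.rtf", dev_manual),
                        ("User-Guide.zip", user_guide),
                        ("Install-Guide.rtf", install_guide)]:
        print(label, "->", inspection_verdict(blob))
```

Passing block_encrypted=False shows the alternative the wizard offers: the encrypted archive is then reported "clean" only because nothing could be checked, which is exactly why the lab leaves Block encrypted archives enabled.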


Exercise 2 Blocking Traffic with Network Inspection System (NIS)


Scenario
In this exercise, you will configure TMG to use the Network Inspection System (NIS) to block network traffic related to exploiting unpatched computers.

Complete the following task on: Toronto

1. On the Toronto computer, use the TMG console to examine the NIS configuration.
Note: NIS is also known by its previous name, GAPA.
a. On the Toronto computer, on the Start menu, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
Note: The Forefront TMG management console opens.
b. In the TMG console, in the left pane, expand Forefront TMG, and then select Update Center.
Note: TMG periodically downloads definitions from Microsoft Update. One category of definition updates is for the Network Inspection System (NIS). NIS uses definitions for known vulnerabilities, and uses those to detect and potentially block malicious traffic.
c. In the left pane, select Intrusion Prevention System.
Note: The middle pane contains a listing of more than 90 signatures for known vulnerabilities or exploits.
d. In the middle pane, scroll the view so that you can see the Related Bulletins column.
Note: Each of the NIS signatures is related to a particular Microsoft Security Bulletin. When Microsoft releases a new security bulletin for a security update, it can at the same time release a NIS signature for the related vulnerability. In this way, TMG stops malicious network traffic that is trying to exploit the vulnerability, even before all affected systems on the internal network have installed the newly released security update. The NIS signatures may also detect known exploits of particular vulnerabilities.
e. Select any of the signatures, and then in the right pane, click Configure Signature Properties.
Note: Each signature contains a description and further details.
f. Click Cancel to close the Signature Information Properties dialog box.
g. In the right pane, click Set All Responses to Microsoft Defaults.
Note: The default response for almost all NIS signatures is to block network traffic (and not just detect and report malicious traffic). For troubleshooting purposes, you can change the responses for all signatures to Detect only. In Detect only mode, matching traffic is logged but still reaches the internal host, so restore the Microsoft defaults when troubleshooting is finished.
h. Click Cancel to close the Global Response Policy Setting dialog box.
i. In the right pane, click Configure Properties.
Note: If needed, you can disable NIS.
j. Click Cancel to close the Network Inspection System (NIS) Properties dialog box.
Note: In the next task, you will attempt to send HTTP text that is used in a well-known example exploit of a Web server running ASP.NET which does not have security update KB 917283 (MS06-033) installed. TMG has a NIS signature to detect this network traffic.

Complete the following task on: Cairo

2. On the Cairo computer, send the MS06-033 exploit text to Toronto.
a. On the Cairo computer, on the Start menu, click Run.
b. In the Run dialog box, type telnet.exe Toronto 8080, and then click OK.
Note: The Microsoft Telnet Client window opens. Port 8080 is the TMG Web proxy listener, so the text you type is sent to TMG rather than directly to a Web server.
c. In the Telnet window, type Ctrl+].
Note: The Ctrl+] key combination is the default escape character to type telnet commands.
d. At the Microsoft Telnet prompt, type set localecho, and then press Enter.
Note: The local echo setting is enabled. You will see the text you type inside the telnet window.
e. At the Microsoft Telnet prompt, press Enter to exit the telnet prompt.
Note: When you type the following command, you cannot correct any typing mistakes by using the Backspace key.
f. In the Telnet window, type GET /app_data\abc.xml HTTP/1.1, and then press Enter twice.
Note: The exploit HTTP text is sent to TMG. TMG detects the NIS signature for MS06-033, and blocks the network traffic. The expected response from TMG is HTTP error code 502 (Proxy Error: The traffic was blocked by IPS). If you receive HTTP error code 400 (Bad Request), you made a typing mistake. If you receive HTTP error code 502 with the explanation "The URL does not use a recognized protocol", then the NIS response is set to detect the traffic, not block it.
g. Press Enter to close the Telnet window.
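The telnet step is fragile (no Backspace, one chance to type the line). The script below is an added example written for this lab, not TMG code or a lab file: it sends the same request line from step 2f to the Web proxy listener on port 8080 and maps the reply to the three outcomes the Note describes (blocked, detect-only, typo). The sample replies it checks offline are constructed from the wording in the Note; the exact text of a real TMG error page may differ, so the classifier matches on the status code plus a short phrase rather than the whole page.

```python
"""Send the MS06-033 probe from task 2 to the TMG Web proxy and read the verdict.

Added example for this lab, not TMG code or a lab file. It sends exactly the
request line the lab types into telnet and maps TMG's reply to the outcomes
the lab describes: 502 "blocked by IPS" (NIS blocked it), 502 "not a
recognized protocol" (NIS is in detect-only mode, so the request reached the
proxy's normal URL handling), or 400 (the request was mistyped). The sample
responses used offline are constructed, not captured from TMG.
"""
import socket

# The request from step 2f, followed by the blank line that ends the headers.
PROBE = b"GET /app_data\\abc.xml HTTP/1.1\r\n\r\n"


def parse_status(raw: bytes):
    """Return (status code, reason phrase) from the first line of an HTTP response."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % line)
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def classify_response(raw: bytes) -> str:
    """Map a proxy reply to the lab's three outcomes (plus "unexpected")."""
    code, _ = parse_status(raw)
    text = raw.decode("latin-1", "replace").lower()
    if code == 502 and "blocked by ips" in text:
        return "blocked"          # NIS signature matched, response = Block
    if code == 502 and "recognized protocol" in text:
        return "detect-only"      # NIS only logged it; the proxy then rejected the URL itself
    if code == 400:
        return "typo"             # malformed request line
    return "unexpected"


def send_probe(proxy_host: str, port: int = 8080, timeout: float = 5.0) -> bytes:
    """Send PROBE to the Web proxy listener and return the raw reply (needs network)."""
    with socket.create_connection((proxy_host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed replies, modelled on the three outcomes the lab describes.
SAMPLE_BLOCKED = (b"HTTP/1.1 502 Proxy Error (The traffic was blocked by IPS.)\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>blocked by IPS</html>")
SAMPLE_DETECT_ONLY = (b"HTTP/1.1 502 Proxy Error (The URL does not use a recognized protocol.)\r\n"
                      b"Content-Type: text/html\r\n\r\n<html></html>")
SAMPLE_TYPO = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # e.g. python nis_probe.py Toronto
        print(classify_response(send_probe(sys.argv[1])))
    else:
        for name, raw in [("blocked", SAMPLE_BLOCKED),
                          ("detect-only", SAMPLE_DETECT_ONLY),
                          ("typo", SAMPLE_TYPO)]:
            print(name, "->", classify_response(raw))
```

Run it with the proxy host name as the only argument from Cairo to repeat task 2; with no argument it only classifies the constructed samples. A "detect-only" result is the one to watch for after troubleshooting, because it means the signature matched but the request was still forwarded.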

Complete the following task on: Toronto

3. On the Toronto computer, examine the NIS alert.
a. On the Toronto computer, in the TMG console, in the left pane, select Monitoring.
b. In the middle pane, select the Alerts tab.
c. In the right pane, on the Tasks tab, click Refresh Now.
d. In the middle pane, select the latest alert named NIS Blocked Traffic Matching a Known Signature.
Note: The Network Inspection System (NIS) in TMG blocked the traffic.
e. Expand the NIS Blocked Traffic Matching a Known Signature alert, and then select the first event underneath the alert.
Note: Notice in the Alert Information section that the traffic matched the Vuln:Win/ASPNET.URI.InfoDisc!2006-1300 signature. That is the signature for the vulnerability related to security bulletin MS06-033.


Exercise 3 Controlling Web Access with URL Filtering


Scenario
In this exercise, you will configure TMG to use URL Filtering to block access to certain categories of URLs, such as sport-related sites. URL Filtering uses the online Microsoft Reputation Service database to find the categorization of a particular URL.

Complete the following task on: Toronto

1. On the Toronto computer, use the TMG console to verify the access rule that allows HTTP access to the external network.
a. On the Toronto computer, on the Start menu, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
Note: The Forefront TMG management console opens.
b. In the TMG console, in the left pane, expand Forefront TMG, and then select Web Access Policy.
Note: In the middle pane, notice the Allow Web Access for All Users rule. This lab exercise requires an access rule that allows HTTP access from the Internal network (Cairo) to the External network (Rome). You created this rule in an earlier exercise.

Complete the following task on: Cairo

2. On the Cairo computer, connect to the Fabrikam Sport Fan Site, at http://sport.fabrikam.com.
a. On the Cairo computer, open Internet Explorer. In the address bar, type http://sport.fabrikam.com, and then press Enter.
Note: Internet Explorer opens the Fabrikam Sport site. The current TMG access rules allow access to sport-related sites. In this exercise, you will configure TMG to block access to certain categories of Web sites, such as inappropriate sites or sport-related sites.
b. Close Internet Explorer.

Complete the following tasks on: Toronto

3. On the Toronto computer, in the Toolbox, examine the URL Categories and URL Category Sets.
a. On the Toronto computer, in the TMG console, in the left pane, ensure that Web Access Policy is selected.
b. In the right pane, on the Toolbox tab, in the Network Objects section, expand Domain Name Sets.
Note: Domain Name Sets are not new in TMG. They are used as destinations in access rules for any protocol, and do not contain a path component.
c. In the Network Objects section, expand URL Sets.
Note: URL Sets are also not new in TMG. They are used only for the HTTP and HTTPS protocols in access rules, and can include a path component as well.
d. In the Network Objects section, expand URL Categories.
Note: URL Categories (and URL Category Sets) are a new feature in TMG. Unlike Domain Name Sets and URL Sets, you do not have to add URLs to URL Categories. Instead, for each URL used in an outgoing Web request, TMG queries the online Microsoft Reputation Service (MRS) to find out to which of the 85 different categories a particular URL belongs. TMG then caches that result for 5 days. The Microsoft Reputation Service is an online database, managed and populated by Microsoft, with category information for many millions of URLs. When a particular URL is not found in the MRS database, the service returns the category Unknown, which is one of the 85 categories.
e. In the Network Objects section, collapse URL Categories, and then expand URL Category Sets.
Note: A URL Category Set is a grouping of any of the 85 URL Categories. In the TMG console, you can create new URL Category Sets, but you cannot create new URL Categories.
f. Under URL Category Sets, right-click Entertainment, and then click Properties.
g. In the Entertainment Properties dialog box, select the URL Categories tab.
Note: The predefined URL Category Set named Entertainment consists of five URL categories.
h. Click Cancel to close the Entertainment Properties dialog box.

4. Add a URL category override.
a. In the right pane, on the Tasks tab, click Configure URL Filtering.
b. In the URL Filtering Settings dialog box, on the Category Query tab, in the text box, type www.microsoft.com, and then click Query.
Note: To see the category of a particular URL, you can query the online MRS database. Because the lab environment is not connected to the Internet, TMG cannot connect to the MRS service, and therefore returns the URL category Unknown for each URL. Normally, the MRS service categorizes www.microsoft.com as "General Business".
c. Select the URL Category Override tab.
Note: When you believe that the Microsoft Reputation Service (MRS) has categorized a particular URL incorrectly (or returns the Unknown category), you can override this locally by adding that URL to another category. In the lab environment, the Web site www.contosowild.com is categorized as "General Business", and the unknown Web site www.contosogirls.com is categorized as "Nudity".
d. On the URL Category Override tab, click Add.
e. In the URL Categories Override dialog box, complete the following information, and then click OK:
   URL pattern: sport.fabrikam.com/*
   URL category: Sports
Note: The Web site sport.fabrikam.com is now categorized as Sports.
f. Click OK to close the URL Filtering Settings dialog box.

5. Configure a Web Access Policy.
a. In the right pane, click Configure Web Access Policy.
Note: The Web Access Policy Wizard appears.
b. On the Welcome to the Web Access Policy Wizard page, click Next.
c. On the Web Access Policy Rules page, select No.
Note: Instead of using a default rule that blocks access to several URL Categories, you will create a custom rule in the next step.
d. On the Blocked Web Destinations page, click Add.
e. In the Add Destinations dialog box, expand URL Categories, select Nudity, click Add, select Pornography, click Add, select Sports, click Add, and then click Close.
Note: The Web access policy will block access to URLs in the categories Nudity, Pornography and Sports.
f. On the Blocked Web Destinations page, click Next.
g. On the Blocked Web Destinations Exceptions page, click Next.
Note: On the Blocked Web Destinations Exceptions page, you can specify which users have unrestricted Web access.
h. On the Malware Inspection Settings page, configure the following, and then click Next:
   Yes, inspect Web content requested from the Internet: enabled (default)
   Block encrypted archives: enabled (default)
i. On the HTTPS Inspection Settings page, ensure that Do not allow users to establish HTTPS connections is selected, and then click Next.
j. On the Web Cache Configuration page, ensure that Enable the default Web caching rule is not selected, and then click Next.
Note: Web caching is related to storing frequently accessed Web content. It is not related to caching the URL category query results from the Microsoft Reputation Service.
k. On the Completing the Web Access Policy Wizard page, click Finish.
Note: TMG creates three access rules in the Web Access Policy Group:
   Block all HTTPS traffic - blocks all outgoing HTTPS traffic.
   Blocked Web Destinations - blocks access to Web sites in three URL categories.
   Allow Web Access for All Users - allows outgoing HTTP traffic.

6. Configure the Blocked Web Destinations access rule.
a. In the middle pane, right-click the Blocked Web Destinations rule, and then click Properties.
b. In the Blocked Web Destinations Properties dialog box, select the To tab.
Note: The access rule blocks access to all destinations in the URL categories Nudity, Pornography and Sports. This includes the URL category override for the sport.fabrikam.com Web site.
c. Select the Action tab.
Note: In an access rule with a Deny action, you can specify custom text to notify the users. The text can use HTML formatting, or even include an HTML mailto link (an a href tag).
d. In the text box, replace the current text with:
   <font color=red>Blocked by Web Access Policy.</font>
e. Enable the Add denied request category to notification check box.
f. Click OK to close the Blocked Web Destinations Properties dialog box.

7. Apply the changes.
a. Click Apply to save the changes and update the configuration.
b. If the Configuration Change Description dialog box appears, then click Apply.
c. Click OK to close the Saving Configuration Changes dialog box.
d. Use the TMG Status Monitor to wait until Config Status is Synced.
Note: TMG has saved the new configuration.

Complete the following task on: Cairo

8. On the Cairo computer, attempt to connect to two Web sites.
a. On the Cairo computer, open Internet Explorer. In the address bar, type http://sport.fabrikam.com, and then press Enter.
Note: Internet Explorer displays an Access Denied page. The page includes the custom red text, and the category "Sports".
b. In the address bar, type http://www.contosogirls.com, and then press Enter.
Note: TMG also blocks access to the Contoso Girls Web site, as it is categorized as "Nudity".
c. Close Internet Explorer.
Note: URL Categories are not only intended to block network traffic. In the next exercise, you will see an example of using URL Categories to allow network traffic.


Exercise 4 Configuring Outbound HTTPS Inspection


Scenario

In this exercise, you will configure TMG to inspect outbound HTTPS network traffic. To implement outbound HTTPS inspection, TMG intercepts each outgoing HTTPS request and sets up two separate SSL connections for each client connection: one between the client computer and TMG, and one between TMG and the external Web server.

Note: In TMG terms, outbound traffic means all Web requests initiated by an internal client computer AND the related responses from the external Web server.

Complete the following tasks on: Toronto

1. On the Toronto computer, configure a Web Access Policy.
a. On the Toronto computer, on the Start menu, click All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.

Note: The Forefront TMG management console opens.

b. In the TMG console, in the left pane, expand Forefront TMG, and then select Web Access Policy.
c. In the right pane, click Configure Web Access Policy.

Note: The Web Access Policy Wizard appears.

d. On the Welcome to the Web Access Policy Wizard page, click Next.
e. On the Web Access Policy Rules page, select No.

Note: The Web access policy will not have a default rule that blocks access to several URL Categories.

f. On the Blocked Web Destinations page, ensure that no Web destinations are listed, and then click Next.

Note: The Web access policy will not block access to any Web destinations.

g. On the Malware Inspection Settings page, configure the following:

Yes, Inspect Web content requested from the Internet: enabled (is default)
Block encrypted archives: enabled (is default)

and then click Next.

Note: The Web access policy includes malware inspection.

h. On the HTTPS Inspection Settings page, configure the following:

Allow users to establish HTTPS connections: enabled
Do not inspect HTTPS traffic, but validate HTTPS site certificate: enabled

and then click Next.

Note: The Web access policy allows HTTPS connections, but does not inspect the HTTPS traffic; TMG only validates the certificate that the Web server presents. Later in this exercise, you will enable inspection of HTTPS traffic.

i. On the Web Cache Configuration page, ensure that Enable the default Web caching rule is not selected, and then click Next.
j. On the Completing the Web Access Policy Wizard page, click Finish.

Note: TMG creates one access rule in the Web Access Policy Group:

Allow Web Access for All Users - allows outgoing HTTP and HTTPS traffic.

2. Apply the changes.

a. Click Apply to save the changes and update the configuration.
b. If the Configuration Change Description dialog box appears, then click Apply.
c. Click OK to close the Saving Configuration Changes dialog box.
d. Use the TMG Status Monitor to wait until Config Status is Synced.

Note: TMG has saved the new configuration.

Complete the following task on: Cairo

3. On the Cairo computer, connect to https://support.fabrikam.com to download the dev-manual.rtf file.
a. On the Cairo computer, open Internet Explorer. In the address bar, type https://support.fabrikam.com, and then press Enter.

Note: Internet Explorer displays the Fabrikam Support Site, by using an HTTPS connection.

b. At the end of the address bar, click the Security Report button, and then click View certificates.

Note: The HTTPS connection uses the Web server certificate that is installed on the Rome Web server. Cairo (and Toronto) trust the Denver CA certification authority that issued it.

c. Click OK to close the Certificate dialog box.
d. In the Fabrikam Support Site page, click Click to download Dev-Manual.rtf.

Note: The File Download dialog box appears. TMG did not block the virus-infected file, because HTTPS inspection is not enabled: TMG only relays the encrypted connection, and malware inspection cannot examine content that TMG cannot decrypt.

e. Click Cancel to close the File Download dialog box.
f. Close Internet Explorer.

Complete the following tasks on: Toronto

4. On the Toronto computer, enable HTTPS Inspection, and generate an HTTPS Inspection certificate.

a. On the Toronto computer, in the TMG console, in the left pane, ensure that Web Access Policy is selected.
b. In the right pane, click Configure HTTPS Inspection.
c. In the HTTPS Outbound Inspection dialog box, on the General tab, ensure that
Enable HTTPS inspection is selected, and then select Inspect traffic and validate site certificates.

Note: To inspect outbound HTTPS traffic, TMG must be able to decrypt the SSL-protected HTTP traffic. That is only possible if TMG holds the private key that belongs to the Web server certificate for the HTTPS connection, and TMG cannot obtain that key from the original Web server on the Internet. Therefore TMG intercepts the client computer's initial SSL handshake, generates its own Web server certificate carrying the intended Web site name, and then sets up two separate SSL connections:

From the client computer to TMG - using the TMG-generated Web server certificate.
From TMG to the Web server on the Internet - using the original Web server certificate from the Web server on the Internet.

In that way, TMG can inspect the outbound HTTPS network traffic, including the responses from the Web server. (Technically, TMG is performing a man-in-the-middle attack against the SSL connection; what makes it legitimate is only that the client computers are configured to trust the CA certificate that TMG signs with.) To digitally sign the TMG-generated Web server certificate, TMG can either use an imported certification authority (CA) certificate with its private key, or generate a new CA root certificate with private key. In this exercise, you will generate a new CA root certificate. Protect its private key: anyone who obtains it can issue a certificate for any site name, and every client computer that trusts the CA will accept it.
d. In the HTTPS Outbound Inspection dialog box, select Use Forefront TMG to generate a certificate, and then click Generate.
e. In the Forefront TMG message box, click Yes to confirm that you want to continue creating a new certificate.
f. In the Generate Certificate dialog box, in the Issuer name text box, change the name to TMG HTTPS Inspection CA.
g. Click Generate Certificate Now.

Note: TMG generates a private key and a CA root certificate. This is called the HTTPS Inspection certificate. Later in this exercise, you will configure the domain, so that all domain computers trust this TMG-generated CA root certificate.

h. Click OK to close the Certificate dialog box.
i. Click Close to close the Generate Certificate dialog box.
j. Click OK to close the HTTPS Outbound Inspection dialog box.
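The two-connection scheme that task 4 describes, as an added PowerShell illustration that is not TMG's own code: it mints an inspection CA and a 24-hour Web server certificate for the requested host name, exactly the two artefacts TMG produces, and then uses Test-Certificate to show why a client rejects that certificate until the CA is in its trusted root store. It assumes a Windows 10 or Windows Server 2016 or later machine with the PKI module, run in an elevated PowerShell session; the store paths, the temporary file path and the five-year CA lifetime are assumptions, and the whole thing is cleaned up at the end.

```powershell
# Added illustration, not TMG code: what an inspecting proxy does per HTTPS request.
# Assumes Windows 10 / Server 2016+ PKI module, elevated session.
$site = 'support.fabrikam.com'   # host name the client asked for (CONNECT / SNI)

# 1. The inspection CA: a self-signed root whose private key lives only on the proxy.
$ca = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=TMG HTTPS Inspection CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. The per-site leaf: subject and SAN carry the requested name, signed by the CA,
#    valid for 24 hours, like the certificate TMG generates for support.fabrikam.com.
$leaf = New-SelfSignedCertificate `
    -Type SSLServerAuthentication `
    -Subject "CN=$site" `
    -DnsName $site `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddHours(24) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. The client's view before the CA is trusted: the chain does not end in a trusted
#    root, so validation fails. This is the Cairo "Certificate Error" page.
$before = Test-Certificate -Cert $leaf -Policy SSL -DNSName $site -ErrorAction SilentlyContinue
"Leaf accepted before the CA is trusted: $before"

# 4. Trust the CA the way publishing to Active Directory eventually does on every domain
#    member: import the public CA certificate (never the key) into LocalMachine\Root.
$cerPath = Join-Path $env:TEMP 'tmg-https-inspection-ca.cer'   # assumed path
Export-Certificate -Cert $ca -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$after = Test-Certificate -Cert $leaf -Policy SSL -DNSName $site
"Leaf accepted after the CA is trusted:  $after"

# 5. Remove the lab artefacts; never leave a throw-away inspection CA in the root store.
Remove-Item "Cert:\LocalMachine\Root\$($ca.Thumbprint)"
Remove-Item "Cert:\LocalMachine\My\$($ca.Thumbprint)"
Remove-Item "Cert:\LocalMachine\My\$($leaf.Thumbprint)"
Remove-Item $cerPath
```

The first Test-Certificate call fails only because the issuer is unknown to the machine; the name, dates and Server Authentication usage of the leaf are all in order. That is the whole difference between task 6 (certificate error) and task 10 (no error) later in this exercise, and it is also why the private key of the CA deserves the same protection as the TMG server itself.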

5. Apply the changes.

a. Click Apply to save the changes and update the configuration.
b. If the Configuration Change Description dialog box appears, then click Apply.
c. Click OK to close the Saving Configuration Changes dialog box.
d. Use the TMG Status Monitor to wait until Config Status is Synced.

Note: TMG has saved the new configuration.

Complete the following task on: Cairo

6. On the Cairo computer, connect to https://support.fabrikam.com, and attempt to download dev-manual.rtf.

a. On the Cairo computer, open Internet Explorer. In the address bar, type https://support.fabrikam.com, and then press Enter.

Note: Internet Explorer displays a Certificate Error page, and blocks navigation to the Web site. The error page indicates that the Cairo computer does not trust the security certificate for the Web site.

b. In the Certificate Error page, click Continue to this website.

Note: Internet Explorer displays the Fabrikam Support Site, by using an HTTPS connection. However, note that the address bar has turned red to indicate the certificate error.

c. At the end of the address bar, click Certificate Error, and then click View Certificates.

Note: When Cairo sent the initial SSL request to support.fabrikam.com, TMG generated a new Web server certificate for support.fabrikam.com and signed it with the TMG HTTPS Inspection CA certificate. The generated certificate is valid for 24 hours from the current time. However, Cairo does not trust the issuing (signing) CA certificate, so Internet Explorer displays the certificate error. This refusal to accept a certificate from an untrusted issuer is, in the design of the SSL protocol, exactly the intended defense against man-in-the-middle attacks. It is also why a user does not have to worry that a hotel can perform outbound HTTPS inspection undetected when the user's own notebook is connected through the hotel room connection: the hotel cannot place its CA certificate in the notebook's trusted root store. The defense only holds as long as the user does not click through the certificate warning, as you did in step b.

d. Click OK to close the Certificate dialog box.
e. In the Fabrikam Support Site page, click Click to download Dev-Manual.rtf.

Note: TMG detected the virus infection in the dev-manual.rtf file. This result confirms that TMG successfully used HTTPS inspection.

f. Close Internet Explorer.

Note: In the next few steps, you will configure the domain so that client computers in the domain will trust the TMG HTTPS Inspection CA root certificate.

Complete the following task on: Toronto

7. On the Toronto computer, use the TMG console to publish the HTTPS Inspection CA root certificate to Active Directory.

a. On the Toronto computer, in the TMG console, in the left pane, ensure that Web Access Policy is selected.
b. In the right pane, click Configure HTTPS Inspection.
c. In the HTTPS Outbound Inspection dialog box, on the General tab, click HTTPS Inspection Trusted Root CA Certificate Options.

Note: Currently, client computers in the domain (including Cairo) do not trust the TMG HTTPS Inspection CA root certificate. There are two ways to ensure that client computers trust the CA root certificate:

Publish and distribute the CA root certificate through Active Directory.
Export the CA root certificate, and import it manually at client computers.

In this step, you will publish the CA root certificate to Active Directory.

d. In the Certificate Deployment Options dialog box, click Domain Administrator Credentials.
e. In the dialog box, complete the following information:

User Name: WoodgroveBank\Administrator
Password: password

and then click OK.

Note: TMG executes the certutil.exe -dspublish command, with the supplied credentials, to publish the CA root certificate to Active Directory. Only the public certificate is published; the private key stays on the TMG server.

f. Click OK to acknowledge that automatic certificate deployment succeeded.
g. Click OK to close the Certificate Deployment Options dialog box.
h. Click OK to close the HTTPS Outbound Inspection dialog box.
Complete the following task on: Denver

8. On the Denver computer, examine the Certification Authorities node in Active Directory.

a. On the Denver computer, on the Start menu, click Administrative Tools, and then click Active Directory Sites and Services.

Note: The Active Directory Sites and Services console opens.

b. In the Active Directory Sites and Services console, on the View menu, click Show Services Node.

Note: The Services node appears in the left pane.

c. In the left pane, expand Services, expand Public Key Services, and then select Certification Authorities.

Note: Notice that the TMG HTTPS Inspection CA certificate is published to Active Directory. Periodically, computers in the domain check this location, and download and trust any new CA root certificates published at this node. The Forefront TMG HTTPS Inspection CA certificate that is also listed here is related to a different lab exercise.

d. Close the Active Directory Sites and Services console.

Complete the following tasks on: Cairo

9. On the Cairo computer, examine the trusted CA root certificates, and initiate certificate autoenrollment.

a. On the Cairo computer, on the Start menu, click Run.
b. In the Run dialog box, type certmgr.msc, and then press Enter.

Note: The Certificates console for the current user (Administrator) opens. The new CA root certificate needs to be trusted by the local computer (Cairo), and not only by the current user. However, the current user's Trusted Root Certification Authorities view also lists the root certificates that the computer trusts, so the Certificates console for the current user is a quick method to list them.

c. In the left pane, expand Trusted Root Certification Authorities, and then select Certificates.

Note: In the right pane, notice that Cairo trusts 11 CA root certificates. This includes the lab-specific certificates named Denver-CA and Paris-CA, but does not include the TMG HTTPS Inspection CA root certificate yet. By default, computers in the domain check for and download new CA root certificates from Active Directory every eight hours. Instead of waiting that long, you can use the certutil command to manually initiate the process.

d. On the Start menu, right-click Command Prompt, and then click Run as administrator.
e. In the User Account Control dialog box, click Yes to confirm that you want to allow Windows Command Processor to make changes.

Note: An elevated Command Prompt window opens.

f. In the Command Prompt window, type certutil.exe -pulse, and then press Enter.

Note: The certutil.exe application initiates the "certificate autoenrollment" process, and downloads the new CA root certificate from Active Directory. If the -pulse command fails because access is denied, make sure that you typed it in the elevated Command Prompt window, and then redo the command.

g. In the Certificates console, in the left pane, under Trusted Root Certification Authorities, right-click Certificates, and then click Refresh.

Note: Cairo now trusts the TMG HTTPS Inspection CA root certificate.

h. Close the Certificates console.
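The publish-and-pull sequence of tasks 7 to 9, as an added PowerShell example that is not part of the lab and not TMG's deployment code: the certutil commands that the TMG console runs for you are shown as comments (they need a domain), and the store check that the lab does by hand in certmgr.msc is done against the local computer store, which is the store that actually decides trust. It assumes a domain-joined Windows client with the Certificate provider (any supported Windows version), an exported CA file at the assumed path, and the CA name from this lab.

```powershell
# Added example, not TMG code. Assumes a domain-joined Windows client; the CA name is
# the one generated in task 4, the .cer path is an assumption.
$caName  = 'TMG HTTPS Inspection CA'
$cerPath = 'C:\Temp\tmg-https-inspection-ca.cer'

# --- On the TMG server (what "Domain Administrator Credentials" runs for you) ---
# Publish the public CA certificate into
# CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,...
# "RootCA" is the container from which domain members pull trusted roots.
#   certutil -dspublish -f $cerPath RootCA
# --- On a domain client: pull now instead of waiting for the 8-hour autoenrollment cycle ---
#   certutil -pulse
#   gpupdate /target:computer /force    # also triggers autoenrollment processing

function Get-InspectionRoot {
    param([string]$Name = $caName)
    # LocalMachine\Root is the store that matters; the current-user view only reflects it.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq "CN=$Name" -and $_.NotAfter -gt (Get-Date) }
}

function Test-InspectionRoot {
    # Exactly one unexpired root with this name is the healthy state.
    # Zero: -pulse has not run, or -dspublish failed on the TMG side.
    # More than one: the CA was regenerated on TMG and the old certificate was never
    # removed from AD and the stores; clients keep trusting both until it is deleted.
    $roots = @(Get-InspectionRoot)
    switch ($roots.Count) {
        0       { "MISSING: run 'certutil -pulse' here, or check -dspublish on the TMG server" }
        1       { "OK: $($roots[0].Thumbprint) expires $($roots[0].NotAfter)" }
        default { "WARNING: $($roots.Count) roots named '$caName'; remove the stale ones" }
    }
}

Test-InspectionRoot

# Audit view: every self-signed root this machine trusts, oldest expiry first. Any
# inspection CA you did not deploy yourself is a reason to stop and investigate.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Select-Object Subject, Thumbprint, NotAfter |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

The inventory at the end is the check a practitioner wants on the client side of any HTTPS inspection deployment: the same mechanism that lets the domain push the TMG CA to every computer would let an attacker with a stolen CA key, or a misconfigured publish, do the same, and the browser will show no warning once a root is in this store.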

10. Connect to https://support.fabrikam.com.

a. Open Internet Explorer. In the address bar, type https://support.fabrikam.com, and then press Enter.

Note: Internet Explorer displays the Fabrikam Support Site, by using an HTTPS connection. Notice that Internet Explorer does not indicate a certificate error. At the same time, a notification balloon appears near the Firewall Client icon in the notification area, indicating that the secure connection is being inspected for malware detection.

b. At the end of the address bar, click the Security Report button, and then click View certificates.
c. In the Certificate dialog box, select the Certification Path tab.

Note: The certification path ends in the TMG HTTPS Inspection CA root certificate, which Cairo now trusts. Therefore Internet Explorer displays the HTTPS Web site without any indication that TMG (between the client computer and the Web server) inspects the network traffic. Looking at the issuer on the Certification Path tab is the only way a user can tell, from the browser alone, that the connection is inspected.

d. Click OK to close the Certificate dialog box.
e. Close Internet Explorer.

Note: Depending on a country's privacy laws and labor laws, it may be required to notify users in your organization that the expected end-to-end secure HTTPS connection is inspected by the company TMG servers. To display inspection notifications, users need to install and enable the Firewall Client application. Similarly, you may want to exempt banking sites and healthcare related sites from HTTPS inspection. In the steps below, you will examine the HTTPS inspection notification, and use URL Categories to exempt certain sites from HTTPS inspection.

11. Examine the Firewall Client notification.

a. In the notification area, right-click the Firewall Client icon, and then click Configure.
b. In the Forefront TMG Client dialog box, select the Secure Connection Inspection tab.

Note: The most recent notification is displayed in the dialog box.

c. Click Cancel to close the Forefront TMG Client dialog box.

Complete the following tasks on: Toronto

12. On the Toronto computer, examine the HTTPS Inspection configuration to notify users.

a. On the Toronto computer, in the TMG console, in the left pane, ensure that Web Access Policy is selected.
b. In the right pane, click Configure HTTPS Inspection.

Note: When you enable HTTPS Inspection on TMG, client notification through the Firewall Client is enabled by default.

c. Click Cancel to close the HTTPS Outbound Inspection dialog box.

Note: In the next step, you will create a sample access rule to exempt certain sites from HTTPS Inspection. Banking Web sites and health related Web sites are good candidates for such an exemption, because their traffic carries the user's private financial or medical data. The HTTPS Outbound Inspection dialog box also has a Destination Exceptions tab for the same purpose. You will not use this rule in the exercise.

13. On the Toronto computer, add a new access rule.

a. On the Toronto computer, in the TMG console, in the left pane, ensure that Web Access Policy is selected.
b. In the middle pane, ensure that the Allow Web Access for All Users rule is selected.

Note: You will create a new access rule before this rule. Rule order matters: TMG evaluates access rules from top to bottom and applies the first rule that matches the request, so the exemption rule must be placed before the general rule whose HTTPS traffic is inspected.

c. In the right pane, click Create Access Rule.

Note: The New Access Rule Wizard appears.

d. On the Welcome to the New Access Rule Wizard page, in the Access rule name text box, type Allow Secure Web Access (no inspection), and then click Next.
e. On the Rule Action page, select Allow, and then click Next.
f. On the Protocols page, select the HTTP protocol, click Remove, and then click Next.

Note: The access rule only applies to the HTTPS protocol.

g. On the Malware Inspection page, select Do not enable malware inspection for this rule, and then click Next.
h. On the Access Rule Sources page, click Add.
i. In the Add Network Entities dialog box, expand Networks, select Internal, click Add, and then click Close.
j. On the Access Rule Sources page, click Next.
k. On the Access Rule Destinations page, click Add.
l. In the Add Network Entities dialog box, expand URL Categories, select Financial, click Add, select Health, click Add, and then click Close.

Note: The access rule only applies to traffic to URLs in the Financial category or the Health category. Instead of listing the URL Categories in this rule, you can also create a custom URL Category Set named Exempt from HTTPS Inspection, or a Domain Name Set which lists specific banking or healthcare sites, and use that in the rule. Because the match is by category, a site that the URL category database misclassifies is exempted or inspected accordingly; check the categorization of the specific sites you care about, and use a Domain Name Set where the list is known.

m. On the Access Rule Destinations page, click Next.
n. On the User Sets page, click Next.
o. On the Completing the New Access Rule Wizard page, click Finish.

Note: A new access rule named Allow Secure Web Access (no inspection) is added, before the existing Allow Web Access for All Users rule.

p. Click Discard to discard the new rule.
q. Click Yes to confirm that you want to discard the changes.
