If you are enabling DirectAccess on Forefront Unified Access Gateway (UAG) in a lab and you try to request an IP-HTTPS certificate for the UAG machine from your enterprise CA, you might run into the following error:
“RPC Server Unavailable 0x800706ba”
This happens because Forefront Unified Access Gateway is already installed on the machine, and the TMG (Threat Management Gateway) instance that UAG installs underneath it blocks the DCOM/RPC traffic that the Certificates MMC snap-in needs in order to talk to the CA.
To avoid this issue, Tom Shinder’s documentation suggests that you request the IP-HTTPS certificate before you install UAG.
However, if you have already installed UAG, follow these steps to request and install the IP-HTTPS certificate:
1. Open Notepad and paste the following text to create the INF file for the request. The only value that normally needs to be changed is the Subject.
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=uag1.contoso.com" ; Replace the subject name with the external FQDN of your UAG server
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
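An added example of mine, not code from the original post or from Tom Shinder's documentation: a certreq.exe workflow that carries the INF above through to an installed certificate without needing RPC/DCOM from the UAG host. The request is generated and later accepted locally on UAG (both are local operations), while the submission to the CA, which does use the CA's DCOM interface, is run from another domain member. The FQDN, CA configuration string and working folder are placeholders; the WebServer template is an assumption, chosen because the INF carries no Server Authentication EKU and the IP-HTTPS listener needs one.

```powershell
# Added example: three-step certreq workflow plus a sanity check.
# Placeholders: uag1.contoso.com, ca1.contoso.com\Contoso-CA, C:\certreq.
# Assumption: the WebServer template supplies the Server Authentication EKU.

$Work = "C:\certreq"   # working folder, used on both machines (placeholder)

function New-IpHttpsRequest {
    # Step 1, run on the UAG server: write the INF and create the CSR locally.
    # The private key is created in the machine store (MachineKeySet = True).
    param([string]$Fqdn = "uag1.contoso.com")
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
"@
    Set-Content -Path "$Work\iphttps.inf" -Value $inf -Encoding ASCII
    & certreq.exe -new "$Work\iphttps.inf" "$Work\iphttps.req"
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
}

function Submit-IpHttpsRequest {
    # Step 2, run on any domain member that can reach the CA (copy iphttps.req there).
    # certreq -submit talks to the CA over DCOM, the very path TMG blocks on the UAG host.
    param(
        [string]$CaConfig = "ca1.contoso.com\Contoso-CA",   # "<CA host>\<CA name>" (placeholder)
        [string]$Template = "WebServer"                      # assumed template with Server Authentication EKU
    )
    & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" `
        "$Work\iphttps.req" "$Work\iphttps.cer"
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
}

function Complete-IpHttpsRequest {
    # Step 3, back on the UAG server (copy iphttps.cer back): bind the issued
    # certificate to the private key that step 1 left in the machine store.
    & certreq.exe -accept "$Work\iphttps.cer"
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}

function Test-IpHttpsCertificate {
    # Check before selecting the certificate for the IP-HTTPS listener:
    # it must be in LocalMachine\My, have its private key, and carry the
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    param([string]$Fqdn = "uag1.contoso.com")
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key bound" }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku | ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
    if (-not $serverAuth) { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU" }
    "OK: {0} thumbprint {1}, valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

# Usage, in order, from elevated prompts:
#   New-IpHttpsRequest          on the UAG server
#   Submit-IpHttpsRequest       on a domain member with RPC access to the CA
#   Complete-IpHttpsRequest     on the UAG server
#   Test-IpHttpsCertificate     on the UAG server
```

Run the accept step as an administrator on the same machine that generated the request, otherwise certreq cannot find the private key to bind the issued certificate to.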
Of late, I have seen that a lot of customers and even partners are confused between the capabilities of Forefront Threat Management Gateway (TMG) and Forefront Unified Access Gateway (UAG).
The most important difference is that TMG is an "inbound AND outbound" access gateway: it includes a network-level firewall with stateful packet inspection and application filtering, a forward and reverse web proxy, and a VPN server (for remote users and site-to-site). TMG is focused mostly on keeping the bad guys out and, to a certain extent, on letting the good guys in. UAG, on the other hand, is an "inbound-only" secure remote access gateway whose whole purpose is letting the good guys in more securely.
I need TMG if:
I need an inbound and outbound access gateway
I need a state-of-the-art firewall with stateful packet inspection and application filtering capabilities to protect my network
I need built-in IPS (Intrusion Prevention System) on that firewall
I need a secure forward proxy for users on my network to access the internet
I need to be able to do web filtering based on individual URLs or URL categories (like Politics, Sports, Pornography, etc)
I need to be able to monitor my users' web activity and keep firewall logs.
I need to publish (reverse proxy) services to the internet (like web servers, email servers, webmail, extranet, intranet and internet portals, etc)
I need SSL bridging to protect my published servers against threats embedded inside SSL
I need zero-day protection (NIS, the Network Inspection System) against vulnerabilities for which no patch has been released yet
I need site-to-site VPN
I need a VPN server for my users in addition to all the above
I need UAG if:
I need an ‘inbound only’ access gateway
I need to enable my users to securely access internal resources remotely (while they are outside the company network)
I need to enable Secure VPN access for users when they are outside my network
I need to quickly and easily enable DirectAccess for my Windows 7 users
I need to ensure only healthy and secure remote machines can access information/services/applications in my network with appropriate user authentication
I need to be able to define which applications or services these users can access and granularly define the security policies that will govern access to these services remotely
I need to ensure that these users can access these applications regardless of whether they are web-based, terminal services, RemoteApp or Citrix without having to establish VPN connection.
I need to give my users the ability to access these applications from a mobile device, or a non-Windows client such as a Mac or a Linux machine.
I need to provide a web-based portal that users can log in to remotely and launch these applications from, without connecting a VPN, provided their machine is healthy.
I need to provide a web-based portal that users can log in to remotely and, from there, establish a secure SSTP VPN session or access file servers without a full VPN connection, provided their machine passes my organization's health requirements.
I need to be able to easily define the security/machine health policies for machines that are attempting to access these applications.
I have smaller remote sites where I have small numbers of users with no site-to-site VPN and just an internet connection. I need to provide them secure access to my applications over the internet.
As you can see, each product is specialized to deliver very focused capabilities. Hence it is quite possible that some organizations need both solutions while others need only one. For many smaller organizations which need a one-product solution to protect their network and provide reasonably secure remote access, TMG would be the answer. However, for designs that focus purely on inbound access, UAG needs to be considered. If an organization has separate TMG/ISA Server arrays – one for inbound access and another for outbound access – the solution is simple – use a UAG array instead for inbound access and continue using TMG for the outbound array.
Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 (SP1) was released on 23 June 2010.
Forefront TMG 2010 SP1 introduces the following new features and functionality to Forefront TMG 2010 Standard and Enterprise Editions.
The new User Activity report displays the sites and site categories accessed by any user.
All Forefront TMG reports have a new look and feel.
Enhancements to URL Filtering
You can now allow users to override the access restriction on sites blocked by URL filtering. This allows for a more flexible web access policy, in that users can decide for themselves whether to access a blocked site. This is especially useful for websites that have been incorrectly categorized.
You can now override the categorization of a URL on the enterprise level; the override is then effective for each enterprise-joined array.
Denial notification pages can now be customized for your organization’s needs.
Enhanced Branch Office Support
Co-location of Forefront TMG and a domain controller on the same server, which can help reduce the total cost of ownership at branch offices.
When installed on a computer running Windows Server 2008 R2, SP1 simplifies the deployment of BranchCache at the branch office, using Forefront TMG as the Hosted Cache server.
Support for publishing SharePoint 2010
Forefront TMG SP1 supports secure publishing of SharePoint 2010.
In this post, I show you how to block users from playing YouTube videos on your network. I also show you how to block Flash content embedded in web pages (although these days blocking all Flash content may not be such a good idea).
Yes you could always block the URL youtube.com but this may not be effective as YouTube videos can be embedded in other websites and there are plenty of sites *like* YouTube out there. A more effective approach would be to block by MIME type, thanks to the enhanced content filtering capabilities built into TMG.
Before I get started, two important notes:
I mention YouTube because it is everyone’s favorite, but the steps below will work for Vimeo, and any other video sharing sites that rely on Adobe Flash technology.
The steps below can be used to block YouTube and flash content on ISA Server 2004/2006 too.
Blocking YouTube videos using TMG
1. On the TMG Console, right-click Firewall Policy, choose New Access Rule and create a new “Deny” rule named “Block Youtube” as follows:
Applies to: All Outbound traffic
Click Finish to close the wizard.
2. Do not apply the changes yet! Right click on the new rule you just created and choose Properties.
3. Open the Content Types tab. Click New.
4. Create a new Content Type Set as follows:
Available types: (type each of the below and click the Add button)
5. Click OK. Ensure the check box next to your new content type set is enabled:
6. Click OK and apply your changes. Wait for the config synchronization to complete.
Test your changes by trying to play some videos on YouTube or other video sharing websites.
Blocking Adobe Flash Player content using TMG
1. Follow steps 1 to 3 above.
2. While creating a new Content Type set, use the following parameters:
In the available types box, type:
3. Proceed with step 5 above.
Blocking additional MIME types
If you need to block something else, it is easy to find what content type to block. Simply monitor the Logging (Logs & Reports > Logging) in the TMG console. Once you encounter the log entry that allowed the content you want to block, expand the “Additional Information” and you will find the MIME type that you need to block.
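The following is an added example of mine, not part of the original post: a PowerShell function that does the "look in the log" step in bulk. It reads lines from a TMG/ISA web proxy log exported in the tab-separated W3C format, uses the #Fields header to locate the r-host and cs-mime-type columns (so the column order does not matter), and counts which content types each destination host served. The log lines it runs against are constructed samples in that format, not real traffic, and the hosts and MIME types in them are illustrative.

```powershell
# Added example: tally cs-mime-type per destination host from a W3C web proxy log.
# The sample rows below are constructed, not captured from a real TMG server.

function Get-MimeTypeSummary {
    param(
        [Parameter(Mandatory = $true)] [string[]] $LogLines,
        [string] $HostFilter = "*"          # wildcard on r-host, e.g. "*youtube*"
    )
    $fields = $null
    $tally  = @{}
    foreach ($line in $LogLines) {
        if ($line -like "#Fields:*") {
            # The header defines the column order, which differs between log versions.
            $fields = ($line -replace "^#Fields:\s*", "") -split "\s+"
            continue
        }
        if ($line -like "#*" -or [string]::IsNullOrEmpty($line) -or -not $fields) { continue }
        $values = $line -split "`t"
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated row
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row["r-host"] -notlike $HostFilter) { continue }
        if ($row["cs-mime-type"] -eq "-") { continue }      # CONNECT tunnels and bodiless replies
        $key = $row["r-host"] + "|" + $row["cs-mime-type"]
        $tally[$key] = [int]$tally[$key] + 1
    }
    $tally.GetEnumerator() | ForEach-Object {
        $h, $m = $_.Key -split "\|"
        [pscustomobject]@{ Host = $h; MimeType = $m; Requests = $_.Value }
    } | Sort-Object Requests -Descending
}

# Constructed sample log (tab-separated W3C web proxy format, subset of fields).
$header = "#Fields: c-ip cs-username date time r-host cs-protocol s-operation cs-uri cs-mime-type sc-status rule"
$rows = @(
    @("10.0.0.15", "CONTOSO\alice", "2010-08-01", "09:00:01", "www.youtube.com", "http", "GET",
      "http://www.youtube.com/watch?v=abc123", "text/html", "200", "Allow Web Access"),
    @("10.0.0.15", "CONTOSO\alice", "2010-08-01", "09:00:02", "s.ytimg.com", "http", "GET",
      "http://s.ytimg.com/yt/swf/watch.swf", "application/x-shockwave-flash", "200", "Allow Web Access"),
    @("10.0.0.15", "CONTOSO\alice", "2010-08-01", "09:00:05", "v12.lscache3.c.youtube.com", "http", "GET",
      "http://v12.lscache3.c.youtube.com/videoplayback?id=abc123", "video/x-flv", "200", "Allow Web Access"),
    @("10.0.0.22", "CONTOSO\bob",   "2010-08-01", "09:01:10", "www.youtube.com", "SSL-tunnel", "CONNECT",
      "www.youtube.com:443", "-", "200", "Allow Web Access"),
    @("10.0.0.22", "CONTOSO\bob",   "2010-08-01", "09:02:30", "vimeo.com", "http", "GET",
      "http://vimeo.com/12345", "text/html", "200", "Allow Web Access")
)
$sampleLog = @($header) + ($rows | ForEach-Object { $_ -join "`t" })

# All hosts, then only hosts matching *youtube*.
Get-MimeTypeSummary -LogLines $sampleLog | Format-Table -AutoSize
Get-MimeTypeSummary -LogLines $sampleLog -HostFilter "*youtube*" | Format-Table -AutoSize
```

For a real log, replace $sampleLog with Get-Content on the exported file. Note in the sample that the Flash player itself comes from a different host (s.ytimg.com) than the page and the video stream, so a host filter on "youtube" misses it; that is exactly why blocking by content type works where blocking by URL does not.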
What is Forward HTTPS Inspection or Outbound HTTPS Inspection?
In ISA Server 2004/2006 we already had inbound HTTPS inspection, better known as "SSL bridging". SSL bridging protects published web servers from malicious requests originating on the Internet/external network. In essence, the ISA Server holds the same SSL certificate as the published web server, private key included. When an HTTPS request reaches the ISA Server, it terminates the SSL session, decrypts the request with that private key and inspects it. If the request is found to be safe, the ISA Server establishes a second SSL session between itself and the published web server and forwards the request.
SSL Bridging was an excellent piece of technology for inspecting inbound HTTPS traffic, but ISA Server did not have a feature to inspect “outbound” HTTPS traffic.
Okay – so what’s Outbound HTTPS Inspection?
Outbound HTTPS traffic refers to the HTTPS requests originating from the internal network to the Internet, (for example, user’s internet browser). Why is this required? Often blocked websites or services can be accessed through an HTTPS session because the proxy servers do not have visibility of the content that is passing inside the HTTPS session.
This is often the technique used by many anonymizers, P2P software, and applications like Skype to evade being blocked by a proxy server. More dangerously, it is often used by modern malware to pass undetected between your internal network and the internet, as your edge security products simply cannot see what’s inside the SSL.
So, how does HTTPS Inspection work? I’m putting it down in *very* simple terms below:
1. The TMG server holds a CA certificate for HTTPS inspection (either generated by TMG itself or issued by your Active Directory CA). Either way, every client computer on your internal network must trust that CA certificate.
2. A user's computer tries to access an HTTPS website (or other HTTPS content) on the Internet.
3. TMG does not blindly tunnel the request to the remote HTTPS server. Instead, TMG acts as the client and opens its own SSL session to the remote website.
4. TMG validates the site's certificate, copies its identifying details, creates a new SSL certificate with those same details, signs it with its own inspection CA certificate and returns that certificate to the internal client.
Because TMG is the client in the session with the remote server, it can decrypt the content sent back and run malware inspection and policy-based filtering on it.
5. What you end up with is two separate tunnels, one from TMG to the remote HTTPS server and another from TMG to the internal client: a textbook "man-in-the-middle attack", which I like to call the "good man in the middle". With the connection cut into two tunnels, the TMG server can decrypt, inspect and re-encrypt all communication between the client and the remote HTTPS server.
Let’s now roll up our sleeves and see how to turn on HTTPS inspection.
Right click on Web Access Policy. Choose “Configure” > “HTTPS Inspection”
Choose “Enable HTTPS inspection”
You can choose to Inspect traffic and validate site certificates (recommended).
Under HTTPS Inspection Certificate settings you have two options: let TMG generate its own CA certificate, or import a CA certificate issued to TMG by your enterprise root CA (or by a third-party CA). Note that the imported certificate must be a subordinate CA certificate that is allowed to sign other certificates, not an ordinary web server certificate, and public CAs will not normally issue one for this purpose, so in practice the choice is between a TMG-generated CA and your enterprise CA. In either case, every client computer on your network MUST trust the CA certificate.
If you let Forefront TMG generate the certificate, make sure the CA certificate ends up in the Trusted Root Certification Authorities store on every client computer. You can deploy it automatically by clicking the HTTPS Inspection Trusted Root CA Certificate Options button; you will need domain administrator credentials.
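Once HTTPS inspection is on, the quickest way to confirm it, and to see exactly what your users' browsers see, is to open a tunnel through the proxy and look at the certificate that comes back. The script below is an added example of mine, not from the original post or from Microsoft: it sends a CONNECT request to the TMG web proxy listener the way a browser does, starts TLS inside the tunnel, and reports the certificate's subject, issuer and thumbprint. If the issuer is your inspection CA, that site is being inspected. The proxy name, port and CA subject are placeholders.

```powershell
# Added example: see which certificate a web proxy client receives for an HTTPS site
# and decide whether TMG's HTTPS inspection is in the path.
# Placeholders: tmg.contoso.com:8080 and the inspection CA subject name.

function Get-ProxiedServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetHost,
        [int]    $TargetPort = 443,
        [string] $ProxyHost  = "tmg.contoso.com",   # placeholder: TMG web proxy listener
        [int]    $ProxyPort  = 8080
    )
    $client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    try {
        $net = $client.GetStream()
        # Ask the web proxy for a tunnel, exactly as a browser does for an https:// URL.
        $connect = "CONNECT {0}:{1} HTTP/1.1`r`nHost: {0}:{1}`r`n`r`n" -f $TargetHost, $TargetPort
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($connect)
        $net.Write($bytes, 0, $bytes.Length)
        # Read the proxy's reply headers up to the blank line; TLS bytes follow on the same stream.
        $reply = New-Object System.Text.StringBuilder
        while (-not $reply.ToString().EndsWith("`r`n`r`n")) {
            $b = $net.ReadByte()
            if ($b -lt 0) { throw "Proxy closed the connection before answering CONNECT" }
            [void]$reply.Append([char]$b)
        }
        $status = ($reply.ToString() -split "`r`n")[0]
        if ($status -notmatch "^HTTP/1\.[01] 200") { throw "CONNECT refused by proxy: $status" }
        # Accept any certificate: the point is to look at it, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host       = $TargetHost
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

function Test-HttpsInspection {
    # Inspected = the issuer seen by the client is the inspection CA, not the site's real CA.
    param(
        [Parameter(Mandatory = $true)] [string] $TargetHost,
        [string] $InspectionCaSubject = "CN=Contoso TMG HTTPS Inspection CA"   # placeholder
    )
    $seen = Get-ProxiedServerCertificate -TargetHost $TargetHost
    New-Object PSObject -Property @{
        Host      = $TargetHost
        Inspected = ($seen.Issuer -eq $InspectionCaSubject)
        Issuer    = $seen.Issuer
        Subject   = $seen.Subject
    }
}

# Usage, from a client on the internal network:
#   Test-HttpsInspection -TargetHost www.example.com | Format-List
```

Hosts you have put on the HTTPS inspection destination exceptions list will, and must, show their real issuer; the same goes for any site that authenticates users with client certificates, since the split connection breaks that authentication and those sites need to be excluded from inspection.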
It has never been easier to block instant messaging (IM) with Forefront Threat Management Gateway (TMG). If you’ve read my article that I wrote a couple of years ago on how to block IM protocols on ISA Server, you’ll definitely appreciate the ease with which you can do the same stuff more effectively with TMG.
In this post, I show you how you can block Skype, Google Talk, Yahoo Messenger, Live Messenger, etc using Forefront TMG 2010.
Before I go in to the step-by-step procedure, I want to highlight what’s happening in the background.
Microsoft Forefront TMG 2010 comes with two new features we will lean on here: URL filtering, which lets you block web content by category such as Chat, Social Networking or Pornography, and outbound HTTPS inspection, which lets TMG see the URLs requested inside SSL sessions.
Here is a summary of what we will do:
Make sure the only traffic allowed outbound through your TMG server is regular web traffic (HTTP and HTTPS). I advise against "generic" rules such as "allow all from Internal to External" when you have SecureNAT clients on your network, because such rules let IM clients bypass the web proxy entirely and defeat the purpose of filtering.
Turn on HTTPS inspection. Read my earlier post if you need help enabling HTTPS inspection.
In a “Deny” rule on your Web Access Policy, add the “Chat” URL category.
Why do you need HTTPS inspection?
Many IM clients, Skype included, first try to connect using dynamic UDP ports and eventually fall back to HTTPS. Without HTTPS inspection, TMG sees only the host name in the CONNECT request; with it turned on, TMG can look inside the HTTPS session and see whether the software is requesting a URL in a blocked category.
1. In the Forefront TMG console, locate the deny rule in your Web Access Policy. If you do not have one, right-click Web Access Policy in the left pane and choose Configure Web Access Policy.
2. Click on the “To” tab. Click the Add button.
3. Expand URL Categories. Add the “Chat” URL category to the list.
4. Click OK and Apply your changes. Wait for the changes to synchronize (Tip: you can verify this under Monitoring > Configuration)
Now for the best part: try connecting to Skype, or any of your favorite instant messaging software. Note that the web versions of these messengers are also blocked!
On a closing note – you can use the same technique to block P2P (peer-to-peer) and file sharing applications like eMule, Kazaa, eDonkey, BitTorrent, etc using TMG. In step 3, choose “P2P/File sharing” URL category.
How to enable and configure Malware Inspection in TMG
Web traffic may contain malware (such as worms, viruses, and spyware). Microsoft Forefront Threat Management Gateway (TMG) includes malware inspection for scanning, cleaning, and blocking harmful HTTP content and files. When malware inspection is enabled, downloaded Web pages and files allowed by access rules may be inspected for malware.
Malware inspection is performed by the Malware Inspection Filter (Web filter). Malware inspection applies to traffic that uses the HTTP protocol and does not involve the Firewall Client software.
The body of all HTTP requests and responses is inspected, regardless of the HTTP verb in the header. If the body is compressed and the encoding scheme is not recognized, Forefront TMG cannot inspect the content. HTTP content compressed with gzip encoding can be decoded, inspected, and encoded in both directions.
In this post, I will explain how to enable malware inspection and also explain the user experience when this feature is enabled.
1. Enable Malware Inspection on the server
Malware Inspection requires a special “subscription license” (per user, per year). The first time you install TMG, you can enable Malware Inspection time-based trial for free. You can check if Malware Inspection is enabled and check the status by navigating to the “Update Center” option in TMG console. You can also check if the signature updates are getting installed.
2. Configure Malware Inspection
Merely having Malware Inspection filters will not protect your users unless it is turned on and configured. To configure Malware Inspection, open your Web Access Policy and click on Configure Malware Inspection on the Tasks pane.
Ensure that the Enable malware inspection checkbox has been enabled.
In the above dialog box, you can also configure exceptions, definition updates and licenses.
An important option here is the choice between "standard trickling" and "fast trickling". "Trickling" refers to the way TMG passes a file to the user while it is still being scanned for threats, so that the browser connection does not time out.
Standard trickling: TMG holds back most of the file and sends only small pieces to the client to keep the connection alive; the bulk is delivered once the scan completes.
Fast trickling: TMG sends the file to the user as fast as possible and holds back only the last part until the whole file has been scanned. The user perceives better performance, but the TMG server needs more resources for this method.
You can also choose “Progress Notification” method for some file types so that TMG presents a scanning progress notification message in the browser before letting the user download the file. This is done by clicking “Content Types for Progress Notification”.
Notice in my example, the PDF file type is configured for Progress Notification.
3. Enable Malware Inspection on your rules
You also need to enable malware inspection in the applicable Web Access policy rules and Firewall policy rules. To enable Malware Inspection on an “allow” rule, right click on the rule and choose properties
Ensure “Inspect content downloaded from Web servers to clients” and “Force full content requests” is checked.
You can have more control on the malware inspection by enabling to “use rule specific settings for malware inspection”. Then click on the Rule Settings button.
Click OK all the way out and save your configuration. It might take a while till your configuration is synchronized. (This can be verified at Monitoring > Configuration)
Once the rule is applied, try downloading a file on a Web proxy client. TMG presents a scanning status message on the browser.
Once the scanning is complete, the user is allowed to download the file.
If the file contained a virus, the user is shown a warning message and access to the file is blocked.
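To check that a rule really scans downloads rather than merely having the checkbox ticked, fetch the EICAR test file through the proxy: it is a harmless 68-byte text file that antivirus engines detect by convention. The function below is an added example of mine, not from the original post. It downloads the file via the TMG web proxy listener using the current user's credentials and reports whether the payload got through or was blocked. The proxy address is a placeholder and the eicar.org download URL is an assumption; substitute the current one published on eicar.org.

```powershell
# Added example: exercise malware inspection with the EICAR test file.
# Placeholders/assumptions: proxy address tmg.contoso.com:8080, EICAR download URL.

function Test-MalwareInspectionBlock {
    param(
        [string] $ProxyUri    = "http://tmg.contoso.com:8080",              # placeholder: TMG web proxy listener
        [string] $TestFileUri = "http://www.eicar.org/download/eicar.com"   # EICAR test file (URL assumed)
    )
    # A substring of the test file body; on its own it is not the signature, so this
    # script does not trip local antivirus just by existing on disk.
    $marker = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

    $proxy = New-Object System.Net.WebProxy($ProxyUri)
    $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials   # authenticate to TMG as the current user
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = $proxy
    # WebClient sends no Range header, so this is a plain full-content download.

    $result = @{ Uri = $TestFileUri; HttpStatus = $null; Blocked = $false; Detail = "" }
    try {
        $body = [System.Text.Encoding]::ASCII.GetString($wc.DownloadData($TestFileUri))
        $result.HttpStatus = 200
        if ($body -like "*$marker*") {
            $result.Detail = "Test file arrived intact: this rule is NOT scanning downloads"
        } else {
            $result.Blocked = $true   # 200 without the payload, e.g. a TMG notification page
            $result.Detail  = "Response carried no EICAR body"
        }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) {
            $result.Detail = $_.Exception.Message    # proxy unreachable, name resolution failure, etc.
        } else {
            $result.HttpStatus = [int]$resp.StatusCode
            $page = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
            $result.Blocked = ($page -notlike "*$marker*")
            # Reduce the block page to its visible text for the report.
            $text = (($page -replace "<[^>]+>", " ") -replace "\s+", " ").Trim()
            if ($text.Length -gt 160) { $text = $text.Substring(0, 160) + "..." }
            $result.Detail = $text
        }
    }
    New-Object PSObject -Property $result
}

# Usage, from a web proxy client on the internal network:
Test-MalwareInspectionBlock | Format-List
```

Run it once against a rule with "Inspect content downloaded from Web servers to clients" enabled and once against one without, and compare the Blocked field; only the HTTP path is exercised here, since malware inspection does not see inside HTTPS unless HTTPS inspection is also turned on.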
Malware Inspection is a brand new feature in TMG and I’m sure you will find this feature very exciting. Feel free to post your comments below.
I thought I’d share this great video by Jim Harrison on considerations to make when planning to run Microsoft Forefront Threat Management Gateway (TMG) (or ISA Server, for that matter) on a virtualized environment.
In this video, he discusses:
Performance, security and management considerations
Why it’s not recommended to place TMG on the parent, and how to configure the parent partition
High Availability with TMG in a virtual environment