Anti-malware, firewall, intrusion detection, and more
Microsoft Forefront Threat Management Gateway (TMG) 2010 offers a dynamic response to security threats, providing a variety of security technologies such as anti-malware, firewall, and intrusion detection under one umbrella.
It replaces Internet Security and Acceleration Server (ISA) 2006 and integrates with Forefront Protection Manager (currently in beta and due to RTM in Q1 2010), a single-console solution, previously code-named Stirling, which offers central management of Microsoft Forefront products.
Forefront TMG connects to Forefront Protection Manager via the Security Assessment Sharing (SAS) system.
Forefront TMG Medium Business Edition was recently released as part of Essential Business Server and is designed to protect up to 300 users. Forefront TMG 2010 Standard and Enterprise editions replace ISA 2006, with the Enterprise Edition supporting deployment and management of TMG arrays and an unlimited number of processors.
Microsoft calls Forefront TMG 2010 a Unified Threat Management (UTM) product, and improvements over ISA include the ability to inspect outbound SSL traffic, definition-based network inspection (NIS), and malware blocking at the gateway. Let’s walk through the major features and basic setup of Forefront TMG 2010.
Installing Forefront TMG 2010
Forefront TMG 2010 requires Windows Server 2008 or Windows Server 2008 R2 (64-bit editions only), 2GB RAM, 2.5 GB of free disk space and one or more network cards. Additionally, you will need to install the .NET Framework 3.5, Windows PowerShell, and the Microsoft Message Queuing Service with Directory Integration.
You can download Forefront TMG 2010 at the Microsoft site. For the purposes of this article, I’ve installed Forefront TMG on a Server 2008 R2 member server with one network card connected to the Internet and another to my internal network.
The Preparation Tool wizard guides you through installation, allowing the selection of required components. You can choose among three options when installing Forefront TMG: Forefront TMG Services and Management, Forefront TMG Management only, and Enterprise Management Server (EMS) for centralized array management.
Arrays consist of multiple TMG servers that work in unison to provide high availability and scalability. In this simple testing scenario, I opted for Forefront TMG Services and Management, which installs Forefront TMG and the management console.
Once installed, Forefront TMG offers a series of Getting Started wizards for basic configuration, the most important of which is the Network Settings wizard, which lets you choose the topology for firewall configuration. Setup is unusually fast and simple for a Microsoft server product.
Features in Forefront TMG 2010
Forefront TMG takes ISA beyond firewall, proxy and remote access, and provides a comprehensive UTM solution. Forefront TMG boasts the ability to inspect inbound and outbound HTTPS traffic; the ability to block malware downloads at the gateway; an improved network inspection system; and category-based URL filtering for controlling employee Internet access (or “productivity management” in Microsoft-speak).
For the first time, Microsoft’s enterprise firewall application runs on 64-bit processors, permitting better performance along with deep network inspection. Another important feature of Forefront TMG is that it integrates with Forefront Protection Manager, currently in beta, which collects data from other products in the Forefront range, letting administrators configure dynamic protection against threats as they’re discovered on the network.
Besides the wizards that are launched after setup has completed, the Role Configuration tab on the main Forefront TMG screen provides quick links to various parts of the console so you can continue configuration. However, no additional configuration wizards are provided.
The dashboard and monitoring screens, which Figure 1 shows, provide a good overview of all of Forefront TMG’s components, and other network services that it depends on, such as Active Directory (AD) and DNS.
The Tasks pane on the Firewall Policy node provides quick links to publish common servers such as SharePoint or Exchange Mail services. Forefront TMG is supplied with a Session Initiation Protocol (SIP) filter that automatically manages the opening and closing of Real Time Protocol (RTP) ports for VOIP sessions.
Web Access Policy includes proxy authentication, HTTP compression, HTTPS inspection, malware protection, and caching. The category-based URL filtering is based on information provided by Microsoft Reputation Services.
Forefront TMG can also be used as an SMTP relay, providing spam filtering and virus protection for Exchange. If installed on the same machine as Exchange Edge Server and Forefront Protection 2010 for Exchange, Forefront TMG can be used to centrally manage SMTP, antispam, and anti-malware policies on the network edge with support for arrays.
Definition-based network inspection in Forefront TMG, which Figure 2 shows, is based on new technology from Microsoft Research, Generic Application-level Protocol Analyzer (GAPA), and can be used to block traffic to network resources if an attack pattern is identified.
Network inspection, otherwise known as virtual patching, can be useful in situations where a patch has not yet been developed or deployed for a known vulnerability, especially considering the speed at which a definition can be implemented. Other standard features carried over from ISA 2006 include DNS attack detection and flood mitigation.
Despite the limited focus on new inbound access features in this release, the most important development in TMG Remote Access is support for Server 2008’s Network Access Protection (NAP), enforcing health policies when VPN clients connect via TMG and disposing of the complex script-based Network Access Quarantine (NAQ) that shipped with Windows 2003.
Forefront TMG also adds integrated support for SSTP, allowing Windows Vista and Windows 7 users to make a VPN connection over HTTPS.
ISP redundancy is a great new feature in Forefront TMG for companies that don’t want to rely on a single Internet service provider. Not only can Forefront TMG detect when a link is down and move all traffic to a redundant network, load balancing can be performed across links, so that if one link is faster, more traffic can be routed via the faster link.
As in ISA, Forefront TMG’s Firewall Client can provide comprehensive reports on user activity and network traffic. The detailed reporting provided by Firewall Client, which is an optional component that can be installed on desktops and notebooks for advanced functionality, proves especially useful in high security environments or for companies that must comply with strict regulatory requirements.
Forefront TMG’s Firewall Client can be configured to use AD to securely discover approved web proxy servers, as opposed to using the Web Proxy Auto-Discovery Protocol (WPAD), which is less secure and more complicated to set up.
Forefront TMG Will Be a Winner
ISA has always provided the most complete protection for Microsoft products, and Forefront TMG builds on that foundation. Sys admins will warm to the improvements on the usability front from the outset, such as setup wizards and support for Server 2008’s NAP. Another nice touch is the ability to enter a change description and export the current settings before applying configuration changes.
With the exception of support for SSTP and secure server publishing features from ISA 2006, going forward, most new inbound access developments will focus on Microsoft’s new Forefront Unified Access Gateway (UAG) product.
Finally, with the promise of true dynamic infrastructure management, Forefront TMG will integrate with Forefront Protection Manager to provide reactive responses to emerging threats and proactive security.