Introducing Forefront TMG CHAPTER 13 575 TABLE 13-1 Default firewall policy rules in Windows EBS NAME TYPE ACTION PROTOCOL LISTENING PORT, PROTOCOL TYPE, AND DIRECTION Default rule Access rule Deny requests from all networks to all net- works. This predefined access rule helps pro- tect your networks by blocking all traffic that is not explicitly allowed by other, user-defined, access rules. This rule is always processed last. All traffic All traffic Understanding System Policy Rules System policy rules are a set of access rules that are hidden by default. These rules are used to allow communication between the Local Host network (the Security Server) and other com- puters. They allow the traffic and protocols necessary for Forefront TMG to perform authenti- cation, domain membership, network diagnostics, logging, and remote management. To display system policy rules, select the Firewall Policy node in the console tree and then click the Show/Hide System Policy Rules icon on the menu bar, which is shown in Figure 13-11. (Alternatively, you can select the Show System Policy rules option from the View menu.) After you select the option to display system policy rules, these rules appear at the top of the All Firewall Policy list, as shown in Figure 13-12. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 576 CHAPTER 13 Configuring Forefront Threat Management Gateway FIGURE 13-11 Opting to show system policy rules in the Forefront TMG console FIGURE 13-12 System policy rules Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Introducing Forefront TMG CHAPTER 13 577 In Windows EBS, 36 system policy rules are created by default. These rules are shown in Table 13-2. Note that not all system policy rules are enabled after Windows EBS installation. TABLE 13-2 System policy rules in Windows EBS NAME POLICY GROUP STATUS Allow access to directory services for authentication purpose s Authentication Services Enabled Allow remote management from selected computers using MM C Remote Management Enabled Allow remote management from selected computers using Terminal Serve r Remote Management Enabled Allow remote management from selected computers using a Web applicatio n Remote Management Enabled Allow remote logging to trusted servers using NetBIO S Remote Logging Disabled Allow RADIUS authentication from Forefront TMG to trusted RADIUS server s Authentication Services Disabled Allow Kerberos authentication from Forefront TMG to trusted server s Authentication Services Enabled Allow DNS from Forefront TMG to selected server s Network Services Enabled Allow DHCP requests from Forefront TMG to all network s Network Services Enabled Allow DHCP replies from DHCP servers to Forefront TM G Network Services Enabled Allow ICMP (PING) requests from selected computers to Forefront TM G Diagnostic Services Enabled Allow ICMP (PING) requests from Forefront TMG to selected server s Diagnostic Services Enabled Allow VPN client traffic to Forefront TM G This system policy rule is not modified through the system policy editor. This rule is enabled automatically by Forefront TMG when you en- able VPN traffic. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 578 CHAPTER 13 Configuring Forefront Threat Management Gateway TABLE 13-2 System policy rules in Windows EBS NAME POLICY GROUP STATUS Allow VPN site-to-site traffic to Forefront TM G This system policy rule is not modified through the system policy editor. This rule is enabled automatically by Forefront TMG when you create a site-to-site network. Allow VPN site-to-site traffic from Forefront TM G This system policy rule is not modified through the system policy editor. This rule is enabled automatically by Forefront TMG when you create a site-to-site network. Allow Microsoft CIFS from Fore- front TMG to trusted server s Authentication Services Enabled Allow remote SQL logging from Forefront TMG to selected server s Remote Logging Disabled. (Note: You should enable this rule if you configure Forefront TMG to write log data to a remote SQL Server.) Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads ) Authentication Services Enabled Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifier s Diagnostic Services Disabled Allow remote performance monitoring of Forefront TMG from trusted server s Remote Monitoring Enabled Allow NetBIOS from Forefront TMG to trusted servers Diagnostic Services Disabled Allow RPC from Forefront TMG to trusted servers Authentication Services Enabled Allow HTTP/HTTPS from Forefront TMG to specified Microsoft error-reporting site s Diagnostic Services Enabled Allow SecurID authentication from Forefront TMG to trusted server s Authentication Services Disabled Allow remote monitoring from Forefront TMG to trusted servers, using Microsoft Operations Manager (MOM) agen t Remote Monitoring Enabled Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Introducing Forefront TMG CHAPTER 13 579 TABLE 13-2 System policy rules in Windows EBS NAME POLICY GROUP STATUS Allow HTTP/HTTPS requests from Forefront TMG to speci- fied site s Various Enabled. (Note: This rule allows Forefront TMG to communicate with sites in the System Policy Allowed Sites domain name set.) Allow HTTP/HTTPS requests from Forefront TMG to specified Microsoft Update site s Various Enabled Allow NTP from Forefront TMG to trusted NTP server s Network Services Enabled Allow SMTP from Forefront TMG to trusted server s Remote Monitoring Disabled Allow HTTP from Forefront TMG to selected computers for Content Download Job s Various Disabled Allow MS Firewall Control communication to selected computer s Remote Management Enabled Allow remote access to Configuration Storage serve r Configuration Storage Servers Enabled Allow access from trusted servers to the local Configuration Storage serve r Configuration Storage Servers Enabled Allow replication between Configuration Storage server s Configuration Storage Servers Enabled Allow intra-array communication Intra-Array Communication Enabled Allow Remote Access to Forefront TMG Reportin g Network Services Enabled Understanding Web Access Policy You can see the locally configured Web access policy in the Forefront TMG console when you select the Web Access Policy node in the console tree. The access rules that make up Web access policy appear in the Details pane, as shown in Figure 13-13. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 580 CHAPTER 13 Configuring Forefront Threat Management Gateway FIGURE 13-13 Web access policy access rules Web access policy is a subset of firewall policy. The access rules that you see displayed as part of Web access policy also appear in the list of firewall policy rules when the Firewall Policy node is selected in the console tree. However, unlike other firewall policy rules, Web access policy rules are used to control the flow of HTTP traffic associated only with the internal adapter of the Security Server. As a result, you can use Web access policy to control most Internet access for your organization. By using Web access policy rules, you can manage Web access in the following ways: n Allow anonymous Internet access or require users to authenticate. n Create access rules that allow or deny access to specific Web sites or groups of sites. n Configure a default Web access policy that allows or denies access to Web sites that are not specifically mentioned in access rules. n Exempt specific users from rules that block Internet access. n Enable caching of Web content for faster access and reduced bandwidth. n Configure antivirus scanning to inspect Web content for malware. Windows EBS automatically creates a Web access policy that consists of the following two rules in addition to the Default rule (which is read last and blocks all traffic): 1. Allow Internet Access to All Users As its name suggests, this rule allows all users—whether they are connecting from the Internal network, the Local Host network, the VPN Clients network, or the Quarantined VPN Clients network—to connect to all Web destinations on the External network. This rule also enables malware inspection on all traffic associated with outgoing Web requests. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Introducing Forefront TMG CHAPTER 13 581 2. Allow SCE Management Access from SCE Agent to Management Server This rule is needed for reporting purposes in Microsoft System Center Essentials. It allows Web connection requests from the Local Host network to the Management Server. Creating a Web Access Policy The default Web access policy created by Windows EBS is to allow all users unrestricted Web access. If you want to change this default policy, you should use the Web Access Policy Wizard, which is a feature that is new to Forefront TMG. To open the Web Access Policy Wizard, you can use the Windows EBS Administration Console or the Forefront TMG console. In the Windows EBS Administration Console, select the Security tab, right-click Network Firewall, and then click Create Policy Rules For Accessing The Internet from the shortcut menu, as shown in Figure 13-14. FIGURE 13-14 Opening the Web Access Policy Wizard from the Windows EBS Administration Console To open the Web Access Policy Wizard from the Forefront TMG console, select the Web Access Policy node in the console tree and then click Configure Web Access Policy in the Details pane or on the Tasks tab, as shown in Figure 13-15. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 582 CHAPTER 13 Configuring Forefront Threat Management Gateway FIGURE 13-15 Launching the Web Access Policy Wizard from the Forefront TMG console note If you have already run the wizard, a message appears warning you that manual changes made to settings and rules previously configured using the wizard will be discarded. To complete the Web Access Policy Wizard, perform the following steps: 1. On the Welcome page of the Web Access Policy Wizard, shown in Figure 13-16, click Next. FIGURE 13-16 The Web Access Policy Wizard Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Introducing Forefront TMG CHAPTER 13 583 2. On the Web Protection page, click Yes, Enable The Malware Inspection Feature if you want to turn this feature on as a global setting. Malware inspection is available for evaluation for a year. After this period, a license is required. Malware inspection is applied to content sent from server to client and to content provided by access rules. To apply inspection to access rule content, you must enable malware inspection in the rule settings in addition to this global setting. You can perform this task when you run the New Access Rule Wizard. (For more information about malware inspection, see the section “Understanding HTTP Malware Inspection” later in this chapter.) 3. On the Web Access Policy Type page, select the type of Web access policy that you want to apply in your organization:  Select Create A Simple Web Access Policy For All The Clients In My Organization to allow all users to visit all Web sites except those URLs that you specifically block. Using this policy, you can also enable malware scanning for HTTP traffic and configure caching.  Select Create Customized Web Access Policies For Users, Groups, And Computers to specify that Web policy is controlled by authenticated user access, nonauthenticated IP address access, or a mixture of both. Using this policy, you can create rules for authentication and anonymous access, enable malware scanning, configure caching, and specify how requests that do not match users and IP addresses specified in rules should be handled. 4. Specify settings on each page of the wizard. Use the following tables to help you. Table 13-3 and Table 13-4 provide information about the pages that appear when you choose either the simple policy or the customized policy, respectively. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 584 CHAPTER 13 Configuring Forefront Threat Management Gateway TABLE 13-3 Web Access Policy Wizard pages for the simple policy settings option PAGE FIELD OR PROPERTY SETTING OR ACTION RULES OR GLOBAL SETTINGS Restricted Web Destination s Add This setting creates an al- low rule that allows access to the External network, and it creates a deny rule that blocks access to Web sites you specify. All users can access all sites not specified on this page. Rule name: Web Access Default Rule Rule type: Allow From: Internal To: External Applies to: All Users Rule name: Web Access Restrictions Rule type: Deny From: Internal To: Specified URL destinations Applies to: All Users Exceptions: Any users specified on the Restricted Destinations Exceptions page. Restricted Destina- tions Exception s Add This setting enables you to exempt users or user groups from the deny rule. Exemptions to Web Access Restrictions rule Malware Inspection Setting s Do Not Inspect Web Content Requests From The Internet Inspect Web Content Requested From The Internet Select to configure anti virus scanning of Web traffic. This setting applies malware inspection to the rules created by the wizard. Web Cache Configuratio n Enable Web Caching Select this setting. Then se- lect the drive from the list and click Cache Drives to turn on caching and define cache drives. Caching is not active until both of these steps are complete. After completing the wizard, you configure cache settings and create cache rules to download content. This global setting applies to all content that is specified for caching by the defined cache rules. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... Exchange RPC Server n FTP Server n DNS Server HTTPS Server Understanding Server Publishing CHAPTER 13 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 599 n IKE Server n IMAP4 Server n IMAPS Server n IPsec ESP Server n IPsec NAT-T Server n L2TP Server n Microsoft SQL Server n MMS Server n MS Firewall Secure Storage Server n MS Firewall Storage Server n NNTP Server n NNTPS Server. .. Storage Server n NNTP Server n NNTPS Server n PNM Server n POP3 Server n POP3S Server n PPTP Server n RDP (Terminal Services) Server n RPC Server (all interfaces) n RTSP Server n SMTP Server n SMTPS Server n Telnet Server If you want to publish a server whose protocol is not preconfigured, you need to create the new protocol definition before creating the server publishing rule To create a new protocol... instructions Note that for server protocols to be used in server publishing rules, you should specify the direction of the protocol as inbound Creating a New Server Publishing Rule If the server protocol for the server you want to publish is already created, you can use the New Server Publishing Rule Wizard to publish that server To start the New Server Publishing Rule Wizard, you can use the Windows EBS Administration... internal server any requests for specific services that are received by the external interface of the Security Server By default, only one server publishing rule is created by Windows EBS This rule, named “Allow incoming e-mail by publishing SMTP mail server allows e-mail to be sent from the Internet to the Microsoft Exchange Edge Transport server role on the Security Server Note The Edge Transport server. .. Understanding Server Publishing In Forefront TMG, to publish a server means to make a non–Web server on your internal n ­ etwork available from the Internet For example, by publishing an FTP server that is hosted on your internal network, you can make that FTP server accessible to external users Server publishing is made possible through the use of server publishing rules Like Web publishing rules, server. .. to your SMTP and Web servers you want to make another internal server available from the Internet, you need to create a new server publishing rule A server p ­ ublishing rule configures Forefront TMG to listen for client requests to a specified external IP address and port number By default, Forefront TMG includes the following 26 common server protocols that you can specify in a server publishing rule:... Starting the New Server Publishing Rule Wizard from the Forefront TMG console When the Welcome page of the New Server Publishing Wizard appears, use Table 13-9 to help you complete the pages of the wizard Table 13-9  Pages of the New Server Publishing Rule Wizard Page Field or property Setting or action Welcome To The New Server Publishing Wizard Server Publishing Rule Name Type a name for the server publishing... Type a name for the server publishing rule Select Server Server IP Address Type the IP address of the server that you want to publish Select Protocol Selected Protocol From the drop-down list, select the server protocol for the server you want to publish Then click Ports if you want to override the default ports in the protocol definition Understanding Server Publishing CHAPTER 13 Please purchase PDF... request messages sent to the published server If you are publishing a single Web server and the internal site name specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use A Computer Name Or IP Address To Connect To The Published Server, and then type the resolvable computer name or IP address of the published server Path (Optional) Type the... In the Windows EBS Administration Console, on the Security tab, right-click the Network Firewall component, and then click Create A Server Publishing Rule on the shortcut menu, as shown in Figure 13-23 Understanding Server Publishing CHAPTER 13 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 601 Figure 13-23  Starting the New Server Publishing Rule Wizard in the Windows . Configuration Storage Servers Enabled Allow access from trusted servers to the local Configuration Storage serve r Configuration Storage Servers Enabled Allow. Web publishing rul e /Microsoft -Server- ActiveSync/* External Web Listener Messaging Server Allow All Authenti- cated Users Server publishing rule to redirect