TMG Beta 2 – Quickly Print Screening Through

The new TMG Beta 2 was released yesterday:
http://blogs.technet.com/isablog/archive/2009/02/06/forefront-tmg-beta-2-is-released.aspx

Although this is a beta, the management interface is clean, shiny and slick, and will make Check Point feel a little, just a little bit, jealous. ;)
Cisco’s ASDM? What’s that? (OK, I’m a mean person, feel free to excuse me.)

Let’s quickly navigate through some of TMG Beta 2’s features (there are many of them). Remember this is just beta stuff (ignore the fact that the machine’s name is tmgb1).

 

Outbound HTTPS Inspection

A new feature, present out-of-the-box in this Beta 2 release (for ISA Server 2006 an add-on from Collective Software called ClearTunnel made this possible). We can configure it from the Web Access Policy node, Tasks panel (on the right side), above Configure Malware Inspection:

web_access_policy 

We can validate the server’s certificate and inspect the HTTPS traffic, or just validate the certificate:

https_inspect_opt_1

We can access the options of the root certificate used to sign the servers’ certificates on the fly. This certificate must be trusted by the clients, otherwise their browsers will display a warning. Keep in mind what that trust means: whoever holds this root’s private key can impersonate any HTTPS site to those clients, so the gateway, and any export or backup of the key, needs to be protected accordingly.

https_inspect_opt_2

And this is the root certificate we were talking about:

https_inspect_opt_3

md5RSA? The root is self-signed with MD5. A root’s own signature is never verified by clients that already trust it, but MD5 collisions were used to forge a rogue CA certificate in December 2008, so MD5 has no business anywhere in the chain TMG builds, least of all in the server certificates it issues on the fly:

md5rsa

Key usage:

ca_cert_key

EKU:

eku
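Since the dialog only shows the algorithm name, here is an added example (my code, not TMG’s) of reading the signature algorithm and the Extended Key Usage straight out of a certificate’s DER encoding, so the md5RSA check can be scripted against the root, and against the on-the-fly server certificates a client receives. The certificate it runs on is constructed inline with a tiny DER encoder (dummy names, dummy key, zero signature); the same functions work on a real certificate exported in DER (.cer) format.

```python
"""Minimal DER walker reporting an X.509 certificate's signature algorithm and
Extended Key Usage. Added example, not TMG code. The sample certificate is
constructed below (dummy Name/key, no real signature)."""

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",     # displayed as md5RSA by Windows
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
OID_EXT_KEY_USAGE = "2.5.29.37"

# ---- DER primitives --------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)               # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

# ---- certificate walking ---------------------------------------------------
def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, cert, _ = read_tlv(der)
    parts = list(iter_tlvs(cert))
    alg_tag, alg_id = parts[1]                          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_body = next(iter_tlvs(alg_id))
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_body)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def extended_key_usage(der):
    """Walk tbsCertificate to the [3] extensions and return the EKU names ([] if absent)."""
    _, cert, _ = read_tlv(der)
    _, tbs = next(iter_tlvs(cert))
    for tag, value in iter_tlvs(tbs):
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        _, ext_list = next(iter_tlvs(value))
        for _, ext in iter_tlvs(ext_list):              # Extension ::= SEQUENCE { OID, critical?, OCTET STRING }
            fields = list(iter_tlvs(ext))
            if decode_oid(fields[0][1]) == OID_EXT_KEY_USAGE:
                _, eku_seq, _ = read_tlv(fields[-1][1]) # OCTET STRING wraps SEQUENCE OF OID
                return [EKU_NAMES.get(decode_oid(v), decode_oid(v)) for _, v in iter_tlvs(eku_seq)]
    return []

# ---- tiny DER encoder, used only to build the constructed sample -----------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_cert(sig_oid, ekus):
    """Structurally valid Certificate with empty Names, dummy key and a zero signature."""
    alg_id = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")       # OID + NULL parameters
    name = tlv(0x30, b"")                                       # empty Name (constructed sample)
    eku = tlv(0x30, encode_oid(OID_EXT_KEY_USAGE)
              + tlv(0x04, tlv(0x30, b"".join(encode_oid(e) for e in ekus))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))               # [0] version v3
                    + tlv(0x02, b"\x01")                        # serialNumber
                    + alg_id + name + tlv(0x30, b"") + name     # signature, issuer, validity, subject
                    + tlv(0x30, b"")                            # subjectPublicKeyInfo (dummy)
                    + tlv(0xA3, tlv(0x30, eku)))                # [3] extensions
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" + bytes(16)))

if __name__ == "__main__":
    sample = build_cert("1.2.840.113549.1.1.4", ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"])
    print(signature_algorithm(sample), extended_key_usage(sample))
```

For a real certificate, pass the bytes of a DER-exported file (`signature_algorithm(open("root.cer", "rb").read())`); a PEM file can be converted first with `ssl.PEM_cert_to_DER_cert`. Anything reporting md5WithRSAEncryption in a certificate a client is expected to validate is a finding.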

Generate the self-signed cert:

gen_cert

Or we can import such a certificate if we want to:

import_cert

We can distribute this certificate via Active Directory (Group Policy). Note that different browsers may have their own trusted CA stores: Firefox, for example, does not use the Windows store, so the root must be imported there separately:

https_inspect_opt_4

Some validation options:

https_inspect_opt_6

Clients running the Microsoft Firewall Client for Forefront TMG can be notified when HTTPS inspection is applied:

https_inspect_opt_7 

Let’s see it in action. For example, I’m going to an HTTPS web site. The logs on the TMG show the https-inspect “protocol”:

https_inspect_my_blog_1

Here is what the real certificate of the web site looks like:

https_inspect_my_blog_2

my_blog4

my_blog5

And here is the certificate that the browser on the client will see:

my_blog2

my_blog

my_blog3

In case the name on the SSL server certificate does not match the name that the client requested, TMG will deny the connection:

https_inspect_name_cert_mism 

Also, if the CA that issued the web server’s certificate is not trusted by TMG, the connection will be denied:

https_inspect_ca_not_trusted

And here we are, you know the old story: how do I block Skype with ISA?

That’s no longer an issue. Skype does not speak true SSL on port 443, so with HTTPS inspection enabled the gateway cannot complete the SSL handshake on its behalf, and Skype fails to escape over TCP port 443 as it did before. In the TMG logs you will see a lot of failed entries for the https-inspect “protocol”:

https_inspect_skype_failed

https_inspect_skype_failed_2 
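To make the behaviour in these screenshots concrete, here is an added example (not TMG code) that models the inspection decision: validate the issuing CA against the gateway’s trust store, check the requested host against the certificate names (with proper wildcard rules), and only then re-sign the connection with a leaf issued under the inspection root. The same block shows the Skype case: a stream on TCP/443 whose first bytes are not a TLS ClientHello cannot be terminated by the inspector and fails at the https-inspect step. The certificate records, the inspection root’s name and the byte samples are all constructed assumptions.

```python
"""Model of outbound HTTPS inspection decisions (added example, not TMG code):
deny on an untrusted issuer or a name mismatch, otherwise re-sign on the fly;
and the reason a non-TLS stream on 443 never gets past the inspector."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    subject_cn: str
    issuer: str                                   # issuing CA name, looked up in the trust store
    sans: List[str] = field(default_factory=list)

@dataclass
class Decision:
    action: str                                   # "allow" or "deny"
    reason: str
    client_cert: Optional[Cert] = None            # what the browser sees when allowed

INSPECTION_ROOT = "Forefront TMG HTTPS Inspection Root"   # assumed name for this example

def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 2818/6125-style check: case-insensitive exact match, or a wildcard in
    the leftmost label that covers exactly one label and is never allowed
    directly under a top-level domain (no '*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or pattern.count(".") < 2:
        return False
    head, sep, tail = host.partition(".")
    return bool(head) and sep == "." and tail == pattern[2:]

def cert_names(cert: Cert) -> List[str]:
    # a subjectAltName, when present, is authoritative; the CN is the legacy fallback
    return cert.sans if cert.sans else [cert.subject_cn]

def inspect(host: str, server_cert: Cert, trusted_cas) -> Decision:
    if server_cert.issuer not in trusted_cas:
        return Decision("deny", "issuing CA not trusted by the gateway: %s" % server_cert.issuer)
    names = cert_names(server_cert)
    if not any(hostname_matches(n, host) for n in names):
        return Decision("deny", "name mismatch: requested %s, certificate names %s" % (host, names))
    # validated: issue a leaf for exactly the requested host under the inspection root
    return Decision("allow", "validated; re-signed for inspection",
                    Cert(subject_cn=host, issuer=INSPECTION_ROOT, sans=[host]))

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: ContentType 0x16 (handshake), ProtocolVersion 0x03xx,
    2-byte length, then HandshakeType 0x01 (ClientHello). Anything else on
    TCP/443 cannot be terminated by the inspector, so the session fails."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)

def classify_443_stream(first_bytes: bytes) -> str:
    return "https-inspect" if looks_like_tls_client_hello(first_bytes) else "https-inspect failed: not TLS"

# constructed samples
TLS_HELLO_PREFIX = bytes.fromhex("160301002f0100002b0303")  # record header + ClientHello header
NOT_TLS_PREFIX = bytes.fromhex("17a3f1d80b9c4e2257")        # stand-in for an obfuscated non-TLS protocol on 443
TRUSTED = {"Example Root CA"}                                # the gateway's trust store, constructed

if __name__ == "__main__":
    ok = inspect("www.example.com",
                 Cert("www.example.com", "Example Root CA", ["www.example.com", "example.com"]), TRUSTED)
    print(ok.action, "-> browser sees issuer:", ok.client_cert.issuer)
    print(inspect("www.example.com", Cert("mail.example.com", "Example Root CA"), TRUSTED).reason)
    print(inspect("www.example.com", Cert("www.example.com", "Unknown CA"), TRUSTED).reason)
    print(classify_443_stream(TLS_HELLO_PREFIX), "|", classify_443_stream(NOT_TLS_PREFIX))
```

The ordering matters in practice: the issuer check comes first because a name match on a certificate from an untrusted CA proves nothing, and the leaf handed to the browser carries only the requested host, never the original certificate’s full name list.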

Network anti-virus/anti-malware software rendered useless without outbound SSL inspection?
No longer the case, right out of the box:

https_malware_inspect_eicar

 

Malware Inspection

We can globally Configure Malware Inspection from the Web Access Policy node, Policy Editing Tasks:

web_access_policy

Options grouped together:

malware_inspect_opt_1

malware_inspect_opt_2

malware_inspect_opt_3

malware_inspect_opt_4

malware_inspect_opt_5

malware_inspect_opt_6

malware_inspect_opt_7

malware_inspect_opt_8

malware_inspect_opt_9

malware_inspect_opt_10

Per rule settings:

malware_inspect_opt_per_rule_1

malware_inspect_opt_per_rule_2

No malware detected, accessing various sites:

no_malw_det 

In the line of duty: malware inspection, over HTTP or HTTPS, with the EICAR test file:

malware_inspect_eicar_1

malware_inspect_eicar_2

Various tests:

http_malware_inspect_test_1 

comprr

comprr_log

no_comprr

no_comprr_log
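The tests above appear to include compressed and uncompressed responses (the comprr and no_comprr screenshots). As an added example, not TMG’s engine, here is an inline scanner that parses the HTTP response, removes any Content-Encoding and then matches the EICAR test string, next to a naive scanner that matches the wire bytes and therefore misses a gzip-compressed copy of the same file. The response samples are constructed inline; blocking content the scanner cannot decode is a policy choice of this example, not documented TMG behaviour.

```python
"""Inline HTTP response scanner (added example, not TMG code): decode
Content-Encoding before signature matching, and show what the naive version
misses. Sample responses are constructed inline."""
import gzip
import zlib

# the public EICAR test string (68 bytes): harmless, recognised by every AV engine
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}

def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def decode_body(headers, body: bytes) -> bytes:
    """Undo Content-Encoding. Several codings may be listed; the server applied
    them in order, so they are removed in reverse."""
    codings = [c.strip().lower() for c in headers.get("content-encoding", "").split(",") if c.strip()]
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            try:
                body = zlib.decompress(body)                    # zlib-wrapped, as RFC 2616 specifies
            except zlib.error:
                body = zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate, which some servers send
        elif coding != "identity":
            raise ValueError("cannot decode Content-Encoding %r" % coding)
    return body

def scan(raw: bytes):
    """Return ("blocked", reason) or ("allowed", None). A body the scanner
    cannot decode is blocked: an uninspectable download is treated as unsafe."""
    _, headers, body = parse_http_response(raw)
    try:
        content = decode_body(headers, body)
    except (ValueError, OSError, zlib.error, EOFError) as exc:
        return "blocked", "undecodable body: %s" % exc
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return "blocked", name
    return "allowed", None

def naive_scan(raw: bytes):
    """The weak version: pattern-matches the wire bytes without decoding."""
    _, _, body = parse_http_response(raw)
    for name, pattern in SIGNATURES.items():
        if pattern in body:
            return "blocked", name
    return "allowed", None

def http_response(body: bytes, *extra_headers: bytes) -> bytes:
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: application/octet-stream",
             b"Content-Length: %d" % len(body), *extra_headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

# constructed sample downloads: the same test file plain, gzip-compressed, and
# in a coding this scanner does not implement
FILE = b"-- constructed test download --\n" * 4 + EICAR + b"\n"
PLAIN = http_response(FILE)
GZIPPED = http_response(gzip.compress(FILE), b"Content-Encoding: gzip")
UNKNOWN = http_response(b"\x00\x01\x02", b"Content-Encoding: br")

if __name__ == "__main__":
    for label, resp in (("plain", PLAIN), ("gzip", GZIPPED), ("br", UNKNOWN)):
        print(label, "| decoding scanner:", scan(resp), "| naive:", naive_scan(resp))
```

Whether an uninspectable download should be blocked or passed through is exactly the kind of setting a malware inspection policy has to make explicit; the example errs on the side of blocking.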

 

Intrusion Prevention System

This is a new feature in the Beta 2 release.

We can access it from the Intrusion Prevention System node:

ips_opt_1

Also from the Intrusion Prevention System node we can configure Intrusion Detection, DNS Attack Detection, IP Preferences or Flood Mitigation (which are also accessible from the Firewall Policy node):

ips_opt_2

The signatures grouped by severity:

ips_opt_9

ips_opt_14

As can be observed above, we can set all NIS responses to Microsoft Defaults or to Detect Only.

A few options are globally configurable, like Enable signature-based NIS:

ips_opt_3

Exclude traffic from or to certain networks:

ips_opt_4

Update and install check frequency:

ips_opt_11

ips_opt_5

The default policy for new signatures:

ips_opt_6

A weird NIS signature set version:

ips_opt_13

There are a few signatures.
We can view and modify the settings for each signature: whether it is enabled and with what response (for example, to block):

ips_opt_12

ips_opt_7

ips_opt_8

IPS Alerts:

nis_alert

nis_alert_click_config

nis_alert_config

Logs, IPS Scan Result, IPS Signature, and the messages on the client side:

ips_opt_10

tmg_ips_log_2

tmg_ips_log_10

tmg_ips_log_11

jason

jim

steve

tom

tmg_ips_log_1 

tmg_ips_log_4 

tmg_ips_log_6

tmg_ips_log_8

tmg_ips_log_9

ips_log_catch

 

NAT Features

When we define a network rule with a NAT relationship we now have a new option: selecting which IP address of the network adapter is used to hide the computers behind:

new_net_rule_nat

For example I can hide host 192.168.10.2 behind the 192.168.22.235 IP address:

nat_rule

 

ISP Redundancy

ISP redundancy is a new feature of this Beta 2 release.

routing_tmgb2

Only two Internet connections can be used with this feature.

routing_2

We can access and enable it from the Networking node, the ISP Redundancy menu:

isp_redun

We can select Failover, using a primary and a backup link, or Load balancing between two ISP links. For example, let’s select load balancing:

isp_redun_1

And specify the options for ISP Link 1 and ISP Link 2:

isp_redun_2

isp_redun_3

As can be seen, we can explicitly send the traffic to certain destinations over a selected link:

isp_redun_8

Choose a load balancing factor:

isp_redun_4 

Load balancing is now enabled; we can notice that the ISP 2 link is down for the moment:

isp_redun_6

If we choose failover instead of load balancing:

isp_redun_11

Then our options for the ISP links look the same, except that we no longer see the Explicit route destinations one (since we now have a primary and a backup link):

isp_redun_9

isp_redun_10

And obviously now we need to select the primary link:

isp_redun_5

isp_redun_7

 

Firewall Policy

The firewall options are nicely grouped and can be accessed from the Firewall Policy node:

fw_opt_1

We can quickly spot a new option called Configure VoIP under the Firewall Policy Tasks, which starts the SIP Configuration Wizard:

fw_opt_2

Also we have a Configure VoIP Settings option under Related Tasks:

fw_opt_3

And the Flood Mitigation settings include a SIP Quotas tab:

fw_opt_4 

A quick look at the Toolbox/Protocols:

fw_opt_7

And the System Policies:

fw_opt_8

 

Forefront TMG E-Mail Protection Feature

I didn’t install the Exchange Edge Transport role of Exchange Server 2007 with Service Pack 1 on the Forefront TMG server prior to installing Forefront TMG, so I can’t use the Forefront TMG E-Mail Protection feature found under E-mail Policy (you can find a little bit about it in the Forefront Threat Management Gateway Release Notes for Beta 2.docx from here):

email_1

email_2

email_3

 

The Roles Configuration and the System node

The Roles Configuration:

syst_4

From the System node we can configure this TMG server (the local server):

syst_1

syst_2

Also there are some Related Tasks we can perform, like install a server certificate:

syst_3

The application filters present on TMG Beta 2; note the new kid on the block, the SIP Access Filter:

fw_opt_5

The Web Filters present on TMG Beta 2:

fw_opt_6

 

VPN

There isn’t much new in the area of VPN clients:

vpn_1 

But we get NAP:

vpn_3

Same old protocols:

vpn_2

The authentication methods, almost the same old screen:

vpn_14

And the Remote Sites area:

vpn_4

vpn_5

An IPsec tunnel mode site-to-site VPN with NSA “Suite B” cryptography:
http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

vpn_6

vpn_7

vpn_8

AES GCM is here:

vpn_9

vpn_10

vpn_11

As said above, the fast AES GCM is here:
http://technet.microsoft.com/en-us/library/dd125356.aspx
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
http://www.ietf.org/rfc/rfc4106.txt

But something is not right, or is at least confusing. AES GCM is an authenticated encryption mode: it provides both confidentiality and integrity (data origin authentication) in one efficient, fast and secure pass, yet the screens are not very clear on this matter (I haven’t tested it). When AES GCM is selected, the Integrity algorithm field should be greyed out, or at any rate not show SHA or MD5, see below.
For example, from http://www.ietf.org/rfc/rfc4869.txt (which “does not specify an Internet standard of any kind”):

3.1.  Suite "Suite-B-GCM-128"

   This suite provides ESP integrity protection and confidentiality
   using 128-bit AES-GCM (see [RFC4106]).  This suite or the following
   suite should be used when ESP integrity protection and encryption are
   both needed.

   ESP:
     Encryption     AES with 128-bit keys and 16-octet Integrity
                      Check Value (ICV) in GCM mode [RFC4106]
     Integrity      NULL

Microsoft’s own documentation points this out as well:
http://technet.microsoft.com/en-us/library/dd125356.aspx#bkmk_aesgcm

vpn_12

vpn_15

vpn_13 

 

Logs and Reports

The logs and reports are grouped together under the node with the same name, Logs and Reports:

logs_rep_1

The default log storage format is SQL Server Express Database (on the local server) for both Firewall Logging and Web Proxy Logging:

logs_rep_2

logs_rep_3

logs_rep_4

logs_rep_5

The Reports area is also nice and clean:

logs_rep_6

Reports include the new features Malware Inspection and NIS:

logs_rep_7

logs_rep_8

 

Monitoring

As we have seen, unlike ISA Server 2006, the Logs and Reports are separated from the Dashboard, Alerts and the other Monitoring areas, and the management interface looks cleaner and easier to use.

The Dashboard tab:

mon_1

The Alerts tab:

mon_2

The Configuration tab:

mon_3

 

Update Center

The Update Center node, again with options nicely grouped:

updt

Configure Settings, a central place to manage all update settings:

updt_2

updt_3

updt_4

 

Troubleshooting

The Troubleshooting node:

troubl

Comments (2)

  • Nice overview Adrian...and quick too! ;)
