
Page 1: 50357 a enu-module05

Module 5: Forefront TMG Design and Deployment Considerations

© 2009, Microsoft. All rights reserved. All other trademarks are the property of their respective owners.

Page 2: 50357 a enu-module05

Module Overview

- Logical design considerations
- Scalability and availability
- Client configuration
- Migration options

Page 3: 50357 a enu-module05

Lesson 1 – Logical Design Considerations

Page 4: 50357 a enu-module05

Design Options

- Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
- Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in stand-alone array
- Multiple purposes and/or locations, high availability: Enterprise Management Server

Page 5: 50357 a enu-module05

Single Purpose and Location

[Diagram: a single Forefront TMG Standard Edition server between the internal network and the Internet]

Forefront TMG 2010 Standard Edition (SE)

- Light and medium traffic
- All-in-one solution
- No high availability requirements

Page 6: 50357 a enu-module05

Single Purpose and Location

[Diagram: a stand-alone array of Forefront TMG servers between the internal network and the Internet]

Forefront TMG 2010 Enterprise Edition (EE):

- Stand-alone array
- Shared configuration
- High traffic solution

Simple upgrade to EE:

- Data maintained
- EE license key

Provides high availability and scale out

Page 7: 50357 a enu-module05

Forefront TMG Arrays

- Shared configuration of EE servers
- Allows scale out and high availability
- Seen as a single entity by clients
  - Network connections load balanced across the array
- Administered as a single entity
  - Configuration settings shared across array members
- Stand-alone array
  - No dedicated management server
  - One server designated as the array manager
  - Consoles redirect to the array manager

Page 8: 50357 a enu-module05

Joining Stand-alone Array

Page 9: 50357 a enu-module05

Enterprise Management Server (EMS)

- Dedicated, replicated configuration store
- Single point of administration
- Uses Windows Server® 2008 Active Directory® Lightweight Directory Services (AD LDS) to host the configuration store
  - Same replication mechanism as Active Directory (AD)
  - Requires Active Directory authentication to replicate

Page 10: 50357 a enu-module05

Using EMS-managed Arrays

- Arrays can enforce Enterprise policy configured in EMS
  - Optionally allow local array policy
- Define primary and secondary EMS servers for high availability
- Array members query EMS using LDAP
  - Domain-joined array members authenticate via AD (Kerberos)
  - Workgroup servers or servers in untrusted domains authenticate using TLS (certificates)

Page 11: 50357 a enu-module05

Deploying an EMS

- Select EMS to be installed on the server
- Configure it to create a new enterprise or to be a replica of an existing one
- Select the authentication method

Page 12: 50357 a enu-module05

Creating an Array on EMS

An EMS can store policies for several different arrays, as well as a default enterprise policy

Page 13: 50357 a enu-module05

Joining EMS-managed Array

Servers select which primary and secondary EMS to use and which array to join

Page 14: 50357 a enu-module05

Managing Forefront TMG SE from EMS Array

EMS can be used to manage policies for Forefront TMG 2010 Standard Edition (SE) servers

Page 15: 50357 a enu-module05

Forefront TMG Enterprise Deployment Design

- Single, replicated AD LDS database
  - Hosted on two or more EMS replicas
  - Contains one or more arrays of Forefront TMG EE servers
  - Optionally managing Forefront TMG SE servers
- Recommended: one EMS database per organization

Page 16: 50357 a enu-module05

Sample Enterprise TMG Deployment

[Diagram: Corp HQ hosts an EMS with replicated configuration and TMG Management consoles, an EMS array (Web Access), an EMS array (VPN) terminating site-to-site VPNs, and a stand-alone array (Publishing) in the DMZ; a Regional HQ hosts its own EMS replica, TMG Management console and EMS array (Web Access); branch offices with WAN and Internet links, WAN link only, or Internet link only run TMG SE; sites are connected by WAN and by site-to-site VPN over the Internet]

Page 17: 50357 a enu-module05

EMS Design Considerations

- If EMS fails, you cannot monitor the array or manage its configuration
  - Always define at least one EMS replica
- EMS cannot be hosted on array members
- Sample design for EMS high availability:
  - Deploy two EMS servers (one primary, one replica) in one physical site
  - Deploy one EMS server (replica) in other physical sites
  - Use a maximum of 40 arrays or servers per EMS

Page 18: 50357 a enu-module05

Console Design Considerations

- x86 and x64 Management Console
- Requires Windows Server® 2008 or Windows Vista®
- Deployed on administrative workstations
- Requires LAN-speed bandwidth and latency to EMS and array members
  - Otherwise the best option is to use Remote Desktop

Page 19: 50357 a enu-module05

DNS Considerations

- Windows can only use one primary DNS server
- Which to use? ISP DNS servers? Corporate DNS servers?
- Solutions:
  - Use corporate DNS servers and forwarders
  - Host the DNS service locally
    - Use conditional forwarding for internal DNS zones
    - Forward all other queries to ISP DNS servers

Page 20: 50357 a enu-module05

Domain vs. Workgroup

- Workgroup scenarios
  - Unauthenticated inbound and outbound traffic (for example, Secure Mail Relay)
  - Web site publishing using LDAP, RADIUS, or SecurID tokens
  - VPN with RADIUS authentication
  - Outbound Web access using RADIUS
- Deployment considerations
  - Requires certificates on all EMS and array members

Page 21: 50357 a enu-module05

Web Proxy Chaining

- Main scenario: site with no Internet link
- Default rule is to retrieve directly
- Chain all Web requests, or just requests to specific destinations
- Also used for site redirection

Page 22: 50357 a enu-module05

Web Proxy Chaining

Page 23: 50357 a enu-module05

Sample Web Proxy Chaining Design

[Diagram: a Head Quarters TMG array with links to ISP 1 and ISP 2; a Regional HQ TMG array with its own Internet link; a Disaster Recovery site TMG array; a branch office with WAN and Internet link, a branch office with WAN link only (TMG SE), and a small branch office linked to the Regional HQ (TMG SE); the legend distinguishes ISP links, proxy chaining, and client traffic]

Page 24: 50357 a enu-module05

Lesson 2 – Scalability and Availability

Page 25: 50357 a enu-module05

Scalability and Availability

- Service scale out and high availability options
  - Network load balancing
  - Cache Array Routing Protocol (CARP)
- Connectivity high availability through Internet service provider (ISP) redundancy

Page 26: 50357 a enu-module05

Network Load Balancing (NLB)

- Provides high availability at host level
  - When a host is down, its traffic is redirected to the other members of the NLB cluster
- Allows scale out
- Uses client IP instead of cookie for session affinity
  - Works with any IP device
  - Single affinity
- Built-in Windows feature, integrated with Forefront TMG
- Use for:
  - Web proxy (outbound)
  - Web and server publishing (inbound)
  - Remote access through VPN

Page 27: 50357 a enu-module05

Network Load Balancing

[Diagram: clients on the Internet reach an NLB cluster of Host 1, Host 2 and Host 3 through an L2 or L3 switch; NLB hosts share the same MAC address and virtual IP]

1. A client initiates a request to an NLB cluster
2. The network floods the incoming client request
3. One server accepts the client request
4. A response is sent back to the client

Page 28: 50357 a enu-module05

NLB Modes

- Unicast
  - MAC address overwritten with shared MAC
  - Prevents node-to-node communication
  - Not supported on Microsoft Hyper-V™
  - Switch flooding issues
- Multicast
  - Adds multicast MAC address
  - May require ARP table entry at router/L3 switch
- IGMP Multicast
  - Only sends to ports in IGMP group
  - Not RFC-compliant

Page 29: 50357 a enu-module05

Enabling NLB Integration

Page 30: 50357 a enu-module05

Maintaining NLB Settings

Page 31: 50357 a enu-module05

Web Content Caching

- Forward proxy caching
  - Cache objects requested by internal Web proxy clients
- Reverse proxy caching
  - Cache static content from published Web sites
  - Reduces load on Web servers
- Cache rules based on destination only
  - Networks, IP ranges, DNS domains, URLs
- Security support

Page 32: 50357 a enu-module05

Enabling Caching

Define cache drives on array members

Page 33: 50357 a enu-module05

Enabling Caching

Define cache settings

Page 34: 50357 a enu-module05

Cache Array Routing Protocol (CARP)

- Distributed caching algorithm
  - Returns the IP address or host name of the caching server most likely to have a cached copy of the content
  - Per fully qualified domain name (FQDN), not per page
- Allows the implementation of a single, logical cache (scales linearly)
- Implemented using a script that runs client-side or server-side
  - Server-side: allows members of the Forefront TMG array to fetch content from other array members
  - Client-side: allows Web proxy clients to fetch the content directly from the appropriate array member

Page 35: 50357 a enu-module05

Server-side CARP

[Diagram: a client or downstream proxy sends a request to an NLB cluster with CARP enabled (Host 1, Host 2, Host 3) in front of the Internet]

1. Client requests URL
2. NLB hash: Hash(Client IP) = Host 3
3. Host 3 gets CARP hash: Hash(URL) = Host 2
4. Forwards request to Host 2
5. Host 2 gets CARP hash: Hash(URL) = Host 2
6. Checks cache/fetches object
7. Caches object/returns to Host 3
8. Host 3 returns to client

Page 36: 50357 a enu-module05

Client-side CARP

[Diagram: a client or downstream proxy talks directly to the members of an NLB cluster with CARP enabled (Host 1, Host 2, Host 3) in front of the Internet]

1. Client gets WPAD.dat or auto configuration script
2. Client gets CARP hash: Hash(URL) = Host 2
3. Forwards request to Host 2
4. Host 2 gets CARP hash: Hash(URL) = Host 2
5. Checks cache/fetches object
6. Caches object/returns to client

Page 37: 50357 a enu-module05

Enabling CARP

- Server-side:
  - Enable per network
  - CARP exceptions per network
- Client-side:
  - Use the configuration script provided by the array
  - Provided by WPAD or by the Use automatic configuration script option
- Load factor

Page 38: 50357 a enu-module05

CARP and Kerberos

Page 39: 50357 a enu-module05

CARP, NLB, and High Availability

- Client-side CARP is not a high availability solution
  - Browser restart on node failure
- If you need high availability:
  - Enable CARP on the server
  - Configure clients to use the NLB address (disables client-side CARP)
- If you want cache efficiency and performance:
  - Enable CARP on the server
  - Configure clients to use client-side CARP
    - Use WPAD or automatic configuration script

Page 40: 50357 a enu-module05

Internet Service Provider (ISP) Redundancy

- Enables utilizing two ISPs for external connectivity
- Two modes of operation
  - Failover: primary and backup ISP
  - Load balancing and failover: connections distributed between two active ISPs
    - Percentage of connections routed through each ISP
    - Network rules can be used to route subnets through a specific link

Page 41: 50357 a enu-module05

Lesson 3 – Client Configuration

Page 42: 50357 a enu-module05

Client Types

- Web proxy client
  - CERN-compatible browsers/applications
- SecureNAT client
  - Any host supporting IP
- Forefront TMG client
  - Formerly ISA firewall client
  - Windows computers

Page 43: 50357 a enu-module05

Client Comparison

Feature                   | SecureNAT Client                                               | Forefront TMG Client     | Web Proxy Client
--------------------------|----------------------------------------------------------------|--------------------------|--------------------------------
Installation required     | IP routing configuration                                       | Yes                      | Web browser configuration
OS support                | Any OS supporting TCP/IP                                       | Windows only             | Any proxy-aware Web application
Protocol support          | Requires application filters for multiple-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP download
User-level authentication | No                                                             | Yes                      | Yes

Page 44: 50357 a enu-module05

Web Proxy Client Configuration

- Generate configuration
- Discover configuration
  - Automatic configuration script
  - Web Proxy Auto Discovery (WPAD)
  - Static proxy configuration
- Enforce configuration
  - Manual
  - Group policy
  - Forefront TMG client

Page 45: 50357 a enu-module05

Generate Web Proxy Client Configuration

Page 46: 50357 a enu-module05

Discover Web Proxy Configuration: Automatic Configuration Script

- Script maintained by the array: http://<FQDN>/array.dll?Get.Routing.Script
- Configures:
  - Web proxy address and port
  - Site and domain bypass
  - Alternate proxy
  - CARP membership
- Configure via site group policy object (GPO) for roaming clients
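The script the array hands out is a PAC file, and client-side CARP lives inside it. The following is an added example, not the module's or Microsoft's code: a PAC-style FindProxyForURL that applies a site/domain bypass list, then ranks array members with a simplified CARP-style rendezvous hash (constructed here, not TMG's exact implementation) weighted by load factor, and a second function that replays the server-side flow (NLB entry host chosen by client IP, then forwarded to the CARP owner of the FQDN). Member names, ports, load factors and the bypass suffix are made-up sample values.

```javascript
// Added example, not part of the module: a PAC-style script of the kind the
// array serves via array.dll?Get.Routing.Script, using a simplified CARP-style
// rendezvous hash (constructed here, not TMG's exact implementation). Member
// names, ports, load factors and the bypass list are made-up sample values.
const ARRAY_MEMBERS = [
  { host: "tmg1.corp.example", port: 8080, loadFactor: 100 },
  { host: "tmg2.corp.example", port: 8080, loadFactor: 100 },
  { host: "tmg3.corp.example", port: 8080, loadFactor: 50 }, // smaller box
];
const BYPASS_SUFFIXES = [".corp.example"]; // "site and domain bypass" entries

function rotl(x, n) { return ((x << n) | (x >>> (32 - n))) >>> 0; }

// 32-bit CARP-style string hash: h += rotl(h, 19) + charCode
function carpHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) h = (h + rotl(h, 19) + s.charCodeAt(i)) >>> 0;
  return h;
}

// Rank array members for one FQDN: combine the URL hash with each member's
// hash, weight by load factor, highest score first. Hashing the FQDN rather
// than the full URL keeps every page of a site on the same cache member.
function rankMembers(fqdn) {
  const urlHash = carpHash(fqdn.toLowerCase());
  return ARRAY_MEMBERS.map((m) => {
    let c = (urlHash ^ carpHash(m.host)) >>> 0;
    c = (c + Math.imul(c, 0x62531965)) >>> 0;
    c = rotl(c, 21);
    return { member: m, score: c * m.loadFactor };
  }).sort((a, b) => b.score - a.score).map((r) => r.member);
}

// Client-side CARP: the browser is handed the preferred member first. The
// slides note this is not a high availability design (browser restart on
// node failure); clients pointed at the NLB address skip this ranking.
function FindProxyForURL(url, host) {
  for (const s of BYPASS_SUFFIXES) if (host.endsWith(s)) return "DIRECT";
  return rankMembers(host).map((m) => `PROXY ${m.host}:${m.port}`).join("; ");
}

// Server-side CARP flow: NLB picks the entry host from the client IP (single
// affinity, simplified here); that host forwards to the CARP owner of the FQDN.
function nlbEntryHost(ip) { return ARRAY_MEMBERS[carpHash(ip) % ARRAY_MEMBERS.length]; }
function serverSideCarp(clientIp, fqdn) {
  const entry = nlbEntryHost(clientIp);
  const owner = rankMembers(fqdn)[0];
  return { entry: entry.host, owner: owner.host, forwarded: entry !== owner };
}
```

Because the ranking depends only on the FQDN and the member list, every client and every array member computes the same owner, which is what lets the array behave as one logical cache without any shared state.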

Page 47: 50357 a enu-module05

Discover Web Proxy Configuration: Web Proxy Automatic Discovery (WPAD)

- Allows Web clients to autodiscover the Web proxy using DNS or DHCP
  - DNS: client queries for host wpad in each DNS suffix
    - Not location aware
  - DHCP: client queries lease for option 252
    - http://<FQDN>:80/wpad.dat
    - Location aware
- Takes precedence over Automatic Configuration Script
- Can be enabled via GPO

Page 48: 50357 a enu-module05

Discover Web Proxy Configuration: Static Proxy Configuration

- Configurable via GPO
- Best option with NLB or other load balancing solutions
- Supported by all platforms
- Limitations:
  - Disables client-side CARP
  - If NLB is used, clients use NTLM authentication
  - Cannot define alternate proxy

Page 49: 50357 a enu-module05

Enforce Configuration

- Manual browser configuration
  - Can be scripted
- Active Directory GPO
  - Restricted to domain members
  - Defined per domain, site or organizational unit (OU)
- Forefront TMG Client
  - Client configures browser settings

Page 50: 50357 a enu-module05

SecureNAT Clients

- Only requires proper routing
- Clients perform DNS resolution
- Limitations:
  - No user information passed
  - No support for secondary connections (without application filter)
- Use for:
  - Non-Web protocols
  - Simple, unauthenticated protocols
  - Non-Windows systems

Page 51: 50357 a enu-module05

Enhanced NAT

- Specify the IP used for NAT from source to destination network
  - Solves issues with SMTP Sender Policy Framework and other IP-based authorization policies
- Web proxy and NAT-based access rules only
- Overrides ISP redundancy load balancing mode

Page 52: 50357 a enu-module05

Forefront TMG Client

- Formerly known as ISA Firewall client
- Supports all WinSock-based applications
  - FwcWsp.dll registered with WinSock protocol stack
  - FwcWsp tracks all WinSock calls
  - All remote TCP calls sent to FWC listener (TCP 1745)
  - User information passed on all requests
- Use for:
  - User-based access authentication to non-Web protocols
  - Complex protocols with secondary connections

Page 53: 50357 a enu-module05

Forefront TMG Client Discovery

- Secure discovery using Active Directory, with fallback to DHCP and DNS
- Secure discovery uses AD to store discovery information for domain members
  - Forefront TMG client and Web proxy discovery
  - Allows global and site-specific markers
  - Configured using TmgAdConfig.exe:

    TmgAdConfig add -site <Site> -type <winsock|webproxy> -url <URL>

Page 54: 50357 a enu-module05

Server-side Configuration

Domains and Addresses tabs determine routing

Page 55: 50357 a enu-module05

Client-side Configuration Settings

- Client settings stored in the following files:
  - Management.ini
  - Common.ini
  - Application.ini
- Client settings defined in the console are delivered to the client during restart, and then every six hours
  - Manual refresh also possible

Page 56: 50357 a enu-module05

Client-side Configuration

Users can use the client to configure HTTPS Inspection notifications and Automatic Detection options

Page 57: 50357 a enu-module05

Lesson 4 – Migration Options

Page 58: 50357 a enu-module05

Migration from ISA Server to Forefront TMG

- ISA Server 2004/2006 settings can be exported to a file and then imported on Forefront TMG SE or EE
  - Export confidential information option must be set
- ISA Server EE can be migrated to Forefront TMG EMS
- No in-place upgrade option
  - ISA Server x86 only, Forefront TMG x64 only
- Migration paths:
  - ISA Server SE -> Forefront TMG SE, or Forefront TMG EE stand-alone server
  - ISA Server EE -> Forefront TMG EMS

Page 59: 50357 a enu-module05

Upgrading from Forefront TMG SE to EE

- Simply select the Upgrade to Enterprise Edition option in the System Properties
- Enter the Forefront TMG 2010 Enterprise Edition product key
- No need to rerun setup

Page 60: 50357 a enu-module05

Questions

Page 61: 50357 a enu-module05

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.