Extending ForeFront beyond the limit
www.AGATSolutions.com
AGAT Security suite - introduction
AGAT Security suite is a set of unique components that extend Forefront (ISA/TMG, IAG/UAG) functionality to solve complex architectures and requirements, typically implemented in large, complex and well secured networks.
To learn more about our solutions please visit our website at http://www.agatSolutions.com
Main Filter list
ActiveSync
AG Authentication Relay
AG Remote Cert Auth
AG SSO
AG Multiplexer
AG Access Controller
Secured File Upload
AG Active Sync Filter
AG ActiveSync - introduction
ActiveSync is a data protocol used to synchronize end user devices with Exchange server.
More and more companies encourage their employees to work with their own mobile devices, implementing a Bring Your Own (BYO) strategy to save money and improve efficiency.
From a security point of view, however, smartphones are in fact mini computers and should be treated as a potential threat.
AG ActiveSync - requirement
Typically the Exchange server is published using ISA/TMG or IAG/UAG.
Organizations need to control the content published to the client (e.g. iPhone, Windows Mobile) to ensure that it is compatible with the device security level requirements.
AG ActiveSync filter solution
AG ActiveSync Filter is a solution for controlling who can sync and what is synced when users connect to Exchange server with mobile devices.
The ActiveSync filter allows configuring publishing rules according to device type and Exchange objects (mail, events, tasks and contacts).
In addition, the filter can block publishing of attachments and can perform content filtering.
AG ActiveSync - Architecture
AG ActiveSync filter features
Managing filter rule configuration by device type (iPhone, Windows Mobile etc.).
Allowing or blocking by DeviceType (specific phones) or DeviceID (specific users).
Allowing or blocking Sync of the following objects: mail messages, contacts, tasks and calendar events.
Allowing or blocking Sync of attachments in mail messages or events.
Filtering by words in the subject of mail and calendar events.
Allowing meeting requests to be published even when mail is blocked.
Filtering by the sender's domain name.
Optional authentication manager add-on solution.
Supports ActiveSync 4.5.
AG Active Sync - Use cases
When publishing Exchange data via IAG / UAG or ISA / TMG to mobile devices and there are security requirements to block documents / attachments from syncing to mobile clients.
A need to block class types (mail, task, contact or event) from being synchronized.
Blocking mails or events by words in content.
Restricting less secured phones from syncing mails/attachments.
Blocking internal mails from being synced.
AG ActiveSync Authentication Manager
AG ActiveSync Authentication Manager - General description
The Authentication Manager is a solution for identifying users who use ActiveSync without Active Directory.
It is needed when there is no Active Directory user name and password management (such environments typically use certificate authentication).
The solution forces ActiveSync to authenticate against the manager instead of Active Directory.
AG Authentication Manager - Architecture
AG Authentication Manager - Features
Strong security level solution with something you have and something you know.
Zero client installation.
Create user name and password.
Change mobile device by user.
Change password by user.
User management.
Configuration of user name and password policy.
The solution is an optional add-on to the AG ActiveSync filter.
AG Authentication Relay
AG Authentication Relay - General description
The Authentication Relay filter allows users to authenticate using a digital certificate when the application is protected by more than one ForeFront server in a cross domain architecture.
The solution does not require any domain trust relationship between the front and back domains.
AG Authentication Relay (cont)
The solution is based on two web filters:
In the front server, the Relay filter signs the user's name (after the user has been authenticated by ISA) together with a time stamp and submits the signed data in the request header.
In the back server, the Consumer filter verifies that the message was received from the front ISA and then performs the authentication to the required application.
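The two-filter exchange described above, sketched as an added example that is not AGAT's code. The page does not say how the data is signed, so this sketch assumes an HMAC-SHA256 over a key shared by both servers; the header name, the 60-second validity window and the sample user are also assumptions.

```python
import base64
import hashlib
import hmac
import time

HEADER = "X-Relay-Identity"  # hypothetical header name, not from the product
MAX_SKEW = 60                # seconds a signed assertion stays valid (assumed)


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def relay_sign(key: bytes, user: str, now: int = None) -> str:
    """Front server: sign user name + time stamp once the user is authenticated."""
    now = int(time.time()) if now is None else now
    payload = f"{b64(user.encode('utf-8'))}.{now}"
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def consumer_verify(key: bytes, headers: list, now: int = None) -> str:
    """Back server: return the relayed user name or raise ValueError."""
    now = int(time.time()) if now is None else now
    # A second copy of the header means something other than the front
    # server supplied one; the front filter should also strip inbound copies.
    values = [v for k, v in headers if k.lower() == HEADER.lower()]
    if len(values) != 1:
        raise ValueError("missing or duplicated relay header")
    parts = values[0].split(".")
    if len(parts) != 3:
        raise ValueError("malformed relay header")
    user_b64, ts, tag = parts
    expected = hmac.new(key, f"{user_b64}.{ts}".encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # Check the signature before trusting any field, in constant time.
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        raise ValueError("bad signature")
    if abs(now - int(ts)) > MAX_SKEW:
        raise ValueError("stale time stamp")
    return base64.urlsafe_b64decode(user_b64).decode("utf-8")


if __name__ == "__main__":
    shared_key = b"constructed-demo-key-not-for-use"  # constructed sample key
    value = relay_sign(shared_key, "FRONT\\alice")    # constructed sample user
    print(consumer_verify(shared_key, [(HEADER, value)]))
```

The time stamp only narrows the window in which a captured header can be reused; it does not stop reuse inside that window.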
AG Authentication Relay (cont)
Architecture
Option A - Basic Authentication Relay
AG Authentication Relay (cont)
Architecture
Option B - Strong Authentication Relay
AG Authentication Relay - Use cases
When more than one ISA is protecting the application and smart card authentication is needed.
When there is a single front end ISA in the external domain protecting several sub-networks that are using ISA.
Typically when using IAG as a gateway and several ISA servers are protecting the internal domains.
When you need the client's certificate at the back end of a multiple ISA architecture.
AG Remote Cert Auth
AG Remote Cert Auth - Description
Enables certificate authentication using an LDAP that is not in the same domain as the ISA server.
AG Remote Cert Auth - Use cases
When users are using smart cards to log in and the LDAP is in a different domain than the ISA.
Typically when the organization is securing the LDAP / Active Directory in a separate domain from the ISA.
AG SSO
AG SSO - Description
Adds the user certificate and LDAP properties to the request header for application authentication.
AG SSO - Use cases
When your web application is not configured to use Windows authentication and user identity is needed.
When properties from LDAP are needed for the application.
When you need to pass the client certificate to your internal IIS.
AG Multiplexer
AG Multiplexer - Description
Enables transmitting the user's request via a single point of access to several internal destinations according to the user's organization unit or group.
Automatically generates a menu page listing all accessible URLs.
AG Multiplexer - Use cases
When you need to provide a single point of access for all users to browse to different web applications.
When users need to be routed according to their location in the Organization Unit (OU) or Group.
Typically when the network is divided into several subnets/domains managed separately.
To avoid publishing many internal sites.
AG Access Controller
AG Access Controller - Description
The filter extends the ISA web publishing rule system with additional criteria.
Supports configuring the web publishing rules based on user OU or Group.
Enables working with an LDAP server that is not in the same domain as the ISA/IAG.
AG Access Controller - SSL VPN
Allows filtering users that use SSL VPN.
Enables identifying the user in SSL VPN in order to prevent anonymous requests entering the firewall.
AG Secured File Upload
AG Secured File Upload - Description
Fast file content verification.
Verify that the extension of the file matches the file content.
Pass file to antivirus to check virus in content.
Block dangerous content before reaching internal site.
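One way to check that a file's extension matches its content before it is handed to antivirus, as an added example that is not the product's code. The allow list, the signature table and the Office container check are assumptions chosen for illustration.

```python
import io
import os
import zipfile

# Leading-byte signatures for a small set of types (constructed for this example).
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "zip": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}
# Extension -> content type it must carry; OOXML documents are ZIP containers.
ALLOWED = {".pdf": "pdf", ".png": "png", ".jpg": "jpg", ".jpeg": "jpg",
           ".gif": "gif", ".docx": "zip", ".xlsx": "zip"}


def sniff(data: bytes) -> str:
    """Return the content type named by the leading bytes, or 'unknown'."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (allowed, reason); only allowed files go on to antivirus."""
    # Only the final extension counts, so "photo.jpg.exe" is judged as ".exe".
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not on allow list"
    kind = sniff(data)
    if kind != ALLOWED[ext]:
        return False, f"content is {kind}, extension claims {ALLOWED[ext]}"
    if kind == "zip":
        # A .docx/.xlsx must be a readable ZIP carrying the OOXML manifest.
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return False, "corrupt ZIP container"
        if "[Content_Types].xml" not in names:
            return False, "ZIP container is not an Office document"
    return True, "extension matches content"
```

A matching signature only shows that the file starts like the claimed type, which is why the antivirus and content-blocking steps still follow it.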
END
See more filters available on http://www.agatsolutions.com