Forefront Threat Management Gateway 3/31/2017 1:22 AM Forefront Threat Management Gateway Stanislas Quastana, CISSP Architecte Infrastructure (et super fan d’ISA Server depuis Proxy 2.0 ) Microsoft France http://blogs.technet.com/stanislas © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda Présentation de la nouvelle génération ISA 3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda Présentation de la nouvelle génération ISA 3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Un peu d’histoire 2004 2006 2007 2008 2009 Passerelle d’accès sécurisée Protection contre les menaces en ligne Plateforme universelle d’accès distants aux applications (Web et C/S)

Objectifs de Forefront TMG Contrôler les accès entrant et sortant au niveau du périmètre de votre réseau Protéger les utilisateurs lors de la navigation sur le Web Protéger les infrastructures de messagerie Protéger les machines contre les exploits au travers du réseau Faciliter l’administration et le déploiement

Scénarios de déploiement Passerelle sécurisée pour le Web Proxy authentifiant / pare-feu multicouches Anti-virus HTTP et filtrage d’URLs Inspection du trafic HTTP et HTTPS Passerelle d’accès distant VPN nomade VPN Site à site Publication Web sécurisée Relais de messagerie sécurisé Anti Spam Anti Virus Filtrage du contenu des courriers Unified Threat Management (UTM) Solution tout en 1 pour les moyennes entreprises ou les réseaux d’agences Pare-feu, VPN, Web sécurisé, NIS, relais SMTP sécurisé

Agenda Présentation de la nouvelle génération ISA 3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Déploiement et administration Pré-requis d’installation Windows Server 2008 64 bit PowerShell, .Net Framework 3.5, MSMQ Assistant de démarrage (configuration initiale) Interface orientée tâches Gestion centralisée de la configuration (groupe de serveurs) Amélioration de la journalisation et des rapports

Aperçu de la console Forefront TMG 3/31/2017 1:22 AM Administration demo Aperçu de la console Forefront TMG © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Protection des clients Web Analyse anti logiciels malveillants Analyse des fichiers téléchargés Paramétrage de l’analyse global ou par règle Filtrage d’URLs Catégories d’URL et exclusions Inspection du trafic sortant HTTPS Filtrage d’URLs, analyse AV et protection IPS Zone d’administration dédiée au contrôle des accès Web sortants

Protection des clients Web Analyse anti-logiciels malveillants Moteur antivirus de Microsoft 3 scénarios d’analyse Régulier : analyse du contenu avant délivrance Si le temps d’inspection prend moins de X secondes Si le temps d’inspection dépasse X secondes Page HTML avec barre de progression de l’analyse Pour les exécutables et certains types de fichiers Envoi de contenu partiel (Trickling) D’infimes morceaux de données (sains) sont envoyés au client jusqu’à ce que l’inspection complète du fichier soit finie

demo Accès Web sécurisés Analyse AV 3/31/2017 1:22 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Protection des clients Web Le cas du trafic HTTPS sortant Une fois la session SSL établie, les proxies ou les pare-feu sont incapables de voir les données échangées. De nombreuses logiciels utilisent cette solution Outlook 2003/2007 (RPC over HTTPS) Terminal Server (via la passerelle TS) Messageries instantanées Clients VPN SSL Logiciels P2P….

Pourquoi un simple pare-feu réseau est parfois inefficace ? P2P MS RPC… HTTP(S) HTTP, https, FTP… IM, P2P, MS RPC… IM, P2P, MS RPC… http, https, FTP Internet Pare feu réseau Client

Protection des clients Web Inspection du trafic HTTPS sortant Comment réduire le risque induit par ces échanges non contrôlés ? Limiter les accès HTTPS sortants via des listes blanches Bloquer les requêtes dans la phase de négociation Déchiffrer le SSL en sortie au niveau du proxy/pare feu (Man In The Middle). Concept intéressant en terme de sécurité mais pas vraiment en terme de confidentialité… … on va en discuter car Forefront TMG fonctionne sur ce modèle  

Forefront TMG et les flux SSL Analyse HTTP (URL, entêtes, contenu, antivirus…) & Inspection SSL IM P2P MS RPC… HTTPS IM, P2P, MS RPC… Internet Forefront TMG Client

demo Accès Web sécurisés Inspection SSL 3/31/2017 1:22 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Protection de la messagerie électronique Hygiène complète des flux SMTP Anti-virus multi moteurs (5 à choisir parmi 8) Anti-spam/ Anti-Phishing Filtrage de contenu Grâce à l’intégration de Exchange Server 2007 en rôle Edge Forefront Security for Exchange Protège tout type de serveur SMTP

Protection de la messagerie demo Paramétrage © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Prévention des intrusions réseaux Détection et prévention des attaques sur des vulnérabilités connues Permet de “fermer la fenêtre” le temps nécessaire aux tests et au déploiement des correctifs de sécurité Forefront Network Inspection System (NIS) Basé sur GAPA provenant de Microsoft Research Generic Application Level Protocol Analyzer Basé sur des signatures de vulnérabilités Mise à jour via Microsoft Update

Intrusion Prevention System 3/31/2017 1:22 AM Intrusion Prevention System demo © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Améliorations du pare-feu Filtrage SIP Redondance des connexions Internet (2 FAI) NAT « avancé »  Nouveau client pare-feu Découverte automatique et sécurisée avec utilisation Active Directory

Améliorations du pare-feu Filtrage SIP Local IP PBX support SIP messages quota protection Support de SIP trunk

Améliorations du pare-feu Redondance des connexions FAI 2 options d’utilisation : Tolérance de panne Agrégation de liens Uniquement pour le trafic sortant Trafic réseau « NATé » par Forefront TMG pour le réseau Externe

Redondance / Aggrégation FAI 3/31/2017 1:22 AM Redondance / Aggrégation FAI démo Ou presque ;-) © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Améliorations du VPN nomade Support de Network Access Protection Mise en conformité et quarantaine Support des nouveaux algorithmes (AES…) Support de SSTP Avec un peu de chance, on peut espérer celui de IKEv2 (VPN Reconnect) disponible dans Windows Server 2008 R2 combiné à Windows 7  si ce n’est pas dans la version RTM de Forefront TMG, ça pourrait arriver avec le premier Service Pack

Agenda Présentation de la nouvelle génération ISA 3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Forefront Stirling Administration / Supervision Remontée et partage d’informations Réponse dynamique Protection des postes et serveurs Protection des applications serveurs Protection du périmètre « v2 »

Intégration de TMG avec Stirling Intégration à la suite de sécurité Supervision au travers de System Center Operation Manager Remontée des incidents Participation dynamique à la protection globale Stratégies de réponse et de remède

Agenda Présentation de la nouvelle génération ISA 3/31/2017 1:22 AM Agenda Présentation de la nouvelle génération ISA Introduction Nouvelles fonctionnalités Déploiement et administration Protection des clients Web Protection de la messagerie Prévention des intrusions Améliorations du Pare-feu Forefront TMG et Forefront Stirling Synthèse Ressources utiles © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Tableau récapitulatif des fonctions ISA 2006 TMG dans EBS* Forefront TMG * “EBS” = Windows Essential Business Server Pare feu réseau    Pare- feu applicatif    Protection des accès Internet (Proxy)    Publication basique Web    Exchange publishing (RPC over HTTP)    IPSec VPN (remote & site-to-site)       Web caching, HTTP compression Windows Server 2008, 64-Bit (only)   Nouveau Web anti-virus, anti malware   Nouveau Nouveau URL filtering  Nouveau Email anti-malware, anti-spam  Nouveau Network intrusion prevention  Nouveau Integration with codename “Stirling”  Nouveau Enhanced UI, management, reporting  Nouveau  Nouveau

Synthèse des nouveautés Pare-feu VoIP traversal (SIP) NAT « avancé » Redondance des connexions FAI Accès Web sécurisés Anti-virus/spyware HTTP(s) Filtrage d’URLs Inspection https sortant Protection messagerie Intégration d’Exchange Edge/FSE Anti-virus Anti-spam Prévention des intrusions Intrusion Prevention System Security Assessment and Response (SAS) Accès distants VPN avec support de Network Access Protection (NAP) SSTP Déploiement et admin. W2K8, 64-bit natif Assistants adaptés aux scénarios Amélioration des journaux et des rapports Abonnement Services Update Center : HTTP: AV+ Filtrage d’URLs Email: AV+Anti-Spam Signatures NIS

Ressources utiles Blog de Stanislas http://blogs.technet.com/stanislas Dans ce blog, cliquez Forefront TMG / Threat Management Gateway dans la zone de tags pour accéder à toutes les informations complémentaires et les liens vers les documents de références.

Save the date for tech·days next year! 3/31/2017 1:22 AM Save the date for tech·days next year! 14 – 15 avril 2010, CICG © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Premium Sponsoring Partners 3/31/2017 1:22 AM Premium Sponsoring Partners Classic Sponsoring Partners © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3/31/2017 1:22 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.