
iSPACE VOCATIONAL COLLEGE

240 Võ Văn Ngân, Bình Thọ Ward, Thủ Đức District, Ho Chi Minh City

Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

BUILDING A SECURITY SOLUTION BASED ON
MICROSOFT FOREFRONT TMG 2010
FOR D.M.A COMPUTER TECHNOLOGY
TRADING AND SERVICES JOINT STOCK COMPANY

_____________________________________________________________________________________
Ispace IT Vocational College, Faculty of IT, Graduation project
Page 2


ACKNOWLEDGEMENTS

Today we can say that information technology is an indispensable component of the development of society, thanks to the superior features and capabilities it brings; the clearest example is the growth of wide-area networks, which has created a new technological revolution in the development of society. Alongside the positive side there is always the appearance of the negative: many hackers exploit the growth of network systems to sabotage the development of businesses and governments. For that reason many seminars and workshops on network security have been held in order to find optimal solutions for protecting such network systems. In this project we introduce a security solution for the enterprise network, based on the knowledge we have studied and on further, more advanced research. We propose security solutions built on Microsoft's software firewall platform, Microsoft Forefront Threat Management Gateway (TMG) 2010, for D.M.A Computer Technology Trading and Services Joint Stock Company.

To complete this project well, we sincerely thank the management board of the Ispace IT Vocational College and all the lecturers who created favourable conditions for us and taught us enthusiastically throughout the past study period, so that we could study well and achieve the results we have today. We also sincerely thank our advisor, Mr. Nguyn Siu ng, for his dedicated guidance on this project, and we thank the members of a number of websites and forums who provided additional useful information that helped us carry out this project well.

Because of the scope of the project and our limited time and knowledge, mistakes are unavoidable. Our group respectfully hopes that the teachers and our fellow students will contribute their opinions so that we can consolidate, supplement and further complete our knowledge.

Respectfully.


PREFACE

In recent years our society has been undergoing many changes, many new development trends, and outstanding advances in every branch of industry as well as agriculture. Much of this is due to the active contribution of the modern sciences, most notably the telecommunications and informatics fields.

The advent of computer networks and their applications has created many new foundations for future development: shortening the distance between countries around the globe and facilitating connections between businesses at home and abroad. However, this is also a great challenge for every business that wants to survive and grow in the networked space.

Along with businesses' need for information security, many security applications, deployed in many forms to preserve the integrity of business information, have appeared. For example: Cisco protects the enterprise network through the network hardware infrastructure supplied by Cisco. ISA (Internet Security and Acceleration) Server is a network protection application based on a layered network model and packet filtering, supplied by Microsoft.

In the face of relentless attacks, network security applications are a fairly solid shield for the enterprise network. Enterprise network security applications are also the topic our group chose and discusses together: applying Microsoft Forefront TMG 2010 to enterprise network security.

After ISA Server 2006, Microsoft stopped developing that program and officially launched a new product, Microsoft Forefront Threat Management Gateway (Forefront TMG). This is a significant improvement on Microsoft's part, and Forefront TMG is in fact the integrated version of:

- Internet Security and Acceleration Server (ISA)
- Forefront Client Security
- Forefront Security for Exchange Server
- Forefront Security for SharePoint

Because it is a later product that inherits the best of the applications above, Forefront TMG is able to:

- Protect the system more comprehensively
- Prevent virus and malware infections broadly and effectively

Although it arrived later, Microsoft Forefront Threat Management Gateway 2010 soon established its position. Clearly, many businesses are now investigating and applying Microsoft Forefront TMG 2010 in their own network models.


COMMENTS FROM THE COMPANY




COMMENTS FROM THE SUPERVISING LECTURER




MC LC
LI CM N ...................................................................................................................................... 3
LI NI U ..................................................................................................................................... 4
NHN XT CA DOANH NGHIP ......................................................................................................... 5
NHN XT CA GING VIN HNG DN ........................................................................................... 6
MC LC ........................................................................................................................................... 7
I.

GII THIU TNG QUAN .......................................................................................................... 13


1.

TNG QUAN V FOREFRONT TMG 2010 ................................................................................. 13

2.

LCH S, QU TRNH PHT TRIN CA FOREFRONT TMG 2010 .............................................. 15


2.1.

Lch s .......................................................................................................................... 15

2.2.

Qu trnh pht trin: ...................................................................................................... 16

3.

PRICE V LICENSE CA TNG PHIN BN FOREFRONT 2010.................................................. 17

4.

CC TNH NNG CA TMG 2010 ............................................................................................ 18

5.

II.

4.1.

Cc chc nng chnh ...................................................................................................... 18

4.2.

Cc tnh nng ni bt ca TMG 2010 ............................................................................... 18

4.3.

System Requirement ...................................................................................................... 20

CC M HNH FIREWALL ....................................................................................................... 21


5.1.

Network template. ......................................................................................................... 21

5.2.

Cu hnh cc thit lp mng ........................................................................................... 22

5.2.1.

Edge Firewall ............................................................................................................. 22

5.2.2.

3-Leg Perimeter ......................................................................................................... 22

5.2.3.

Back Firewall .............................................................................................................. 23

5.2.4.

Single Network Adapter .............................................................................................. 23

NHNG TNH NNG MI CA FOREFRONT TMG 2010 ............................................................ 25


1.

GII THIU TMG .................................................................................................................. 25

2.

GIAO DIN QUN L ............................................................................................................. 26

3.

CC TNH NNG MI ............................................................................................................ 27

4.

S KHC NHAU GIA TMG V UAG L G? ............................................................................. 33


4.1.

Vic kch hot truy cp t bt c ni no ........................................................................ 33

4.2.

Nhng im mi trong UAG ............................................................................................ 34

4.3.

Thit k mng bo v .................................................................................................... 35

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 7

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

4.3.1.

Trin khai UAG ........................................................................................................... 35

4.3.2.

Trin khai TMG? ......................................................................................................... 36

4.3.2.1.

Edge Firewall .......................................................................................................... 37

4.3.2.2.

3-Leg perimeter ...................................................................................................... 38

4.3.2.3.

Back Firewall .......................................................................................................... 39

4.3.2.4.

Single-NIC .............................................................................................................. 39

5.

YU CU H THNG ............................................................................................................. 40
5.1.

Yu cu phn cng: ....................................................................................................... 40

5.2.

Yu cu Phn mm ........................................................................................................ 41

5.3.

H tng mng ................................................................................................................ 42

5.3.1.

Tn phn gii ............................................................................................................. 42

5.3.2.

Xc thc .................................................................................................................... 43

5.4.

Trin khai trong cc mi trng o ................................................................................. 44

6.

PHN TCH YU CU MNG ................................................................................................... 44

7.

XC NH H S TRAFFIC .................................................................................................... 44
7.1.

Bn mng ................................................................................................................. 45

7.2.

Bn ng dng ........................................................................................................... 45

8.

GII QUYT CC MNG PHC TP ........................................................................................ 49

9.

DNS TRONG TMG .................................................................................................................. 49


9.1.

H thng gii quyt tn phn gii nh th no ? .............................................................. 50

9.1.1.

Edge hoc Perimeter trong Workgroup ........................................................................ 51

9.1.2.

Edge hoc Perimeter trong Domain ............................................................................. 53

9.2.

nh hng ca DNS ....................................................................................................... 53

9.3.

DNS Cache trong TMG .................................................................................................... 53

10.

CHN NETWORK TEMPLATE .............................................................................................. 54

10.1.

Edge Firewall Template............................................................................................... 54

10.2.

3-Leg Perimeter mng Template ................................................................................. 55

10.3.

Back Firewall Template ............................................................................................... 56

10.4.

Single NIC Template ................................................................................................... 57

10.5.

Join Firewall TMG vo Domain hoc Workgroup ........................................................... 59

11.

Di tr TMG ........................................................................................................................ 60

12.

CC LOI TMG CLIENT ...................................................................................................... 61

12.1.

Web Proxy Client ........................................................................................................ 61

12.2.

Web Proxy Client lm vic nh th no? ...................................................................... 62

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 8

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

12.3.

Cu hnh Server-Side .................................................................................................. 64

12.4.

S dng Web Proxy Client .......................................................................................... 65

12.5.

SecureNET Clients ...................................................................................................... 66

12.6.

SecureNet Client lm vic nh th no? ....................................................................... 67

12.7.

SecureNet Client advantages ....................................................................................... 68

12.8.

SecureNet Client Disadvantages .................................................................................. 68

12.9.

Forefront TMG Client .................................................................................................. 69

13.

GIAO DIN TMG ................................................................................................................ 72

13.1.

TMG 2010 .................................................................................................................. 72

13.2.

Monitoring ................................................................................................................. 73

13.3.

Firewall policy ............................................................................................................ 73

13.4.

Chnh sch Web Access .............................................................................................. 74

13.5.

E-Mail Policy............................................................................................................... 74

13.6.

Intrusion Prevention System ....................................................................................... 76

14.

NEW WIZARDS .................................................................................................................. 79

14.1.

The Getting Started Wizard ......................................................................................... 79

14.2.

Network Setup Wizard ................................................................................................ 80

14.3.

System Configuration Wizard ...................................................................................... 81

14.4.

Deployment Wizard .................................................................................................... 81

14.5.

The Web Access Policy Wizard .................................................................................... 82

14.6.

The Join Array and Disjoin Array Wizards (TMG 2010 only) ........................................... 82

14.7.

The Connect to Forefront Protection Manager 2010 Wizard (TMG 2010 only) ................. 83

14.8.

The Configure SIP Wizard (TMG 2010 only) ................................................................. 83

14.9.

The Configure E-Mail Policy Wizard (TMG 2010 only) .................................................... 84

14.10.

The Enable ISP Redundancy Wizard (TMG 2010 only)................................................... 84

15.

CU HNH TMG NETWORKS ............................................................................................... 84

15.1.

Route Relationships .................................................................................................... 84

15.2.

NAT Relationships ...................................................................................................... 85

15.3.

Mng Rules ................................................................................................................ 88

15.4.

Built-In Mng ............................................................................................................. 89

15.5.

Cu hnh mng c bo v ca bn ........................................................................... 91

15.6.

Chng thc Traffic t mng c bo v ..................................................................... 92

16.

CN BNG TI .................................................................................................................. 93

16.1.

ISP Redundancy l g? ................................................................................................ 93

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 9

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

16.2.

Enabling ISP-R ........................................................................................................... 93

16.3.

NLB Kin trc ............................................................................................................. 94

16.4.

S dng TMG Management Console ............................................................................ 95

17.

NETWORK INSPECTION SYSTEM ........................................................................................ 96

17.1.

Thc hin kim tra h thng mng .............................................................................. 97

17.2.

Cc kiu tn cng ....................................................................................................... 99

18.

CACHING ........................................................................................................................ 100

18.1.

Hiu bit v cache Proxy ........................................................................................... 100

18.2.

Cng vic Caching nh th no? ............................................................................... 100

19.

MALWARE INSPECTION ................................................................................................... 102

19.1.

Tm hiu v Inspection Malware trong TMG ............................................................... 102

19.2.

Cc ty chnh trong Malware Inspection .................................................................... 104

19.2.1.

Inspection Settings ................................................................................................... 104

19.2.2.

Content Delivery....................................................................................................... 105

19.2.3.

Storage.................................................................................................................... 106

19.2.4.

Update Configuration ................................................................................................ 106

19.2.5.

License .................................................................................................................... 107

19.3.

URL Filtering ............................................................................................................ 108

19.3.1.

How URL Filtering Works .......................................................................................... 108

19.3.2.

Cc thnh phn Tham gia trong URL Filtering ............................................................ 111

19.4.

E-Mail Protection ...................................................................................................... 112

20.

HTTP AND HTTPS INSPECTION TRONG NG DNG LC WEB PROXY ................................ 114

21.

PUBLISHING SERVERS ..................................................................................................... 115

21.1.

Lm th no Publish mt my ch Web? ............................................................... 115

21.2.

Publishing a Web Server Using HTTPS ....................................................................... 115

21.3.

Installing Certificates on TMG .................................................................................... 116

21.4.

Creating an https Web Listener ................................................................................. 122

21.5.

Creating a Secure Web publishing rule ....................................................................... 126

22.

REMOTE ACCESS ............................................................................................................. 131

22.1.

khi nim VPN.......................................................................................................... 131

22.1.1.

Tunnel types ............................................................................................................ 132

22.1.2.

Protocols.................................................................................................................. 132

22.1.2.1.

point-to-point tunneling protocol (pptp) ................................................................. 132

22.1.2.2.

Layer-two tunneling protocol Over Ipsec (L2tp/Ipsec) ............................................. 133

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 10

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

22.1.2.3. Secure Socket Tunneling Protocol (SSTP) ..... 133
22.1.2.4. Authentication ..... 133
22.1.3. Comparison of VPN technologies ..... 135
22.1.4. NAP integration ..... 136
23. Introduction to UAG DirectAccess ..... 137
23.1. How does DirectAccess work? ..... 137
23.2. DirectAccess client connection ..... 138
III. PROJECT CONTENT ANALYSIS ..... 141
1. PROJECT REQUIREMENTS SURVEY ..... 141
1.1. Project scenario ..... 141
1.2. Logical network model at the head office ..... 142
1.3. Detailed logical diagram ..... 143
1.4. Company organization chart ..... 143
1.5. Requirements of D.M.A ..... 144
2. PROPOSED SOLUTION ..... 144
2.1. New features ..... 144
2.2. Core features ..... 149
I. Server Publishing: securing access to the servers of the internal system ..... 149
II. Virtual Private Networking (VPN) (supporting mobile users and efficient work; supporting secure site-to-site connections over VPN through the Internet) ..... 150
III. Management features ..... 151
IV. Monitoring and Reporting ..... 151
3. EQUIPMENT LIST ..... 153
3.1. Server list ..... 153
3.2. Recommended hardware configuration for the Forefront TMG machine ..... 153
3.3. Equipment quotation ..... 154
IV. IMPLEMENTATION ..... 155
1. Installing Forefront TMG 2010 ..... 155
2. Configuring the 3-Leg Perimeter network model ..... 157
3. Configuring Access Rules ..... 161
3.1. Web Access ..... 161
3.2. DNS Query ..... 166
3.3. Malware Inspection ..... 169
3.4. HTTPS Inspection ..... 173
3.5. Caching (web access acceleration) ..... 179


3.6. URL Filtering ..... 185
3.7. DMZ join Domain ..... 186
4. Configuring the Network Inspection System (NIS) ..... 190
5. Configuring site-to-site VPN ..... 196
6. Configuring client-to-site VPN ..... 203
7. Configuring Intrusion Detection ..... 207
8. Securing the operating system with Forefront Client Security ..... 209
9. Configuring Forefront Unified Access Gateway 2010 ..... 214
10. Securing the Exchange server ..... 220
11. Configuring ISP Redundancy (load balancing) ..... 222
12. Performing backup and restore ..... 226
V. EVALUATION AND FUTURE DIRECTIONS ..... 233
1. PROJECT EVALUATION ..... 233
1.1. Applicability and extensibility ..... 233
1.1.1. Applicability of Forefront ..... 233
1.1.2. Extensibility of Forefront ..... 234
1.2. Addressing the remaining limitations ..... 234
1.3. Limitations of the current solution ..... 235
1.3.1. Hardware configuration ..... 235
1.3.2. Infrastructure services ..... 236
1.3.3. Networking ..... 236
VI. REFERENCES ..... 240
VII. APPENDIX ..... 241


I.

GENERAL INTRODUCTION

1. OVERVIEW OF FOREFRONT TMG 2010

Figure I.1.1 - Forefront Threat Management Gateway

According to Stefan Tanase, senior security researcher at Kaspersky Lab, all organizations, and even individuals, worldwide face a common threat from malware able to break into systems and steal data.

This threat is still not assessed at its true level of danger. For ordinary computer users, attackers typically target personal information such as passwords, bank account details, credit card numbers and private documents. For larger organizations, from small businesses and corporations to government agencies, the leakage of internal company documents, financial information or national security information can cause huge economic and political losses. Data-stealing malware includes trojans that tamper with online banking transactions, password-stealing trojans and spyware trojans. These threats grew at a dizzying rate of 87% over the past year, and spyware in particular grew by 135%.
According to Raymond Goh, Regional Technical Director for South-East Asia, in charge of systems engineering and customer consulting services at Symantec, the network security situation in 2011 still revolves around the five main attack trends of 2010, but at a larger scale and with much greater complexity and sophistication: targeted attacks continue to flourish, social networks and social engineering are used to break into systems, attack toolkits are increasing sharply, attackers stay hidden and wait for opportunities to strike, and threats from mobile devices are rising sharply.


Figure I.1.2 - Chart showing the growth of malicious software

Consequently, enterprise networks worldwide urgently need security solutions that stop the threats posed by attacks from the Internet. In parallel, many security companies around the world have released a wide range of solutions, products and appliances supporting network security. Among them, the world's leading software company, Microsoft, introduced Microsoft Forefront Threat Management Gateway (TMG) 2010, a new generation of firewall software built on Microsoft Internet Security and Acceleration (ISA) 2006 that integrates new features able to alert on and block attacks and to filter malicious code during Internet access. Moreover, Microsoft Forefront TMG 2010 integrates the following products: Microsoft ISA Server 2006, Forefront Client Security, Forefront Security for Exchange Server and Forefront Security for SharePoint, so it offers outstanding security characteristics such as:

- Broad and complete protection of the system.
- Detection of viruses and malware and blocking of attacks.
- A friendly, easy-to-use management interface.
- Enhanced monitoring of the network.

As Microsoft introduces it, Forefront TMG is a firewall, a program dedicated to securing the network. All traffic entering or leaving our system must pass through Forefront TMG, where it is inspected very carefully. Microsoft Forefront TMG 2010 lets us secure the LAN so that users in the company can use the Internet for business without worrying about malware and other threats. It provides multiple, continuously updated layers of protection, with all features integrated into one product, which lets you manage the network easily and reduces the cost and complexity of web security. In other words, once Forefront TMG is deployed, our network model is divided into three distinct parts:

- Internal Network - includes all the computers on our network.
- Local Host - the barrier between our network and the outside world, namely the Forefront TMG machine itself.
- External Network - the Internet; in the Forefront TMG model, the Internet is simply treated as one more network.

Figure I.1.3 - Overview of the firewall's three network layers

2. HISTORY AND DEVELOPMENT OF FOREFRONT TMG 2010

2.1. History

Figure I.2.1.1 - Evolution of Forefront TMG 2010

Previously, Microsoft released two main software firewall versions, ISA 2004 and ISA 2006, but these two firewall versions were supported only on earlier operating systems such as Windows Server 2000, Windows XP and Windows Server 2003, and not on Microsoft's newer operating systems such as Windows 7 and Windows Server 2008. Therefore, to install a firewall on operating systems such as Windows 7 or Windows Server 2008, we have to use Microsoft's new software, Microsoft Forefront Threat Management Gateway 2010.


2.2. Development timeline:

MS Forefront TMG 2010 went through the following development stages:
1/1997 - Microsoft Proxy Server v1.0 (Catapult)
18/03/2001 - Microsoft Internet Security and Acceleration Server 2000 (ISA Server 2000)
08/09/2004 - Microsoft Internet Security and Acceleration Server 2004 (ISA Server 2004)
17/10/2006 - Microsoft Internet Security and Acceleration Server 2006 (ISA Server 2006)
17/11/2009 - Microsoft Forefront Threat Management Gateway 2010 (Forefront TMG 2010)

Figure I.2.2.1 - Evolution of Forefront TMG 2010


3. PRICE AND LICENSE OF EACH FOREFRONT 2010 EDITION

Figure I.3.1 - Price and license information for the Forefront editions

Figure I.3.2 - Price and license information for Windows Server 2008


4. FEATURES OF TMG 2010

4.1. Main functions

Figure I.4.1.1 - Main features in Forefront TMG 2010

4.2. Highlighted features of TMG 2010

Figure I.4.2.1 - Highlighted features of Forefront TMG 2010


- Enhanced Voice over IP - allows VoIP connections and calls through TMG.
- ISP Link Redundancy - supports load balancing and failover across multiple Internet links.
- Web Anti-Malware - scans for viruses, malware and other threats during web access.
- URL Filtering - allows or blocks access to websites according to a built-in content-category list, such as pornography, drugs, shopping, chat, and so on.
- HTTPS Inspection - inspects HTTPS-encrypted traffic to guard against malware and checks the validity of SSL certificates.
- E-mail Protection Subscription Service - integrates with Forefront Protection 2010 for Exchange Server and the Exchange Edge Transport Server to control viruses, malware and spam e-mail in the Exchange mail system.
- Network Inspection System (NIS) - blocks attacks that exploit security vulnerabilities.
- Network Access Protection (NAP) Integration - integrates with NAP to check the health state of clients before allowing them to connect over VPN.
- Secure Socket Tunneling Protocol (SSTP) Integration - supports SSTP VPN.
- Windows Server 2008 with 64-bit support - supports Windows Server 2008 and Windows Server 2008 R2 64-bit.

Table I.4.2.1 - Comparison of features in Forefront TMG Standard and Enterprise


Table I.4.2.2 - Comparison of features between ISA 2006 and Forefront TMG

4.3. System Requirements

Table I.4.3.1 - Installation requirements


5. FIREWALL MODELS
Forefront TMG uses a multi-networking concept. To define the network topology, we first create the networks in Forefront TMG. After creating all the required networks, we must define how they relate to each other in the form of network rules. Forefront TMG supports two kinds of network rule:
- Route: establishes a two-way network connection between two networks; the original IP addresses are routed between the two networks.
- NAT: establishes a network connection in one direction only between two networks; the IP addresses of the network segment are hidden behind the IP address of the corresponding network adapter.
After creating the networks and their network rules, you must still create firewall rules that allow or deny traffic between the connected networks.
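As an added illustration (not code from the thesis or from Forefront TMG itself), the following Python model shows how the two network-rule kinds and an access rule combine: a route rule relates both directions and preserves the source IP, a NAT rule applies only from source to destination and hides hosts behind TMG's adapter address, and without a matching access rule the traffic is still denied. The network names, address ranges and rules are constructed for a 3-leg perimeter layout.

```python
"""Constructed model of Forefront TMG multi-networking (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Network:
    name: str
    ranges: list          # CIDR ranges that belong to this network (constructed)
    adapter_ip: str       # TMG adapter address facing this network (constructed)

    def contains(self, ip):
        addr = ip_address(ip)
        return any(addr in ip_network(r) for r in self.ranges)


@dataclass
class NetworkRule:
    source: str
    destination: str
    kind: str             # "route" (two-way) or "nat" (one-way)


@dataclass
class AccessRule:
    action: str           # "allow" or "deny"
    source: str
    destination: str
    protocols: frozenset


class TmgPolicy:
    def __init__(self, networks, network_rules, access_rules):
        self.networks = {n.name: n for n in networks}
        self.network_rules = network_rules
        self.access_rules = access_rules

    def network_of(self, ip):
        for net in self.networks.values():
            if net.contains(ip):
                return net.name
        return None

    def relationship(self, src, dst):
        """A route rule relates both directions; a NAT rule only source -> destination."""
        for rule in self.network_rules:
            if rule.kind == "route" and {rule.source, rule.destination} == {src, dst}:
                return rule
            if rule.kind == "nat" and (rule.source, rule.destination) == (src, dst):
                return rule
        return None

    def evaluate(self, src_ip, dst_ip, protocol):
        """Return (verdict, source address the destination host would see)."""
        src, dst = self.network_of(src_ip), self.network_of(dst_ip)
        if src is None or dst is None:
            return "denied: address belongs to no defined network", None
        rel = self.relationship(src, dst)
        if rel is None:
            # No relationship at all: even an access rule could not allow this.
            return f"denied: no network rule from {src} to {dst}", None
        for rule in self.access_rules:          # ordered policy, first match wins
            if rule.source == src and rule.destination == dst and protocol in rule.protocols:
                if rule.action == "deny":
                    return "denied by access rule", None
                if rel.kind == "route":
                    return "allowed (route: original source IP kept)", src_ip
                # NAT: the destination sees the TMG adapter that faces its network.
                return "allowed (nat: hidden behind adapter address)", self.networks[dst].adapter_ip
        return "denied: no access rule matched (default deny)", None


def three_leg_policy():
    """Constructed 3-leg perimeter layout: internal LAN, DMZ and the Internet."""
    networks = [
        Network("Internal", ["192.168.1.0/24"], "192.168.1.1"),
        Network("Perimeter", ["172.16.0.0/24"], "172.16.0.1"),
        Network("External", ["203.0.113.0/24"], "203.0.113.10"),  # documentation range
    ]
    network_rules = [
        NetworkRule("Internal", "External", "nat"),
        NetworkRule("Perimeter", "External", "nat"),
        NetworkRule("Internal", "Perimeter", "route"),
    ]
    access_rules = [
        AccessRule("allow", "Internal", "External", frozenset({"HTTP", "HTTPS"})),
        AccessRule("allow", "Internal", "Perimeter", frozenset({"DNS", "HTTP"})),
        AccessRule("allow", "Perimeter", "External", frozenset({"DNS"})),
    ]
    return TmgPolicy(networks, network_rules, access_rules)


if __name__ == "__main__":
    policy = three_leg_policy()
    for flow in [("192.168.1.20", "203.0.113.50", "HTTPS"),
                 ("192.168.1.20", "172.16.0.5", "DNS"),
                 ("203.0.113.50", "172.16.0.5", "HTTP")]:
        print(flow, "->", policy.evaluate(*flow))
```

Note that the reverse direction of a NAT relationship (Internet to DMZ) has no network rule at all, which is why inbound access to published servers needs a publishing rule rather than an access rule.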
5.1. Network templates
To make configuring Forefront TMG easier, TMG provides ready-made templates (Network Templates) that create typical firewall scenarios. You can change the network design freely after the initial installation. All you need to do is run the Getting Started Wizard in the TMG Management console.

Figure I.5.1.1 - Network setup wizard


5.2. Configuring the network settings

Launching the Getting Started Wizard lets you choose the Network Template needed for your configuration. Forefront TMG offers four Network Templates:

- Edge Firewall
- 3-Leg Perimeter
- Back Firewall
- Single Network Adapter

5.2.1. Edge Firewall

Figure I.5.2.1.1 - Edge Firewall Template

The Edge Firewall template is a Network Template that connects the internal network to the Internet, protected by Forefront TMG. A typical Edge Firewall deployment requires at least two network adapters on the Forefront TMG server. This is the default option and the one used in most cases. It creates a default Internal network and a default External network.
5.2.2. 3-Leg Perimeter

Figure I.5.2.2.1 - 3-Leg Perimeter Template

A 3-Leg Perimeter firewall is a Forefront TMG server with three or more network adapters: one connected to the internal network, one connected to the external network and one connected to the DMZ (Demilitarized Zone), also called the Perimeter Network. The Perimeter Network holds services that need to be reachable from the Internet but are still protected by Forefront TMG. Typical services in a DMZ are a web server, a DNS server or a WLAN network. A 3-Leg Perimeter firewall is also often called a "poor man's firewall", because it is not a true DMZ; a true DMZ is the zone between two different firewalls.
5.2.3. Back Firewall

Figure I.5.2.3.1 - Back Firewall Template

This option is used when you already have a firewall, such as a TMG firewall, an ISA firewall or a third-party firewall, in front of the TMG firewall; a TMG Perimeter network is created automatically, as is a default Internal network. The Back Firewall template can be used by the Forefront TMG administrator when Forefront TMG is placed behind a front firewall. The back firewall protects the internal network against access from the DMZ and from the external network, and it can control which traffic is allowed from computers in the DMZ and from the front firewall.
5.2.4. Single Network Adapter

Figure I.5.2.4.1 - Single Network Adapter Template

This option is used when the TMG firewall has only one NIC installed. It is used only when the firewall serves as a web proxy server. This configuration supports no protocols other than HTTP, HTTPS and FTP. It supports VPN remote access.
The Single Network Adapter template has a number of limitations, because a Forefront TMG server with only one network interface cannot be used as a real firewall, so many services are unavailable. It offers only the features below:
- Forwarding Web Proxy requests that use HTTP, Secure HTTP (HTTPS) or File Transfer Protocol (FTP) for downloads.
- Caching web content for clients on the corporate network.
- Web publishing to protect published web and FTP servers.
- Microsoft Outlook Web Access, ActiveSync and RPC over HTTP (also called Outlook Anywhere in Exchange Server 2007).


II.

NEW FEATURES OF FOREFRONT TMG 2010

1. INTRODUCTION TO TMG

Microsoft Forefront Threat Management Gateway (TMG) 2010 is an intelligent application-layer firewall with anti-malware capabilities that can be used to identify and mitigate the threats facing modern networks. Forefront TMG is the successor to Microsoft ISA Server and includes all ISA Server functionality while improving usability, security and features.
Together with Forefront Unified Access Gateway (UAG), TMG is a new addition to the Forefront Edge product family. TMG mainly targets outbound scenarios, such as connections initiated by hosts on the protected network; UAG mainly targets inbound scenarios, such as web publishing of Microsoft SharePoint or Exchange.
The two editions of TMG are:
- TMG Medium Business Edition (MBE), available as a stand-alone edition or with Windows Essential Business Server (EBS). [1]
- TMG 2010, for all other deployments.

Table II.1.1 - Comparison of the features of TMG MBE and TMG Full

[1] TMG MBE was released with Windows EBS at the end of 2008. TMG 2010 was released at the end of 2009.


2. MANAGEMENT INTERFACE

The Forefront TMG Management Console has been reorganized to simplify configuration and monitoring. Many task-oriented controls have been moved closer together and are easier to reach in the Tasks tab. For example, the controls on the left side of the ISA Server 2004 and ISA 2006 interface have been trimmed, and the related functions are grouped inside the Tasks tab.

Figure II.2.1 - Management interface of Forefront TMG

Figure II.2.2 - Management interface of ISA 2006


3. NEW FEATURES
Support for Windows Server 2008, Windows Server 2008 R2 and native 64-bit
Because the number of users on large networks keeps growing, devices that process traffic quickly are needed. ISA Server is a "software" firewall based on the Windows operating system. A well-known limitation of ISA Server is that it cannot be installed on a 64-bit platform. TMG has no such limit; in fact, it must be installed on a 64-bit operating system. Windows Server 2008 and Windows EBS also support 64-bit environments. With the introduction of 64-bit support, the TMG firewall can use more than 4 gigabytes (GB) of RAM.
Web Antivirus and Anti-Malware support
The TMG firewall can detect and isolate malicious content in the HTTP stream before it reaches the client. This feature adds another layer of protection and strengthens security for all hosts on the network protected by TMG.
The HTTP Malware filter is a web filter that intercepts the data stream between the user and the web server. The content of this stream is stored in memory or on disk, depending on its size. TMG's MPEngine (Microsoft Malware Protection Engine) scans the content before it is delivered to the user.
To understand this process better, Figure II.3.1 illustrates how a user's request is fetched from the web server, intercepted by the TMG firewall, passed through MPEngine and finally returned to the user after processing.

Figure II.3.1 - MPEngine and the processing steps

Figure II.3.1 illustrates the following steps:

1) The initial request from the user is intercepted by the TMG firewall.
2) The request is forwarded from TMG to the web server.
3) The responses from the web server are returned to TMG.
4) The data is forwarded from the TMG firewall to the web filter.
5) The data is sent to the protocol handler, which parses the HTTP traffic before inspection.
6) The data is sent to the accumulator, where the content is accumulated on disk or in memory, depending on its size.
7) Once the content has been accumulated, it is sent back to the filter.
8) The filter sends the content to the Edge Malware Protection (EMP) scanner for inspection.
9) The EMP scanner inspects the traffic and returns it to the web filter.
10) The data is sent to the main handler.
11) The main handler retrieves the accumulated content.
12) The data is sent to the protocol handler again to be re-encapsulated in HTTP.
13) Once the data has been encapsulated in HTTP, it is passed back to the main handler.
14) The main handler sends the traffic to the web filter to build the response for the user.
15) The filter sends the traffic to the Firewall Engine.
16) The TMG Firewall Engine sends the final response back to the user.
When a user browses to a website and downloads a file, TMG accumulates the content, estimates how long the download will take to complete, and then inspects the content. If the content is downloaded and inspected within 10 seconds, TMG delivers the file to the end user. If downloading and inspecting the file takes more than 10 seconds, TMG sends the user an HTML progress page showing the download progress, or a trickled response, depending on the type of content being downloaded. A trickled response is the same kind of response one sees when copying a file from another folder.

Figure II.3.2 - Download management with Forefront TMG


Enhanced user interface, management and reporting

TMG has a new reporting tool: SQL Server Reporting Services (SRS). SRS can generate reports from a SQL database. SRS provides report design and definition, report storage, rendering in several formats, a programmable web service interface, and more. SRS consists of a database service and, in the case of SRS 2005, a web service hosted by IIS, which is why IIS is required on the TMG computer. IIS is also required for Windows EBS to manage reports remotely. IIS is not a required role for TMG 2010. [2]
TMG's new reports include information on malware inspection, URL filtering and intrusion prevention. TMG reports include information that was not available in earlier versions of the firewall. Once Forefront Protection Manager 2010 (FPM) is launched, TMG 2010 will integrate fully with FPM to provide an end-to-end protection solution. TMG reports can be viewed or managed from the FPM reporting interface.
TMG also includes new user interface features that improve report generation and management.
The table below shows the functions included in the TMG firewall for Windows Essential Business Server and in TMG 2010.

Table II.3.1 - Comparison of functions in TMG MBE and TMG 2010

URL Filtering
The URL filtering feature lets you enforce security policies. With URL filtering you can prevent users from accessing websites that may pose a security risk or that are forbidden by the company's web browsing policy.
As the administrator, you can select URL categories, such as malware. Then you can use the Web Access Wizard to create allow or deny policies for those categories. You can also customize the deny notification for blocked websites. Deny rules can be configured with exceptions that allow users to access these websites under certain conditions.
When a user tries to access a blocked website, the user receives an HTML notification that access to the website is forbidden by company policy. The HTML notification can be configured on TMG.

[2] With SRS enabled, IIS listens on TCP port 8008 by default rather than on TCP port 80, which provides a smaller attack surface.
HTTPS Inspection
HTTPS Inspection provides visibility into Secure Sockets Layer (SSL) sessions initiated from computers on the protected network. This feature plays an important role in malware inspection and helps protect against viruses downloaded from web-based e-mail servers such as Outlook Web Access (OWA) and from other HTTPS websites. When a user requests a secure page on the Internet, TMG intercepts the response from the web server, generates a certificate with the same name and returns it to the user. In this way all HTTPS traffic can be inspected by TMG before it is passed between the client and the server.
E-Mail Anti-Malware and Anti-Spam support
TMG provides an interface for mail control, anti-spam and anti-malware features.
For web-based e-mail servers, content can be inspected using HTTPS inspection before the response is passed to the user. For the SMTP protocol, you can define an SMTP route, an entity representing a link between TMG and an internal or external mail server. The purpose of SMTP routes is to simplify configuration and provide a link between TMG and the Internet, and between TMG and the published mail server. The new user interface makes it easier to manage the published mail server configuration; you simply enable antivirus (AV) scanning on the SMTP routes.
Using the new reporting and logging features, you can track traffic and receive reports on any spam or malicious content sent by e-mail.
Network Intrusion Prevention
An Intrusion Prevention System (IPS) is a very popular tool, mainly because it can be used as a proactive intrusion detection measure. An IPS is a system-protection device. It is often regarded as an extension of an Intrusion Detection System (IDS), but it can also be seen as a form of access control, similar to an application-layer firewall, that not only detects suspicious activity but also takes preventive measures to block intrusions and selectively allows traffic to pass.
TMG uses the Network Inspection System (NIS) to provide IPS functionality. TMG 2010 also provides subscription-based URL filtering and malware signature filtering.

Figure II.3.3 - Intrusion Prevention System (IPS) interface

The Session Initiation Protocol (SIP) Filter

The Session Initiation Protocol (SIP) filter that ships with TMG supports audio and video through the TMG firewall and also lets users transfer files and share applications.
TFTP Filter
TMG includes a Trivial File Transfer Protocol (TFTP) filter. TFTP is commonly used by BootP clients to download an operating system. In addition, because many Voice over IP (VoIP) phones use TFTP to download their configuration files, the TMG firewall supports TFTP to accommodate these requirements through the TFTP filter. TFTP is also used to move data onto newly deployed computers.
TFTP is a file transfer protocol similar to File Transfer Protocol (FTP), but it works somewhat differently and is used differently. Because ISA Server was typically used to isolate networks from each other and did not understand how to manage TFTP communications, automated Windows deployments and disk imaging often failed. TMG solves this problem by adding a TFTP filter that provides better management and better security.

Network Functionality Enhancements

In all earlier versions of ISA Server, when a Network Address Translation (NAT) relationship existed between networks, ISA did not allow the external IP address to be chosen, even when the external interface had multiple IP addresses. Instead, ISA always used the primary IP address bound to the interface as the source address for all outbound traffic. Likewise, ISA could not make use of more than one ISP connection, forcing many users to buy a separate device to meet this need.
NAT Address Selection
The TMG firewall has a new NAT enhancement that lets you specify the address used for outbound requests when a NAT relationship exists between network entities. In addition, if TMG has multiple external IP addresses, you can specify the address seen by remote SMTP servers. This is especially useful if remote SMTP servers apply IP address restrictions as spam protection. NAT address selection is configured through the New Network Rule Wizard.

Figure II.3.4 - NAT address selection wizard

ISP Sharing/Failover
TMG also supports dual ISP connections (external links), which can operate in one of two modes: ISP failover or ISP load sharing. In ISP failover mode, if one ISP connection fails, TMG provides fault tolerance by automatically switching to the other ISP connection. This lets TMG provide dynamic load balancing between Internet service providers with redundancy and failover capability. In ISP load sharing mode, you can specify a percentage of the load for each of the two ISP connections, and TMG routes traffic based on the current traffic through each ISP connection.
Comparison of features supported in TMG 2010 versus TMG MBE and ISA 2006

Table II.3.2 Feature comparison between ISA 2006, TMG MBE and TMG 2010

4. WHAT IS THE DIFFERENCE BETWEEN TMG AND UAG?

In May 2006, Microsoft officially announced the acquisition of Whale Communications Ltd. At that time, Secure Sockets Layer Virtual Private Network (SSL VPN) was a tool gaining visibility among organizations of every size. Microsoft had no SSL VPN gateway product at the time and decided to obtain an SSL VPN solution to offer in the Forefront product suite. A year after the acquisition, Microsoft renamed the product Intelligent Application Gateway 2007 (IAG 2007).
4.1. Enabling access from anywhere
The traditional way to let users at remote locations access internal resources over the Internet is through network-layer Virtual Private Networks (VPNs). Traditional network-layer VPN technology works with one of two main tunneling protocols: PPTP and L2TP. These protocols allow encrypted tunnels to be established between a client and a server, or between two network-layer VPN gateways (also called VPN routers).
The problem is that sometimes the client sits behind an edge firewall that only allows HTTP and HTTPS outbound traffic, as shown in Figure II.4.1.1. This often frustrates end users because their PPTP or L2TP/IPsec connection attempts are refused. So the term "access from anywhere" does not really apply when talking about network-layer VPN connections.

Figure II.4.1.1 Making a VPN connection with UAG

Figure II.4.1.1 shows that SSL VPN technology does not suffer from the connectivity problems inherent in network-layer VPN connections. The figure shows an edge firewall that only allows HTTP and HTTPS outbound, and two clients behind this firewall. The client using a network-layer VPN protocol (such as PPTP) to connect to the VPN server is blocked by the firewall, while the SSL VPN client is not. This illustrates the greater flexibility of SSL VPN technology, which allows enhanced secure access without having to deal with the connectivity problems imposed by such restrictions. SSL VPN makes it easy for remote client workstations to connect to an HTTPS portal and from there connect to internal resources (servers, workstations), and to do so from a variety of locations without worrying about the connectivity problems commonly encountered in the past.
SSL VPN technology is a standard for enabling remote access. Windows Server 2008 lets you configure RRAS as an SSL VPN server using the new Secure Socket Tunneling Protocol (SSTP) VPN.
4.2. What is new in UAG
While IAG was an appliance solution, UAG extends this offering with a software version that can be installed on a server of your choice. UAG gives you two options: a version of UAG pre-installed on an OEM hardware appliance, and a downloadable file. You can deploy UAG in a virtual environment using Microsoft Hyper-V or a hypervisor validated under the SVVP (Server Virtualization Validation Program).

The best way to understand the differences between IAG and UAG is a brief comparison of the two products, as illustrated in the table below.

Table II.4.2.1 Feature comparison between IAG and UAG

The new features that make a big difference when comparing IAG with UAG include:
- Native 64-bit: UAG will ship as a 64-bit version.
- Integration with Network Access Protection (NAP): this integration adds a layer of protection for internal network access by unsecured endpoint devices.
- Web load balancing: this feature lets you publish a farm of Web servers and distribute requests evenly among them. This is an important improvement because you no longer need to buy separate load-balancing devices to achieve this.
4.3. Designing the protected network
4.3.1. Deploying UAG
UAG is designed to provide the following:
- Access to your applications from the Internet
- Support for single sign-on (SSO)
- Increased trust of users and their computers
- Increased application awareness and stronger control over application behavior
- A wide range of authentication providers
- SSL VPN remote access
UAG lets networks serve the needs of mobile users accessing corporate resources from Internet-connected locations, while at the same time meeting the corporate requirement to control access based on a definition of trust and security for the connecting user and computer.
UAG is designed and tested to operate as an Internet-facing gateway. Placing a firewall between UAG and the Internet can cause problems that cannot be resolved by changing the UAG configuration, because UAG relies on the firewall functionality of TMG. UAG can also take advantage of the TMG multi-network model to publish applications that may be segmented from other networks. This lets you raise your overall security by implementing a multi-layered network security model.
4.3.2. Deploying TMG
TMG is designed to serve deployments with specific security requirements, including:
- General application-layer proxy and firewall
- Simplified access to application services such as SMTP, POP3 and other protocols
- Evaluation of client computer trust
- Protected access to the Internet and the internal network
- SSTP, PPTP and L2TP/IPsec VPN connections
Unlike UAG, TMG is designed to serve a broader set of needs for both external and internal application access. Figure II.4.3.2.1 shows the new features in TMG and UAG.

Figure II.4.3.2.1 Features in TMG and UAG

Unlike TMG, which you can deploy almost anywhere on the internal network, UAG is specifically designed to be a network edge device. However, in some cases policy makes it difficult for you to place IAG at the edge of the network. As shown in Figure II.4.3.2.2, if your network policy requires an edge firewall in front of UAG, you will have to allow inbound TCP port 443 (HTTPS) to UAG.

Figure II.4.3.2.2 Example of placing UAG in the back-end network

On the other hand, TMG is designed to operate in any of your basic network designs (and many variations on these themes):
- Edge firewall
- 3-leg perimeter firewall
- Back firewall
- Single-NIC Web proxy server
4.3.2.1. Edge Firewall

When deployed as an edge firewall, the primary task of TMG is to act as a layer-2 and layer-3 firewall for traffic sent to and from the Internet. Even when TMG is also deployed to provide higher-level, application-layer protection (such as IDS, URL filtering, malware inspection) and so on, its primary task remains that of a stateful packet inspection firewall. As an edge firewall, the external interface must face the Internet and the internal interface must face the protected LAN. The biggest advantage of using TMG as an edge firewall is that it gives TMG direct access to the network model it is designed to control. With few additional devices in the network path, TMG is better able to evaluate traffic and make appropriate control decisions. This is also the default deployment configuration for UAG. Figure II.4.3.2.1.1 illustrates a typical edge firewall deployment.

Figure II.4.3.2.1.1 Edge Firewall model

4.3.2.2. 3-Leg Perimeter

The 3-leg perimeter deployment shown in Figure II.4.3.2.2.1 is often called a trihomed perimeter network on a single device. TMG in this case has three NICs, each associated with a different network security zone, one of which is a perimeter network segment. TMG suits this task because it combines all the control mechanisms you would otherwise use at different locations into a single network control point.
Unlike ISA 2006, which assumed that you would use a NAT relationship by default between the internal network and the trihomed perimeter network, the TMG Trihomed Perimeter Network Template recognizes that the networks defined as perimeter and internal may not have a predefined route or NAT relationship. For this reason, the Network Setup Wizard gives you the opportunity to define these relationships as part of the configuration process. The advantage of the 3-leg perimeter deployment is similar to that of the edge firewall deployment: TMG has free access to the traffic on all networks.

Figure II.4.3.2.2.1 3-Leg Perimeter network model

4.3.2.3. Back Firewall

The back firewall is a variation of the edge firewall template, except that the external interface of the TMG firewall is connected to a perimeter network segment between it and the internal interface of an upstream firewall. Accordingly, the updated network template configuration gives you the option to define the network relationship between the internal and perimeter networks as either route or NAT. The advantage of the back firewall deployment is that, with a separate device handling the low-level traffic decisions, TMG has more resources to apply to higher-level traffic filtering controls. Figure II.4.3.2.3.1 illustrates a back firewall deployment.

Figure II.4.3.2.3.1 Back Firewall network model

4.3.2.4. Single-NIC

A single-NIC deployment is often referred to as unihomed. This option provides firewall functionality for the computer on which TMG runs. Like ISA 2006, a unihomed TMG can only provide support for HTTP-based traffic (CERN proxy or Web publishing) and dial-in VPN for VPN clients. As with ISA 2006, the valid networks for a unihomed TMG are:
- Local Host: this network includes all IP addresses assigned to the TMG computer, not just the 127/8 network.
- Internal Network: includes all IP addresses not assigned to one of the dial-in VPN clients.
- VPN Clients: this network includes only the addresses the TMG administrator has defined for VPN client use.
- Quarantined VPN Clients: this network includes only the IP addresses defined for use by VPN clients that do not meet the security requirements specified for VPN connections.
One advantage of the single-NIC deployment shown in Figure II.4.3.2.4.1 is that TMG resources can be dedicated to handling HTTP-related traffic. Another advantage of unihomed is that you never need to redefine the networks to support a unihomed TMG firewall.

Figure II.4.3.2.4.1 Single NIC network model

Forefront UAG is an SSL VPN gateway that gives your users more secure access from anywhere. The UAG SSL VPN server has an advantage over an RRAS network-layer VPN server: it does not suffer from connectivity problems and firewall restrictions. In addition, the UAG SSL VPN gateway lets you configure strong client access-control policies with trust levels that grant degrees of access based on the evaluated security configuration of the client.
A UAG SSL VPN gateway and TMG firewalls can coexist on the same network. Both UAG SSL VPN and the TMG firewall are designed as security devices. Combining the UAG SSL VPN gateway and the TMG firewall can provide multiple layers of protection for your network.
5. SYSTEM REQUIREMENTS
5.1. Hardware requirements
The minimum requirements for TMG 2010 are:
- A 64-bit version of Windows Server 2008 Standard, Enterprise, or Datacenter RTM with Service Pack 2 (SP2), or R2
- 2 GB of RAM
- A dual-core CPU
- A hard disk partition formatted with the NTFS file system
- 150 MB of hard disk space
- At least one network card compatible with the operating system that can communicate with the internal network (at least two network interfaces are required to support firewall functionality)
- One network card for each physical network TMG will be connected to

These are the minimum requirements. They are not recommended for best performance as a TMG firewall or Web proxy server, nor do they address the need for additional disk space for log files, the Web cache, and other important TMG operations. In scenarios where a large number of users connect through TMG for Web proxy or VPN remote access, memory requirements can rise dramatically. Likewise, disk space requirements can be much larger if you plan to take advantage of the TMG Web caching capability.
From a disk management perspective, TMG is often installed on a single hard disk with two or more logical partitions. At a minimum, all components can be installed on the same partition. However, depending on the role of TMG, and to ensure the disk does not fill up quickly, the log file directory and the cache can be stored on separate physical disks.
5.2. Software requirements
TMG must be installed on a 64-bit edition of Windows Server 2008. You cannot install TMG on a 32-bit version of Windows Server 2008.
You should update the Windows Server 2008 operating system using Windows Update or your preferred update mechanism before installing the TMG software. This helps ensure that TMG features work with up-to-date system components and reduces the overall attack surface before the TMG software is installed.
When TMG is installed on a Windows Server 2008 operating system, it installs the following:
- The Active Directory Lightweight Directory Services server role
- The Network Policy and Access Services server role
- Windows PowerShell 1.0
- The Web Server (IIS) server role (only for SRS 2005)
- Microsoft SQL Express (Microsoft Forefront TMG logging instance)
- Microsoft SQL Express (Microsoft Forefront TMG reporting instance)
- Microsoft SQL Server backward compatibility
- Microsoft SQL Server Native Client
- Microsoft SQL Server Setup Support Files
- Microsoft SQL Server Volume Shadow Copy Service (VSS) Writer
- Microsoft Office 2003 Web Components (as part of the SQL Server Express installation)

By default, IIS on TMG MBE binds to TCP port 8008. You should not modify this value, because the standard report links are preconfigured to use TCP port 8008. When TMG is uninstalled, IIS and the Office Web Components are not removed. You must remove these components manually.

5.3. Network infrastructure

TMG performance is affected by the network infrastructure in which it operates. If any network infrastructure component performs below optimal efficiency, TMG tries to compensate through the traffic backlog mechanism built into TMG. You need to address several issues when designing your TMG deployment, all of which can have a significant impact on TMG performance, stability, and security:
- Name resolution
- Authentication
- Traffic control devices (IDS and IPS)
5.3.1. Name resolution
TMG depends heavily on name resolution and on a supporting DNS infrastructure. When TMG policy refers to destinations by name (usually the case for HTTP traffic), TMG must perform both name and IP address resolution to ensure that rules can be evaluated in both cases (IP-address-based or name-based requests). Although TMG maintains its own name cache to improve name and IP address lookup performance, TMG must depend on Windows to perform the initial name or IP address resolution. As a result, traffic-handling efficiency is directly proportional to the efficiency of the Windows name resolution mechanism.
Windows name resolution configuration: TMG depends on the Windows name resolution mechanism, and Windows is designed to be deployed in many network configurations. Although most traffic handled by TMG is HTTP-based and destined for the Internet, Windows is configured as a NetBIOS broadcast node by default. This means that if Windows has DNS and WINS services available to it and the DNS and WINS queries do not succeed or the responses fail, Windows falls back to NetBIOS name broadcasts. The following points affect TMG deployments:
- Most TMG name resolution requests are for Internet hosts.
- Internet reverse lookups tend to fail because reverse lookup zones are rarely kept up to date.
- NetBIOS broadcast is the default fallback mechanism.
- TMG blocks broadcast traffic by default.
Because broadcast traffic does not work on the Internet, and because TMG blocks broadcast traffic by default, NetBIOS broadcasts will fail. Because of how NetBIOS broadcast works, it can take up to a minute to report failure, causing very high delays or failures in TMG traffic processing. Because TMG also logs the broadcast packets, the additional processing overhead incurred for this traffic causes further traffic-processing delays.
The best way to prevent NetBIOS broadcast traffic (and significantly improve TMG performance) is to configure Windows as a peer-node host using the following registry value:
Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
Name: NodeType
Type: REG_DWORD
Value: 2
Because this change affects a kernel-mode Windows networking component (NetBIOS over TCP/IP), it does not take effect until the computer is restarted.
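As an added example (not code from the thesis or from Microsoft), the following PowerShell script audits the NodeType value at the registry path above and sets it to 2 (P-node) only when it differs, reporting that a reboot is still pending; the value-to-node-type table and the function names are this example's own.

```powershell
# Added example (not from the thesis): audit and set the NetBIOS-over-TCP/IP node type.
# Run from an elevated PowerShell prompt on the TMG host.
$NetBtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# NodeType values as documented by Microsoft; the four node types are described in the text.
$NodeNames = @{ 1 = 'B-node (broadcast)'; 2 = 'P-node (peer, WINS only)'; 4 = 'M-node (B+P)'; 8 = 'H-node (P+B)' }

function Get-NetBtNodeType {
    # Returns $null when the value is absent (Windows then applies its default, B-node).
    $item = Get-ItemProperty -Path $NetBtPath -Name NodeType -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NodeType
}

function Set-NetBtNodeType {
    param([ValidateSet(1, 2, 4, 8)][int]$Value = 2)
    $current = Get-NetBtNodeType
    if ($current -eq $Value) {
        Write-Output ('NodeType is already {0} ({1}); nothing to do.' -f $Value, $NodeNames[$Value])
        return $false
    }
    # REG_DWORD, created if missing; -Force overwrites an existing value.
    New-ItemProperty -Path $NetBtPath -Name NodeType -PropertyType DWord -Value $Value -Force | Out-Null
    $was = if ($null -eq $current) { 'not set' } else { "$current" }
    Write-Output ('NodeType set to {0} ({1}); was {2}.' -f $Value, $NodeNames[$Value], $was)
    return $true   # NetBT is kernel-mode: the change is only live after a reboot
}

if (Set-NetBtNodeType -Value 2) {
    Write-Warning 'Reboot required before NetBT uses the new node type.'
}
```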
5.3.2. Authentication
One of the main benefits of deploying TMG is the ability to control traffic based on user context. Because all user requests are initially sent without this information, TMG must request credentials and then refer them to an authentication provider for validation. Delays or errors encountered during the authentication process also adversely affect TMG performance. You should understand the following points about authentication for TMG:
- Windows Authentication: In an environment where TMG must authenticate requests using Windows credentials, TMG must use Windows authentication methods. If the user accounts are part of a domain structure, TMG must be a member of the same domain or of a trusted domain. Otherwise, the user accounts must be mirrored in the local SAM database of TMG.
- Non-Windows Authentication: To authenticate Web proxy traffic received on a protected-network listener (commonly called outbound Web proxy traffic), TMG can authenticate users against Windows or RADIUS. When TMG uses RADIUS authentication, the authentication request from TMG to the user is presented as HTTP Basic.
- Authentication load: For Windows authentication, this usually means a domain controller. For non-Windows authentication, it may be a RADIUS server or an LDAP directory-based login server. If this information is not returned quickly, the resulting request backlog will degrade TMG performance and produce an unacceptable user experience, usually expressed as "the Internet is terribly slow".

5.4. Deploying in virtual environments

TMG is supported in virtual environments. When planning such a deployment, you must consider the security, functionality, and management issues of virtualized deployments.
- Network: Because of the network design commonly used in virtualized environments, virtual network traffic is often invisible to physical network monitoring and management systems.
- Performance: Because all servers in a virtual environment share the host's resources, an application's performance does not match the performance characteristics of a physical deployment. Because of the timing variations inherent in a virtualized server, performance monitoring of a virtualized server using its own time-based performance counters may be inaccurate.
- Security: Strict access controls, change management policies, and procedures for the virtual host and the virtual machines are critical to ensuring a secure virtual deployment. This is especially true in the case of a virtual edge or perimeter network, such as where TMG will operate.
6. ANALYZING NETWORK REQUIREMENTS
To control your network better, you should know the applications running on it and the protocols they use; this lets you build your traffic profile. By identifying the applications, identifying who owns them, and identifying the protocols and network topology, you can better determine where TMG should be installed and which rules you need to create. Identifying the IP addressing on your network is an important element to record before installing TMG. Before you begin sizing your TMG deployment, you need to understand the network and the traffic patterns TMG will be required to support. This involves several steps, each of which may require iterative cycles of testing and analysis.
7. DEFINING THE TRAFFIC PROFILE
A traffic profile is a map of the application protocols used in your system. It may include simple protocols such as Simple Mail Transfer Protocol (SMTP) or complex protocols such as Remote Procedure Call (RPC) or Distributed Component Object Model (DCOM). Perhaps the hardest thing for any network or firewall administrator is to define and maintain an accurate, trustworthy list of the traffic on their network. The following maps provide the building blocks for thinking through your TMG deployment in terms of network traffic and protocols, sometimes called your network traffic profile for short. To define your network traffic profile, you will build the following types of maps:
- Network map
- Application map
- Protocol map
7.1. Network map
The first thing you must do is gain a better understanding of the network infrastructure that will be served by TMG. For example, your company may be a distributed organization, with most of your staff at the Houston office and satellite offices in London, Eilat, and Buenos Aires. You need a clear understanding of how these networks are connected, as well as of any backup routes or split-routing infrastructure. In particular, TMG may not be able to handle split routing. Figure II.7.1.1 is an example of a simple network map.

Figure II.7.1.1 Example network map

An evaluation of the networks in Figure II.7.1.1 shows that TMG should be placed near the routes serving each geographic location. What you must consider in the deployment is how to handle the unavoidable cases when TMG is unavailable. For example, if Buenos Aires users query their local proxy for Internet access and that proxy is unavailable, they should be redirected to the next nearest proxy as a backup path.
7.2. Application map
After you have defined the network infrastructure, you use it to help define the application map for your organization. Because line-of-business services are more likely to be centralized, you need to consider whether you can deploy TMG to help manage the traffic load for those applications or to help improve their security. At this point you should not yet map the network protocols used by these applications. Because many internal applications tend to be Web-based or support HTTP-based access (for example, Microsoft Exchange Server and Microsoft Office SharePoint Server), you can use TMG to provide secure internal as well as external access to the applications by creating a network structure in which all user requests for those applications pass through TMG.
One important point here is to identify cases where clients and servers communicate over the Internet rather than over your own network infrastructure. The application map table provides an example of an application map. This map provides the basic data from which you will build the next part of your traffic profile, the protocol map. Once you are satisfied with the contents of the application map, you should store it somewhere secure and set a schedule for your team to review and update it regularly. This is especially true if your organization changes applications frequently by upgrading or migrating applications.

Figure II.7.2.1 Network application table

Figure II.7.2.2 Network protocol map

Figure II.7.2.3 Network protocol map (2)

1. Dyn = 1025-65535 on Windows Server 2003 and earlier; 49152-65536 on Vista and later
2. Nego = port negotiated between client and server when the connection is established
3. Only required if the server is configured for LDAP over SSL
4. The RFC specifies that NTP clients use source port UDP 123, but Windows often uses dynamic ports
5. The transports/protocols of the secondary connection are negotiated in the control channel according to the Winsock client application
6. FWM is used by OEMs to provide management of ISA Server without going through the MMC
7. Remote management of ISA Server uses the ISA Management MMC, which relies on RPC to monitor the status of the ISA services
8. ISA Server installation creates an SMB connection to the CSS, authenticated with credentials chosen by the user
After the network infrastructure and application maps are defined, you need to identify the protocols used on your network. Two protocol sets that are difficult to map accurately are RPC and DCOM. Typically, both begin with a connection to the RPC Endpoint Mapper on the server at TCP port 135, followed by a connection to the port on which the application server is listening. This complexity makes RPC and DCOM difficult to trace and equally difficult to pass through a firewall. TMG includes an application filter that understands the RPC protocol, but because of the packet signing and encryption used in most DCOM communications, TMG cannot support DCOM through it. Other complex protocols supported by TMG application filters include FTP, TFTP, SIP, media streaming (RTSP, MMS), and PPTP. Figure II.7.2.4 illustrates the application filters provided with TMG.

Figure II.7.2.4 Application filters in TMG

8. HANDLING COMPLEX NETWORKS

In many cases, the firewall actually serves traffic to and from networks that are not local to the firewall. An example of such a network topology is shown in Figure II.8.1.
In this figure, TMG serves hosts in three networks: Houston, operating in subnet 192.168.1.0/24; Buenos Aires, operating in subnet 192.168.2.0/24; and London, operating in subnet 192.168.3.0/24. All branch offices use the TMG (located at headquarters) as their Web proxy, and in this example the only site with a direct Internet connection is the main office in Houston.
Like ISA Server, TMG defines networks based on the addresses located behind a specific network interface. In Figure II.8.1, addresses in three different network IDs are located behind a single NIC of the TMG in the Houston office. You will use all of these addresses when defining the TMG network located behind that NIC.

Figure II.8.1 Multi-network topology model

9. DNS IN TMG

TMG relies on Windows for name resolution, so any mistake in the Windows name resolution configuration will adversely affect TMG.
9.1. How does the system resolve names?

Windows name resolution uses DNS as the preferred name resolution method; however, if a name cannot be resolved by DNS, the operating system attempts NetBIOS name resolution. For NetBIOS name resolution, two methods can be used to resolve a name: Windows Internet Name Service (WINS) and broadcast. If your network does not have a WINS server, Windows attempts to resolve the name by sending a NetBIOS broadcast (for the host portion of the fully qualified domain name, or FQDN). For example, when you run the command ping srv1.contoso.com, Windows by default attempts the following steps:
1) Check whether the local host name matches the name being resolved (Srv1).
2) Check whether the local HOSTS file contains the name.
3) Query the first DNS server in the TCP/IP stack.
The operating system sends a query to the first server in the resolver list of the adapter at the top of the binding order (which is why it is important to have the internal adapter at the top of the list) and waits 1 second for a response. If the operating system receives no response from the first server within one second, it sends the query to the first DNS server on all adapters and waits two seconds for a response. This process repeats in cycles of two, four, and eight seconds respectively. If Windows receives a positive response from a DNS server, it stops querying for the name, adds the response to the DNS cache, and returns the response to the user. Importantly, you can monitor the number of name resolution failures by opening Performance Monitor, adding the Microsoft Firewall Service object, and monitoring the Failed DNS Resolutions counter.
4) Perform NetBIOS name resolution if no match is found.
Windows uses NetBIOS name resolution if all attempts to resolve the host name through DNS fail. Windows complies with RFC 1001 and 1002, which define the NetBIOS service over TCP and UDP. One of the ways the operating system complies is by setting the node type. By default, Windows uses the broadcast node type (B-node); however, this setting can be changed in the registry. The possible values are:
- Peer Node Type (P-node): sends a direct query to a NetBIOS name server (for example, WINS).
- Mixed Node Type (M-node): sends a broadcast first and, if the name is not resolved, sends a direct query to the NetBIOS name server (WINS). This is also called B+P (B-node + P-node).
- Hybrid Node Type (H-node): sends a direct query to the NetBIOS name server and, if that does not resolve the name, sends a broadcast. This is also called P+B.
5) If the Hybrid node type is used, the name resolution process continues as follows:
a) Windows checks the local NetBIOS name cache. Up to 16 names (by default) are held in this cache for 10 minutes.
b) If Windows cannot resolve the name from the local NetBIOS name cache, it sends a NetBIOS name query to the primary WINS server configured in the Advanced TCP/IP options of the network interface at the top of the interface list. If that WINS server does not respond, Windows tries to contact all configured WINS servers (in order from top to bottom).
c) If the steps above are unsuccessful, Windows checks the LMHOSTS file, provided LMHOSTS lookup is enabled on the WINS tab of the Advanced TCP/IP properties dialog. This dialog is found in the TCP/IP properties of a network interface on the firewall.
d) Windows sends a NetBIOS broadcast to the local segment (255.255.255.255) because, by default, routers do not allow NetBIOS broadcasts to pass.
Never configure TMG with DNS server addresses on more than one physical network interface. If you have two network interface cards (internal and external), the DNS server IP addresses must be configured on only one interface, and that interface must be at the top of the network interface list.
9.1.1. Edge or Perimeter in a Workgroup
When you have TMG in a workgroup, you still need to resolve names for internal hosts, and the general DNS recommendation remains the same: configure DNS on a single interface, as shown in Figure II.9.1.1.1. In this case, you can configure DNS to point to an internal DNS server, and that internal DNS server is configured with forwarders.

Figure II.9.1.1.1 DNS configuration in a workgroup

Although this is the most common scenario and the general recommendation for workgroups, in some other scenarios access to the internal DNS is not permitted by the company's security policy. In those situations, you can use one of the following alternatives:
- Use a DNS server: Provide full name resolution for both internal and external resources by adding a DNS server that can use conditional forwarders. A conditional forwarder is a DNS server that can be used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all queries it receives for names ending in contoso.com to the IP address of a specific DNS server (for example, the IP of the internal DNS).
- Install the DNS service on TMG: In this setup, TMG has the DNS service installed and can be configured to use a conditional forwarder for the Internal Domain and Forwarders for External Domains. Another option is to create a secondary zone for the Internal Domain and use Forwarders (or Root Hints) for External Domains. Although this is a feasible alternative, it is not commonly used because of the separation of duties and the increased administrative overhead. For many reasons, you do not want to add another service to your firewall. The main reason is that you would now have two components that may not share the same maintenance window. For example, if you plan to update your DNS service with the latest security updates, you may need to restart the server, so your firewall will also be offline during that time. The table below summarizes the benefits and limitations of each option.

Table II.9.1.1.1 Summary of advantages and disadvantages of the DNS configurations
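The conditional-forwarder selection described above, as an added example that is not part of the thesis: given a table mapping DNS domains to forwarder addresses, the function picks the forwarder for a query name by the longest label-wise suffix match and otherwise falls back to the default (external) forwarders. The domain names and addresses are constructed.

```python
# Added example, not from the thesis: how a DNS server with conditional
# forwarders chooses where to send a query. Domains and addresses are
# constructed placeholders; 10.0.0.10 plays the internal DNS and
# 198.51.100.1 the ISP's DNS.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [l for l in name.rstrip(".").lower().split(".") if l]


def forwarder_for(qname, conditional, default):
    """Return the server list the query for qname is forwarded to.

    conditional maps a DNS domain to its forwarder addresses; a query
    matches a domain when the domain's labels are a suffix of the query's
    labels (so contoso.com matches www.contoso.com but not notcontoso.com).
    The most specific (longest) matching domain wins; with no match the
    query goes to the default forwarders.
    """
    qlabels = _labels(qname)
    best_len, best = -1, default
    for domain, servers in conditional.items():
        dlabels = _labels(domain)
        if len(dlabels) <= len(qlabels) and qlabels[-len(dlabels):] == dlabels:
            if len(dlabels) > best_len:
                best_len, best = len(dlabels), servers
    return best


# Constructed forwarding table for the workgroup scenario in the text.
FORWARDERS = {
    "contoso.com": ["10.0.0.10"],          # internal DNS (conditional forwarder)
    "corp.contoso.com": ["10.0.1.10"],     # a more specific internal zone
}
DEFAULT_FORWARDERS = ["198.51.100.1"]     # ISP DNS for everything else


def resolve_path(qname):
    """Convenience wrapper using the constructed tables above."""
    return forwarder_for(qname, FORWARDERS, DEFAULT_FORWARDERS)


if __name__ == "__main__":
    for n in ("www.contoso.com", "dc1.corp.contoso.com", "www.example.net", "notcontoso.com"):
        print(f"{n:28} -> {resolve_path(n)}")
```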

Another scenario involves a network that has no internal DNS services and relies on broadcasts for internal name resolution. In this case, TMG relies on an external ISP DNS server to resolve names. This is the only situation in which you configure TMG to use an external DNS server.
9.1.2. Edge or Perimeter in a Domain
In a Domain environment, you have the DNS service used by your Active Directory infrastructure. TMG should be configured to use the internal DNS servers, and the addresses of the internal DNS servers should be configured on TMG's internal interface.
Single-NIC scenario (Workgroup or Domain): In a TMG Single NIC environment, you need to configure the Preferred DNS Server to point only to your internal DNS servers, and not use external DNS servers.
9.2. Impact of DNS
Name resolution problems in TMG reduce performance. Web browsing becomes slower, as does user authentication. The two main problems with name resolution in TMG are:
- Name Resolution Delay - When TMG sends a DNS query that is not answered in a timely manner, the TMG worker thread is blocked while waiting for the DNS response, causing the number of backlogged packets to grow.
- Authentication Delay - An incorrect DNS configuration can also cause TMG to delay or fail authentication when firewall rules require authentication.
9.3. DNS Cache in TMG
TMG keeps its own DNS cache inside wspsrv.exe (the Firewall service). This component is built on top of the Windows DNS Resolver and is used to reduce the number of DNS queries TMG performs to resolve a name. Figure II.9.3.1 shows the DNS cache components in TMG.

Figure II.9.3.1 DNS cache in TMG

TMG uses a mechanism to determine which entries need to be removed from the DNS cache. This mechanism uses the following parameters:
- DnsCacheNegativeTtl - checks the TTL (given by the DNS server).
- DnsCacheRecordMaxKB - checks the cache size against a maximum; the default threshold is 10,000. If this threshold is exceeded, 25% of the entries are removed from the cache.
- DnsCacheSize - TMG checks whether the two previous events did not occur, and then the Firewall service scans the cache once every 30 minutes (by default) to remove cache entries whose TTL has expired.
When troubleshooting name resolution problems, run the command ipconfig /flushdns to clear the local computer's DNS cache. Because TMG has its own cache, remember that to get a clean cache you also need to restart the Firewall service. You can do this by running the commands net stop fwsrv && net start fwsrv.
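The eviction rules listed above, as an added example that is neither the thesis' nor TMG's code: an in-memory model of the Firewall service DNS cache that applies the three rules (TTL expiry, the 25% trim when the record threshold is exceeded, the periodic sweep only when it is not). The class and method names, the record-count reading of the threshold, the oldest-first choice of which 25% to drop, and the sample records are assumptions of this example.

```python
# Added example, not the thesis' or TMG's code: an in-memory model of the
# Firewall service DNS cache applying the three eviction rules above.
# Assumptions made here: the threshold is counted in records, the 25% that
# are dropped are the oldest entries, and a stale entry found on lookup is
# discarded rather than returned.
from collections import OrderedDict

NXDOMAIN = "NXDOMAIN"   # marker stored for a cached negative answer


class DnsCache:
    def __init__(self, record_max=10_000, sweep_interval_s=30 * 60, negative_ttl_s=300):
        self.record_max = record_max              # DnsCacheRecordMaxKB-style threshold
        self.sweep_interval_s = sweep_interval_s  # DnsCacheSize sweep period (30 min)
        self.negative_ttl_s = negative_ttl_s      # DnsCacheNegativeTtl for NXDOMAIN
        self.entries = OrderedDict()              # name -> (answer, expires_at), oldest first
        self.last_sweep = 0.0
        self.evicted = 0                          # entries removed by the two bulk rules

    def put(self, name, answer, ttl_s, now):
        """Store an answer; negative answers use the negative TTL, not the server's."""
        if answer == NXDOMAIN:
            ttl_s = self.negative_ttl_s
        self.entries[name] = (answer, now + ttl_s)
        self.entries.move_to_end(name)
        self._enforce_limits(now)

    def lookup(self, name, now):
        """Return ('hit', ip), ('negative', NXDOMAIN) or ('miss', None)."""
        self._enforce_limits(now)
        rec = self.entries.get(name)
        if rec is None:
            return "miss", None
        answer, expires_at = rec
        if now >= expires_at:                     # rule 1: TTL given by the server
            del self.entries[name]
            return "miss", None
        return ("negative" if answer == NXDOMAIN else "hit"), answer

    def _enforce_limits(self, now):
        # Rule 2: over the record threshold -> remove 25% of the entries.
        if len(self.entries) > self.record_max:
            drop = max(1, len(self.entries) // 4)
            for _ in range(drop):
                self.entries.popitem(last=False)   # oldest first (assumption)
            self.evicted += drop
            return                                 # rule 3 only runs when rule 2 did not
        # Rule 3: periodic sweep (every 30 min by default) of expired entries.
        if now - self.last_sweep >= self.sweep_interval_s:
            stale = [n for n, (_, exp) in self.entries.items() if now >= exp]
            for n in stale:
                del self.entries[n]
            self.evicted += len(stale)
            self.last_sweep = now


def demo():
    """Walk the rules on constructed records; returns the resulting cache."""
    c = DnsCache(record_max=8, sweep_interval_s=1800, negative_ttl_s=60)
    c.put("www.contoso.com", "10.0.0.5", ttl_s=600, now=0)          # constructed record
    c.put("nosuch.contoso.com", NXDOMAIN, ttl_s=86400, now=0)        # negative answer
    for i in range(8):                                               # push past the threshold
        c.put(f"h{i}.example", f"192.0.2.{i}", ttl_s=3600, now=1)
    return c


if __name__ == "__main__":
    cache = demo()
    print(len(cache.entries), "entries,", cache.evicted, "evicted by the 25% trim")
```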

10. CHOOSING A NETWORK TEMPLATE

10.1. Edge Firewall Template

By using the Edge Firewall network template, you apply a configuration that reflects TMG's main purpose at the edge of your network. This template assumes you have two interfaces: one connected to the internal network and one connected to the external network. Usually the external interface is the one connected directly to the Internet (through a router), but it can also be placed behind a firewall or NAT device. Usually, the external interface is the NIC configured with a default gateway.
When you run the Getting Started Wizard, select the Edge Firewall template, as shown in Figure II.10.1.1.

Figure II.10.1.1 Edge Firewall Template

This template provides the following benefits:
- TMG blocks all unauthorized access to the internal network from the default External network.
- TMG hides the default Internal network from the outside.
- You can provide secure access to internal servers by publishing them.
- Easy configuration.
10.2. 3-Leg Perimeter Network Template

The 3-Leg Perimeter template helps you implement a perimeter network, also called a demilitarized zone or DMZ. This perimeter network is used to safely expose resources shared by users coming from untrusted networks (such as the Internet) and from trusted networks (the networks TMG protects). The template sets TMG up with three network interfaces: one network card connected to the Internet (the External network), one connected to the internal network, and one connected to the perimeter network. The 3-Leg Perimeter option is not available if you have fewer than three NICs installed on TMG. When you run the Getting Started Wizard, you can select the 3-Leg Perimeter template, as shown in Figure II.10.2.1.

Figure II.10.2.1 3-Leg Perimeter Template

By selecting this template in the Getting Started Wizard, you will have to identify the adapter connected to the perimeter network, as shown in Figure II.10.2.2.

Figure II.10.2.2 Configuring the network layers in the 3-Leg model

During this selection, you need to determine whether the IP addresses used on the Perimeter network are public or private. This is an important decision because it also affects the relationship between the perimeter network and the internal and external networks. The perimeter network usually uses private IP addresses because you want to hide the real IP addresses of the resources from the Internet.
This template provides the following benefits:
- It protects the default internal network from external attacks.
- It lets you publish Internet services securely by placing them in a perimeter zone.
- External users can access resources located in the perimeter network while still being blocked from accessing internal resources.
10.3. Back Firewall Template

This template provides the following benefits:
- Access control
- Multiple layers of protection
- Separation of duties (each firewall is responsible for different traffic configurations)
When you run the Getting Started Wizard, you can select the Back Firewall template, as shown in Figure II.10.3.1.
Figure II.10.3.1 Back Firewall Template

When you select this template using the Getting Started Wizard, you identify the adapter connected to the default Internal network and the adapter connected to the perimeter network.
10.4. Single NIC Template

Use the Single NIC template when you want to limit the firewall to one or more of the following roles:
- forward Web proxy server
- Web caching server
- reverse Web proxy (Web publishing: HTTP/HTTPS, RPC over HTTPS, FTP)
- VPN remote-access client server
You cannot use a Single NIC TMG to protect the edge of your network. A Single NIC TMG has no concept of an External network, because it has only one network interface and the default gateway for connections beyond your own network sits on that same network card. As a result, the only networks are Local Host (TMG itself) and Internal. In addition, a number of features are not supported with a Single NIC:
- Application Filtering - although TMG has built-in application-layer inspection, that inspection applies only to HTTP/HTTPS, FTP and traffic carried over the HTTP protocol.
- Server Publishing - the Server Publishing features require two network interfaces (NICs); this template supports only a single NIC.
- TMG Client - not supported.
- SecureNET Client - not supported.
Even if you configure a network adapter with two or more IP addresses, or you add a second network adapter and then disable it, as some people do in a few limited cases as a workaround, this configuration still does not add support for the requirements above. When you run the Getting Started Wizard, you can select the Single NIC template, shown in Figure II.10.4.1.

Figure II.10.4.1 Single Network Adapter Template

After you apply the Single NIC template, the following addresses are excluded from the network:

- 0.0.0.0
- 255.255.255.255
- 127.0.0.0 - 127.255.255.255
- 224.0.0.0 - 254.255.255.255

10.5. Joining the TMG Firewall to a Domain or Workgroup

The Domain and Workgroup table lists the advantages and disadvantages of operating TMG in a Domain or in a Workgroup.

Table II.10.5.1 Advantages and disadvantages of installing Forefront in a Domain and in a Workgroup

11. Migrating to TMG
TMG runs only on Windows 2008 SP2 or R2 x64. Because ISA Server runs only on Windows 2000 (ISA 2004 SE) or Windows 2003 x86, a complete server rebuild (or replacement, if the processor is 32-bit) is required before TMG can be installed on it. Because migrating from ISA Server to TMG requires an entirely new operating system, an in-place upgrade to TMG is not simple. Your migration plan must satisfy the following conditions:
- All array members must use the same operating system update level, starting with Windows Server 2008 Service Pack 2.
- All array members must use the same Windows version. You cannot mix computers running Windows Server 2008 (SP2) and Windows Server 2008 R2 in the same array.
In addition, before you begin the migration, you must upgrade your ISA servers to the latest supported update level, as detailed in the update table.

Table II.11.1 Minimum update requirements for upgrading to TMG 2010

Migrating from TMG MBE on Windows Essential Business Server (EBS) to TMG 2010 is not supported by the EBS Upgrade Wizard.
The patch table summarizes the supported migration paths you can follow.

Table II.11.2 Patch information between ISA and TMG versions

The asterisk (*) denotes a TMG 2010 Enterprise Edition Standalone Array. The hash sign (#) denotes Windows Essential Business Server (EBS).

You can see from the patch table that you cannot migrate directly from ISA Server Standard, TMG Enterprise Edition (SE), TMG Medium Business Edition (MBE), or TMG 2010 SE to TMG Enterprise Edition (EE) EMS-managed arrays. This is because, to move to an EMS-Managed Array, you first have to upgrade to TMG Enterprise or Standard Edition, after which you can join TMG to an Enterprise Edition EMS-Managed Array. There is no upgrade from TMG MBE on Windows Essential Business Server (EBS) without using the WEBS R2 Upgrade Wizards.
Figure II.11.1 defines a simplified traffic profile for the migration example. The SIP protocol is an addition to the services being deployed, because TMG supports this protocol whereas ISA Server does not.
SIP, short for Session Initiation Protocol, is an IP telephony signaling protocol used to set up, modify and terminate VoIP telephone calls. SIP was developed by the IETF and published in RFC 3261. SIP describes the communication needed to establish a telephone call. Like HTTP, it is a text-based protocol, very open and flexible.

Figure II.11.1 Migration example

12. TMG CLIENT TYPES

12.1. Web Proxy Client

On Windows, WinInet stores the settings used for Web Proxy purposes in the registry. If you change the Internet Explorer settings, WinInet updates the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

For example, the registry is updated when you change the following settings, as shown in Figure 41.
- ProxyEnable - If this DWORD value is 0, the browser accesses the Internet directly. If the value is 1, the browser uses a proxy to access the Internet.
- ProxyServer - This REG_SZ value specifies the name and port of the proxy server to use.
- ProxyOverride - This REG_SZ value is used to manage local addresses that should not go through the proxy server.
INTERNET_OPEN_TYPE_DIRECT means the application will not use a Web proxy and will access the Internet directly. An application can also use the current registry proxy settings by using the INTERNET_OPEN_TYPE_PRECONFIG access type.

Figure II.12.1.1 Proxy settings for Internet Explorer
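The three registry values above, as an added example that is not part of the thesis: a function that decides, for a URL, whether a Web proxy client goes direct or through TMG by applying ProxyEnable, the ProxyServer formats WinInet accepts, and the ';'-separated ProxyOverride list with '*' wildcards and the '<local>' token. The proxy name tmg.contoso.local and all sample values are constructed, and the IP-range syntax ProxyOverride also accepts is not modelled.

```python
# Added example, not from the thesis: the decision a WinInet-based Web proxy
# client makes from the three registry values listed above. Matching rules
# follow WinInet's documented behaviour for ProxyServer and ProxyOverride;
# the proxy name tmg.contoso.local and all sample values are constructed.
# IP-range syntax in ProxyOverride is not modelled.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_proxy_server(value):
    """ProxyServer is 'host:port' for all protocols or
    'http=host:port;https=host:port;...' per protocol."""
    if "=" not in value:
        return {"*": value.strip()}
    table = {}
    for item in value.split(";"):
        if "=" in item:
            scheme, _, proxy = item.partition("=")
            table[scheme.strip().lower()] = proxy.strip()
    return table


def b
bypasses_proxy = None  # placeholder removed below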

12.2.

Web Proxy Client lm vic nh th no?

Nhiu ng dng c th hot ng nh mt my khch Web proxy. Tuy nhin, trnh duyt
Web l thng s dng ng dng cu hnh lm nh vy. V d sau y s dng mt
trnh duyt Web chng minh lm th no mt client Web proxy s gi mt yu cu HTTP
n TMG. Trong v d ny, cc trnh duyt Web c cu hnh s dng TMG nh l mt
Proxy Web v ngi dng truy cp http://www.contoso.com.
Client gi mt HTTP GET yu cu TMG trn cc cng lng nghe client Web proxy yu cu.
Theo mc nh, TMG c cu hnh cho php cc kt ni client Web proxy trn TCP
cng 8080. Sau khi TMG nhn c cc kt ni t my khch Web Proxy, Microsoft Firewall
kim tra quy tc truy cp xc nh nhng quy tc p dng cho HTTP c xc nh
trc giao thc nh ngha (port 80). iu ny xc nh xem yu cu c cho php hoc b
t chi t ngun n cc my ch ch.
_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 62

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Trong khi thc hin vic kim tra dch v Firewall thc hin phn gii tn DNS xc nh
xem mt quy tc da trn a ch IP ny p dng cho yu cu. Nu yu cu l c cho
php, Firewall chuyn tip dch v yu cu n b lc Web Proxy, kt ni n my ch ch
trn cng quy nh trong URL (mc nh cng 80).
Nu cn thit, TMG cng s yu cu client cho cc thng tin bng cch s dng HTTP
xc thc (NTLM, Negotiate, Basic, Digest, Kerberos)
TMG thc hin lc lp ng dng cho cc yu cu HTTP t cc client Web Proxy. Hnh
II.12.2.1 cho thy cc thnh phn ct li c s dng bi TMG cho yu cu ny.

Hnh II.12.2.1 Thnh phn ct li ca TMG trong x l HTTP request t web proxy client

Trnh t sau y c s dng khi mt client Web proxy yu cu mt ngun ti nguyn


HTTP. Tuy nhin, nu ngi dng ang s dng giao thc HTTPS (HTTP trn SSL) trong
mt URL, trnh t l hi khc nhau. Bt k trnh duyt Web CERN tun th bt u yu cu
kt ni SSL bng cch gi HTTP CONNECT (CONNECT host_name: cng HTTP/1.1), tip
theo l cc bc sau:
1) Trnh duyt s gi mt yu cu HTTP CONNECT n Web Listener TMG proxy.
2) Cc dch v kim tra chnh sch xc nh xem yu cu c th c gi t ngun
(client) n cc im n (Web Server) s dng giao thc HTTP.
3) Gi s rng yu cu l c cho php, Firewall chuyn tip dch v yu cu b lc
Web Proxy.
4) Cc b lc Web Proxy xc nh liu cc port quy nh trong yu cu CONNECT c
bao gm trong mt phm vi cng ng hm c xc nh trong TMG. (Theo mc
nh, ch c TCP port 443 cho php cc kt ni SSL). Nu s cng yu cu ca client
c cho php, b lc Web Proxy kt ni vi cc my ch ch trn cng .
5) Yu cu c gi n cc my ch ch.
6) Khi hot ng ny thnh cng, TMG phn ng vi mt m trng thi HTTP 200
thng bo cho client bit kt ni c thit lp.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 63

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Sau TMG i vo ch ng ngm tin hnh bt tay SSL gia cc Clients v my


ch ch. Hnh II.12.2.2 minh ha cc bc sau.

Hnh 1 HTTP request t web proxy client n TMG

Theo mc nh ch c hai cng c cho php bi TMG cho SSL ng hm: cng
TCP 443 v cng TCP 593.
12.3.

Cu hnh Server-Side

Theo mc nh, TMG cho php truy cp cho Web Proxy Client nm trn mng ni b
mc nh. Cng mc nh lng nghe l TCP cng 8080. Bn c th xc nhn iu ny bng
cch lm theo cc bc sau:
1) M Forefront TMG Management Console.
2) M rng nt Forefront TMG (Name Server) trong khung bn tri.
3) Nhp vo nt mng khung bn tri v sau nhp vo tab mng gia ca s.
Nhp vo mng ni b.
4) Nhp vo chnh sa mng c la chn trong khung bn phi.
5) Trong hp thoi Internal Properties, nhn vo tab Web Proxy.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 64

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.12.3.1 Cu hnh web proxy trong TMG

12.4.

S dng Web Proxy Client

Bng II.12.4.1 thng k nhu cu vi TMG client

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 65

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Mc d s dng cu hnh Web proxy my khch c nhiu u im song n cng c mt s


hn ch. Cc hn ch chnh l h tr giao thc. Web Proxy Client h tr cc giao thc sau
y: Hypertext Transfer Protocol (HTTP), HTTP qua SSL (HTTPS), File Transfer Protocol
(FTP) yu cu ti v (My vi tnh cu hnh l Web proxy client khng h tr upload) iu
ny c ngha rng nu bn cn truy cp vo mt ng dng s dng Winsock, Web Proxy
Client s khng lm vic cho yu cu .
12.5.

SecureNET Clients

Bt k my tnh vi mt chng mng TCP/IP c th c cu hnh nh mt client


SecureNET. Yu cu duy nht l cu hnh cng mc nh nh tuyn tt c lu lng
truy cp n Internet thng qua TMG. Lu lng truy cp c th c chuyn thng qua
mt b nh tuyn nu my tnh c subnet khc vi TMG.
i vi TMG h tr client SecureNET, n cn t nht hai card mng. SecureNET Client tham
gia vo mt trong hai loi mng:
Mng n gin - trong cu hnh c hin th trong hnh II.12.5.1, client v TMG
l trn cng mt mng con, v tt c nhng g cn phi c cu hnh trn my
khch l gateway mc nh a ch IP trn giao din mng ni b ca TMG.

Hnh II.12.5.1 M hnh mng n gin

Mng phc tp - trong cu hnh c hin th trong Hnh II.12.5.2, TMG v


SecureNET Client c t trn cc mng con khc nhau, vi mt hoc nhiu b
nh tuyn ngn cch cc SecureNET Client t TMG. Trong mng ny, cc b nh
tuyn trong chui gia client v TMG cn phi c cng mc nh ca n ch n a
ch IP ni b ca TMG.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 66

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.12.5.2 M hnh mng phc tp

12.6.

SecureNet Client lm vic nh th no?

Cc dch v Firewall x l cc yu cu t SecureNET Client. Giao thng SecureNET nhn


c NDIS TMG Miniport, thng qua cc b lc gi tin, v sau thng qua cc dch v
Firewall xc nh xem yu cu c cho php hoc b t chi. Ti thi im ny, cc
dch v Firewall xc nh xem cc yu cu nn c lu tr hay nhng ni dung cn c
tr li t b nh cache. Nu chnh sch TMG cho php lu lng truy cp ny, n c
thng qua gi lc TMG, ni m bn gc SecureNET IP ca client c thay th bng mt
a ch IP bn ngoi.
Name resolution for SecureNet Clients

Hnh II.12.6.1 Loopback DNS

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 67

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

1) Cc client SecureNET s gi mt yu cu truy vn DNS n my ch DNS gii quyt


tn Web ca my ch.
2) Cc my ch DNS tr li vi a ch IP ca TMG bn ngoi.
3) SecureNET chuyn tip yu cu client n a ch IP ni b ca TMG.
4) Yu cu vng tr li t a ch IP TMG bn ngoi ch IP ni b ca TMG.
5) TMG chuyn tip yu cu n my ch Web ni b.
Bn c th trnh tnh hnh Loopback bng cch s dng mt c s h tng DNS phn chia
hoc bng cch bo m rng my ch DNS m client SecureNET c cu hnh s
dng gii quyt tn ca my ch Web Publish n a ch IP ni b ca my ch web ring
ca mnh. V vy yu cu i trc tip n my ch Web thay v c nh tuyn thng qua
TMG.
12.7.

SecureNet Client advantages

Cc client SecureNET l la chn duy nht ca bn h tr cc giao thc khng phi Web
cho Non-Windows Client. Vn l TMG client khng c h tr client khng phi
Windows. Nh vy, client SecureNET l la chn duy nht ca bn h tr giao thc web
cho client khng phi l Windows. Cc client SecureNET l loi client duy nht c h tr
giao thc Non-TCP/UDP. Hai cc giao thc Non-TCP/UDP ph bin nht c s dng bi
cc qun tr vin TMG l ICMP v PPTP. PPTP s dng mt s kt hp ca cng TCP 1743
v Generic Routing Encapsulation (GRE), trong s dng giao thc IP 47. ICMP v GRE
thay th UDP hoc TCP nh trong phn giao thc vn chuyn ca mng stack v do
khng th b chn v nh gi bi phn mm my khch TMG.
12.8.

SecureNet Client Disadvantages

Nhc im ln nht ca client SecureNET l khng c kh nng xc thc n TMG.


TCP/IP lp 4 (m hnh OSI) khng cung cp xc thc ngi dng v i hi mt thnh
phn ng dng gi thng tin ngi dng. Khng ging nh cc TMG client hoc proxy
Web client c kh nng gi thng tin ngi dng, SecureNET client khng th thc thi cc
quy tc da trn ngi dng hoc nhm. Cch duy nht cung cp hn ch truy cp cho
cc client SecureNET l thit lp cc quy tc da trn a ch IP ngun v a ch IP ch v
domains. SecureNET client yu cu b lc ng dng TMG h tr cc giao thc phc tp
(giao thc i hi phi c nhiu kt ni chnh hoc th cp).

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 68

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.12.8.1 u v nhc im ca SecureNET Client

12.9.

Forefront TMG Client

Hnh II.12.9.1 cho thy tab Forefront TMG client trong hp thoi Default Internal Network
Properties.

Hnh II.12.9.1 Forefront TMG Client tab

Nhp tn vo trng Forefront TMG name or IP address TMG xc nh cc thit lp ny.


Nu khng, TMGC s khng th kt ni vi TMG. Ngoi ra, bn c th nhp a ch IP
c s dng bi TMG trong mng ny trnh cc vn phn gii tn.
Hnh II.12.9.2 cung cp mt v d v hp thoi TMG Forefront Client Settings.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 69

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II 12.9.2 Forefront TMG Client Setting

TMG Client Authentication s dng mt trong hai c ch xc thc:


Nu TMGC l mt thnh vin khng thuc domain, NTLM SSPI c s dng.
Nu TMGC v TMG l trong cc domain tin cy, Kerberos SSPI c s dng.

Bng II.12.9.1 u tin khi la chn TMG client

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 70

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Bng II.12.9.2 Nhng phin bn Client ph hp vi tng nhu cu

SECURE NAT

FIREWALL
CLIENT

WEB PROXY

Khng cn ci t ng
dng no

Khng cn ci t ng
dng

Khai bo Default gateway


nh tuyn n Internal
ca TMG

Khai bo tn hoc IP
v port 8080 cho
Proxy Server

H iu
Hnh

H tr TCP/IP

H tr trnh duyt web

windows

Giao Thc

Cc giao thc Multiconnections nu TMG kch


hot application filter
tng ng

HTTP, HTTPS, FTP &


FTPS

Mi giao thc

Chng Thc

Khng

Ci t

Ci t chng
trnh Firewall
Client

Bng II.12.9.3 So snh nhng tnh nng gia SecureNAT, Web Porxy v Firewall Client

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 71

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

13. GIAO DIN TMG


13.1.

TMG 2010

Hnh II.13.1.1 cho thy TMG chnh 2010 giao din iu khin.

Hnh 2 II.13.1.1 Giao din chnh ca TMG 2010

Cc khung bn tri cho thy cc nt c thm vo hoc sa i t TMG MBE, l:


E-Mail Policy ty chn ny cho php bn cu hnh bo v SMTP "Tng cng bo
v E-Mail".
Intrusion Prevention System y bn c th cu hnh bo v mng "Mng li
kim tra h thng."
Remote Access Policy (VPN) ty chn ny c gi l Virtual Private Network
(VPN), cho php truy cp t xa thng qua TMG.
Logs & Reports y khng phi l mt ty chn mi. Hnh II.13.1.2 so snh TMG
MBE v TMG 2010.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 72

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.13.1.2 Nhng tnh nng mi trong TMG 2010 so vi TMG MBE

13.2.

Monitoring

Cc ty chn c hin th trong hnh II.13.2.1.

Hnh II.13.2.1 Cc tab trong Monitor

Vo tab Services, cch TMG trnh by chy dch v cng thay i. By gi cc dch v
bo co c chia thnh cc nhm ring. iu ny l c li trong vic gip bn hiu thnh
phn nhu cu cc dch v. Hnh II.13.2.2 cho thy cc mc mi trong tab Services.

Hnh II.13.2.2 Services tab

13.3.

Firewall policy

Thanh cng c mi b sung la chn c th gip bn nhanh chng truy cp vo cc nhim


v lin quan. Hnh II.13.3.1 cho thy thanh cng c c sn khi bn click vo Firewall Policy.

Hnh II.13.3.1 Thanh cng c Firewall Policy

Nhng thay i khc c t trong ca s nhim v v cng c lin quan n tnh nng
mi ca TMG 2010, chng hn nh ty chn cu hnh Voice over Internet Protocol (VoIP).
_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 73

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

13.4.

Chnh sch Web Access

Chnh sch Web Access khng thay i iu trong TMG 2010 n l mt tnh nng mi
trong TMG MBE. Ch thm cc ty chn truy cp vo lc URL v kim tra HTTPS, nh th
hin trong hnh II.13.4.1.

Hnh II.13.4.1 Cc ty chn trong Task web Protection

Ngoi ra, nhng thay i thanh cng c khi bn chn Web Access Policy v cung cp cc
phm tt mi cho cc ty chn khc, nh th hin trong hnh II.13.4.2.

Hnh 3 II.13.4.2 Thanh cng c Web Access

13.5.

E-Mail Policy

E-mail bo v l mt trong nhng lnh vc chnh TMG 2010 gii thiu tp hp cc tnh nng
mi. Ty chn ny c thit k cung cp truy cp d dng cu hnh chnh sch
E-mail, lc th rc, virus v lc ni dung. Tab u tin (E-Mail Policy) c cc ty chn
to mt hnh mi chnh sch v kt hp n n my ch SMTP ni b. Hnh II.13.5.1 cho
thy cc ty chn cho E-Mail Policy tab.
Khi bn nhp vo tab E-Mail Policy, ca s nhim v cho cc ty chn c hin th trong
Hnh II.13.5.2.

Hnh II.13.5.1 Tab E-mail Policy

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 74

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.13.5.2 E-mail policy task

Hnh II.13.5.3 v II.13.5.4 cho thy cc ty chn c sn cho hai tab khc.

Hnh II.13.5.3 Tab Spam Filtering

Hnh II 13.5.4 Tab Virus and Contenfiltering

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 75

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

13.6.

Intrusion Prevention System

Mng li bo v c cung cp bi TMG 2010 c cu hnh bng cch s dng Network


Inspection System (NIS). Ty chn ny cho php bn cu hnh ch k v cng c th cu
hnh hnh ng (phn ng) khi TMG 2010 pht hin mng li giao thng ph hp vi mt
ch k nh vy. Hnh 66 hin th mn hnh chnh ca IPS, c chia thnh hai tab: Network
Inspection System (NIS) (hnh II.13.6.1) v Behavioral Intrusion Detection (hnh II.13.6.2).

Hnh II.13.6.1 Network Inspection System tab

Hnh II.13.6.2 Behavioral Intrusion Detection tab

Sau khi cch nhn vo Tab Network Inspection System, bn c cc ty chn c hin th
trong Hnh II.13.6.3.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 76

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.13.6.3 Cc thnh phn cu hnh trong NIS tasks

Hnh II.13.6.4 cho thy cc tab mi trong TMB 2010.

Hnh 4 II.13.6.4 Tab Network Adapter and Routing

Tab Network Adapter, cho php bn xem cu hnh IP ca giao din mng trn my tnh
TMG. iu ny c th gip bn tit kim thi gian nu bn mun nhanh chng xem xt cu
hnh TCP/IP ca bn bi v bn khng cn phi m Control Panel ca Windows v m
Network and Sharing Center. Hnh II.13.6.5 cho thy iu ny.

Hnh II.13.6.5 Thng tin trong tab Network Adapter

B sung tuyt vi khc l by gi bn c th xem bng nh tuyn ca bn m khng cn


phi s dng lnh route print t du nhc lnh.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 77

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.13.6.6 Thng tin trong tab Routing

Tab cui cng, ISP Redundancy, s c tt theo mc nh, nh th hin trong hnh
II.13.6.7.

Hnh II.13.6.7 ISP Redundancy tab

Cc ty chn c sn trong ca s nhim v cho tnh nng ny c th hin trong hnh


II.13.6.8.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 78

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Hnh II.13.6.8 Cc thnh phn cu hnh trong ISP Redundancy Tasks

14. NEW WIZARDS


14.1.

The Getting Started Wizard

Hnh II.14.1.1 Getting started wizard

Winzard ny cho php bn xc nh thit lp TMG c bn bng cch cung cp truy cp d


dng n bn wizards khc:

Network Setup Wizard


System Configuration Wizard
Deployment Wizard
Web Access Policy wizard

Cc trnh thut s gip n gin ha cc nhim v cu hnh TMG h tr cc nhu cu ca


vic trin khai. Mc d bn c th thc hin Getting Started Wizard bt c lc no bn
thch. Getting Started Wizard c hin th trong hnh II.14.1.2.

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 79

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

Figure II.14.1.2 Configuration steps in the Getting Started Wizard

When you see the Getting Started Wizard for the first time, the three main tasks can be performed in the order presented. Once these tasks have been completed, you can run them in any order you want.

14.2. Network Setup Wizard

The Network Setup Wizard is an extension of the ISA Server 2006 Network Template Wizard. Just as in the ISA Server 2006 Network Template Wizard, you can choose from four basic network configurations:
- Edge Firewall
- 3-Leg Perimeter (disabled in EBS)
- Back Firewall
- Single-Network Adapter

Unlike the ISA Server 2006 Network Template Wizard, the TMG Network Setup Wizard also lets you define the IP settings for each NIC as you associate it with the related TMG network.

Another improvement over the ISA Server 2006 Network Template Wizard appears when you choose the 3-Leg or Back Firewall template. In these cases, the Network Setup Wizard gives you the ability to choose the network relationship for the perimeter network. This is a big improvement over the ISA Server 2006 Network Template Wizard, which made no assumption about this relationship and left it to you to create a NAT or Route relationship. Figure II.14.2.1 illustrates these additions.
Figure II.14.2.1 Network Setup Wizard

14.3. System Configuration Wizard

The System Configuration Wizard lets you define the operational properties of TMG:
- Computer name
- Domain or workgroup membership
- Primary DNS suffix

14.4. Deployment Wizard

The Deployment Wizard provides access to five configuration types:
- Microsoft Update Setup: lets you choose whether to use Microsoft Update or a manual update process to obtain TMG malware definition updates. This does not affect the subscription-based URL filtering update process.
- TMG Protection Features Settings: lets you define licensing for the Intrusion Prevention System (IPS), Web access protection, e-mail protection, and Web and e-mail access filtering.
- Customer Feedback: provides automatic Customer Experience feedback about TMG usage patterns and configuration.
- Microsoft Telemetry Service: lets you choose whether to participate in the program using one of two membership levels, basic or advanced, or not to participate at all.
14.5. The Web Access Policy Wizard

The Web Access Policy Wizard is accessible as an optional step in the Getting Started Wizard or from the context menu opened by right-clicking Web Access Policy in the left pane, as shown in Figure II.14.5.1.

Figure II.14.5.1 Configuring the Web Access Policy

The Web Access Policy Wizard provides a guided method through which you can define HTTP access rules. It also lets you configure this policy in the context of malware inspection. You can edit these policies to suit your specific requirements.

14.6. The Join Array and Disjoin Array Wizards (TMG 2010 only)

The Join Array Wizard is located in the task pane when you select Forefront TMG (ArrayName). Figure II.14.6.1 shows the Join Array wizard, while Figure II.14.6.2 shows the Disjoin Array wizard.

Figure II.14.6.1 Join Array

Figure II.14.6.2 Disjoin Array

This wizard provides a relatively easy means of moving between standalone and enterprise array operation and back.
14.7. The Connect to Forefront Protection Manager 2010 Wizard (TMG 2010 only)

Connecting to Forefront Protection Manager (FPM) 2010 provides the means to join a Forefront TMG array to an FPM 2010 system.

Figure II.14.7.1 Forefront Protection Manager Integration page link

14.8. The Configure SIP Wizard (TMG 2010 only)

This wizard lets you configure TMG to support VoIP traffic using the Session Initiation Protocol (SIP). Figure II.14.8.1 shows the link to the Configure SIP Wizard.

Figure II.14.8.1 SIP configuration

14.9. The Configure E-Mail Policy Wizard (TMG 2010 only)

This wizard helps you define the spam e-mail and malware policy.

Figure II.14.9.1 E-mail Policy task

14.10. The Enable ISP Redundancy Wizard (TMG 2010 only)

This wizard lets you configure Forefront TMG to use two ISP connections in one of two ways:
- ISP Redundancy: this mode lets TMG use both ISP connections simultaneously and therefore provides greater bandwidth.
- ISP Failover: this mode lets TMG use one ISP connection at a time and switch to the other connection if the primary connection fails.

Figure II.14.10.1 Configuring ISP redundancy

15. CONFIGURING TMG NETWORKS

15.1. Route Relationships

In a route relationship, the IP address fields are left unchanged as traffic passes between the source and destination hosts. In this regard, TMG behaves like a basic network router. Figure II.15.1.1 describes basic traffic flow in a route relationship.

Figure II.15.1.1 Route Relationships

15.2. NAT Relationships

A NAT relationship tells TMG that it must rewrite IP addresses in network traffic as it passes between hosts.

A NAT relationship defines a one-way traffic relationship through TMG; that is, the IP address representing the hosts on the source side of the relationship is always changed. The behavior for the IP addresses of hosts on the destination side of the relationship depends on the type of firewall rule used to process the traffic. You can define two forms of NAT:
- Full-NAT: in this case, the destination address is changed to match the published server's IP address and the source IP address is changed to reflect TMG's default IP address in the relevant network.
- Half-NAT: in this case, only the destination address is changed to match the published server's IP address. The source address is not changed.

Figure II.15.2.1 and the rule-type list that follows illustrate the different traffic behaviors across a NAT relationship.

Figure II.15.2.1 NAT Relationships

- Access Rules: the IP addresses of hosts in the destination network remain unchanged for all traffic. The IP addresses of hosts in the source network are changed according to the network rule's relationship configuration.
- Publishing Rules: the IP addresses of hosts in the destination network are changed according to the settings illustrated in Figures II.15.2.2 and II.15.2.3.

Figure II.15.2.2 Half NAT publishing (default)

Figure II.15.2.3 Full NAT publishing

Figure II.15.2.4 shows the default options for any NAT network rule.

Figure II.15.2.4 Default NAT address selection

TMG provides three choices for this behavior:
- Always use the default IP address: this option makes TMG behave like ISA 2006. Traffic originating from the source network used in this rule is seen in the destination network with a source IP address that is TMG's default IP address in the destination network. Figure II.15.2.5 illustrates this behavior using 192.168.0.1 as TMG's default IP address.

Figure II.15.2.5 Default NAT

- Use the selected IP address: this option configures a TMG firewall or proxy, or an NLB-enabled TMG array, to use a single IP address (the virtual IP of the NLB cluster) to represent traffic originating from the source network. Figure II.15.2.6 illustrates this behavior for an NLB-enabled TMG array using 192.168.0.3 as the virtual IP address.

Figure II.15.2.6 Single-IP (NLB) NAT

- Use the selected IP address for each network: this option makes TMG use a unique IP address for each TMG firewall or proxy in the array to represent traffic originating from the source network. Figure II.15.2.7 illustrates this behavior.

Figure II.15.2.7 Per-server IP NAT
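The address-rewriting rules of sections 15.1 and 15.2, as an added example that is not part of the page or of TMG itself: a small model that reports how a packet's addresses appear on the far side of a route or NAT relationship, depending on the rule type, the NAT form and the source-address option. The addresses 192.168.0.1 and 192.168.0.3 are the page's own examples; the published server and per-server addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses TMG owns in the destination network. 192.168.0.1 (default IP) and
# 192.168.0.3 (NLB virtual IP) are the values the page uses; the per-server
# addresses are constructed for this example.
TMG_DEFAULT_IP = "192.168.0.1"
NLB_VIP = "192.168.0.3"
PER_SERVER_IP = {"TMG1": "192.168.0.11", "TMG2": "192.168.0.12"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def tmg_source_address(option: str, server: str) -> str:
    """Which TMG address represents the source network (the Figure II.15.2.4 options)."""
    if option == "default":      # Always use the default IP address (ISA 2006 behaviour)
        return TMG_DEFAULT_IP
    if option == "selected":     # Use the selected IP address (one VIP for the whole array)
        return NLB_VIP
    if option == "per_server":   # Use the selected IP address for each network (one per member)
        return PER_SERVER_IP[server]
    raise ValueError(f"unknown source-address option: {option}")


def translate(packet: Packet, relationship: str, rule_type: str,
              nat_form: str = "half", option: str = "default",
              server: str = "TMG1", published_ip: Optional[str] = None) -> Packet:
    """Return the packet as hosts in the destination network see it.

    relationship: "route" or "nat"
    rule_type:    "access" or "publishing"
    nat_form:     "half" or "full" (publishing rules only)
    """
    if relationship == "route":
        # Route relationship: TMG behaves like a basic router, both fields unchanged.
        return packet
    if relationship != "nat":
        raise ValueError(f"unknown relationship: {relationship}")

    if rule_type == "access":
        # Access rule across NAT: destination untouched, source replaced by the
        # TMG address chosen by the network rule's source-address option.
        return Packet(src=tmg_source_address(option, server), dst=packet.dst)

    if rule_type == "publishing":
        if published_ip is None:
            raise ValueError("a publishing rule needs the published server's IP")
        if nat_form == "half":
            # Half-NAT (default): only the destination is rewritten to the published server.
            return Packet(src=packet.src, dst=published_ip)
        if nat_form == "full":
            # Full-NAT: destination rewritten and source replaced by TMG's own address.
            return Packet(src=tmg_source_address(option, server), dst=published_ip)
        raise ValueError(f"unknown NAT form: {nat_form}")
    raise ValueError(f"unknown rule type: {rule_type}")
```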

15.3. Network Rules

The order of the network rules is very important for TMG to evaluate traffic correctly. Figure II.15.3.1 illustrates the default network rules created for the Edge Firewall template.

Figure II.15.3.1 Default Network Rules for Edge Deployment

All network rules operate in the context of network objects. These can include most of the criteria collectively referred to in firewall policy as network objects. When you run the Network Rule Wizard, you can choose a set of network objects from the firewall policy, as shown in Figure II.15.3.2.

Figure II.15.3.2 Network Entities selection dialog box

15.4. Built-In Networks

When you install TMG, you are asked to define your internal network. After installing TMG you will notice that several networks are built in on the Networks tab. These networks differ depending on the network template applied. Before we discuss the networks created during installation, let's look at what each built-in network represents.
- Local Host: includes any IP address used by the computer on which TMG is installed.
- Internal Network: this network is created during installation and defines a network consisting of the addresses used by a set of clients protected and controlled by TMG policy.
- VPN Clients Network: includes all IP addresses assigned to VPN clients connected to the TMG computer. If Routing and Remote Access on TMG is set up to allocate client addresses from a DHCP server, this network is dynamic and addresses are automatically added and removed as VPN clients connect and disconnect.
- Quarantined VPN Clients Network: includes all IP addresses of quarantined VPN clients, which have restricted access. This is a dynamic network based on the quarantined computers; addresses are added and removed as VPN clients are added to or removed from the quarantine list.
- Perimeter: includes the IP addresses of your perimeter network. You can create multiple perimeter networks as long as you have a physical interface on TMG within the same address range.
- External: this external network includes all IP addresses not defined in any other network.
Table II.15.4.1 Summary of the built-in networks

Figure II.15.4.1 Network layer control interface

15.5. Configuring Your Protected Networks

All networks behind TMG are known as protected networks. Figure II.15.5.1 shows an example of the network layers and their classification.

Figure II.15.5.1 Model of the protected network layers

After running the Getting Started Wizard and the Web Access Wizard, you are ready to use TMG. However, you can configure some additional options afterwards. To access the options for the internal protected network, follow these steps:
1. On the TMG computer, open the Forefront TMG Management Console.
2. Click Forefront TMG (Server Name) in the left pane.
3. Click the Networking node in the left pane of the console and then click the Internal tab in the center panel.
4. Click Edit Selected Network in the right pane and you will see a dialog box similar to the one shown in Figure II.15.5.2.

Figure II.15.5.2 Internal Properties dialog box

15.6. Authenticating Traffic from Protected Networks

To access the authentication options for the default internal network in the Web proxy, follow these steps:
1. On the TMG computer, open the Forefront TMG Management Console.
2. Click Forefront TMG (Server Name) in the left pane.
3. Click the Networking node in the left pane of the console and then click the Internal tab in the center panel.
4. Click Edit Selected Network in the right pane.
5. Click the Web Proxy tab and then click the Authentication button. You will see a dialog box similar to the one shown in Figure II.15.6.1.

Figure II.15.6.1 Authentication options for the internal network

16. LOAD BALANCING

16.1. What is ISP Redundancy?

ISP Redundancy is a TMG feature that provides high availability or load sharing for the Internet connection by using two ISP links. It ensures that if the primary ISP link goes down, TMG moves all client connections to the secondary ISP link. Once the primary ISP link is back, TMG moves all connections back to the primary link, as shown in Figure II.16.1.1. There are two different scenarios in ISP-R:
- ISP Failover: in this scenario you configure failover from a primary ISP link to a secondary ISP link. The secondary or backup ISP link is used only when the primary is unavailable. This is especially useful when you pay for traffic on a connection kept as a backup, used only when the main ISP link is down. ISP Failover does not provide load balancing.
- ISP Load Balancing: in this scenario you configure load balancing between two ISP links so that traffic can be balanced between them. ISP Load Balancing lets you use all the available ISP bandwidth and also provides ISP failover capability. With ISP load balancing, you control how much traffic each ISP carries by defining a relative weight percentage for each ISP connection.

Figure II.16.1.1 The ISP redundancy feature in TMG

16.2. Enabling ISP-R

You enable ISP-R through the links available on the Tasks tab when the Networking node is selected in the left pane of the console, as shown in Figure II.16.2.1.

Figure II.16.2.1 Configuring ISP redundancy

16.3. NLB Architecture

NLB operates as an NDIS driver, so it can process traffic before the TCP/IP protocol sees it. Each node that is part of an NLB cluster has a unique IP address, known as the dedicated IP (DIP) address. All nodes in an NLB array share a set of common IP addresses, called virtual IP addresses (VIPs). Figure II.16.3.1 shows the basic architecture diagram for NLB.

Figure II.16.3.1 Basic NLB architecture

NLB has three operating modes, which define how NLB communicates with clients and between the nodes in the NLB array. The three modes are unicast, multicast, and multicast with IGMP. In any mode, the MAC address in traffic leaving a host in the NLB network is set to the same value on all nodes. NLB on TMG can operate in integrated and non-integrated mode. When you enable integrated NLB, the default operating mode is unicast. In unicast mode, packets are delivered in parallel to all nodes and the NLB driver then filters out the packets that are not meant to be processed by a particular node. NLB also supports multicast mode, which adds a multicast MAC address to the node's adapter on all hosts that are part of the NLB cluster. Although all nodes share a common multicast MAC address, the nodes also retain their original MAC addresses.

Figure II.16.3.2 The difference between unicast and multicast MAC addresses

16.4. Using the TMG Management Console

You can view the status of the NLB services on the local array member or on another array member on the Services tab of the Monitoring node in the left panel of the console. In the TMG console, under Monitoring on the Services tab, you can see the options shown in Figure II.16.4.1. You can use these options in some troubleshooting situations, such as those shown in Figure II.16.4.2.

Figure II.16.4.1 NLB control options

Figure II.16.4.2 Meaning of the NLB control options

You can use these options when you want to isolate an NLB node that has a problem, or when you want to force users to connect to a different NLB member. When TMG detects a misconfiguration in NLB or an inconsistency between NLB members, it is shown on the Alerts tab. You can use these alerts to identify potential problems and start troubleshooting them. Figure II.16.4.3 shows an example of several entries on the Alerts tab for the NLB service.

Figure II.16.4.3 NLB alerts

The first alert selected in Figure II.16.4.3 shows a configuration failure that caused NLB to stop working. At the bottom of the window, you can view the alert information with details about this problem.

17. NETWORK INSPECTION SYSTEM

The Network Inspection System (NIS) is a new traffic analysis mechanism in TMG. NIS is built on the network protocol analysis work done by Microsoft Research on the Generic Application-Level Protocol Analyzer (GAPA).

When a packet is received by TMG, it is filtered through the policy engine and the protocol filters before being processed by NIS. When a NIS signature is enabled, NIS is able to close a connection if it detects a match for a signature whose response is set to Block.

Figure II.17.1 How NIS operates

NIS operation is driven by signature definitions. These signatures are created by the Microsoft Malware Protection Center (MMPC), which analyzes malware using a combination of TMG telemetry data and other sources together with a protocol definition language. NIS signatures are developed and tested as attack methods are encountered, and they are distributed through Microsoft's update channel.

17.1. Implementing the Network Inspection System

Configuring NIS in TMG is divided into three main choices: general configuration, exceptions, and updates. First you should define NIS's general behavior, then you add exceptions to the general rule, and finally you configure how NIS checks for signature updates.

To configure the Network Inspection System, open the TMG console and go to the Intrusion Prevention System node in the left pane of the console.

Figure II.17.1.1 Network Inspection System main page

This window shows the following fields in the center pane:
- Name: displays the name of the signature as defined by Microsoft Security.
- Attention: displays a flag when the signature is flagged for attention and a grey flag otherwise.
- Status: displays the current status of the signature, which can be Enabled or Disabled.
- Response: displays the current type of response taken if this signature is triggered. It can be set to Detect or Block.
- Policy Type: displays the selected policy type. This setting is initially defined in the Getting Started Wizard.
- Date Published: displays the date the signature for this vulnerability was published.
- Related Bulletins: displays the Microsoft security bulletin number associated with this vulnerability.
- CVE Number: the Common Vulnerabilities and Exposures (CVE) number associated with this vulnerability.

17.2. Attack Types

Table II.17.2.1 Information on network attack types

Table II.17.2.2 Information on DNS attack types

18. CACHING

18.1. Understanding Proxy Caching

Forefront TMG 2010 provides a Web caching feature that delivers better performance and response times for Web requests. You can configure Forefront TMG 2010 to cache Web objects that end users frequently request. When an end user makes an Internet request, Forefront TMG 2010 can serve the request from its cache instead of making an Internet request. Web caching provides two main benefits:
- Faster Internet access: because Web requests are served from the local cache instead of being sent to a remote Web server on the Internet, Web caching gives end users faster access to Web content. The cache provides faster access for Internet users by returning content from the cache instead of requesting it from the Web server, which also reduces the load on the Web server.
- Reduced Internet traffic: because frequently requested content can be served from the cache, bandwidth is saved by reducing the amount of traffic sent to the Internet.

18.2. How Does Caching Work?

Forefront TMG 2010 can be configured to maintain a cache of Web objects and to fulfil Web requests from its cache. If a request cannot be fulfilled from the cache, Forefront TMG 2010 initiates a request to the Web server on behalf of the client. After the Web server responds to the request, Forefront TMG 2010 stores the response and forwards it to the end user. By default, caching is not enabled on Forefront TMG 2010 and no disk space is allocated for the cache. When caching is enabled, an administrator can define cache rules that determine which content from specified sites is stored in and retrieved from the Forefront TMG 2010 cache.
If the request is allowed, Forefront TMG 2010 analyzes its cache configuration and the stored objects to determine whether the request should be served from the cache or retrieved from the Web server. If the object is not present in the cache, Forefront TMG 2010 checks the Web Chaining rules to determine whether the request should be forwarded directly to the requested Web server, to an upstream proxy server, or to an alternate destination. If the request exists in the cache, Forefront TMG 2010 performs the following steps:
1. Forefront TMG 2010 checks whether the object is valid. If the object is valid, Forefront TMG 2010 retrieves it from the cache and returns it to the user. Forefront TMG 2010 determines whether the object is valid by performing the following checks:
   - The Time to Live (TTL) specified at the source has not expired.
   - The TTL configured in the content download job has not expired.
   - The TTL configured for the object has not expired.
2. If the object is not valid, Forefront TMG 2010 checks the Web Chaining rules.
3. If a Web Chaining rule matches the request, Forefront TMG 2010 performs the action specified by that Web Chaining rule; for example, it routes the request directly to a specified Web server, to a proxy, or to a specified alternate server.
4. If the Web Chaining rules are configured to route the request to a Web server, Forefront TMG 2010 determines whether the Web server is reachable.
5. If the Web server is not reachable, Forefront TMG 2010 determines whether the cache is configured to return expired objects. If the cache is configured to allow Forefront TMG 2010 to return an expired object as long as the maximum expiration time has not passed, the object is returned from the cache to the end user.
6. If the Web server is available, Forefront TMG 2010 determines whether the object can be cached, depending on whether the cache rules are set to cache the response. If so, Forefront TMG 2010 stores the object and returns it to the end user.
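The six-step cache decision above, as an added example that is not part of the page or of Forefront TMG itself: a model that applies the three TTL checks, the Web Chaining route, the reachability test and the expired-object fallback to a constructed in-memory cache. The CacheConfig and WebChainingRule fields, the max_expired_age window and the fetch callback are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CachedObject:
    body: bytes
    stored_at: float             # clock value (seconds) when the object was stored
    source_ttl: float            # TTL given by the origin server
    job_ttl: Optional[float]     # TTL set by a content download job, if any
    object_ttl: Optional[float]  # TTL configured for the object by a cache rule, if any

    def expiry(self) -> float:
        """The earliest of the configured TTLs decides when the object expires."""
        ttls = [t for t in (self.source_ttl, self.job_ttl, self.object_ttl) if t is not None]
        return self.stored_at + min(ttls)

    def is_valid(self, now: float) -> bool:
        # Step 1: all three TTL checks must still hold.
        return now < self.expiry()


@dataclass
class CacheConfig:
    cache_responses: bool = True     # cache rule says "cache the response" (step 6)
    return_expired: bool = True      # serve expired objects when the origin is unreachable (step 5)
    max_expired_age: float = 3600.0  # constructed "maximum expiration time" window, in seconds


@dataclass
class WebChainingRule:
    route: str = "web_server"        # "web_server", "proxy" or "alternate"
    reachable: bool = True           # constructed stand-in for the step-4 reachability test


def serve(url: str, cache: Dict[str, CachedObject], cfg: CacheConfig,
          rule: WebChainingRule, fetch: Callable[[str], Tuple[bytes, float]],
          now: float) -> Tuple[str, Optional[bytes]]:
    """Return (where the response came from, body) following the six steps.

    fetch(url) stands in for the upstream request and returns (body, source TTL).
    """
    obj = cache.get(url)
    if obj is not None and obj.is_valid(now):
        return "cache", obj.body                        # step 1: valid object served from cache

    # steps 2-3: object missing or expired, so the Web Chaining rule decides the route
    if rule.route != "web_server":
        body, _ = fetch(url)                            # forwarded to the proxy/alternate server
        return rule.route, body

    # step 4: the rule routes directly to the Web server; is it reachable?
    if not rule.reachable:
        # step 5: an expired copy may still be returned, within the configured window
        if (obj is not None and cfg.return_expired
                and now - obj.expiry() <= cfg.max_expired_age):
            return "cache-expired", obj.body
        return "unavailable", None

    # step 6: fetch from the Web server, store it if the cache rule allows, return it
    body, ttl = fetch(url)
    if cfg.cache_responses:
        cache[url] = CachedObject(body, now, ttl, None, None)
    return "web_server", body
```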

19. MALWARE INSPECTION

19.1. Understanding Malware Inspection in TMG

TMG Malware Inspection is designed to detect and block malicious content in HTTP sent to clients in protected networks before that content can reach unsuspecting users' computers and cause irreparable damage.

Figure II.19.1.1 Web Filters tab

The position of the filters in the Web filter settings is very important. You should not change the filter order without specific guidance from Microsoft.

Figure II.19.1.2 Malware Inspection Filter properties dialog

The main goals of TMG Malware Inspection are:
- Reduce the threat of Web-sourced malware
- Provide a malware policy for the hosts in TMG-protected networks
- Reduce the impact on TMG
- Provide a reliable and flexible mechanism

To provide maximum flexibility, Malware Inspection can be enabled globally or on a per-rule, per-source, or per-destination basis. By combining these aspects with the users and groups specified in Web access rules, you can even decide which users are subject to or exempt from Malware Inspection.

In addition, you can exercise finer control by defining the size, type, archive depth and the files that are scanned, as well as what happens to any files that the Malware Inspection filter determines cannot be cleaned.

Malware Inspection reporting specifically lets you quickly and easily identify the threats your users may be subject to, as well as the impact of those threats.

Figure II.19.1.3 Example of Malware Inspection

19.2. Malware Inspection Options

19.2.1. Inspection Settings

To access these options, open the Malware Inspection window using steps 3 to 5 of the previous procedure and click Inspection Settings. Figure II.19.2.1.1 shows the options provided.

Figure II.19.2.1.1 Malware Inspection Settings

The following options are available in this window:
- Attempt To Clean Infected Files: TMG will attempt to clean an infected file and, if this fails, TMG presents an HTML page to the end user stating that the file was blocked because it is infected.
- Block Files With Low And Medium Severity Threats (Higher Level Threats Are Blocked Automatically): by default TMG blocks high-severity threats when inspecting for malware. By selecting this option, you also block threats considered low or medium severity.
- Block Suspicious Files: files that are scanned and suspected of being infected are blocked when this option is selected. TMG classifies a file as suspicious when it does not find specific malware but the scan results indicate that the file may be infected.
- Block Corrupted Files: if TMG determines that a scanned file is corrupted, TMG blocks it.
- Block Files That Cannot Be Scanned: enable this option if you want TMG to block files that cannot be scanned. An example of a file that TMG cannot scan is a password-protected archive. Because the file contents cannot be accessed without the password, TMG cannot scan the file for malware. Selecting this option may produce some false blocking actions for otherwise legitimate content, and for this reason the option is disabled by default.
- Block Encrypted Files: blocks files encrypted in a password-protected archive; TMG cannot scan files it cannot decrypt.
- Block Files If Scanning Time Exceeds (Seconds): to optimize the end-user experience, TMG lets you configure a file scan timeout. The default value is 300 seconds (5 minutes).
- Block Files If Archive Depth Level Exceeds: advanced users or malicious Web sites may try to evade scanning by causing an overflow condition in the scanning mechanisms. This option lets you mitigate such attempts by setting a maximum archive depth that TMG will search before blocking the file.
- Block Files Larger Than (MB): by default TMG blocks files larger than 1,000 MB (1 GB). This default setting helps reduce the performance impact and scan time for large files.
- Block Archive Files If Unpacked Content Is Larger Than (MB): TMG unpacks archive files so that their contents can be scanned. To limit the performance impact on TMG, you should keep this value low. By default, this limit is 4,095 MB (4 GB).
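The Inspection Settings options above, as an added example that is not part of the page or of TMG itself: a policy evaluator that applies the size, unpacked-size, archive-depth and scan-time limits and then the per-verdict block options to a constructed scan result. The defaults for scan time (300 s), file size (1,000 MB) and unpacked size (4,095 MB) are the page's; the archive-depth default, the other option defaults and the ScanResult verdict names are assumptions.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class InspectionSettings:
    """The Inspection Settings options. Numeric defaults follow the page; the
    boolean defaults and the archive depth are constructed for this example."""
    attempt_to_clean: bool = True
    block_low_medium: bool = False   # high-severity threats are always blocked
    block_suspicious: bool = False
    block_corrupted: bool = False
    block_unscannable: bool = False  # disabled by default (false blocks on protected archives)
    block_encrypted: bool = False
    scan_timeout_s: int = 300        # page default: 300 seconds
    max_archive_depth: int = 20      # constructed value; the page gives no default
    max_file_mb: int = 1000          # page default: 1,000 MB
    max_unpacked_mb: int = 4095      # page default: 4,095 MB


@dataclass
class ScanResult:
    """Constructed summary of what the scanner found for one HTTP body."""
    size_mb: float
    is_archive: bool = False
    unpacked_mb: float = 0.0
    archive_depth: int = 0
    scan_seconds: float = 0.0
    # clean | low | medium | high | suspicious | corrupted | unscannable | encrypted
    verdict: str = "clean"
    cleaned_ok: bool = False         # whether the cleaning attempt succeeded


def decide(r: ScanResult, s: InspectionSettings) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one file under the given settings."""
    # Size, unpacking and timing limits are enforced regardless of the content verdict.
    if r.size_mb > s.max_file_mb:
        return "block", "file larger than limit"
    if r.is_archive and r.unpacked_mb > s.max_unpacked_mb:
        return "block", "unpacked content larger than limit"
    if r.is_archive and r.archive_depth > s.max_archive_depth:
        return "block", "archive depth exceeds limit"
    if r.scan_seconds > s.scan_timeout_s:
        return "block", "scanning time exceeded"

    v = r.verdict
    if v in ("high", "low", "medium"):
        # An infected file that was successfully cleaned is delivered cleaned.
        if s.attempt_to_clean and r.cleaned_ok:
            return "allow", "infected file cleaned"
        if v == "high" or s.block_low_medium:
            return "block", f"{v} severity threat"
        return "allow", f"{v} severity threat not blocked"
    if v == "suspicious":
        return ("block", "suspicious file") if s.block_suspicious else ("allow", "suspicious but not blocked")
    if v == "corrupted":
        return ("block", "corrupted file") if s.block_corrupted else ("allow", "corrupted but not blocked")
    if v == "encrypted":
        return ("block", "encrypted file") if s.block_encrypted else ("allow", "encrypted but not blocked")
    if v == "unscannable":
        return ("block", "file cannot be scanned") if s.block_unscannable else ("allow", "unscannable but not blocked")
    return "allow", "clean"
```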

19.2.2. Content Delivery

Figure II.19.2.2.1 Content Delivery tab in Malware Inspection

This method delivers packets to the user slowly to keep the connection alive and thus avoid application failures. The other method available for content delivery is called fast trickling. If you choose this method, TMG sends the data to the user as fast as possible, but the last portion of the data transfer is held until TMG has completed the scan. You can also define which content types are excluded from Malware Inspection.

19.2.3. Storage

When TMG inspects a file, it temporarily stores the file in %systemroot%\temp\ScanStorage, the default folder. You can change this setting using the Storage tab, as shown in Figure II.19.2.3.1.

Figure II.19.2.3.1 Storage tab in Malware Inspection

19.2.4. Update Configuration

By default, TMG checks for and installs new updates automatically, which is the recommended choice. You can use the drop-down menu to change this setting. Apart from the default, the available options are:
- Only Check For Updates: this option does not install new updates; it only checks for them and notifies you that new updates are available.
- Do Nothing Automatically: the administrator checks for new updates manually.

The automatic check intervals are 15 minutes, 30 minutes, 45 minutes, 1 hour, or 4 hours. The recommendation is to leave the default (15 minutes) to ensure that TMG has the latest signatures.

Figure II.19.2.4.1 Definition Updates tab in Malware Inspection

19.2.5. License

To receive new definitions through the update service, you need a valid subscription with Microsoft. By clicking the License Details tab, you can verify the license and its expiration date, as shown in Figure II.19.2.5.1.

Figure II.19.2.5.1 Malware Inspection License Details tab

19.3. URL Filtering

19.3.1. How URL Filtering Works

URL filtering policy controls access to Web sites based on URL category membership. Unlike policies based on domain name sets or URL sets, this feature works automatically. Web sites are categorized by the Microsoft Reputation Service (MRS), packaged through Microsoft Update (MU), and downloaded from MU by TMG. MRS aggregates data from multiple vendors and uses telemetry to improve the accuracy of the data. Figure II.19.3.1.1 shows the relationship between URL filtering actions and updates.

Figure II.19.3.1.1 URL Filtering decision flow

The following steps give an overview of URL filtering:
1. The user sends a request for a Web site.
2. TMG intercepts the request and determines whether URL categorization is required. TMG needs to determine the URL's category in order to allow or deny the traffic based on the available rules.
3. If URL categorization is required, name resolution is performed for the URL and the URL is matched to a specific category.
4. When URL categorization is not required, TMG marks the request as uncategorized, and this category record is used in case a denial has to be sent to the user.
5. The rules allowing the request are then matched and TMG determines whether the rule allows or denies it.

6. A request marked as uncategorized is blocked and a denial is sent to the user; otherwise the rule verifies the matching category and TMG then allows or denies the action depending on whether the rule permits that category. The flowchart in figure 116 also describes a similar decision flow for TMG, as discussed in the preceding steps, when a request from a client to access a Web page is received.

Figure II.19.3.1.2 URL filtering processing flowchart

To understand how URL filtering works, let us consider the following sample scenario:



A client on the internal network sends a request for a Web page with the URL http://www.fabrikam.com/patha/pathb to TMG. On receiving this URL, TMG must determine whether the URL is allowed or denied according to the access policy rules. To do so, TMG breaks the URL into pieces called variants in MRS terminology. The variants for this URL would be:

Com
fabrikam.com
www.fabrikam.com
www.fabrikam.com/patha
www.fabrikam.com/patha/pathb

TMG sends the list of variants to MRS to determine their reputation. MRS replies to TMG with the following response:

Com unknown
fabrikam.com general business
www.fabrikam.com unknown
www.fabrikam.com/patha phishing (Not inherited)
www.fabrikam.com/somepath/pathb anonymizer

In the preceding response, Not inherited means that the category assigned to http://www.fabrikam.com/patha is not inherited by the subpath http://www.fabrikam.com/patha/pathb.

Based on these responses, TMG knows that two categories can apply to this URL:
General business
Anonymizer
In this example, we can consider the Anonymizer category to be the most significant one, meaning the category that an administrator would most likely want to block access to. The URL category information obtained from MRS is then used in several places in TMG, as follows:
Firewall rules - allow or deny by category
Web Proxy Log - the category is written to the log for each request (used for reporting)
Enterprise Malware Protection (EMP) - exclusion list
HTTPS exclusion list (for example, we do not want to inspect Web sites that belong to the financial category)
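The variant split, the Not inherited rule and the final allow/deny decision from the scenario above, as an added Python example (not part of this thesis or of TMG's own code). The MRS reply table, the denied-category set and the option to block uncategorized requests (MRS_TABLE, DENY_CATEGORIES and BLOCK_UNCATEGORIZED) are constructed sample data; the real product consults MRS and its own rule base.

```python
"""Simulation of the TMG URL-filtering decision described in the text.
All data below is constructed for illustration; nothing is fetched from
the real Microsoft Reputation Service."""
from urllib.parse import urlsplit

# Constructed stand-in for the MRS reply shown on the page.
# Value: (category, inherited_by_subpaths). The /patha entry carries the
# "Not inherited" flag, so its category stops at that exact variant.
MRS_TABLE = {
    "com": ("unknown", True),
    "fabrikam.com": ("general business", True),
    "www.fabrikam.com": ("unknown", True),
    "www.fabrikam.com/patha": ("phishing", False),
    "www.fabrikam.com/patha/pathb": ("anonymizer", True),
}

# Constructed access rule: categories the administrator blocks, and
# whether requests MRS cannot categorize are blocked as well.
DENY_CATEGORIES = {"anonymizer", "phishing", "malicious"}
BLOCK_UNCATEGORIZED = False


def url_variants(url):
    """Return the MRS variants of a URL: the TLD, then each longer host
    suffix, then each longer path prefix (com, fabrikam.com,
    www.fabrikam.com, www.fabrikam.com/patha, ...)."""
    parts = urlsplit(url)
    host = parts.hostname
    labels = host.split(".")
    variants = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    segments = [s for s in parts.path.split("/") if s]
    for i in range(1, len(segments) + 1):
        variants.append(host + "/" + "/".join(segments[:i]))
    return variants


def categorize(url, table=MRS_TABLE):
    """Collect the categories that apply to the URL. A variant's category
    applies to that exact variant and, unless flagged Not inherited, to
    every longer variant beneath it. 'unknown' is not a usable category."""
    variants = url_variants(url)
    exact = variants[-1]
    categories = set()
    for v in variants:
        if v not in table:
            continue
        category, inherited = table[v]
        if category == "unknown":
            continue
        if v == exact or inherited:
            categories.add(category)
    return categories


def decide(url, table=MRS_TABLE, deny=DENY_CATEGORIES,
           block_uncategorized=BLOCK_UNCATEGORIZED):
    """Apply the rule: deny if any applicable category is on the deny list;
    an uncategorized request is denied only when the rule says so.
    Returns (action, reason)."""
    categories = categorize(url, table)
    if not categories:
        return ("deny" if block_uncategorized else "allow", "uncategorized")
    hits = sorted(categories & deny)
    if hits:
        return ("deny", hits[0])
    return ("allow", sorted(categories)[0])


if __name__ == "__main__":
    for u in ("http://www.fabrikam.com/patha/pathb",
              "http://www.fabrikam.com/patha",
              "http://mail.fabrikam.com/",
              "http://www.example.test/"):
        print(u, url_variants(u), decide(u))
```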


19.3.2. Components Involved in URL Filtering

URL categorization is invoked only if both of the following conditions are met:
URL Filtering is enabled
A category is required by the policy rules or by logging

URL filtering operates as part of the Microsoft Firewall service (wspsrv.exe).


The categorizer component plays a key role in the whole URL filtering process, because it is responsible for interacting with the core TMG components involved in that process (rules engine, malware protection exception, HTTPS exception, category query, and deny page). Another component that plays an important role in the categorization process is the MRS categorizer, which gathers information from the MRS service provided by Microsoft using the Windows Web Services API (WWSAPI) through calls to WinHTTP. Figure II.19.3.2.1 shows some of these components.

Figure II.19.3.2.1 Components affected by URL filtering


19.4. E-Mail Protection

How SMTP Protection works in TMG


TMG SMTP protection is based on three mechanisms:
Exchange 2007 SPAM protection - Exchange 2007 provides strong filtering capabilities, such as connection filtering, sender filtering, recipient filtering and Sender ID. Although these features are quite effective, they fall short in detecting malware.
Forefront Protection 2010 for Exchange Server - Forefront Exchange Server 2010 extends the e-mail filtering capability of Exchange Server 2007 by adding stronger malware protection through the use of anti-malware engines.
TMG SMTP filter and centralized management - the SMTP application filter validates the SMTP conversation by checking the SMTP commands against a predefined list and against the SMTP protocol. TMG also provides a single place to manage the e-mail protection features of Exchange 2007, such as anti-spam, protection and antivirus.
The following steps outline the basic flow through TMG SMTP protection for a "clean" action.

Figure II.19.4.1 E-mail inspection steps with TMG

1. E-mail carrying malware is received at TMG; the SMTP state is validated.
2. The e-mail is forwarded to Exchange Server 2007 on the local computer.
3. The malware is stripped from the e-mail.
4. The cleaned e-mail is sent back to TMG.
5. The cleaned e-mail is forwarded to the receiving SMTP server; SMTP is validated once again.

Within Exchange Server, mail flow works as shown in Figure II.19.4.2 and as described in the following steps.

Figure II.19.4.2 E-mail inspection steps

1. E-mail carrying malware is received by Exchange 2007.
2. The e-mail is sent to Forefront Protection 2010 for Exchange Server.
3. Forefront Protection 2010 for Exchange Server strips the malware from the e-mail.
4. The cleaned e-mail is sent back to Exchange Server 2007.
5. The cleaned e-mail is forwarded to the receiving SMTP server.
When deployed with the Exchange 2007 Edge role, TMG combined with Exchange 2007 and Forefront Protection 2010 for Exchange Server provides far more secure e-mail transport than ISA Server 2006.


20. HTTP AND HTTPS INSPECTION IN THE WEB PROXY FILTER APPLICATION

Figure II.20.1 TMG architecture

Figure II.20.2 Web Proxy Engine


21. PUBLISHING SERVERS

21.1. How to publish a Web server?

Figure II.21.1.1 Contoso network diagram

Figure II.21.1.2 Web server description table

21.2. Publishing a Web Server Using HTTPS

The second part of the Contoso requirement for publishing Web servers is to make the payroll system available to external users through TMG using encryption. To meet this requirement you need to obtain a certificate and install it on TMG, so that you can bind the certificate to the Web listener that will be used by the Web server publishing rule. The certificate can be issued by an internal Certificate Authority (CA) or by an external commercial CA.

Before we begin configuring the HTTPS publishing rule, you need to:
Obtain a certificate from an internal or external CA.
Install the certificate that TMG's Web listener will use into the local computer certificate store on TMG. You need to make sure that you have the certificate together with its private key.
If the TMG computer does not trust the root (and intermediate, if any) CA, you need to install the certificate chain for the root CA into the Trusted Root store of the TMG local computer. For this particular scenario, both files are in the C:\certs folder on TMG: the certificate that will be used on TMG's Web listener (payroll.pfx), which contains the private key, and the root CA certificate (rootca.cer).

21.3. Installing Certificates on TMG

1. On the TMG Server computer, click Start, type mmc, and then press Enter or click OK. An MMC dialog similar to Figure II.21.3.1 appears.

Figure II.21.3.1 MMC dialog

2. Click the File menu and then click Add/Remove Snap-in, or press Ctrl+M.
3. Under Available Snap-ins, click Certificates and then click Add, as shown in Figure II.21.3.2.


Figure II.21.3.2 Adding the Certificates snap-in to MMC

4. Select Computer account and then click Next, as shown in Figure II.21.3.3.

Figure II.21.3.3 Managing certificates with the Computer account

5. Click Local computer and then click Finish, as shown in Figure II.21.3.4.

Figure II.21.3.4 Selecting where certificates are managed (local computer)

6. Click OK in the Add Or Remove Snap-ins dialog, as shown in Figure II.21.3.5.

Figure II.21.3.5 Add Certificates

7. Expand Certificates (Local Computer), then expand Personal, and then expand Certificates. Right-click the Certificates node, select All Tasks, and then select Request New Certificate as shown in Figure II.21.3.6.

Figure II.21.3.6 Creating a new certificate

8. The Welcome to the Certificate Import Wizard page appears. Click Next.
9. On File to Import, type the location where the certificate is stored, as shown in Figure II.21.3.7, and click Next.

Figure II.21.3.7 Import Certificate selection dialog

10. On the Password page, type the password provided by the organization that issued this certificate, as in Figure II.21.3.8, and click Next.

Figure II.21.3.8 Creating the private key

11. On the Certificate Store page, confirm that the location is Personal, as in Figure II.21.3.9. Click Next.

Figure II.21.3.9 Choosing where to store the certificate

12. The Completing the Certificate Import Wizard page appears with a summary of your selections. Review the page and click Finish.
At this point the certificate is installed in the local computer store on TMG, and the snap-in displays the new certificate in the right pane. To confirm that the certificate is valid, right-click it and select Open. If the certificate was issued from a CNG template, TMG will report an incorrect key type error, as shown in Figure II.21.3.10.

Figure II.21.3.10 Incorrect key error

To resolve this problem, you need to obtain a server authentication certificate issued from a Windows 2000 or Windows 2003 template and install it on all TMG computers as described earlier. Once this is done and the valid certificate is selected, the certificate selection page appears as in Figure II.21.3.11.

Figure II.21.3.11 Valid certificate


Your TMG configuration is now ready for the next step, which is creating a Web listener for HTTPS that uses the imported certificate (pfx). Before we move on, however, it is important to mention a few recommendations about certificates:
If you have an array with multiple nodes, you must perform the procedure on all nodes. Otherwise you will not be able to create the listener for HTTPS, unless you have only one external IP address on all nodes and you select all IP addresses on the listener.
If you have any traffic-filtering device between TMG and the CRL URL of the root CA, you need to make sure that this device allows connections on port 80 to that endpoint so that TMG can validate the CRL (Certificate Revocation List).

21.4. Creating an HTTPS Web Listener

Follow these steps to create a new Web listener on TMG that uses HTTPS:

1. On the TMG computer, open the Forefront TMG Management Console.
2. Click Forefront TMG (Array Name) in the left pane and click Firewall Policy.
3. In the right pane, click the Toolbox tab, right-click Web Listener under Network Objects, and then click New Web Listener as shown in Figure II.21.4.1.

Figure II.21.4.1 Creating a new Web Listener

4. The New Web Listener Wizard page appears. Type a name for this Web listener and click Next.

5. Keep the default option (SSL), as shown in Figure II.21.4.2, and click Next.

Figure II.21.4.2 Selecting SSL for the Web Listener

6. On the Web Listener IP Addresses page, select External as shown in Figure II.21.4.3 and click Next.

Figure II.21.4.3 Selecting the interface for the Web Listener

7. On the Listener SSL Certificates page, click Select Certificate, select the certificate for this listener, and then click Select as in Figure II.21.4.4.

Figure II.21.4.4 Selecting the certificate to use for the Web listener

8. On the Listener SSL Certificates page, confirm that the selected certificate appears as shown in Figure II.21.4.5 and click Next.

Figure II.21.4.5 Assigning the certificate to the Web Listener


9. On the Authentication Settings page, select HTML Form Authentication from the drop-down list. Leave the other options at their defaults, as in Figure II.21.4.6, and click Next.

Figure II.21.4.6 Configuring the authentication method

10. For the purposes of this example, disable the SSO setting, as shown in Figure II.21.4.7. Click Next.

Figure II.21.4.7 Disabling SSO


11. On the Completing the New Web Listener Wizard page, review the selections as shown in Figure II.21.4.8. Click Finish and then click Apply to confirm the changes.

Figure II.21.4.8 Completing the setup

21.5. Creating a Secure Web Publishing Rule

Follow these steps to create a secure Web publishing rule on TMG that uses the listener created earlier:
1. Expand Forefront TMG (Array Name) in the left pane.
2. Right-click Firewall Policy, select New, and click Web Site Publishing Rule as shown in Figure II.21.5.1.

Figure II.21.5.1 Creating a new Web Publishing Rule

3. The Welcome to the New Web Publishing Rule Wizard page appears. Type a name for this publishing rule and click Next.

4. On the Select Rule Action page, leave the default selection (Allow) as shown in Figure II.21.5.2 and click Next.

Figure II.21.5.2 Selecting the rule action

5. On the Publishing Type page, leave the default options as shown in Figure II.21.5.3 and click Next.

Figure II.21.5.3 Selecting the publishing type

6. On the Server Connection Security page, you specify whether TMG will use SSL to connect to the published Web server. For this rule, leave the default options as shown in Figure II.21.5.4 and click Next.

Figure II.21.5.4 Selecting the connection security

7. On the Internal Publishing Details page, type the internal site name and click Next. The name you specify on this page must match the subject name or one of the SAN entries of the certificate installed on the target Web server.
8. For the site we are publishing, the goal is to allow access to all content on the Web server. Therefore the path should be /* as in Figure II.21.5.5. Click Next.

Figure II.21.5.5 Path to the published folder


9. On the Public Name Details page, you need to specify the name that remote clients will use to reach the published server. Type payroll.contoso.com, leave the other options at their defaults as shown in Figure II.21.5.6, and click Next.

Figure II.21.5.6 Creating the public name for the rule

10. On the Select Web Listener page, select HTTPS Listener (the Web listener created earlier) from the Web Listener drop-down list, as shown in Figure II.21.5.7. Click Next.

Figure II.21.5.7 Selecting the Web listener


11. On the Authentication Delegation page, click the drop-down list and select Basic authentication, as in Figure II.21.5.8. Click Next.

Figure II.21.5.8 Selecting the authentication method

The method you choose on the Authentication Delegation page, shown in Figure II.21.5.8, must match the authentication used by the Web server you are publishing. This is information you need to gather during the planning phase.
12. On the User Sets page, leave the default option, which forces all users to authenticate before accessing the internal Web server, as shown in Figure II.21.5.9. Click Next to continue.

Figure II.21.5.9 Configuring user access


13. The Completing the New Web Publishing Rule Wizard page summarizes the selections for this rule. To confirm that the publishing rule is working correctly, click Test Rule. If everything is configured correctly, the result will be similar to what is shown in Figure II.21.5.10. Click Finish and then click Apply to confirm the changes.

Figure II.21.5.10 Testing the rule
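A check for the requirement stated in step 7, that the internal site name must match the subject name or a SAN entry of the certificate on the published Web server, as an added Python example (not the thesis's or TMG's own code). The certificate is a constructed description (a dict of subject CN and SAN DNS names with made-up internal host names), and the wildcard rules applied are the usual host-name matching rules, assumed here rather than taken from the page.

```python
"""Does the internal site name match the published server's certificate?
The certificate is a constructed description, not a parsed X.509 object."""


def hostname_matches(name, pattern):
    """Case-insensitive match of a host name against one certificate name.
    A wildcard is accepted only as the entire leftmost label, it matches
    exactly one label, and it needs at least two labels after it, so
    "*.example.com" is fine but "*.com" and "w*.example.com" are not."""
    name = name.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return name == pattern
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def certificate_names(cert):
    """Names the page allows the internal site name to match: the subject
    CN plus every SAN DNS entry (order preserved, duplicates dropped)."""
    names = [cert["subject_cn"]] + list(cert.get("san_dns", []))
    seen, out = set(), []
    for n in names:
        if n.lower() not in seen:
            seen.add(n.lower())
            out.append(n)
    return out


def check_internal_site_name(site_name, cert):
    """Return (ok, detail) for the name typed on the Internal Publishing
    Details page, checked against the certificate on the target server."""
    for candidate in certificate_names(cert):
        if hostname_matches(site_name, candidate):
            return True, "matches certificate name " + candidate
    return False, "no subject CN or SAN entry matches " + site_name


# Constructed certificate for the scenario: made-up internal host names
# under the contoso.com domain the thesis uses; not real data.
INTERNAL_SERVER_CERT = {
    "subject_cn": "payroll.corp.contoso.com",
    "san_dns": ["payroll.corp.contoso.com", "*.corp.contoso.com"],
}

if __name__ == "__main__":
    for candidate in ("payroll.corp.contoso.com", "hr.corp.contoso.com",
                      "payroll.contoso.com", "a.b.corp.contoso.com"):
        print(candidate, check_internal_site_name(candidate, INTERNAL_SERVER_CERT))
```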

22. REMOTE ACCESS

22.1. VPN concepts

A VPN is a virtual private network that uses a public network (usually the Internet) to connect remote sites or remote users to a LAN at a central headquarters. Instead of a physical connection such as a leased line, a VPN creates virtual links carried over the Internet between an organization's private network and the remote site or user. The VPN protocols used differ according to the capabilities of the VPN client and server and the organization's functional and security requirements.
Because VPN tunnels are defined as secure and reliable, they provide strong encryption and authentication methods. In addition, tunnel management is used to control the traffic flowing through the tunnel. Figure II.22.1.1 illustrates the relationship between the VPN functions.

Figure II.22.1.1 VPN connection


Recent changes in various technologies have led to the appearance of a secure tunneling method generically called SSL-VPN. Depending on the vendor's product design, these may provide a limited or a complete VPN solution. Because TMG does not provide an SSL-VPN solution, we discuss the protocols and scenarios of the classic VPN technologies.
22.1.1. Tunnel types

In general, VPN tunnels fall into two modes of operation: Transport mode and Tunnel mode. Not all VPN tunneling technologies provide both modes. The main difference between the modes is how they are used:
Transport mode: This mode operates in the context of two endpoints, that is, it cannot be used to route traffic between two remote networks. This is the mode of operation typically used for dial-on-demand VPN between an individual user and a VPN terminator.
Tunnel mode: This mode is designed to provide routing between two networks as well as between two endpoints. This mode of operation is typically used for site-to-site VPN connections, where separated networks need to communicate. In this mode, non-VPN hosts in each network must use their VPN terminator as the route to the remote end of the tunnel if they want to communicate with each other.
22.1.2. Protocols

Windows Server 2008 and TMG support three VPN protocols.

22.1.2.1. Point-to-Point Tunneling Protocol (PPTP)
PPTP is defined in RFC 2637 and is implemented as two protocols: PPTP, which operates on TCP port 1723, and Generic Routing Encapsulation (GRE), IP protocol 47 (port 47). The PPTP protocol serves as the management protocol, while GRE provides the secure tunnel between client and server. NAT traversal requires a PPTP editor in the NAT device between client and server. A PPTP connection begins with the client establishing a PPTP control channel connection to the VPN server. The client authenticates to the server and the two negotiate the encryption keys used on the GRE tunnel. The client then establishes a second connection to the server using GRE. All client traffic except the PPTP control channel is carried inside the encrypted GRE tunnel until the session ends. PPTP provides no special functionality for NAT traversal and depends on the intelligence (or lack of it) in the NAT device between client and server to handle this correctly.


22.1.2.2. Layer Two Tunneling Protocol over IPsec (L2TP/IPsec)

L2TP is described in RFC 2661 and works together with Internet Key Exchange (IKE) and IPsec to provide a secure tunnel. IPsec provides machine-level authentication and encryption using IP protocol 50 (ESP) or IP protocol 51 (Authentication Header, or AH), while L2TP provides tunnel management over UDP port 1701. IPsec protects the tunnel traffic. NAT traversal is achieved through IPsec NAT-T, which operates over UDP 500 and 4500. For a normal (non-NAT) L2TP/IPsec session, the client establishes a connection to the server using UDP port 500. The client and server exchange encryption keys using certificates or pre-shared keys. Once this is complete, the client negotiates the L2TP session with the server inside the encrypted IPsec tunnel over IP protocol 50 (ESP) or protocol 51 (AH). All traffic between client and server, including L2TP management traffic, is carried inside the IPsec tunnel. L2TP/IPsec behaves differently when NAT traversal is required: in that case the client connects to the VPN server using UDP port 500 to negotiate encryption, then passes the L2TP and client traffic through UDP port 4500.
22.1.2.3. Secure Socket Tunneling Protocol (SSTP)
This protocol uses the Point-to-Point Protocol (PPP) over HTTP, encrypted with SSL. HTTP provides tunnel management and carries the tunnel traffic. The greatest advantage SSTP offers is its ability to use a Web proxy to reach the VPN server. It is worth noting that SSTP cannot authenticate to the Web proxy, so if the local Web proxy requires authentication, SSTP cannot function through it. The SSTP client connects to the VPN server by establishing a connection on TCP port 443, negotiating the SSL handshake, and then issuing an HTTP request to the VPN server indicating that this is an SSTP connection. All client traffic is passed through the HTTPS tunnel.
22.1.2.4. Authentication
Password Authentication Protocol (PAP) - Available for use with all VPN protocols, PAP is the weakest of all user authentication protocols because the user credentials are sent in clear text, potentially exposing them to the network connection. Of course, if the tunnel is encrypted before user authentication begins, this becomes less of a problem.
Challenge Handshake Authentication Protocol (CHAP) - CHAP uses the MD5 hash algorithm to protect the credentials while they pass between client and server. Like Digest authentication, this method requires that the user's password in Active Directory be stored using reversible encryption. CHAP shares many weaknesses with the LAN Manager (LANMAN) and NT LAN Manager (NTLM) v1 authentication protocols.
Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2) - MS-CHAPv2 addresses many of the security weaknesses in CHAP by encrypting the credentials with a unique value each time, so that when the encryption keys are computed a different value results. This effectively mitigates any attack based on guessing password hashes.
Extensible Authentication Protocol (EAP) - this authentication method is actually made up of three different authentication mechanisms:
MD5-Challenge - this is effectively identical to PPP-CHAP, but is sent as an EAP message.
EAP-TLS - this method uses certificates for mutual authentication of the caller and the server. The exchanged certificates are used to sign the messages. This authentication method is required in order to use smart cards for VPN.
EAP-RADIUS - this method uses a RADIUS server as the credential authority. The actual credentials are passed using MD5-Challenge or TLS and are satisfied through a call to the specified RADIUS server.
Internet Key Exchange Version 2 (IKEv2) - this authentication protocol provides a means for the caller and server to encrypt the initial connection so that all other communications can be sent without any concern that they might be read off the network. This requires that the caller and server share a common trusted root CA and that their certificates be issued for the purpose of IPsec negotiation.


22.1.3. Comparison of VPN Technologies

The figure below provides a comparison of the various VPN tunneling technologies supported in Windows Server 2008 and TMG.

Table II.22.1.3.1 Comparison of VPN security protocols


22.1.4. NAP integration

Windows Server 2008 Network Access Protection (NAP) is a platform for enforcing compliance with computer health requirements for network access. Forefront TMG integrates with it by acting as a VPN server, as shown in Figure II.22.1.4.1.

Figure II.22.1.4.1 TMG acting as a VPN server in the NAP infrastructure

TMG's key role in the NAP infrastructure is to request the credentials from the VPN client and send the authentication request to the Network Policy Server (NPS). If the connection is approved and the client is compliant, NPS tells TMG to allow traffic from the compliant host according to TMG's existing traffic policies. TMG accepts the connection and forwards the access response to the client computer. The enhancement TMG adds is the ability to inspect the VPN traffic and to provide access rules that restrict access from remote clients.

23. Introduction to UAG DirectAccess

DirectAccess is a new remote access technology in Windows 7 and Windows Server 2008 R2 that lets users connect to the corporate network at any time. From the user's point of view, the experience is exactly the same regardless of where they connect from. A user can move from the corporate network to the network of a hotel, a coffee shop or any conference center that provides wireless connectivity. As long as there is an Internet connection, they can reach resources on the internal network just as if they were accessing them directly over an Ethernet or 802.11 wireless connection.
The always-on aspect of DirectAccess is considered the most important part of this solution. Users do not need to initiate a VPN connection; they do not need to remember the URL of the SSL VPN gateway (even when the SSL VPN gateway is a UAG server). They need do nothing except click the links in an e-mail or on the desktop, or type the name of the server they want to use, and the connection is made. Such a seamless connection certainly increases productivity.
DirectAccess offers more than what has been introduced above, however. Because the DirectAccess connection is bidirectional, you as the network administrator are able to connect to DirectAccess clients over the Internet. Whenever a DirectAccess client is powered on, you can connect to and manage that client. The user does not need to be logged on for you to connect to DirectAccess clients from inside the corporate network. This means that the management infrastructure you use to control and configure hosts on the corporate network is now always available for managing computers connected through DirectAccess.

Figure II.23.1 Forefront UAG DirectAccess Server

23.1. How does DirectAccess work?

Along with DirectAccess, users of Windows 7 and Windows Server 2008 R2 encounter a number of new technologies in these operating systems. Some of these technologies may be new, some may have been known for a long time. Either way, whether working with old or new technology, none of them is overly complex. One should avoid the view that DirectAccess is not worth the complexity its users have to struggle through.
This perception exists because, before UAG 2010 was released, the only way to deploy DirectAccess was to use the Windows DirectAccess solution that comes with Windows. That solution has several limitations compared with the UAG DirectAccess solution:
Windows DirectAccess has limited high-availability support; the common mechanism involves using Hyper-V and Windows failover clustering to provide good stand-by capability. Nor is there support for Network Load Balancing.
Windows DirectAccess does not support DirectAccess arrays. If you want to set up multiple Windows DirectAccess servers, you must configure and manage them separately. In contrast, UAG DirectAccess servers can be configured as an array.
Windows DirectAccess servers do not support IPv4-only servers. DirectAccess clients on the Internet cannot connect to servers of this kind. This means that if you want to use the Windows DirectAccess solution, you must upgrade your servers to Windows Server 2008 or later. In contrast, the UAG DirectAccess solution fully supports IPv4 servers on the corporate network.
If you plan to deploy DirectAccess in your corporate network, the best way to do so is to use the UAG DirectAccess solution.
23.2. DirectAccess client connectivity

IPv6 is the core issue of the DirectAccess solution, and it is one of the reasons many administrators feel unable to deploy the solution at this time. IPv6 is clearly more complex, and with cuts to both budgets and IT staff this is a real obstacle. With UAG, however, you do not need to become an IPv6 expert: the UAG DirectAccess solution automatically deploys the required IPv6 infrastructure.
When a DirectAccess client is connected to the Internet, it attempts to establish two IPsec tunnels to the UAG DirectAccess server. These two tunnels use IPsec tunnel mode and the Encapsulating Security Payload (ESP) protocol with 192-bit AES encryption to protect privacy.
Hai kiu tunnel y l:
Infrastructure
nhng trc lc
vin min v ti
my tnh v xc

tunnel: Infrastructure tunnel bt u khi my tnh khi ng


ngi dng ng nhp. My tnh DirectAccess lun l mt thnh
khon ca n c s dng ng nhp thng qua chng ch
thc NTLMv2. Thm vo , n phi thuc nhm bo mt dnh

_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 138

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

ring cho cc my khch DirectAccess. tunnel ny c kt ni hai chiu v cc tc


nhn qun l trn my khch c th gi n my ch qun l trn mng cng ty.
My ch qun l c th khi to cc kt ni n my khch DirectAccess khi tunnel
Infrastructure tunnel c thit lp. My khch DirectAccess ch c th kt ni thng
qua tunnel ny truy cp cc my ch m bn ch nh. tunnel ny khng cho
php truy cp m i vi ton b mng ni b.
Intranet tunnel: Intranet tunnel c thit lp sau khi ngi dng ng nhp.
tunnel ny cng c m ha bng ESP v AES 192. Vic xc thc c thc hin
bng chng ch my tnh (ging infrastructure tunnel) v xc thc Kerberos cho ti
khon ngi dng. Intranet tunnel cho php ngi dng c th truy cp ti bt c
ti nguyn no nm trong mng ni b m h c thm quyn.
C hai kiu truy nhp bn c th s dng khi kch hot cc my khch DirectAccess
kt ni n mng ni b. Bn c th chn end to edge hoc end to end ty . Chng
ta hy i xem xt hai kiu ny:
End to Edge: Khi s dng kiu kt ni end to edge, my khch DirectAccess s
thit lp mt lin kt ch IPsec tunnel xc thc n my ch UAG DirectAccess.
Sau khi hon thnh kt ni Ipsec ti my ch DirectAccess, vic chuyn ri lu
lng t my ch DirectAccess n cc my ch trong mng ni b c xc thc
hoc c m ha mc mng.
End to End: Kiu bo mt mng end to end cho php bo mt cc kt ni vi
Ipsec mt cch xuyn sut. Kt ni gia my khch v my ch DirectAccess s
c m ha v c xc thc bng ch IPsec tunnel. Sau khi lu lng ri my
ch DirectAccess n my ch khc trong mng ni b, kt ni s c
chuyn qua mng ni b bng ch IPsec transport. Mc d vy, thit lp mc
nh ch xc thc cho im kt cui; kt ni ch transport khng c m ha
IDS mng v cc thit b bo mt khc c th nh gi chng trn mng. iu
ny s lm gim mt s x l khng ng c (overhead) lin quan n kt ni
Ipsec.
Ngoi chng ch my tnh, ti khon my tnh (NTLMv2) v xc thc ti khon ngi dng
c s dng trong qu trnh to cc tunnel DirectAccess, bn cng c ty chn buc ngi
dng phi s dng xc thc Smart Card thit lp intranet tunnel, nng cao kh nng bo
mt cho gii php. Nu xc thc bng th thng minh khng an ton so vi yu cu,
bn c th thc thi mt s chnh sch trn my khch DirectAccess bng NAP, lc ny my
khch khng iu kin s b cch ly trc khi cho php thit lp cc tunnel infrastructure
tunnel v intranet tunnel.
Mt iu quan trng cn lu y l kt ni End to Edge h tr tt c cc mng, iu
ny khng bt buc bn phi c cc host h tr IPv6 trong mng ni b. Mc d vy, nu
mun trin khai bo mt end to end vi ch IPsec tunnel v IPsec transport th bn
cn phi c cc my ch Windows Server 2008 pha sau my ch DirectAccess. Ngoi ra,
_____________________________________________________________________________________
Trng C Ngh CNTT Ispace Khoa: CNTT: ti tt nghip
Trang 139

TRNG CAO NG NGH iSPACE


240 V Vn Ngn, Phng Bnh Th, Qun Th c, TpHCM
Website: www.ispace.edu.vn Email: ispace@ispace.edu.vn
Tel: (848) 6267 8999 - Fax: (848) 6283 7867

bn c th s dng ln cc kiu kt ni End to Edge v End to End; chng khng loi tr


ln nhau.
Tt c lu lng di chuyn gia my khch v my ch DirectAccess u l lu lng IPv6.
Ng y l rng, d cc my ch pha sau UAG DirectAccess khng nhn bit IPv6 (IPv6
aware) th cc ng dng my khch phi h tr giao thc ny. p ng iu , bn
cn m bo cc ng dng my khch tng thch IPv6 trc khi trin khai DirectAccess.
Chng ta cn lm r cc thut ng nh IPv6 aware, IPv6 capable, IPv6 only v
native IPv6. Khi ni n cc mng native IPv6, chng ta cn hiu rng tt c c s h
tng mng y (routers, DNS, DHCP,) cng nh cc my khch v my ch h tr IPv6
mt cch hon chnh. Ngc li, thut ng IPv6 aware ni n vic khng s dng IPv6
mt cch xuyn sut, ch c cc ng dng my khch v my ch c th li dng u im
ca cc k thut chuyn tip IPv6 c th lm vic trn cc mng IPv4. Trong khi cc
mng IPv6 capable c cc host h tr the Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP) cc tin nhn IPv6 c th c gi qua mng IPv6. Khi ci t UAG lm my ch
DirectAccess, n s t cu hnh mt ISATAP router cc tin nhn IPv6 c chuyn i bn
trong mt header Ipv4 qua mng IPv4, chnh v vy khng cn nng cp router v switch
DNS cng nh DHCP server lm vic vi kt ni IPv6.
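The ISATAP, 6to4 and Teredo addresses that DirectAccess clients and the UAG server end up with look opaque in logs and in netsh output unless you know how the IPv4 address is embedded in them. The following Python script is an added example for this section, not code from the thesis or from Microsoft: it builds the ISATAP address an ISATAP router would assign to an intranet host (RFC 5214) and decodes the IPv4 addresses embedded in ISATAP, 6to4 (RFC 3056) and Teredo (RFC 4380) addresses. The /64 prefix and the IPv4 addresses in the demonstration are assumed sample values, not the D.M.A network.

```python
"""Decode the IPv6 transition addresses used by DirectAccess/UAG.

Added example, not part of the original thesis. Standard library only.
"""
import ipaddress

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")  # RFC 3056: 2002:WWXX:YYZZ::/48
TEREDO_NET = ipaddress.IPv6Network("2001::/32")     # RFC 4380: 2001:0:<server>:<flags>:<port>:<client>
ISATAP_IID_TAG = 0x00005EFE                         # RFC 5214: IID = 0000:5EFE:<IPv4> (0200:5EFE if public)
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1


def isatap_address(prefix, ipv4, public=False):
    """Build the ISATAP address <prefix>::0:5efe:w.x.y.z for a host on the IPv4 intranet.

    The prefix must be the /64 the ISATAP router advertises; the u/g bit (0x0200)
    of the interface ID is set only when the IPv4 address is globally unique.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an ISATAP prefix must be a /64, got /%d" % net.prefixlen)
    tag = ISATAP_IID_TAG | (0x02000000 if public else 0)
    iid = (tag << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def decode(addr):
    """Return the transition technologies an IPv6 address carries and the IPv4
    addresses embedded in it. An empty dict means a native (or unknown) address."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    iid = n & MASK64
    found = {}
    if a in TEREDO_NET:
        # Teredo: bits 32-63 hold the server IPv4; client port and IPv4 are stored XOR all-ones
        found["teredo_server"] = str(ipaddress.IPv4Address((n >> 64) & MASK32))
        found["teredo_port"] = ((iid >> 32) & 0xFFFF) ^ 0xFFFF
        found["teredo_client"] = str(ipaddress.IPv4Address((iid & MASK32) ^ MASK32))
        return found  # a Teredo interface ID is never an ISATAP one
    if a in SIXTOFOUR_NET:
        # 6to4: the site's public IPv4 sits in bits 16-47 of the address
        found["6to4_site"] = str(ipaddress.IPv4Address((n >> 80) & MASK32))
    # ISATAP interface ID: upper 32 bits are 0000:5EFE or 0200:5EFE. A 6to4 prefix
    # combined with an ISATAP IID is what UAG hands out when there is no native IPv6.
    if ((iid >> 32) & 0xFDFFFFFF) == ISATAP_IID_TAG:
        found["isatap_host"] = str(ipaddress.IPv4Address(iid & MASK32))
    return found


if __name__ == "__main__":
    # Assumed sample values: a 6to4-derived /64 for the intranet and an RFC 1918 host
    host = isatap_address("2002:c000:204:1::/64", "10.1.2.3")
    print(host, decode(str(host)))
    # RFC 4380's own worked example of a Teredo address
    print(decode("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```

Run it against the addresses shown by `netsh interface ipv6 show address` on a DirectAccess client: an address decoding to `isatap_host` is intranet traffic carried by the ISATAP router, while `6to4_site` or `teredo_client` entries identify the transition path the client is using to reach the UAG server from the Internet.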

III. ANALYSIS OF THE PROJECT

1. PROJECT REQUIREMENTS SURVEY
1.1. Project scenario:
D.M.A Computer Technology Trading and Services Joint Stock Company has one office in District 1, Ho Chi Minh City, and another in Hanoi, under the domain name dma.vn. D.M.A specialises in:
- Selling computer and electronic equipment
- Supplying computer equipment to businesses and schools
- Online customer consulting and support
D.M.A Computer Technology already has an IT infrastructure in place. To support growth and expansion, and to meet its demands for stability, security and efficiency in its business, the IT department carried out an overall survey and proposed the following deployment model:

Figure III.1.1.1 Overall model of D.M.A Computer Technology

1.2. Logical network model at the offices

Figure III.1.2.1 Logical model at the offices

1.3. Detailed logical diagram

Figure III.1.3.1 Detailed logical diagram at the offices

1.4. Company organisation chart

Figure III.1.4.1 Organisation chart of D.M.A Computer Technology

1.5. D.M.A's requirements:
- Comprehensive security hardening for the corporate network
- Support for mobile users so they can work effectively
- Secure site-to-site connectivity over the Internet using VPN
- Management and monitoring of all traffic entering and leaving the system
- A mechanism to detect and block unauthorised intrusion into the network
- Spam and virus filtering for the e-mail system
- Filtering and blocking of viruses and malware entering the network

2. PROPOSED SOLUTION
Given the company's need to grow and expand while remaining stable, secure and efficient, we propose a solution to its security requirements based on Microsoft Forefront TMG. This product combines security features from Internet Security and Acceleration Server (ISA), Forefront Client Security, Forefront Security for Exchange Server and Forefront Security for SharePoint. With these capabilities, Microsoft Forefront can meet the following needs:
2.1. New features:

Feature: Compatibility with Windows Server 2008, 64-bit
Description: TMG runs only on 64-bit Windows Server 2008, so it inherits all of the new capabilities of Windows Server 2008, such as:
- Active Directory: provides the means to manage identity information and the relationships that make up the organisation's network, with the built-in features needed to configure and administer systems, users and application settings centrally.
- Hyper-V (virtualisation and consolidation): a reliable virtualisation platform that lets customers virtualise their infrastructure and reduce costs. This new generation of hypervisor-based server virtualisation makes the most of server hardware investments by consolidating several server roles as separate virtual machines (VMs) on a single physical server.
- Branch and global offices: for organisations whose operations extend to geographically dispersed branch offices, managing the resources of a distributed IT infrastructure and optimising communication links can be a major challenge. With Windows Server 2008 you retain the performance, availability and productivity benefits of services at the branch office, simplify deployment, ensure reliable and secure connectivity, lower management costs, and overcome some of the difficulties of managing a mixed environment of branch and head offices.
- Core infrastructure: Windows Server 2008 maintains and strengthens the core infrastructure services that have always been part of Windows Server and give your business a solid foundation: File and Print services, Internet Information Services 7.0 (IIS 7.0), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), Active Directory (AD), and Backup and Recovery.
- Security and policy enforcement: protecting the network is one of the hardest challenges in IT today. Network administrators must define and enforce security policies that give solid protection yet stay flexible enough to meet connectivity needs as the number of internal and external users, device types, system configurations and kinds of network connection keeps growing. Windows Server 2008 also adds many Active Directory enhancements for more effective identity and access management.
- Server management: to administer a single server, Server Manager is a new Microsoft Management Console (MMC) that delivers integrated, streamlined management. In larger enterprises, the management of many servers can be automated with Windows PowerShell, a new command-line shell and scripting language designed specifically to automate administrative tasks for server roles such as Internet Information Services (IIS) and Active Directory. Any organisation can benefit from Windows Deployment Services and the Windows Performance and Reliability Monitor.
- Presentation virtualisation with Terminal Services: Terminal Services in Windows Server 2008 can provide centralised access to applications without delivering a full remote desktop. To the end user the application appears to run on the local desktop, while in fact the user is only interacting with the presentation layer of an application running remotely. With Terminal Services in Windows Server 2008, organisations can provide more secure access to centralised applications without a virtual private network (VPN) and without opening unwanted ports on their firewalls, which reduces the complexity of providing secure remote access to applications and data. In multi-server deployments, new load-balancing features offer a simple way to ensure optimal performance by spreading sessions across the available, least-loaded resources.
- Microsoft identity and access solutions: managing user identity information is a top priority for many businesses. People need access to many systems and resources on the corporate network from many kinds of device, yet many of these systems do not talk to each other, and a single user commonly ends up with multiple IDs. Managing these redundant IDs becomes complex and time-consuming, and errors in doing so add to the security risk.
- High performance: traditionally an application runs on one server or workstation and all of its instructions are processed on the local system. High-performance computing (HPC) instead uses the processing power of many systems to process an application's instructions; distributing the workload across many systems speeds up data processing. The benefits and cost savings of Windows Server 2008 extend to Windows HPC Server 2008 for your high-performance computing environment. Windows HPC Server 2008 is built on Windows Server 2008 64-bit technology, scales efficiently to thousands of processor cores, includes features that improve productivity and reduce the complexity of an HPC environment, enables wider deployment by giving end users a rich, integrated experience from desktop applications to clusters, and ships with a full set of deployment, administration and monitoring tools that are easy to deploy, manage and integrate with the company's network infrastructure.
- High availability: providing high availability for critical applications, services and data is a key objective of a successful IT operation. When a service stops or malfunctions, business is interrupted and the losses can be significant. Windows Server 2008 supports many key high-availability features that help organisations meet their own requirements for critical systems, such as Failover Clustering, Network Load Balancing (NLB), Shadow Copy, Windows Server Backup and a new tool, the Windows Recovery Environment.

Feature: In addition to the TMG hardware, the system is equipped with anti-virus and anti-malware software: Kaspersky Internet Security 2012
Description: Kaspersky Internet Security 2012 is an advanced security product in Kaspersky Lab ZAO's new Kaspersky 2012 Final suite. Kaspersky Internet Security 2012 has a more impressive program interface, uses fewer resources, and provides advanced protection against viruses, Trojans, spam, hackers and more. Its advanced security technology, combined with innovative cloud-based technology, gives users faster and more effective protection against today's increasingly sophisticated and fast-growing threats.
Malware filtering options applied on the gateway (these are Forefront TMG malware inspection settings, which complement the endpoint product):
- Scan infected files
- Block suspicious files
- Block files found to be corrupted
- Block files that cannot be scanned
- Block all encrypted files
- Block files whose scanning exceeds the time limit set by the administrator
- Block files larger than the size limit set by the administrator
- Block web sites dynamically by IP address, domain name or URL as defined by the administrator
- Content control with TMG: malware and virus scanning can delay the delivery of content from the server to the client. TMG inspects content as it scans in order to detect malicious software. If delivery of data from server to client is delayed, TMG automatically notifies the client of the scan progress, for example with a "Content is being inspected" page.

Feature: Web access policy configuration
Description: Lets you configure web access management in a single pass. One of the standout features of Forefront TMG 2010 compared with Microsoft ISA Server is the Secure Web Gateway (SWG). SWG filters and controls malicious programs (malware), viruses and malicious web sites in the Internet sessions of users on the corporate network. SWG can also enforce policies that let staff use Internet resources safely and efficiently. On Forefront TMG 2010, SWG consists of three main components:
- URL filtering: classifies known web sites into categories, enables comprehensive reporting, and blocks or allows access to sites by category or security risk.
- Malicious code filtering: removes all malicious and unwanted code from web access.
- Web application-level control: lets businesses manage how public Internet-based applications such as IM, Internet telephony, web storage, peer-to-peer, web conferencing and chat are used.
Forefront TMG provides comprehensive protection against Internet threats: URL filtering, malicious code inspection and intrusion prevention for web clients.
Forefront TMG is easy to deploy in businesses of any size.
Reporting is improved over ISA Server by using SQL Reporting Services to create custom or consolidated reports.
An administrator can use the Web Access Wizard to configure Forefront TMG to enforce the organisation's web access policy.
Forefront TMG provides enterprise-level system management and integrates seamlessly with Active Directory for authentication and authorisation.

Feature: Blocking access to predefined addresses
Description:
- HTTPS inspection: enables inspection of HTTPS-encrypted connections to counter malicious code and attacks that exploit security vulnerabilities.
- Malware inspection and web traffic monitoring.
- Web cache.
- URL filtering: allows or denies access by URL category (e.g. drugs, pornography, shopping). This not only prevents staff from visiting harmful sites but also protects the company's productivity.
- Network Inspection System (NIS): inspects network traffic and blocks exploitation of vulnerabilities in Microsoft products. Based on protocol analysis, NIS can proactively block whole classes of attacks.
2.2. Core features:

I. Server Publishing: secure access to servers on the internal network

Feature: The firewall generates the logon form with forms-based authentication
Description: Generates the forms used when accessing Outlook Web Access with forms-based authentication. This strengthens security for remote access to Outlook Web Access by preventing unauthenticated users from ever contacting the Outlook Web Access server.

Feature: Remote access to Terminal Services over SSL
Description: Computers running Windows Server 2003 support RDP over SSL, allowing SSL connections to Windows Server 2003 Terminal Services.
One of the features introduced with Windows Server 2008 is Remote Desktop Gateway, which lets Remote Desktop clients establish remote connections over HTTPS to the Remote Desktop Gateway, which acts as an RDP-over-HTTPS proxy. Remote Desktop Gateway then connects the RDP client, using the RDP protocol, to the internal Remote Desktop Session Host. This is a great feature because HTTPS is a widely used protocol that is not blocked by firewalls or other devices. Together with Remote Desktop Web Access, users can connect to a web page that gives access to published applications. To further secure remote desktop access you can use Forefront TMG to publish Remote Desktop Web Access together with Remote Desktop Gateway.

Feature: Enforced RPC connections to Microsoft Exchange from Microsoft Outlook and other MAPI clients
Description: A publishing rule allows users to connect remotely to Exchange Server over the Internet with the full functionality of the Outlook MAPI client. The client is configured to use secure RPC, so the connection is encrypted. The RPC policy lets you block all unencrypted connections.

Feature: Outlook Web Access publishing
Description: Remote access through SSL connections of the SSL VPN kind. Creates a firewall rule for Outlook Web Access SSL connections to your Exchange Server.

Feature: Microsoft Office SharePoint Server publishing
Description: A new wizard guides you through publishing multiple Windows SharePoint Services sites.

II. Virtual Private Networking (VPN) (supports mobile users working effectively, and secure site-to-site connectivity over the Internet with VPN)

Feature: Branch office connectivity with VPN
Description: Automatically configures a site-to-site VPN connection between the two offices.

Feature: VPN integrated with the Microsoft Firewall service
Description: Includes full VPN functionality.

Feature: Filtering and inspection for VPN
Description: VPN clients are treated as a separate network, so you can create policy for VPN clients.

Feature: SecureNAT client support for VPN clients connecting to the TMG VPN server
Description: Extends VPN client support by allowing SecureNAT clients Internet access without requiring the Firewall Client to be installed on the client machine. Strengthens the company's network security by enforcing user- or group-based firewall policy on VPN SecureNAT clients.

Feature: VPN Quarantine
Description: Uses the Windows Server 2003 VPN quarantine tools for screening, integrated into firewall policy.

Feature: Publishing VPN servers
Description: Publishes IP protocols and PPTP servers. A Smart PPTP filter manages the complex connections. Publishes a Windows Server 2003 NAT-T L2TP over IPsec VPN server using TMG server publishing.

Feature: IPsec tunnel mode support for site-to-site VPN links
Description: Builds site-to-site links using IPsec tunnel mode as the VPN protocol.

III. Management features

Feature: Easy-to-use management features
Description: Includes management features that raise the level of network security. A familiar user interface with task panes, context-sensitive Help panes and a Getting Started Wizard.

Feature: Export and import of configuration data
Description: Saves the configuration to an .xml file that can later be imported on another server.

Feature: Delegated firewall administrator roles
Description: You can assign administrative roles to users or groups.

Feature: TMG Microsoft Operations Manager (MOM) Management Pack
Description: The MOM Management Pack lets the business view monitoring events and tools for the firewalls in operation.

Feature: Extensive SDK
Description: Includes a comprehensive SDK for developing tools built on the TMG firewall, cache and management features.

Feature: Extensive third-party product support
Description: Products such as virus scanners, management tools, content filters and reporting tools are built on and integrate with TMG.

IV. Monitoring and Reporting:

More effective monitoring and reporting (management and monitoring of traffic in and out of the system; a mechanism to detect and block unauthorised intrusion into the network; spam and virus filtering for the e-mail system; filtering and blocking of viruses and malware entering the network)

Feature: Log monitoring
Description: View the firewall, Web Proxy and SMTP Message Screener logs. TMG Management displays log entries visually, as if replaying the user's activity.

Feature: Building log queries
Description: Query the log files using the built-in log query facility. Query for log records containing information in any logged field. Restrict the scope of a query to a specific time frame. Results are displayed in TMG MBE Management and can be copied to the clipboard and pasted into another application for more detailed analysis.

Feature: Monitoring and filtering of firewall sessions
Description: View all active connections to the firewall. From the session view you can sort sessions, or disconnect the sessions of an individual user or a group.

Feature: Connectivity verifiers
Description: Verify connectivity by regularly monitoring a specific connection to a computer or URL from TMG MBE using connectivity verifiers. You can configure the method used to check the connection: Ping, a TCP connection to a specific port, or an HTTP GET.

Feature: Customised TMG reports
Description: Advanced customisation adds detailed information to firewall reports.

Feature: Report publishing
Description: Configure TMG to generate reports automatically. You can save the report files to a designated folder and map the folders or files to a web site virtual directory so users can view the reports.

Feature: E-mail notification when a report is generated
Description: Configure e-mail so that, when a report is completed, TMG sends you an e-mail.
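The log query feature in the table above (filter by field value, restricted to a time frame) is easy to reproduce outside the console, which matters when the logs have been copied off the TMG server for incident analysis. The Python script below is an added example, not code from the thesis or from Microsoft. TMG writes its Web proxy and firewall logs in W3C extended format, so the parser reads the `#Fields:` directive instead of hard-coding a layout. The sample lines are constructed for this example and use only a subset of the real TMG fields; the field names follow the W3C/TMG convention and 12202 is TMG's "denied by policy" status, but the exact field set of a given installation is an assumption here.

```python
"""Query Forefront TMG W3C-format log lines by time window and field value.

Added example, not part of the original thesis. Standard library only.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: a Web proxy log excerpt in W3C extended format with a
# reduced field list. Real TMG logs carry many more fields; the parser does not
# care which ones, because it takes the column names from the #Fields: line.
SAMPLE_LOG = r"""
#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Version: 2.0
#Date: 2012-05-14 08:00:00
#Fields: c-ip cs-username date time r-host r-port cs-protocol cs-uri sc-status rule action
10.0.1.15 DMA\alice 2012-05-14 08:02:11 www.microsoft.com 80 http http://www.microsoft.com/ 200 Web_Access Allowed
10.0.1.15 DMA\alice 2012-05-14 08:05:40 mail.example.net 443 https mail.example.net:443 0 Web_Access Allowed
10.0.1.22 anonymous 2012-05-14 08:07:03 203.0.113.9 6881 tcp - 12202 [Enterprise]_Default_rule Denied
10.0.1.22 anonymous 2012-05-14 08:07:04 203.0.113.9 6881 tcp - 12202 [Enterprise]_Default_rule Denied
10.0.1.30 DMA\bob 2012-05-14 09:15:27 update.example.com 80 http http://update.example.com/x.cab 200 Web_Access Allowed
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _ts(value):
    """Accept a 'YYYY-MM-DD HH:MM:SS' string (as written in the log), a datetime, or None."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, TS_FORMAT)


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names.

    Directive lines start with '#'. The #Fields: directive names the columns of
    every data line after it (a file may restate it, e.g. after a service
    restart). Records with date and time columns also get a parsed '_ts'.
    """
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("line %d: data before any #Fields: directive" % lineno)
        values = line.split()  # W3C logs encode spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError("line %d: %d values for %d fields" % (lineno, len(values), len(fields)))
        rec = dict(zip(fields, values))
        if "date" in rec and "time" in rec:
            rec["_ts"] = datetime.strptime(rec["date"] + " " + rec["time"], TS_FORMAT)
        records.append(rec)
    return records


def query(records, start=None, end=None, where=None):
    """Return the records inside [start, end] whose fields equal every value in `where`."""
    start, end, where = _ts(start), _ts(end), (where or {})
    out = []
    for rec in records:
        ts = rec.get("_ts")
        if start is not None and (ts is None or ts < start):
            continue
        if end is not None and (ts is None or ts > end):
            continue
        if all(rec.get(field) == value for field, value in where.items()):
            out.append(rec)
    return out


def denied_by_client(records):
    """Count denied requests per client IP: a quick way to spot a host that keeps
    hitting the Default rule (a misconfigured client, or something worse)."""
    return Counter(rec["c-ip"] for rec in records if rec.get("action") == "Denied")


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for rec in query(recs, "2012-05-14 08:00:00", "2012-05-14 08:10:00"):
        print(rec["time"], rec["c-ip"], rec["cs-username"], rec["action"], rec["rule"])
    print(denied_by_client(recs))
```

The same `query` call with `where={"rule": "[Enterprise]_Default_rule"}` lists everything the policy never explicitly allowed, which is the first thing to review after the access rules in section IV are applied.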

3. EQUIPMENT LIST
3.1. Server list

No. | Server name | Location   | Function                                                               | Operating system
1   | AD Server   | Intranet   | Domain controller running Active Directory, DHCP and DNS               | Windows Server 2008 Standard Edition, 64-bit
2   | Mail Server | DMZ        | E-mail server                                                          | Windows Server 2008 Standard Edition, 64-bit
3   | Web Server  | DMZ        | Web server                                                             | Windows Server 2008 Standard Edition, 64-bit
4   | FTP Server  | DMZ        | Data sharing server                                                    | Windows Server 2008 Standard Edition, 64-bit
5   | File Server | Intranet   | Internal file storage and sharing; also an additional domain controller | Windows Server 2008 Standard Edition, 64-bit
6   | TMG 1       | Local Host | Firewall protecting the system                                         | Windows Server 2008 Standard Edition, 64-bit
7   | TMG 2       | Local Host | Firewall protecting the system                                         | Windows Server 2008 Standard Edition, 64-bit

3.2. Recommended hardware configuration for the Forefront TMG server

IBM System x3650 M3 (7945-L2A)

Figure III.3.2.1 IBM System x3650 M3 (7945-L2A)

Model: 7945L2A
Form factor: 2U rack server
Processor: 1 x Intel Xeon six-core X5660, 2.80 GHz, 12 MB L3 cache
System bus: Intel QuickPath Interconnect, up to 6.4 GT/s
Memory: 3 x 4 GB DDR3 1333 MHz with ECC
Hard disk: 300 GB Seagate Savvio SAS 2.0 6 Gb/s, hot-swap
RAID support: 0, 1, 5, 10
Optical drive: IBM UltraSlim Enhanced SATA DVD-ROM
Network: integrated dual Gigabit Ethernet (2 ports standard, plus 2 optional) supporting 10BASE-T, 100BASE-TX and 1000BASE-T, RJ45
Power supply: 1 x 675 W hot-swap power supply

3.3. Equipment quotation

Item                                    | Quantity | Total (USD) | Notes
IBM System x3650 M3 (7945-L2A)          |          | 41848       |
Windows Server 2008 with Service Pack 2 |          | 2058        |
Forefront TMG 2010 Enterprise Edition   |          | 11998       |

IV. IMPLEMENTATION

1. Installing Forefront TMG 2010

Configuration steps:
- Windows Server 2008 R2 Enterprise 64-bit (fully updated)
- Run the Preparation Tool to install the roles and features Forefront TMG Server requires
- Install Forefront TMG 2010
Before installing Forefront TMG, update the server so that the required patches are applied.

Figure IV.1.1 Updating Windows Server 2008 before installing Forefront

When the update is complete, run the Preparation Tool from the Forefront TMG 2010 installation wizard page to install the required features before installing Forefront TMG itself.

Figure IV.1.2 Preparation complete

During installation, Forefront TMG asks you to define the internal network. Define it precisely, as the address ranges reachable through the internal adapter only: an Internal network that also covers addresses behind the external or perimeter adapters undermines TMG's per-adapter spoofing checks.

Figure IV.1.3 TMG asks for the internal network definition during installation

Figure IV.1.4 Installation complete

2. Configuring the 3-Leg Perimeter network model

On the first start after installation, Forefront TMG asks you to set up the network through the Getting Started Wizard. The configuration has three main steps:
- Configure the network model from a template
- Configure the system settings
- Configure the deployment options

1. Configure the network model from a template

Figure IV.2.1 Getting Started Wizard: Configure network settings

Select the 3-Leg Perimeter network template, matching the D.M.A Computer Technology model. In this template the Internal, Perimeter (DMZ) and External networks each map to their own adapter. TMG's firewall policy then contains only the Default rule, which denies all traffic, so every flow between these networks needs an explicit access or publishing rule.

Figure IV.2.2 3-Leg Perimeter template

2. Configure the system settings

Figure IV.2.3 Getting Started Wizard: Configure system settings

Define the environment Forefront TMG runs in as the dma.vn domain.

Figure IV.2.4 Defining the Forefront TMG environment as the dma.vn domain

3. Define the deployment options

Figure IV.2.5 Getting Started Wizard: Define deployment options

The deployment steps in this configuration cover the update service and the system protection features.

Figure IV.2.6 Windows Update configuration (default)

Figure IV.2.7 Configuring the system protection features

Figure IV.2.8 The three initial configuration steps in Forefront TMG completed

The Forefront TMG console

Figure IV.2.9 The Forefront TMG console

3. Configuring Access Rules

3.1. Web Access
Configure an access rule that allows Internet access.
By default, once the firewall is installed it blocks Internet access until the administrator creates an access rule that allows it. Keep the allowed protocols to HTTP and HTTPS rather than "All outbound traffic", and scope the rule to a user set: TMG then requires authentication, so the rule applies only to Web proxy and Firewall clients, and the log records a username instead of just a client IP address.

Figure IV.3.1.1 Creating a new access rule

Figure IV.3.1.2 Naming the new rule

Figure IV.3.1.3 Setting the rule action to Allow

Figure IV.3.1.4 The protocols the rule applies to

Figure IV.3.1.5 Malware Inspection option for the rule

Figure IV.3.1.6 Source and destination networks for the rule

Figure IV.3.1.7 Adding the users the rule applies to

Figure IV.3.1.8 Configuration complete; click Apply to save the configuration on Forefront

3.2. DNS Query

This configuration allows the internal network to reach the Internet in order to resolve domain names.

Figure IV.3.2.1 Creating a new Access rule

Figure IV.3.2.2 Naming the rule and choosing its action


Figure IV.3.2.3 Selecting the DNS protocol

Figure IV.3.2.4 Configuring the source and destination for the rule


Figure IV.3.2.5 Selecting the users the rule applies to

Figure IV.3.2.6 Saving the configuration


3.3. Malware Inspection

Configuration steps:
- Enable the Malware Inspection feature
- Update Malware Inspection
- Configure Malware Inspection
- Test
1. Enable the Malware Inspection feature in TMG

Figure IV.3.3.2 Enabling the Malware Inspection feature


2. Configure and run the update of the engines and signatures used to stop malware entering the system.

Figure IV.3.3.3 Configuring automatic updates for Malware Inspection

Figure IV.3.3.4 Running the Malware Inspection update


3. Configure Malware Inspection for the Access Internet rule

Figure IV.3.3.5 Configuring it from the Properties dialog

Figure IV.3.3.6 The Malware Inspection configuration dialog


Figure IV.3.3.7 Advanced Malware Inspection options under Rule Settings

4. Test the Malware Inspection configuration with the sample virus file downloaded from eicar.org

Figure IV.3.3.8 The eicar.org site provides a test virus sample for checking the firewall

Forefront blocks the file as soon as we download it


Figure IV.3.3.9 Forefront blocks the download as soon as it detects the virus

3.4. HTTPS Inspection

Steps:
- Enable the HTTPS Inspection feature
- Install the certificate used to identify malicious code
- Test the configuration
1. Enable the HTTPS Inspection feature

Figure IV.3.4.1 Configuring HTTPS Inspection from the Web Access Policy tasks


Figure IV.3.4.2 Enabling HTTPS Inspection

2. Install the certificate that HTTPS Inspection uses to identify malicious code (click Generate in the HTTPS Outbound Inspection dialog, General tab)

Figure IV.3.4.3 Configuring installation of the malware-identification certificate


Figure IV.3.4.4 Installing the certificate

Figure IV.3.4.5 Storing the certificate


Figure IV.3.4.6 Certificate installed successfully

Figure IV.3.4.7 Deploying the certificate on the domain


Figure IV.3.4.8 Deploying the certificate on the dma domain

Figure IV.3.4.9 Certificate deployed successfully on the dma domain


3. Test the HTTPS Inspection feature just configured against eicar.org

Figure IV.3.4.10 Downloading the file from eicar.org over the secure protocol

Figure IV.3.4.11 IE warns that the certificate has a problem

Figure IV.3.4.12 Forefront blocks the download
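The eicar.org tests in 3.3 and 3.4 both end with the proxy refusing the body of a download; after HTTPS Inspection has decrypted the session the same body check applies. The following is an added illustration, not Forefront code, of that check written against the published EICAR file rules; the HTTP responses it inspects are constructed samples.

```python
"""Detect the EICAR anti-virus test file in a proxied HTTP download.

Added illustration, not Forefront TMG code. The published EICAR rules are:
the file starts with the 68-byte test string, anything after it is only
whitespace, and the whole file is at most 128 bytes.
"""

# The standard EICAR test string published by eicar.org (68 bytes).
EICAR_SIGNATURE = (
    rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_MAX_LEN = 128
TRAILING_WHITESPACE = b" \t\r\n"


def is_eicar(body: bytes) -> bool:
    """True if body is a well-formed EICAR test file."""
    if len(body) > EICAR_MAX_LEN or not body.startswith(EICAR_SIGNATURE):
        return False
    tail = body[len(EICAR_SIGNATURE):]
    return all(byte in TRAILING_WHITESPACE for byte in tail)


def inspect_response(raw: bytes) -> dict:
    """Split a raw HTTP response and decide whether to pass the body on.

    Returns {"status": "blocked" | "allowed", "reason": str, "body": bytes}.
    A blocked download delivers no body to the client, which is what the
    screenshots above show Forefront doing.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed HTTP response: header terminator missing")
    if is_eicar(body):
        return {"status": "blocked", "reason": "EICAR-Test-File", "body": b""}
    return {"status": "allowed", "reason": "clean", "body": body}


# Constructed samples: what the proxy sees for eicar.com and for a clean file.
SAMPLE_EICAR_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 68\r\n\r\n" + EICAR_SIGNATURE
)
SAMPLE_CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)

if __name__ == "__main__":
    for name, raw in (("eicar.com", SAMPLE_EICAR_RESPONSE),
                      ("readme.txt", SAMPLE_CLEAN_RESPONSE)):
        verdict = inspect_response(raw)
        print(f"{name}: {verdict['status']} ({verdict['reason']})")
```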


3.5. Caching (speeding up web access)

Configuration steps:
- Enable the web caching feature
- Configure the storage size
- Configure the cache rule
- Configure the Download Job
1. Enable the web caching feature

Figure IV.3.5.1 Configuring Web Caching in the Web Access Policy

2. Configure the storage size for the cache

Figure IV.3.5.2 Configuring the storage size for Web Caching


3. Configure the cache rule

Figure IV.3.5.3 Creating a Cache rule

Figure IV.3.5.4 Configuring the request destination for the cache


Configure Content Retrieval, which governs how cached objects are returned to clients. The options are:

- Only if a valid version of the object exists in the cache; if none does, route the request to the server
- If any version of the object exists in the cache; if none does, route the request to the server
- If any version of the object exists in the cache; if none does, do not send the request to the server (drop it)

Figure IV.3.5.5 Configuring storage of cached objects

Figure IV.3.5.6 Configuring cache content
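The three Content Retrieval options above differ only in how they treat an expired copy and a cache miss. The following is an added model of that decision, not Forefront code; the URL, TTL and request times are constructed for the demonstration.

```python
"""Content Retrieval options of a cache rule, modelled in Python.

Added illustration, not Forefront TMG code. The three options decide what
the proxy does when a client requests an object:
  VALID_ONLY   serve from cache only if a non-expired copy exists,
               otherwise route the request to the origin server
  ANY_VERSION  serve any cached copy, even an expired one, otherwise route
  ANY_OR_DROP  serve any cached copy, otherwise drop the request
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Retrieval(Enum):
    VALID_ONLY = "valid_only"
    ANY_VERSION = "any_version"
    ANY_OR_DROP = "any_or_drop"


@dataclass
class CachedObject:
    body: bytes
    expires_at: float  # time after which the copy counts as expired


class CacheRule:
    """One cache rule with its content-retrieval policy and object store."""

    def __init__(self, retrieval: Retrieval) -> None:
        self.retrieval = retrieval
        self.store: dict[str, CachedObject] = {}

    def put(self, url: str, body: bytes, now: float, ttl: float) -> None:
        """Store a response fetched from the origin at time now."""
        self.store[url] = CachedObject(body, now + ttl)

    def lookup(self, url: str, now: float) -> tuple[str, bytes | None]:
        """Decide how to serve url at time now.

        Returns ("cache", body), ("forward", None) or ("drop", None).
        """
        obj = self.store.get(url)
        if obj is not None:
            expired = now > obj.expires_at
            if expired and self.retrieval is Retrieval.VALID_ONLY:
                return ("forward", None)  # a stale copy is not good enough
            return ("cache", obj.body)
        if self.retrieval is Retrieval.ANY_OR_DROP:
            return ("drop", None)  # never go to the origin on a miss
        return ("forward", None)


def demo() -> dict[str, list[str]]:
    """Run the same request sequence through all three policies.

    Each policy caches a page at t=0 with a 60 s TTL (constructed values),
    then is asked for it at t=30 (fresh), at t=90 (expired) and for an
    unknown URL (miss).
    """
    results: dict[str, list[str]] = {}
    for policy in Retrieval:
        rule = CacheRule(policy)
        rule.put("http://www.ispace.edu.vn/", b"<html>...</html>", now=0, ttl=60)
        results[policy.value] = [
            rule.lookup("http://www.ispace.edu.vn/", now=30)[0],
            rule.lookup("http://www.ispace.edu.vn/", now=90)[0],
            rule.lookup("http://www.ispace.edu.vn/news", now=90)[0],
        ]
    return results


if __name__ == "__main__":
    for policy, (fresh, expired, miss) in demo().items():
        print(f"{policy:12s} fresh={fresh} expired={expired} miss={miss}")
```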


4. Configure the Content Download Job

Figure IV.3.5.7 Naming the job

Figure IV.3.5.8 Scheduling the download time


Figure IV.3.5.9 Download site options

Figure IV.3.5.10 Content Caching options


Figure IV.3.5.11 Clicking Apply to save the cache configuration

Figure IV.3.5.12 Choosing to save and restart the service


3.6. URL Filtering

1. Disable the corresponding URL categories in the Access Internet rule.

Figure IV.3.6.1 Adding the URL categories to disable under Exceptions

Figure IV.3.6.2 Network Objects


2. Configure the properties of the Chat object just disabled. Under URL Category Override, choose Add, enter the URL vietfun.com/* and save the configuration.

Figure IV.3.6.3 Configuring the chat block for vietfun.com

3.7. DMZ join Domain

Configure an Access Rule that allows servers in the DMZ to join the Domain Controllers (Internal).
Configuration steps:
- Create a rule that allows the protocols DNS, LDAP, LDAP (UDP, Global Catalog), UDP (Adm/Sec/CIFS), TCP (Sec/CIFS), NTP (UDP), RPC (All Interfaces) and PING to pass between the Perimeter and Internal networks, so that the servers can join the domain over these protocols.
- Join the servers in the perimeter network to the dma.vn domain.
1. Create the rule.

Figure IV.3.7.1 Creating a New Access Rule


Figure IV.3.7.2 Naming the rule

Figure IV.3.7.3 Selecting Allow as the rule action


Figure IV.3.7.4 Adding the protocols

Figure IV.3.7.5 Setting the rule source to Perimeter


Figure IV.3.7.6 Destination is Internal

Figure IV.3.7.7 Configuring user authentication


Figure IV.3.7.8 The rules created

Testing the rule: join the client machines in the perimeter network to the domain

Figure IV.3.7.9 Clients in the Perimeter network joined the domain successfully
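The wizards in 3.1, 3.2 and 3.7 each produce one entry in an ordered policy that TMG evaluates top-down, with traffic that matches no rule denied (the default behaviour noted at the start of this section). The following is an added model of that evaluation, not Forefront code: the rule names, network names and the user DMA\user1 are constructed to mirror those sections, and the protocol strings are taken from the list above.

```python
"""First-match evaluation of a Forefront TMG style access policy.

Added illustration, not Forefront code. It models what the sections above
build through the wizard: an ordered list of access rules, each with an
action, protocols, source and destination networks and the users it applies
to, evaluated top-down with an implicit deny when nothing matches.
Rule names, networks and the user name are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ALL = "*"  # wildcard meaning "all protocols" or "all users"


@dataclass(frozen=True)
class Request:
    protocol: str
    src_network: str
    dst_network: str
    user: str | None  # None = anonymous (not authenticated to the proxy)


@dataclass
class AccessRule:
    name: str
    action: str  # "allow" or "deny"
    protocols: set[str] | str = ALL
    from_networks: set[str] = field(default_factory=set)
    to_networks: set[str] = field(default_factory=set)
    users: set[str] | str = ALL

    def matches(self, req: Request) -> bool:
        if self.protocols != ALL and req.protocol not in self.protocols:
            return False
        if req.src_network not in self.from_networks:
            return False
        if req.dst_network not in self.to_networks:
            return False
        # A rule limited to named users never matches anonymous traffic.
        if self.users != ALL and (req.user is None or req.user not in self.users):
            return False
        return True


def evaluate(policy: list[AccessRule], req: Request) -> tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else deny."""
    for rule in policy:
        if rule.matches(req):
            return (rule.action, rule.name)
    return ("deny", "default rule")


# Constructed policy mirroring 3.1 (Access Internet), 3.2 (DNS Query) and
# 3.7 (DMZ join Domain); protocol names follow the list given for 3.7.
DOMAIN_JOIN_PROTOCOLS = {
    "DNS", "LDAP", "LDAP (UDP, Global Catalog)", "UDP (Adm/Sec/CIFS)",
    "TCP (Sec/CIFS)", "NTP (UDP)", "RPC (All Interfaces)", "PING",
}
POLICY = [
    AccessRule("DNS Query", "allow", {"DNS"}, {"Internal"}, {"External"}),
    AccessRule("Access Internet", "allow", {"HTTP", "HTTPS"},
               {"Internal"}, {"External"}, users={"DMA\\user1"}),
    AccessRule("DMZ join Domain", "allow", DOMAIN_JOIN_PROTOCOLS,
               {"Perimeter"}, {"Internal"}),
]

if __name__ == "__main__":
    for req in (
        Request("DNS", "Internal", "External", None),
        Request("HTTP", "Internal", "External", "DMA\\user1"),
        Request("HTTP", "Internal", "External", None),
        Request("LDAP", "Perimeter", "Internal", None),
        Request("LDAP", "Internal", "Perimeter", None),
    ):
        print(req.protocol, req.src_network, "->", req.dst_network,
              req.user or "anonymous", evaluate(POLICY, req))
```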

4. Configuring the Network Inspection System (NIS)

Configuration steps:
- Enable NIS
- Configure NIS (Network Inspection System)
- Monitor NIS
1. Enable NIS

Figure IV.4.1 NIS Tasks

Figure IV.4.2 Enabling NIS


2. Configure NIS

Figure IV.4.3 Adding the IP address range to monitor

Figure IV.4.4 Adding the configured IP range to the Management Server


Figure IV.4.5 Allowing NIS to respond to abnormal traffic

Figure IV.4.6 Saving the configuration


3. Monitor NIS
NIS is monitored through logs and reports

Figure IV.4.7 Logging Tasks

Figure IV.4.8 Edit Filter


Figure IV.4.9 Entering the IP address to monitor

Figure IV.4.10 Traffic of the monitored client recorded by NIS


5. Configuring a site-to-site VPN connection

Steps:
- Create an authentication user at both branches
- Configure the site-to-site VPN connection
- Test the configuration
HCM site:
1. Create the authentication user at the HCM site

Figure IV.5.1 Creating the authentication user at the HCM site

Figure IV.5.2 Allowing the user to access from outside


Configure the VPN connection at the HCM site

Figure IV.5.3 Naming the VPN connection

Select PPTP as the secure connection protocol

Figure IV.5.4 Configuring the PPTP secure connection


Figure IV.5.5 Configuring the address range for connecting clients

Figure IV.5.6 Configuring the remote site gateway


Figure IV.5.7 Configuring user authentication for the connection to the HN site

Figure IV.5.8 Configuring the IP address range for the VPN connection


Figure IV.5.9 Creating the connection rule

Figure IV.5.10 Configuring the rule that allows VPN clients to connect


Figure IV.5.11 Configuration complete

HN site:
The configuration steps are the same as for the HCM site, but note that the authentication user must match the user created at the HCM site.

Figure IV.5.12 Configuring connection authentication

Testing the VPN connection


Figure IV.5.14 Testing the VPN connection from the HN site to HCM

Figure IV.5.15 Testing the connection from a client at the HCM site to HN


6. Configuring a client-to-site VPN connection

Steps for the client-to-site VPN:
- Create an account on the DC for the external client to connect with.
- Configure VPN Client To Site on TMG.
- Create a dial-in connection on the client machine to connect to the VPN.
1. Create the user and allow the user to log in to the domain from outside

Figure IV.6.1 Creating the user

Figure IV.6.2 Allowing user vpn1 to log in to the domain from outside


In Remote Access Policy (VPN), choose Select Access Networks

Figure IV.6.3 Select Access Networks

Enter the IP address range; this is the range client machines are assigned when they log in to the domain from the Internet

Figure IV.6.4 Dialog for configuring the IP address range for VPN connections


Enable the VPN Client Access feature

Figure IV.6.5 The VPN Client Access feature

Create an Access Rule allowing VPN clients to access from outside

Figure IV.6.6 VPN client access rule


On the client machine, create a virtual (dial-up) connection to the server

Figure IV.6.7 Connecting through the VPN

The VPN is connected; below is the VPN client's information, and the assigned address is 192.168.10.101.

Figure IV.6.8 Checking the connection


7. Configuring Intrusion Detection

Configuration steps:
- Configure attack detection
- Run a basic attack and view the result recorded by Forefront TMG
1. Configure attack detection
Under Intrusion Prevention System, choose Configure Detection Settings for Common Network Attacks.

Figure IV.7.1 Behavioral Intrusion Detection

Under Common Attacks, check the Port Scan box

Figure IV.7.2 Configuring attack detection


2. Run an attack with SuperScan4

Figure IV.7.3 The SuperScan4 interface

Then click the Play button to start the scan. The result shows one host found, the TMG machine.

Figure IV.7.4 Scan result

On the TMG01 machine, under Monitoring, TMG has detected the PortScan attack.

Figure IV.7.5 Attack information recorded by TMG
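What the Port Scan detector above does is count, per source address, how many distinct ports were touched within a short time, with separate thresholds for well-known ports (below 1024) and for ports of any kind. The following is an added illustration of that detection over firewall connection logs, not Forefront code; the threshold values, the window and the log lines are constructed for the demonstration, so set the limits to whatever the dialog on your TMG shows.

```python
"""Port-scan detection over firewall connection logs.

Added illustration, not Forefront TMG code. It mirrors the two counters the
Port Scan setting exposes: an alert once a source has touched N distinct
well-known ports (below 1024) or M distinct ports of any kind inside a
sliding time window. Thresholds, window and log lines are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023


@dataclass(frozen=True)
class Alert:
    source: str
    kind: str            # "well-known port scan" or "port scan"
    distinct_ports: int


def parse_line(line: str) -> tuple[int, str, int]:
    """Parse 'timestamp src dst dport proto action' into (ts, src, dport)."""
    ts, src, _dst, dport, _proto, _action = line.split()
    return int(ts), src, int(dport)


def detect_port_scans(lines: list[str], window: int = 60,
                      well_known_limit: int = 10, any_limit: int = 20) -> list[Alert]:
    """Return one alert per source that crosses a threshold inside the window."""
    hits: dict[str, list[tuple[int, int]]] = defaultdict(list)  # src -> (ts, dport)
    alerted: dict[str, Alert] = {}
    for line in lines:
        ts, src, dport = parse_line(line)
        if src in alerted:
            continue  # already reported; one alert per source is enough
        bucket = hits[src]
        bucket.append((ts, dport))
        # Drop hits that fell out of the sliding window.
        while bucket and bucket[0][0] < ts - window:
            bucket.pop(0)
        ports = {p for _, p in bucket}
        well_known = {p for p in ports if p <= WELL_KNOWN_MAX}
        if len(well_known) >= well_known_limit:
            alerted[src] = Alert(src, "well-known port scan", len(well_known))
        elif len(ports) >= any_limit:
            alerted[src] = Alert(src, "port scan", len(ports))
    return list(alerted.values())


# Constructed log sample: 10.0.0.50 sweeps ten well-known ports in seconds,
# 10.0.0.60 probes twenty high ports, 192.168.10.20 is an ordinary web client.
SAMPLE_LOG = (
    [f"{100 + i} 10.0.0.50 203.0.113.5 {p} TCP denied"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443])]
    + [f"{200 + i} 10.0.0.60 203.0.113.5 {5000 + i} TCP denied" for i in range(20)]
    + ["300 192.168.10.20 203.0.113.5 80 TCP allowed",
       "301 192.168.10.20 203.0.113.5 443 TCP allowed",
       "302 192.168.10.20 203.0.113.5 80 TCP allowed"]
)

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"{alert.source}: {alert.kind} ({alert.distinct_ports} ports)")
```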

8. Securing the operating system with Forefront Client Security

Steps:
- Install and configure WSUS 3.0
- Synchronize and approve Forefront Client Security
Install the WSUS 3.0 package

Figure IV.8.1 Installing WSUS 3.0

After installation completes, run the update under Update Source and Proxy Server

Figure IV.8.2 Updating with WSUS

Select the packages to update, here Windows XP and Forefront Client Security (FCS)

Figure IV.8.3 Selecting the update packages


Enable automatic synchronization

Figure IV.8.4 Configuring synchronization

Figure IV.8.5 Synchronization complete


Approve the updates needed to install FCS

Figure IV.8.6 The approval process

Forefront Client Security packages approved successfully

Figure IV.8.7 Approval complete


Start installing FCS

Figure IV.8.8 Installing Forefront Client Security

Figure IV.8.9 Installation complete


9. Configuring Forefront Unified Access Gateway 2010

Steps:
- Configure the global security group
- Install Forefront UAG
- Perform the configuration
Create the Global Security Group

Figure IV.9.1 Creating the global security group

Figure IV.9.2 Adding the client machines as members of the DMA_DA group


Next, install Forefront UAG

Figure IV.9.3 Forefront UAG installation options screen

Figure IV.9.4 Installing UAG


Figure IV.9.5 Choosing the installation folder

Figure IV.9.6 UAG installation in progress


Figure IV.9.7 Installation complete

Configure DirectAccess in UAG

Figure IV.9.8 Configuration deployment steps


Figure IV.9.9 Launching the configuration after installation completes

After installation and the basic configuration in the Getting Started wizard, we configure UAG as a DirectAccess server.
Step 1: Configure Clients and GPOs

Figure IV.9.10 Configuring Clients and GPOs


Step 2: Configure the DirectAccess Server

Figure IV.9.11 Configuring the DirectAccess Server

Step 3: Configure the Infrastructure Server

Figure IV.9.12 Configuring the Infrastructure Server


10. Securing the Exchange server
Install Forefront Security for Exchange Server

Figure IV.10.1 Forefront Security for Exchange installation screen

Forefront Security can integrate with third-party programs (such as Kaspersky, Norman, Sophos, etc.)

Figure IV.10.2 Installing the bundled engines


Figure IV.10.3 Installation complete

After installation, configure security for the system:

- Configure quarantine of virus-infected mail attachments
- Transport scan job
- Realtime scan job
- Set the maximum time an attachment is kept in the quarantine area
- Configure saving files after scanning
- Configure deletion of password-protected compressed files
- Configure the manual scan job
- Scan received mail
- Configure the background scan job
- Schedule activation of the background scan job
- Block specified files


Figure IV Forefront Security for Exchange Server interface

11. Configuring ISP Redundancy (Load balancing)

Configuration steps:
- The WAN card NATs directly to the Internet over Wi-Fi (Line 1)
- The DMZ card is bridged to the physical machine's real network card (Line 2)
- Under Networking, choose the ISP Redundancy tab and click Configure ISP Redundancy.
- On the Welcome screen, click Next

Figure IV.11.1 Configuring ISP redundancy


Figure IV.11.2 Choosing Load balancing with failover capability (the default)

At ISP Connection 1

Figure IV.11.3 Configuring the IP for ISP connection 1


At ISP Connection 2, name it Line2, select the DMZ network card and click Next.

Figure IV.11.4 Configuring ISP connection 2

Configure ISP Connection 2

Figure IV.11.5 Configuring the IP for ISP connection 2


Figure IV.11.6 Configuration complete

And the Load Balancing rule has been created successfully.

Figure IV.11.7 Creating the load balancing rule


12. Performing backup and restore

Backing up the system
Under Action, choose Export Firewall Policy

Figure IV.12.1 Exporting the configuration file

Figure IV.12.2 Export wizard welcome page


Check Export confidential information

Figure IV.12.3 Option to protect the configuration file

Enter a password to protect the configuration file


Figure IV.12.4 Entering the password that protects the configuration file

Click Browse to choose where the backup file is stored

Figure IV.12.5 Choosing where to save the configuration file


Figure IV.12.6 Export of the configuration file in progress

Restoring the system backup file

Go to the Action menu, Import Firewall Policy, and follow the steps to restore the configuration file

Figure IV.12.7 Import wizard welcome page


Browse to the location holding the backup file

Figure IV.12.8 Choosing the backup file location

Leave Import Server at its default and, in the Enter password window, enter the password used at backup time

Figure IV.12.9 Confirming the password protecting the configuration file


Figure IV.12.10 Import of the configuration file complete

Figure IV.12.11 Import of the configuration file in progress


The rules view after the import completes.

Figure IV.12.12 Configuration items after restore


V. EVALUATION AND FUTURE DIRECTIONS

1. EVALUATION OF THE PROJECT
1.1. Applicability and extensibility
1.1.1. Applicability of Forefront
Microsoft Forefront offers comprehensive, end-to-end solutions, both on-premises and in the cloud, that help protect users and allow secure access from almost anywhere. With its integrated portfolio of protection, identity and access products, you can secure your environment and manage access across data, users and systems.
Multi-layered protection: Forefront provides anti-malware protection across messaging, endpoints, collaboration application servers and the network edge.
Forefront Endpoint Protection 2010: the successor to Forefront Client Security; it lets businesses simplify and improve endpoint protection while significantly lowering infrastructure costs.
Forefront Protection 2010 for Exchange Server: combines multiple scanning engines from leading industry partners into a single solution that detects viruses and spyware faster and more effectively than single-engine products.
Forefront Online Protection for Exchange: provides layered technologies that help protect a business's inbound and outbound e-mail from spam, viruses, phishing and e-mail policy violations.
Forefront Protection 2010 for SharePoint: combines multiple anti-malware scanning engines from leading security partners with file and keyword filtering to give comprehensive protection against the latest threats.
Forefront Threat Management Gateway 2010: provides a secure web gateway that protects users from malware and other web-based threats.
Identity-based access: Microsoft's identity-based access technologies and the Forefront solutions build on the Active Directory infrastructure to give users policy-based access to applications, devices and information.
Microsoft Forefront Identity Manager 2010: provides a comprehensive solution for managing identities, credentials and identity-based access policies across heterogeneous environments.
Forefront Unified Access Gateway 2010: provides comprehensive, secure remote access to corporate resources for employees, partners and vendors from both managed and unmanaged PCs and mobile devices.

Simplified management: Microsoft Forefront products include management capabilities that integrate with your existing environment, making it easier to deploy and manage protection for the business and to maintain compliance.
Forefront Protection Server Management Console 2010: provides multi-server management for Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint. The console offers an easy-to-use graphical interface for server discovery, configuration deployment, reporting, quarantine management, engine and definition update deployment, and integration with Forefront Online Protection for Exchange.
1.1.2. Extensibility of Forefront
The Forefront TMG SDK tools are used to extend the functionality of Forefront TMG, and the SDK also documents how Forefront TMG works internally. The Forefront TMG 2010 SDK consists of libraries, tools, samples and documentation that help developers and system administrators deploy, configure, customize and extend their Forefront TMG environment. It contains:
ADAM Sites tool for Forefront TMG Enterprise
Auto Discovery Configuration
Cache Directory
CertTool
DNS Cache
EE Single Server Conversion
MSDEToText
Remote Access Quarantine
RSA Test Authentication
Security Configuration Wizard (SCW) update for Forefront TMG Standard and Enterprise editions
Forefront TMG 2010 SDK
ISASDK.CHM
Samples/Admin folder
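The administration object model that the SDK documents is also what makes TMG scriptable for audits. The following PowerShell script is an added example, not code from the thesis or from the SDK samples: it reads the array's firewall policy through FPC.Root and flags enabled access rules that allow every protocol to "All Users", the kind of troubleshooting leftover that bypasses the per-protocol inspection the firewall was deployed for. Object and property names follow the SDK model (FPCArray.ArrayPolicy.PolicyRules, FPCPolicyRule, FPCAccessProperties); the enumeration constants are the SDK's documented values and are assumptions to confirm in ISASDK.CHM before the output is trusted.

```powershell
# Added example (not from the thesis): audit the firewall policy through the TMG
# administration COM object documented in the TMG SDK. The constants below are the
# SDK's documented enumeration values; confirm them in ISASDK.CHM on your own system.
$fpcPolicyRuleAccess      = 0   # FpcPolicyRuleTypes: access rule (1 = server publishing, 2 = web publishing)
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: allow (1 = deny)
$fpcAllProtocols          = 0   # FpcProtocolSelectionType: rule applies to all protocols

$Array = (New-Object -ComObject 'FPC.Root').GetContainingArray()

$Report = foreach ($Rule in $Array.ArrayPolicy.PolicyRules) {
    # Only access rules carry a protocol selection; publishing rules are skipped here.
    $AllProtocols = $false
    if ($Rule.Type -eq $fpcPolicyRuleAccess) {
        $AllProtocols = ($Rule.AccessProperties.ProtocolSelectionMethod -eq $fpcAllProtocols)
    }
    $Action = if ($Rule.Action -eq $fpcPolicyRuleActionAllow) { 'Allow' } else { 'Deny' }
    [pscustomobject]@{
        Order        = $Rule.Order
        Name         = $Rule.Name
        Enabled      = $Rule.Enabled
        Action       = $Action
        AccessRule   = ($Rule.Type -eq $fpcPolicyRuleAccess)
        AllProtocols = $AllProtocols
        Users        = (@($Rule.UserSets | ForEach-Object { $_.Name }) -join ', ')
        Sources      = (@($Rule.SourceSelectionIPs.Networks | ForEach-Object { $_.Name }) -join ', ')
    }
}
$Report | Sort-Object Order |
    Format-Table Order, Name, Enabled, Action, AllProtocols, Users, Sources -AutoSize

# An enabled access rule that allows every protocol to "All Users" skips the application
# filters and authentication that justify running TMG at all. Such rules are usually left
# over from troubleshooting and belong at the bottom of the policy, or deleted.
$Broad = $Report | Where-Object {
    $_.Enabled -and $_.Action -eq 'Allow' -and $_.AllProtocols -and $_.Users -match 'All Users'
}
foreach ($R in $Broad) {
    Write-Warning "Rule $($R.Order) '$($R.Name)' allows all protocols to [$($R.Users)] from [$($R.Sources)]"
}
```

Because the script only reads the policy (no Save call), it is safe to run against production as a recurring check; the same object model is what the SDK's Samples/Admin folder uses for its own configuration scripts.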
1.2. Addressing the remaining limitations
Simplified and improved endpoint protection:
Forefront Endpoint Protection 2010 simplifies and improves endpoint protection while significantly lowering infrastructure costs. Because it is built on System Center Configuration Manager 2007, it gives you a single interface for managing and protecting desktops, which reduces complexity and improves troubleshooting and reporting. The shared infrastructure also removes the cost of buying and maintaining a separate security infrastructure.

The anti-malware engine in Forefront Endpoint Protection 2010 protects against the latest malware and rootkits with a low false-positive rate. The engine ranks highly in independent third-party tests such as those run by AV-Comparatives and Virus Bulletin, and it keeps staff productive because scanning has little impact on system performance.
With point security products multiplying in both number and complexity, one might expect organisations to have all the protection they need. Yet business security problems keep growing, largely because of the day-to-day operational challenges administrators face, such as:
Integrating security products so that they work well together and reinforce each other.
Integrating security products into the existing IT infrastructure.
Deploying and managing security simply, everywhere, and without mistakes.
Managing security as a single solution instead of a collection of unrelated products.
Forefront gives companies a comprehensive set of highly effective security products. By concentrating on the integration and management aspects of security, the Forefront products help prevent mistakes, let organisations deploy security products more widely, and give a unified view of the security state of the network. By addressing these operational problems Forefront helps make the network more secure: configuration is correct, security is deployed where it is needed, and management and reporting are simplified.
1.3. Limitations of the current solution
Several factors affect the stability and performance of the TMG firewall. Forefront Threat Management Gateway (TMG) 2010 is an integrated security gateway that delivers advanced network-layer and application-layer security services: low-level protocol inspection, application-layer traffic inspection, user authentication, reputation-based access control and HTTPS inspection. These advanced features are resource-intensive and will limit throughput and add latency if the system is misconfigured or undersized.
1.3.1. Hardware configuration
Before any discussion of TMG firewall performance, it is important to note that the underlying hardware must be up to the role TMG is deployed in. The best practice is to use high-quality server-class hardware or a dedicated security appliance. For the best results the hardware must be sized correctly for its environment and the expected load. TMG's advanced network-layer and application-layer inspection can consume a great deal of system resources, so adequate processing power, memory, disk capacity and network capacity are fundamental to the stability and performance of the solution.
Determining how much hardware a specific deployment needs is very difficult, because every deployment is unique and depends on many factors. To help with this, Microsoft provides the Forefront TMG Capacity Planning Tool. You enter the details of your environment and the tool recommends a hardware specification based on the expected number of users, the available bandwidth and the protection features that will be enabled. Plan spare CPU and memory capacity to get the best performance; the headroom also serves as a reserve when the deployment needs to grow later.
1.3.2. Infrastructure services
The TMG firewall depends heavily on supporting infrastructure services to do its job. The overall performance of the solution depends on how well services such as Active Directory and DNS are working; when Active Directory or DNS has problems, no TMG setting can compensate for the resulting performance problems. Many things can go wrong with Active Directory or DNS. Rather than a complete list, the following are common issues that can significantly degrade TMG performance:
Network connectivity: performance suffers badly when the TMG firewall lacks reliable network connectivity to Active Directory or DNS. TMG needs good connectivity to these services, ideally in the same physical location over gigabit links. Make sure all intermediate devices such as routers and switches are healthy and show no error indications.
Active Directory site configuration: poor performance is sometimes caused by the TMG firewall authenticating against domain controllers located in other geographic regions, which is the result of incorrect Active Directory site configuration. Make sure the Active Directory IP subnets are defined correctly and that the Active Directory site containing the TMG firewall also contains domain controllers.
1.3.3. Networking
At the lowest level TMG is a routing firewall that forwards traffic from one interface to another when policy allows it, so network configuration plays a large part in the performance of the system. The key settings and recommendations for optimising throughput and network performance are:
Port speed and duplex mode: a port speed or duplex mismatch degrades network performance dramatically. For correct operation these settings must match at both ends of the link. If you configure them manually on the TMG firewall's network interface, you must configure the switch port it connects to the same way; if the switch port is set to auto-negotiate, the TMG interface must also be set to auto-negotiate. One side manual and the other automatic does not work. Under no circumstances should hubs be used in a production environment.
DNS configuration and network interface binding order: this is one of the most common configuration errors and causes slow name resolution and unreliable authentication. DNS servers should be configured only on the internal network interface. In addition, on multi-homed firewalls the internal network interface should be first in the network binding order.
Isolated network segments: place the TMG firewall's network interfaces in isolated network segments whenever possible. This improves both performance and security: it reduces the risk of ARP cache poisoning attacks and makes the network harder to map. It matters even more when Network Load Balancing (NLB) is enabled, because by default NLB sends its heartbeat traffic to every host that can see the segment; with the TMG firewalls on an isolated segment, that traffic reaches only the hosts that need it.
Back firewall configuration: TMG as the edge firewall is not the optimal configuration for either security or performance. Hosts exposed directly to the Internet are constantly scanned and probed. Configuring TMG as a back firewall behind another firewall reduces the amount of noise it has to process. For example, a Cisco ASA at the network edge configured to allow only the protocols TMG will handle frees considerable resources for authentication and advanced application-layer inspection. A further benefit is less log noise, so the log data is clearer and unusual traffic is easier to recognise.
Web Proxy clients: configuring client machines as Web Proxy clients brings a considerable performance gain, even though many administrators prefer SecureNAT clients because they need no change on the client side. SecureNAT clients consume noticeably more resources on the TMG firewall than Web Proxy clients, because a Web Proxy client opens fewer TCP connections to the firewall's web proxy listener to fetch the same web content. For example, when opening a popular website (espn.com in this example), a SecureNAT client establishes 31 TCP connections to render the front page.


Figure V.1.3.3.1 Example of the connections made by a SecureNAT client

With a Web Proxy client, by contrast, only 6 TCP connections are needed to render the same page.


Figure V.1.3.3.2 Example of the connections made by a Web Proxy client

With thousands of users, this difference in the number of TCP connections has a very large effect on CPU load.
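The DNS placement, binding order, link speed and Active Directory points in 1.3.2 and 1.3.3 are all things a firewall administrator can verify before blaming TMG for slow authentication. The PowerShell script below is an added example, not part of the thesis: a read-only health check that relies only on WMI, the registry and nltest.exe, so it runs on a Windows Server 2008 R2-era TMG host without extra modules. The adapter name and the domain controller names are placeholders to replace with your own.

```powershell
# Added example (not from the thesis): read-only checks for the infrastructure and
# networking recommendations in sections 1.3.2 and 1.3.3. Uses WMI, the registry and
# nltest.exe only. Adapter and DC names below are placeholders for your environment.
$InternalAdapter   = 'Internal'                                   # assumed name of the LAN-facing NIC
$DomainControllers = @('dc1.example.local', 'dc2.example.local')  # assumed DC names

# DNS servers belong only on the internal adapter. DNS on the external NIC sends name
# lookups, and the Kerberos/LDAP traffic that follows them, out of the wrong interface.
# The same loop reports link speed: a server NIC below 1 Gbit/s usually means a
# speed/duplex mismatch with the switch port. Speed is reported in bits per second.
foreach ($Cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $Nic = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($Cfg.Index)"
    $Dns = @($Cfg.DNSServerSearchOrder) -join ', '
    if ($Nic.NetConnectionID -ne $InternalAdapter -and $Dns) {
        Write-Warning "$($Nic.NetConnectionID) has DNS servers [$Dns]; DNS should be set only on '$InternalAdapter'"
    }
    if ($Nic.Speed -and [uint64]$Nic.Speed -lt 1000000000) {
        Write-Warning "$($Nic.NetConnectionID): link speed $($Nic.Speed) bps, expected 1 Gbit/s"
    }
}

# Binding order: the internal adapter should be first. Windows keeps the order in the
# Tcpip Linkage\Bind value as \Device\{adapter GUID} entries.
$Bind      = @((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind)
$FirstGuid = ($Bind[0] -split '\\')[-1]
$First     = Get-WmiObject Win32_NetworkAdapter -Filter "GUID = '$FirstGuid'"
if ($First.NetConnectionID -ne $InternalAdapter) {
    Write-Warning "Binding order puts '$($First.NetConnectionID)' first; '$InternalAdapter' should be first"
}

# Active Directory site: the firewall should authenticate against a DC in its own site,
# not one in another region (the site/subnet misconfiguration described in 1.3.2).
$Site   = @(nltest /dsgetsite 2>$null)[0]
$DcLine = @(nltest /dsgetdc: 2>$null) | Where-Object { $_ -match 'DC:' } | Select-Object -First 1
Write-Host "AD site: $Site; located $("$DcLine".Trim())"

# TCP reachability and connect latency to the ports TMG depends on: DNS (53),
# Kerberos (88), LDAP (389) and SMB (445). On a LAN every port should be open within a few ms.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $Client = New-Object System.Net.Sockets.TcpClient
    $Sw     = [System.Diagnostics.Stopwatch]::StartNew()
    $Open   = $false
    try {
        # The wait handle signals on success or failure, so Connected must be checked too.
        $Done = $Client.BeginConnect($Target, $Port, $null, $null).AsyncWaitHandle.WaitOne($TimeoutMs)
        $Open = $Done -and $Client.Connected
    } catch { $Open = $false }   # unresolvable name or immediate socket error
    $Client.Close()
    [pscustomobject]@{ Target = $Target; Port = $Port; Open = $Open; Ms = $Sw.ElapsedMilliseconds }
}
$Results = foreach ($Dc in $DomainControllers) { foreach ($Port in 53, 88, 389, 445) { Test-TcpPort $Dc $Port } }
$Results | Format-Table -AutoSize
$Results | Where-Object { -not $_.Open -or $_.Ms -gt 50 } | ForEach-Object {
    Write-Warning "$($_.Target):$($_.Port) open=$($_.Open) after $($_.Ms) ms"
}
```

Run it from the TMG server itself, since the point is the firewall's own view of its DNS servers and domain controllers; a closed port or tens of milliseconds of connect latency to a DC shows up here long before users report slow proxy authentication.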




VII. APPENDIX

List of tables and figures


Figure I.1.1 Forefront Threat Management Gateway (p. 13)
Figure I.1.2 Chart showing the growth of malware (p. 14)
Figure I.1.3 Overview of the firewall's three network layers (p. 15)
Figure I.2.1.1 The evolution of Forefront TMG 2010 (p. 15)
Figure I.2.2.1 The evolution of Forefront TMG 2010 (p. 16)
Figure I.3.1 Price and licence information for the Forefront editions (p. 17)
Figure I.3.2 Price and licence information for Windows Server 2008 (p. 17)
Figure I.4.1.1 Main features of Forefront TMG 2010 (p. 18)
Figure I.4.2.1 Highlighted features of Forefront TMG 2010 (p. 18)
Table I.4.2.1 Feature comparison of Forefront TMG Standard and Enterprise (p. 19)
Table I.4.2.2 Feature comparison of ISA 2006 and Forefront TMG (p. 20)
Table I.4.3.1 Installation requirements (p. 20)
Figure I.5.1.1 Network Setup Wizard (p. 21)
Figure I.5.2.1.1 Edge Firewall template (p. 22)
Figure I.5.2.2.1 3-Leg Perimeter template (p. 22)
Figure I.5.2.3.1 Back Firewall template (p. 23)
Figure I.5.2.4.1 Single Network Adapter template (p. 23)
Table II.1.1 Feature comparison of TMG MBE and TMG Full (p. 25)
Figure II.2.1 Forefront TMG management console (p. 26)
Figure II.2.2 ISA 2006 management console (p. 26)
Figure II.3.1 MPEngine and its processing steps (p. 27)
Figure II.3.2 Download management with Forefront TMG (p. 28)
Table II.3.1 Feature comparison of TMG MBE and TMG 2010 (p. 29)
Figure II.3.3 Intrusion Prevention System (IPS) interface (p. 31)
Figure II.3.4 NAT address selection wizard (p. 32)
Table II.3.2 Feature comparison of ISA 2006, TMG MBE and TMG 2010 (p. 33)
Figure II.4.1.1 Establishing a VPN connection with UAG (p. 34)
Table II.4.2.1 Feature comparison of IAG and UAG (p. 35)
Figure II.4.3.2.1 Features of TMG and UAG (p. 36)
Figure II.4.3.2.2 Example UAG deployment on the back-end network (p. 37)
Figure II.4.3.2.1.1 Edge Firewall model (p. 38)
Figure II.4.3.2.2.1 3-Leg Perimeter network model (p. 38)
Figure II.4.3.2.3.1 Back Firewall network model (p. 39)
Figure II.4.3.2.4.1 Single NIC network model (p. 40)
Figure II.7.1.1 Example network table (p. 45)
Figure II.7.2.1 Network application table (p. 46)
Figure II.7.2.2 Network protocol map (p. 47)
Figure II.7.2.3 Network protocol map (2) (p. 47)
Figure II.7.2.4 Application filters in TMG (p. 48)
Figure II.8.1 Multi-network interconnection model (p. 49)
Figure II.9.1.1.1 DNS configuration in a workgroup (p. 51)


Table II.9.1.1.1 Summary of the advantages and disadvantages of the DNS configuration (p. 52)
Figure II.9.3.1 DNS cache in TMG (p. 53)
Figure II.10.1.1 Edge Firewall template (p. 54)
Figure II.10.2.1 3-Leg Perimeter template (p. 55)
Figure II.10.2.2 Configuring the networks in the 3-Leg model (p. 56)
Figure II.10.3.1 Back Firewall template (p. 57)
Figure II.10.4.1 Single Network Adapter template (p. 58)
Table II.10.5.1 Advantages and disadvantages of installing Forefront in a domain versus a workgroup (p. 59)
Table II.11.1 Minimum update requirements for upgrading to TMG 2010 (p. 60)
Table II.11.2 Patch information for the ISA and TMG versions (p. 60)
Figure II.11.1 Migration example (p. 61)
Figure II.12.1.1 Proxy settings for Internet Explorer (p. 62)
Figure II.12.2.1 Core TMG components in processing an HTTP request from a web proxy client (p. 63)
Figure: HTTP request from a web proxy client to TMG (p. 64)
Figure II.12.3.1 Web proxy configuration in TMG (p. 65)
Table II.12.4.1 Summary of requirements for the TMG clients (p. 65)
Figure II.12.5.1 Simple network model (p. 66)
Figure II.12.5.2 Complex network model (p. 67)
Figure II.12.6.1 Loopback DNS (p. 67)
Figure II.12.8.1 Advantages and disadvantages of the SecureNAT client (p. 69)
Figure II.12.9.1 Forefront TMG Client tab (p. 69)
Figure II.12.9.2 Forefront TMG Client settings (p. 70)
Table II.12.9.1 Priorities when choosing a TMG client (p. 70)
Table II.12.9.2 Client types suited to each need (p. 71)
Table II.12.9.3 Feature comparison of the SecureNAT, Web Proxy and Firewall clients (p. 71)
Figure II.13.1.1 Main console of TMG 2010 (p. 72)
Figure II.13.1.2 New features in TMG 2010 compared with TMG MBE (p. 73)
Figure II.13.2.1 Tabs in the Monitoring node (p. 73)
Figure II.13.2.2 Services tab (p. 73)
Figure II.13.3.1 Firewall Policy toolbar (p. 73)
Figure II.13.4.1 Options in the Web Protection tasks (p. 74)
Figure II.13.4.2 Web Access toolbar (p. 74)
Figure II.13.5.1 E-mail Policy tab (p. 74)
Figure II.13.5.2 E-mail Policy tasks (p. 75)
Figure II.13.5.3 Spam Filtering tab (p. 75)
Figure II.13.5.4 Virus and Content Filtering tab (p. 75)
Figure II.13.6.1 Network Inspection System tab (p. 76)
Figure II.13.6.2 Behavioral Intrusion Detection tab (p. 76)
Figure II.13.6.3 Configuration items in the NIS tasks (p. 77)
Figure II.13.6.4 Network Adapters and Routing tab (p. 77)
Figure II.13.6.5 Information on the Network Adapters tab (p. 77)
Figure II.13.6.6 Information on the Routing tab (p. 78)
Figure II.13.6.7 ISP Redundancy tab (p. 78)
Figure II.13.6.8 Configuration items in the ISP Redundancy tasks (p. 79)
Figure II.14.1.1 Getting Started wizard (p. 79)
Figure II.14.1.2 Configuration steps in the Getting Started wizard (p. 80)
Figure II.14.2.1 Network Setup Wizard (p. 81)


Figure II.14.5.1 Configuring the web access policy (p. 82)
Figure II.14.6.1 Join Array (p. 82)
Figure II.14.6.2 Disjoin Array (p. 82)
Figure II.14.7.1 Forefront Protection Management Integration page link (p. 83)
Figure II.14.8.1 SIP configuration (p. 83)
Figure II.14.9.1 E-mail Policy tasks (p. 84)
Figure II.14.10.1 Configuring ISP redundancy (p. 84)
Figure II.15.1.1 Route relationships (p. 84)
Figure II.15.2.1 NAT relationships (p. 85)
Figure II.15.2.2 Half NAT publishing (default) (p. 86)
Figure II.15.2.3 Full NAT publishing (p. 86)
Figure II.15.2.4 Default NAT address selection (p. 87)
Figure II.15.2.5 Default NAT (p. 87)
Figure II.15.2.6 Single-IP (NLB) NAT (p. 88)
Figure II.15.2.7 Per-server NAT IP (p. 88)
Figure II.15.3.1 Default network rules for an edge deployment (p. 88)
Figure II.15.3.2 Network Entities selection dialog box (p. 89)
Table II.15.4.1 Summary of the network relationships (p. 90)
Figure II.15.4.1 Networks management view (p. 90)
Figure II.15.5.1 Model of the protected networks (p. 91)
Figure II.15.5.2 Internal Properties dialog box (p. 92)
Figure II.15.6.1 Authentication options for the internal network (p. 92)
Figure II.16.1.1 The ISP redundancy feature in TMG (p. 93)
Figure II.16.2.1 Configuring ISP redundancy (p. 93)
Figure II.16.3.1 Basic NLB architecture (p. 94)
Figure II.16.3.2 Difference between unicast and multicast MAC modes (p. 94)
Figure II.16.4.1 NLB control options (p. 95)
Figure II.16.4.2 Meaning of the NLB control options (p. 95)
Figure II.16.4.3 NLB warning (p. 96)
Figure II.17.1 How NIS operates (p. 97)
Figure II.17.1.1 Network Inspection System main page (p. 98)
Table II.17.2.1 Network attack types (p. 99)
Table II.17.2.2 DNS attack types (p. 100)
Figure II.19.1.1 Web Filters tab (p. 102)
Figure II.19.1.2 Malware Inspection Filter properties dialog (p. 102)
Figure II.19.1.3 Malware Inspection example (p. 103)
Figure II.19.2.1.1 Malware Inspection settings (p. 104)
Figure II.19.2.2.1 Content Delivery tab in Malware Inspection (p. 105)
Figure II.19.2.3.1 Storage tab in Malware Inspection (p. 106)
Figure II.19.2.4.1 Definition Updates tab in Malware Inspection (p. 107)
Figure II.19.2.5.1 Malware Inspection License Details tab (p. 107)
Figure II.19.3.1.1 URL Filtering decision flow (p. 108)
Figure II.19.3.1.2 URL filtering processing flow chart (p. 109)
Figure II.19.3.2.1 Components affected by URL filtering (p. 111)
Figure II.19.4.1 E-mail inspection steps in TMG (p. 112)
Figure II.19.4.2 E-mail inspection steps (p. 113)
Figure II.20.1 TMG architecture (p. 114)


Hnh II.20.2 Web Proxy Engine ....................................................................................................... 114


Figure II.21.1.1 Contoso network diagram ................................................................... 115
Figure II.21.1.2 Web server description table .............................................................. 115
Figure II.21.3.1 MMC dialog ................................................................................ 116
Figure II.21.3.2 Adding the Certificates snap-in to MMC .................................................... 117
Figure II.21.3.3 Managing certificates with the Computer account ........................................... 117
Figure II.21.3.4 Selecting where certificates are managed (local computer) ................................. 118
Figure II.21.3.5 Add Certificates .......................................................................... 118
Figure II.21.3.6 Creating a new certificate ................................................................ 119
Figure II.21.3.7 Import Certificate selection dialog ....................................................... 119
Figure II.21.3.8 Creating the private key .................................................................. 120
Figure II.21.3.9 Choosing where to store the certificate ................................................... 120
Figure II.21.3.10 Incorrect key error ...................................................................... 121
Figure II.21.3.11 Valid certificate ........................................................................ 121
Figure II.21.4.1 Creating a new Web Listener ............................................................... 122
Figure II.21.4.2 Selecting SSL for the Web Listener ........................................................ 123
Figure II.21.4.3 Selecting the interface for the Web Listener .............................................. 123
Figure II.21.4.4 Selecting the certificate used for the web listener ....................................... 124
Figure II.21.4.5 Assigning the certificate to the Web Listener ............................................. 124
Figure II.21.4.6 Configuring the authentication method ..................................................... 125
Figure II.21.4.7 Disabling the SSO feature ................................................................. 125
Figure II.21.4.8 Completing the setup ...................................................................... 126
Figure II.21.5.1 Creating a new Web Publishing Rule ........................................................ 126
Figure II.21.5.2 Selecting the action for the rule ......................................................... 127
Figure II.21.5.3 Selecting the publish type ................................................................ 127
Figure II.21.5.4 Selecting the security method ............................................................. 128
Figure II.21.5.5 Path to the published folder .............................................................. 128
Figure II.21.5.6 Creating the publish name for the rule .................................................... 129
Figure II.21.5.7 Selecting the web listener ................................................................ 129
Figure II.21.5.8 Selecting the authentication method ....................................................... 130
Figure II.21.5.9 Configuring user access ................................................................... 130
Figure II.21.5.10 Testing the rule ......................................................................... 131
Figure II.22.1.1 VPN connection ............................................................................ 131
Table II.22.1.3.1 Comparison of VPN security protocols ..................................................... 135
Figure II.22.1.4.1 TMG acting as a VPN server in NAP infrastructures ....................................... 136
Figure II.23.1 Forefront UAG DirectAccess Server ........................................................... 137
Figure III.1.1.1 Overall model of D.M.A Computer Technology ................................................ 141
Figure III.1.2.1 Logical model at the offices .............................................................. 142
Figure III.1.3.1 Detailed logical diagram at the offices ................................................... 143
Figure III.1.4.1 Organizational chart of D.M.A Computer Technology ......................................... 143
Figure III.3.2.1 IBM System x3650M3 (7945 - L2A) ........................................................... 154
Figure IV.1.1 Updating Windows Server 2008 before installing Forefront ..................................... 155
Figure IV.1.2 Preparation completed ........................................................................ 156
Figure IV.1.3 TMG requires declaring the internal network during installation .............................. 156
Figure IV.1.4 Installation completed ....................................................................... 157
Figure IV.2.1 Getting Started Wizard: Configure network settings ........................................... 157
Figure IV.2.2 3-Leg Perimeter template ..................................................................... 158

Figure IV.2.3 Getting Started Wizard: Configure system settings ............................................ 158
Figure IV.2.4 Defining the Forefront TMG environment as domain dma.vn ...................................... 159
Figure IV.2.5 Getting Started Wizard: Define deployment options ............................................ 159
Figure IV.2.6 Configuring Windows Update (default) ......................................................... 160
Figure IV.2.7 Configuring system protection features ....................................................... 160
Figure IV.2.8 Completing the 3 initial configuration steps in Forefront TMG ................................ 161
Figure IV.2.9 Forefront TMG interface ...................................................................... 161
Figure IV.3.1.1 Creating a new Access rule ................................................................. 162
Figure IV.3.1.2 Naming the new rule ........................................................................ 162
Figure IV.3.1.3 Setting the rule condition to Allow ........................................................ 163
Figure IV.3.1.4 Protocols applied to the rule .............................................................. 163
Figure IV.3.1.5 Malware Inspection configuration option for the rule ....................................... 164
Figure IV.3.1.6 Configuring source and destination networks for the rule ................................... 164
Figure IV.3.1.7 Adding the users the rule applies to ....................................................... 165
Figure IV.3.1.8 Configuration completed; apply to save the configuration on Forefront ...................... 165
Figure IV.3.2.1 Creating a new Access rule ................................................................. 166
Figure IV.3.2.2 Declaring the name and defining the action for the rule .................................... 166
Figure IV.3.2.3 Selecting the DNS protocol ................................................................. 167
Figure IV.3.2.4 Configuring source and destination for the rule ............................................ 167
Figure IV.3.2.5 Defining the users the rule applies to ..................................................... 168
Figure IV.3.2.6 Saving the configuration ................................................................... 168
Figure IV.3.3.2 Enabling the Malware Inspection feature .................................................... 169
Figure IV.3.3.3 Configuring automatic updates for Malware Inspection ....................................... 170
Figure IV.3.3.4 Updating the Malware Inspection feature .................................................... 170
Figure IV.3.3.5 Configuring under Properties ............................................................... 171
Figure IV.3.3.6 Malware Inspection configuration dialog .................................................... 171
Figure IV.3.3.7 Advanced Malware Inspection options with Rule Settings ..................................... 172
Figure IV.3.3.8 The eicar.org site provides a test virus sample for the firewall ........................... 172
Figure IV.3.3.9 Forefront blocks the download as soon as a virus is detected ............................... 173
Figure IV.3.4.1 Configuring HTTPS Inspection in the Web Access Policy task ................................. 173
Figure IV.3.4.2 Enabling HTTPS Inspection .................................................................. 174
Figure IV.3.4.3 Configuring certificate installation for malware detection ................................. 174
Figure IV.3.4.4 Installing the certificate ................................................................. 175
Figure IV.3.4.5 Storing the certificate .................................................................... 175
Figure IV.3.4.6 Certificate installed successfully ......................................................... 176
Figure IV.3.4.7 Deploying the certificate on the domain .................................................... 176
Figure IV.3.4.8 Deploying the certificate on domain dma .................................................... 177
Figure IV.3.4.9 Certificate deployed successfully on domain dma ............................................ 177
Figure IV.3.4.10 Downloading a file from eicar.org over the secure protocol ................................ 178
Figure IV.3.4.11 IE reports a certificate problem .......................................................... 178
Figure IV.3.4.12 Forefront blocks the download ............................................................. 178
Figure IV.3.5.1 Configuring Web Caching in the Web Access Policy ........................................... 179
Figure IV.3.5.2 Configuring storage capacity for Web Caching ............................................... 179
Figure IV.3.5.3 Creating a Cache rule ...................................................................... 180
Figure IV.3.5.4 Configuring the request destination for the cache .......................................... 180
Figure IV.3.5.5 Configuring storage of cached objects ...................................................... 181
Figure IV.3.5.6 Configuring cache content .................................................................. 181

Figure IV.3.5.7 Naming the job ............................................................................. 182
Figure IV.3.5.8 Scheduling the download time ............................................................... 182
Figure IV.3.5.9 Download site options ...................................................................... 183
Figure IV.3.5.10 Options in Content Caching ................................................................ 183
Figure IV.3.5.11 Applying to save the cache configuration .................................................. 184
Figure IV.3.5.12 Choosing to save and restart the service .................................................. 184
Figure IV.3.6.1 Adding the URL categories to disable to the Exceptions section ............................. 185
Figure IV.3.6.2 Network Objects ............................................................................ 185
Figure IV.3.6.3 Configuring a chat block on the vietfun.com site ........................................... 186
Figure IV.3.7.1 Creating a New Access Rule ................................................................. 186
Figure IV.3.7.2 Naming the rule ............................................................................ 187
Figure IV.3.7.3 Selecting Allow under rule action .......................................................... 187
Figure IV.3.7.4 Adding the protocols ....................................................................... 188
Figure IV.3.7.5 Setting the rule source to Perimeter ....................................................... 188
Figure IV.3.7.6 Destination is Internal .................................................................... 189
Figure IV.3.7.7 Configuring user authentication ............................................................ 189
Figure IV.3.7.8 The rules created .......................................................................... 190
Figure IV.3.7.9 Clients in the Perimeter zone joined the domain successfully ............................... 190
Figure IV.4.1 NIS Tasks .................................................................................... 191
Figure IV.4.2 Enabling NIS ................................................................................. 191
Figure IV.4.3 Adding the IP address range to monitor ....................................................... 192
Figure IV.4.4 Adding the configured IP range to the Management Server ...................................... 192
Figure IV.4.5 Allowing NIS to respond to abnormal traffic .................................................. 193
Figure IV.4.6 Saving the configuration just created ........................................................ 193
Figure IV.4.7 Logging Tasks ................................................................................ 194
Figure IV.4.8 Edit Filter .................................................................................. 194
Figure IV.4.9 Entering the IP address to monitor ........................................................... 195
Figure IV.4.10 Data of the monitored client recorded by NIS ................................................ 195
Figure IV.5.1 Creating an authentication user at the HCM site .............................................. 196
Figure IV.5.2 Configuring the user for access from outside ................................................. 196
Figure IV.5.3 Naming the VPN connection .................................................................... 197
Figure IV.5.4 Configuring a secure PPTP connection ......................................................... 197
Figure IV.5.5 Configuring the address range for connecting clients ......................................... 198
Figure IV.5.6 Configuring the remote site gateway .......................................................... 198
Figure IV.5.7 Configuring user authentication for connections from the HN site ............................. 199
Figure IV.5.8 Configuring the IP address range for the VPN connection ...................................... 199
Figure IV.5.9 Creating the connection rule ................................................................. 200
Figure IV.5.10 Configuring the rule that allows VPN clients to connect ..................................... 200
Figure IV.5.11 Configuration completed ..................................................................... 201
Figure IV.5.12 Configuring connection authentication ....................................................... 201
Figure IV.5.14 Testing the VPN connection from the HN site to HCM .......................................... 202
Figure IV.5.15 Testing the connection from a client at the HCM site to HN .................................. 202
Figure IV.6.1 Creating the user ............................................................................ 203
Figure IV.6.2 Configuring user vpn1 to log on to the domain from outside ................................... 203
Figure IV.6.3 Select Access Networks ....................................................................... 204
Figure IV.6.4 Dialog for configuring the IP address range for the VPN connection ........................... 204
Figure IV.6.5 The VPN Client Access feature ................................................................ 205

Figure IV.6.6 VPN client access rule ....................................................................... 205
Figure IV.6.7 Connecting through the VPN ................................................................... 206
Figure IV.6.8 Testing the connection ....................................................................... 206
Figure IV.7.1 Behavioral Intrusion detection ............................................................... 207
Figure IV.7.2 Configuring attack detection ................................................................. 207
Figure IV.7.3 SuperScan4 interface ......................................................................... 208
Figure IV.7.4 Scan results ................................................................................. 208
Figure IV.7.5 Attack information recorded by TMG ........................................................... 209
Figure IV.8.1 Installing WSUS 3.0 .......................................................................... 209
Figure IV.8.2 Updating with WSUS ........................................................................... 210
Figure IV.8.3 Selecting the update packages ................................................................ 210
Figure IV.8.4 Configuring synchronization .................................................................. 211
Figure IV.8.5 Synchronization completed .................................................................... 211
Figure IV.8.6 Approval process ............................................................................. 212
Figure IV.8.7 Approval completed ........................................................................... 212
Figure IV.8.8 Installing Forefront Client Security ......................................................... 213
Figure IV.8.9 Installation completed ....................................................................... 213
Figure IV.9.1 Creating a global security group ............................................................. 214
Figure IV.9.2 Adding the client machines as members of group DMA_DA ........................................ 214
Figure IV.9.3 Forefront UAG installation options screen .................................................... 215
Figure IV.9.4 Installing UAG ............................................................................... 215
Figure IV.9.5 Selecting the installation folder ............................................................ 216
Figure IV.9.6 UAG installation progress .................................................................... 216
Figure IV.9.7 Installation completed ....................................................................... 217
Figure IV.9.8 Configuration deployment steps ............................................................... 217
Figure IV.9.9 Starting the configuration after completion .................................................. 218
Figure IV.9.10 Configuring Clients and GPOs ................................................................ 218
Figure IV.9.11 Configuring the DirectAccess Server ......................................................... 219
Figure IV.9.12 Configuring the Infrastructure Server ....................................................... 219
Figure IV.10.1 Forefront Security for Exchange installation screen ......................................... 220
Figure IV.10.2 Installing the bundled engines .............................................................. 220
Figure IV.10.3 Installation completed ...................................................................... 221
Figure IV Forefront Security for Exchange Server interface ................................................. 222
Figure IV.11.1 Configuring ISP redundancy .................................................................. 222
Figure IV.11.2 Selecting Load balancing with failover capability (default) ................................. 223
Figure IV.11.3 Configuring the IP for ISP connection 1 ..................................................... 223
Figure IV.11.4 Configuring ISP connection 2 ................................................................ 224
Figure IV.11.5 Configuring the IP for ISP connection 2 ..................................................... 224
Figure IV.11.6 Configuration completed ..................................................................... 225
Figure IV.11.7 Creating the load balancing rule ............................................................ 225
Figure IV.12.1 Exporting the configuration file ............................................................ 226
Figure IV.12.2 Export wizard welcome page .................................................................. 226
Figure IV.12.3 Option to protect the configuration file .................................................... 227
Figure IV.12.4 Entering the password protecting the configuration file ..................................... 228
Figure IV.12.5 Choosing where to save the configuration file ............................................... 228
Figure IV.12.6 Configuration file export progress .......................................................... 229
Figure IV.12.7 Import wizard welcome page .................................................................. 229

Figure IV.12.8 Choosing where to store the backup file ..................................................... 230
Figure IV.12.9 Confirming the password protecting the configuration file ................................... 230
Figure IV.12.10 Completing the configuration file import ................................................... 231
Figure IV.12.11 Configuration file import progress ......................................................... 231
Figure IV.12.12 Configuration items after restore .......................................................... 232
Figure V.1.3.3.1 Example of a connection with a SecureNAT Client ........................................... 238
Figure V.1.3.3.2 Example of a connection with a Web Proxy Client ........................................... 239
