
Forefront Threat Management Gateway 2010 (TMG) Overview

Comprehensive, secure Web gateway to help protect employees from Web-based threats

Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections that are integrated into a unified, easy-to-manage gateway, reducing the cost and complexity of Web security. The Forefront TMG solution includes two separately licensed components:
- Forefront TMG server, which provides URL filtering, antimalware inspection, intrusion prevention, application- and network-layer firewall and HTTP/HTTPS inspection in a single solution.
- Forefront TMG Web Protection Service, which provides the continuous updates for malware filtering and access to cloud-based URL filtering technologies aggregated from multiple Web security vendors to protect against the latest Web-based threats.

Key Benefits
Comprehensive Protection
- Multiple URL filtering data sources for improved blocking of malicious Web sites
- Highly accurate antimalware engine
- Intrusion prevention against exploitation of vulnerabilities
- Built-in, proven network protection technologies of ISA 2006

Integrated Security
- Multiple Web security technologies integrated into a single solution
- Authentication, update, policy distribution and reporting infrastructure investments

Simplified Management
- Single interface for managing Web security policy
- Comprehensive logging and reporting

Features
Learn about the features and benefits of Microsoft Forefront Threat Management Gateway 2010 (TMG), which is designed to provide a comprehensive, secure Web gateway that helps protect employees from Web-based threats.

Feature Highlight: HTTPS Inspection

HTTPS Inspection, an innovative feature, enables Forefront TMG to inspect inside users' SSL-encrypted Web traffic. By inspecting within these encrypted sessions, Forefront TMG can both detect possible malware and limit employee Web usage to approved sites. Sensitive sites, such as banking sites, can be excluded from inspection.

New Features
URL Filtering: Destination URLs are examined for compliance with corporate policy and for the malicious potential of the destination Web site. Forefront TMG uses Microsoft Reputation Services for URL filtering, combining multiple sources to increase coverage of URLs and categorization.

Web antivirus/antimalware protection: Inbound and outbound Web traffic is inspected for viruses and malware, including archived folders. Encrypted folders can be blocked. For large files, the download is trickled to the user to show that the file is being downloaded.

E-mail security: Forefront TMG provides central management for Exchange and Forefront Protection 2010 for Exchange when located on the same server. Forefront TMG does not include either Exchange or Forefront Protection 2010 for Exchange. Both must be purchased and installed separately.

HTTPS inspection: HTTPS-encrypted sessions can be inspected for malware or exploits. Specific groups of sites, such as banking sites, can be excluded from inspection for privacy reasons. Users of the TMG Firewall Client can be notified of the inspection.

Network Inspection System (NIS): Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS enables blocking of classes of attacks while minimizing false positives. Protections can be updated as needed.

Enhanced Network Address Translation (NAT) IP support: Forefront TMG now enables you to specify individual e-mail servers that can be published on a 1-to-1 NAT basis.

Enhanced Voice over IP: Forefront TMG includes SIP traversal, enabling simpler deployment of Voice over IP within the network.

Windows Server 64-bit support: Forefront TMG is installed on Windows Server 2008 with 64-bit support.

Firewall Protections
Multi-layer firewall: Forefront TMG provides access control and protection on three layers: packet filtering, stateful inspection, and application layer filtering.

Application layer filtering: Forefront TMG provides deep content filtering through built-in application filters.

Granular HTTP controls: Forefront TMG delivers customizable, granular controls to HTTP traffic, including:
- File download controls
- Signature-based blocking
- HTTP method controls
Forefront TMG provides strong controls over Web-based threats.

DoS protections: Forefront TMG provides resiliency against flood attacks and re-allocates resources to provide higher security inspection.

Extensive protocol support: Forefront TMG delivers out-of-the-box support for many protocols. New protocols can be defined.

Highly Secure Application Publishing

Highly secure e-mail access from Outlook Client: Remote users can access Exchange Server using the full Outlook MAPI client over the Internet without establishing a VPN connection. The connection is encrypted for security.

Simple Outlook Web Access and Microsoft Office SharePoint Server publishing: Simple wizards allow quick configuration of remote access for both Outlook Web Access and SharePoint servers. Outlook Web Access users can be authenticated at the Forefront TMG server, preventing attacks by unauthenticated users.

Highly secure publishing of Web servers, internal servers, and Terminal Services: Remote users can access internal resources or Web servers more securely. Link translation is provided.

Single sign on: Forefront TMG allows users to access a group of published Web sites without being required to authenticate with each Web site.

Delegation of basic authentication: Forefront TMG helps protect published Web sites from unauthenticated access by requiring the Forefront TMG firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

Link translation to internal servers: Forefront TMG includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. Link translation is applied automatically during Web publishing.

SSL bridging support: To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL-protected packets to be decrypted by Forefront TMG, inspected, and re-encrypted.
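As an added illustration of the link translation entry above (example code, not Forefront TMG's own implementation), the following Python script applies a dictionary of internal-to-public names to a published server's response. Both the Location header and the HTML body are rewritten, so internal computer names never reach the external client; that is a usability fix (links keep working) and an information-disclosure control at the same time. The dictionary, the function names and the sample response are constructed assumptions.

```python
"""Link translation for a published Web site: internal host names that appear in
the published server's responses are rewritten to their publicly known names.

Added example, not Forefront TMG code. The page only says that TMG keeps a
dictionary of internal computer names mapped to public names and applies it
automatically during Web publishing; the function names, the dictionary and the
sample response below are this example's own constructed assumptions.
"""
import re
from typing import Dict, Tuple

# Constructed dictionary (assumption): internal name -> public name.
# A scheme-qualified entry lets an http:// internal link become an https:// public one.
LINK_DICTIONARY: Dict[str, str] = {
    "http://sharepoint01.corp.local": "https://portal.example.com",
    "sharepoint01.corp.local": "portal.example.com",
    "sharepoint01": "portal.example.com",
}


def _compile(dictionary: Dict[str, str]):
    # Longest keys first so "sharepoint01.corp.local" wins over the bare "sharepoint01";
    # the look-around keeps "sharepoint010" or "mail.sharepoint01" from being rewritten;
    # host names are matched case-insensitively.
    keys = sorted(dictionary, key=len, reverse=True)
    pattern = re.compile(
        r"(?<![\w.-])(" + "|".join(re.escape(k) for k in keys) + r")(?![\w-])",
        re.IGNORECASE,
    )
    lookup = {k.lower(): v for k, v in dictionary.items()}
    return pattern, lookup


def translate_text(text: str, dictionary: Dict[str, str] = LINK_DICTIONARY) -> str:
    """Rewrite every dictionary key found in text (an HTML body or a header value)."""
    pattern, lookup = _compile(dictionary)
    return pattern.sub(lambda m: lookup[m.group(1).lower()], text)


def translate_response(headers: Dict[str, str], body: str,
                       dictionary: Dict[str, str] = LINK_DICTIONARY) -> Tuple[Dict[str, str], str]:
    """Apply link translation to a response from the published server.

    The Location header is always translated (redirects leak internal names too);
    the body only when it is HTML, so binary or JSON payloads are left untouched.
    """
    new_headers = dict(headers)
    if "Location" in new_headers:
        new_headers["Location"] = translate_text(new_headers["Location"], dictionary)
    if headers.get("Content-Type", "").lower().startswith("text/html"):
        body = translate_text(body, dictionary)
    return new_headers, body


# Constructed sample response, as the internal SharePoint server might return it.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Location": "http://sharepoint01.corp.local/sites/hr/",
}
SAMPLE_BODY = (
    '<a href="http://sharepoint01.corp.local/sites/hr/">HR</a> '
    '<img src="//SHAREPOINT01/logo.png">'
)

if __name__ == "__main__":
    hdrs, out = translate_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(hdrs["Location"])
    print(out)
```

The Content-Type check matters in practice: rewriting byte-for-byte inside a compressed or binary response corrupts it, so a real gateway decompresses first or skips such content, and a scheme-qualified entry is the only way to turn an internal plain-http link into the public https one.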

Virtual Private Networks

Site-to-site VPN: Forefront TMG enables quick connectivity between sites via a wizard-based approach. It can also be configured for tunnel-mode IPsec to support third-party devices.

Remote access VPN: Forefront TMG provides termination of L2TP/IPsec and PPTP VPN sessions, using the native Windows VPN services.

Inspection of VPN traffic: VPN traffic terminated on the Forefront TMG server is inspected according to the appropriate security policy.

VPN quarantine: Forefront TMG provides deep VPN client inspection and integration of your firewall policy.

SecureNAT for VPN clients: Forefront TMG helps ensure remote users connected to the network can gain Internet access while maintaining a strong security policy for the corporate network.

Publish VPN servers: Forefront TMG can be used to publish internal Windows Servers as VPN servers.

Management
Enterprise policy: Policy can be assigned to gateways, arrays, or enterprise-wide.

Easy-to-use wizards: Forefront TMG simplifies configuration with multiple wizards for features such as Web publishing, Web access, and array configuration.

Real-time monitoring and reporting: Logs may be viewed in real time or historically, including active sessions.

Query building: With a built-in query tool, historical data can be found quickly. Complex queries can be built.

Report creation and publishing: Reports can be designed for specific needs and then published locally or to a network file share.

External logging: Logs may be sent to a Microsoft SQL Server located on the internal network.

Delegated permissions: Admin roles can be delegated to users or groups.

Networking and Performance

Network load balancing: Forefront TMG leverages network load balancing to provide failover and scaling of performance.

Network-based configuration: You may configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. Forefront TMG extends the firewall and security features to apply to traffic between any networks or network objects.

Caching: Forefront TMG provides caching to improve user experience and reduce bandwidth costs. With the centralized cache rule mechanism of Forefront TMG, you can configure how objects stored in the cache are retrieved and served from the cache.

Background Intelligent Transfer Service (BITS) caching: Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data.

HTTP compression: You can reduce file size by using algorithms to eliminate redundant data during transmission of HTTP packets.

Diffserv (Quality of Service): Forefront TMG includes packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.
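The Diffserv entry above says the Web filter scans the URL or domain and assigns a packet priority using Diffserv bits. The added example below (not Forefront TMG code) shows the two halves of that mechanically: a domain-to-DSCP policy lookup, and writing the chosen code point into the DS field of an IPv4 header while preserving the two ECN bits and recomputing the header checksum, without which a router would drop the re-marked packet. The policy table, function names and sample packet are constructed assumptions; the DSCP values are the standard code points.

```python
"""Packet prioritization by destination URL, the Diffserv half of the
Networking and Performance table.

Added example, not Forefront TMG code. The page only states that the Diffserv
Web filter scans the URL or domain and assigns a packet priority using Diffserv
bits; the policy table, function names and sample packet below are constructed
assumptions. DSCP values are the standard code points (RFC 2474, RFC 2597,
RFC 3246).
"""
import struct
from urllib.parse import urlsplit

DSCP_DEFAULT = 0    # best effort
DSCP_CS1 = 8        # low-priority ("scavenger") class
DSCP_AF41 = 34      # assured forwarding, class 4
DSCP_EF = 46        # expedited forwarding (voice)

# Constructed policy (assumption): domain suffix -> DSCP code point.
DOMAIN_PRIORITY = {
    "voip.example.com": DSCP_EF,
    "crm.example.com": DSCP_AF41,
    "updates.example.com": DSCP_CS1,
}


def dscp_for_url(url: str, policy=DOMAIN_PRIORITY) -> int:
    """Pick the DSCP for a request URL by longest matching domain suffix."""
    host = (urlsplit(url).hostname or "").lower()
    best = None
    for suffix, dscp in policy.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, dscp)
    return best[1] if best else DSCP_DEFAULT


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_packet(packet: bytes, dscp: int) -> bytes:
    """Write dscp into the DS field (upper 6 bits of the old TOS byte), keep the
    2 ECN bits, and recompute the header checksum so the packet stays valid."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def checksum_ok(packet: bytes) -> bool:
    """True when the IPv4 header checksum verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def build_sample_packet(tos: int = 0, payload: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    """Constructed IPv4 header (20 bytes, protocol TCP) in front of a dummy payload."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20 + len(payload), 0x1234, 0x4000, 64, 6, 0,
        bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]),
    ))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


if __name__ == "__main__":
    pkt = build_sample_packet(tos=0x02)          # ECN bits set to show they survive
    marked = mark_packet(pkt, dscp_for_url("https://voip.example.com/call"))
    print("DS byte: 0x%02x, checksum valid: %s" % (marked[1], checksum_ok(marked)))
```

The marking is only meaningful if the routers between the gateway and the destination honour DSCP; a policy like this one prioritizes traffic by the domain the user requested, so the lookup should run on the host the proxy actually connected to rather than on an attacker-controllable Host header.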

Compare TMG with ISA Server 2006 and TMG MBE

Products compared: ISA 2006, TMG MBE, TMG. Features compared:
- Firewall
- VPN (site-to-site and remote access)
- Web proxy
- Caching
- Arrays for load balancing and failover
- Non-domain joined gateway
- Windows Server 2008 64-bit support
- Web anti-malware
- HTTPS inspection
- E-mail security
- Network Inspection System
- ISP redundancy
- Centrally manage Standard and Enterprise Edition gateways together (requires Enterprise Edition gateway)

What's New
Learn more about key new features in Forefront Threat Management Gateway 2010 (TMG)
Multi-layer Web Security: Integrates URL filtering, antimalware inspection, intrusion prevention, application- and network-layer firewalls, and HTTP/HTTPS inspection in a single solution.

Forefront Threat Management Gateway Web Protection Service: Provides antimalware updates for the integrated Microsoft AV engine and access to Microsoft Reputation Services for URL filtering.

URL Filtering Correlation: URL security decisions are more accurate as they are based on reputation information from multiple vendors and internal Microsoft security data.

Network Inspection System (NIS): Provides signature-based intrusion prevention for web-based threats seeking to exploit known vulnerabilities. Updates for NIS are included in the base server license.

Frequently Asked Questions


Learn more about Forefront Threat Management Gateway by reading answers to frequently asked questions. Discover how Forefront Threat Management Gateway can help you secure your application infrastructure, streamline your network, and safeguard your IT environment.

Q. What is Forefront Threat Management Gateway?
A. Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections, including URL filtering, antimalware inspection, intrusion prevention, application proxy, and HTTP/HTTPS inspection, that are integrated into a unified, easy-to-manage gateway, reducing the cost and complexity of Web security. Forefront TMG enables organizations to perform highly accurate Web security enforcement by stopping employee access to dangerous sites, based on reputation information from multiple Web security vendors and the technology that protects Internet Explorer 8 users from malware and phishing sites.

Q. What features does Forefront Threat Management Gateway 2010 SP1 include?

A. This service pack will include a number of improved features and enhancements, including:
- Improved reporting features
  - New User activity reports to monitor Web surfing information
  - New look and feel for all TMG reports
- Enhancements to URL filtering
  - User override for access restriction on sites blocked by URL filtering, allowing more flexible and easier deployment of web access policy
  - Override for URL categorization on the enterprise level
  - Customized denial notification pages to fit an organization's needs
- Enhanced branch office support
  - Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache Server
  - Forefront TMG and a read-only domain controller can be located on the same server, reducing TCO at branch offices
- Support for publishing SharePoint 2010

Q. What is a secure Web gateway?
A. A secure Web gateway is a solution designed to keep users safer from Web-based threats. In general, it will include Web anti-malware inspection, URL filtering, and HTTPS inspection. With its long history as Microsoft ISA Server, Forefront Threat Management Gateway 2010 adds strong inspection of Web-based protocols to help ensure they conform to standards and are not malicious. It further extends this strong application layer inspection through the Network Inspection System.

Q. How is Forefront Threat Management Gateway 2010 different from Microsoft ISA Server 2006?
A. Forefront Threat Management Gateway is different in four major ways:
- Secure Web Gateway: Forefront Threat Management Gateway 2010 can be used to protect internal users from Web-based attacks by integrating Web antivirus/anti-malware and URL filtering. With HTTPS inspection, it can even provide these protections in SSL-encrypted traffic.
- Improved Application Layer Defenses: Forefront Threat Management Gateway 2010 includes Network Inspection System, which enables protection against vulnerabilities found in Microsoft products and protocols.
- Improved Connectivity: Forefront Threat Management Gateway 2010 enhances its support for NAT scenarios with the ability to designate e-mail servers to be published on a 1-to-1 NAT basis. Additionally, Forefront Threat Management Gateway 2010 recognizes SIP traffic and provides a method to traverse the firewall.
- Simplified Management: Forefront Threat Management Gateway 2010 has improved wizards to simplify its deployment as well as its continued configuration.

Q. How is Forefront Threat Management Gateway 2010 different from Forefront Threat Management Gateway, Medium Business Edition (TMG MBE)?
A. Forefront Threat Management Gateway MBE is a product designed specifically for mid-sized businesses purchasing Windows Essential Business Server. Forefront Threat Management Gateway 2010 builds on its functionality to provide a complete secure Web gateway solution, with such features as URL filtering and HTTPS inspection. It also delivers enhanced application layer inspection with Network Inspection System. With these features and others, it enables organizations to provide a higher level of security to their users.

Q. Does Forefront Threat Management Gateway 2010 require 64-bit servers?
A. Yes, Forefront Threat Management Gateway 2010 runs on a server with a 64-bit processor. For more details, please see the system requirements.

Q. Is Forefront TMG part of the Forefront Protection Suite and ECAL?
A. Forefront TMG Web Protection Service is part of Forefront Protection Suite and ECAL. Forefront TMG 2010 is not part of these suite offerings and must be licensed separately.

Q. What is the Forefront Threat Management Gateway Web Protection Service?
A. The Forefront Threat Management Gateway Web Protection Service provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.

Q. Does Forefront TMG 2010 include Forefront TMG Web Protection Service?
A. No. Forefront TMG Web Protection Service is licensed separately. It can be licensed stand-alone, as part of the Forefront Protection Suite, or as part of the Enterprise CAL.

Q. Do Forefront TMG 2010 customers have downgrade rights to ISA 2006?
A. Yes. Customers who purchase Forefront TMG have downgrade rights to Microsoft Internet Security and Acceleration Server 2006.

Q. What is the difference between Forefront Threat Management Gateway 2010 Standard and Enterprise editions?
A. The Forefront TMG 2010 Enterprise Edition license gives customers increased scalability, provides access to a central management console, and provides extensive support for virtual environments.
The following chart outlines the differences between these editions:

Feature                              Standard   Enterprise
Network Load Balancing               No         Yes
Cache Array Routing Protocol         No         Yes
Enterprise Management Console        No*        Yes
Support for unlimited virtual CPUs   No         Yes

* TMG Enterprise Management Console can manage Standard edition servers

System Requirements
Review this Microsoft Forefront Threat Management Gateway 2010 information to make sure you have the required hardware and software to run the product.

Forefront Threat Management Gateway 2010 Standard Edition
Provided below are the minimum and recommended system configuration requirements to use Forefront Threat Management Gateway 2010 Standard Edition.

Operating System
- Minimum: Windows Server 2008 SP2 (64-bit) or Windows Server 2008 R2
- Recommended: Windows Server 2008 SP2 (64-bit) or Windows Server 2008 R2

Processor Type
- Minimum: 64-bit
- Recommended: 64-bit

Processor Cores
- Minimum: 2
- Recommended: 4

Memory
- Minimum: 2 GB
- Recommended: 4 GB

Disk Space
- Minimum: 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- Recommended: 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.

Disks
- Minimum: One local hard disk partition that is formatted with the NTFS file system.
- Recommended: Two local hard disk partitions that are formatted with the NTFS file system: one disk for system and TMG logging, and one for caching and malware inspection.

Network
- Minimum: One network adapter that is compatible with the computer's operating system, for communication with the Internal network. An additional network adapter for each network connected to the Forefront TMG server.
- Recommended: One network adapter that is compatible with the computer's operating system, for communication with the Internal network. An additional network adapter for each network connected to the Forefront TMG server.

Licensing
The Forefront TMG solution includes two separately licensed elements:
- Forefront TMG 2010* Server provides URL filtering, anti-malware inspection, intrusion prevention, application- and network-layer firewall, and HTTP/HTTPS inspection in a single solution.
- Forefront TMG Web Protection Service provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.

* Forefront TMG 2010 is licensed under the processor licensing model, with a license required for each physical or virtual processor accessed by an operating system environment running a TMG Server. This license does not require any device or user CALs.

Production Licenses
- Forefront TMG 2010 Standard Edition: a comprehensive, secure Web gateway that helps protect employees from Web-based threats.
- Forefront TMG 2010 Enterprise Edition: the license gives customers increased scalability, provides access to a central management console, and offers complete support for virtual environments.
- Forefront TMG 2010 Enterprise Edition 25-processor pack: offered at 50% off the base price for customers who need Forefront TMG 2010 in large deployment scenarios such as branch offices.
- Forefront TMG Web Protection Service: provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.

Required Software
- Windows Server 2008 with Service Pack 2 (SP2) or Windows Server 2008 R2 Standard: Forefront TMG 2010 Standard and Enterprise Edition require the Windows Server 2008 with Service Pack 2 (SP2) or Windows Server 2008 R2 operating system.

* All prices reflect pricing for purchases in the United States and Canada and appear in US dollars. The prices listed are estimated retail prices; reseller pricing may vary.