Microsoft Forefront TMG - Part 2 - Secure NAT - Proxy - Firewall Client

In the previous article we finished installing Forefront TMG. In this article we look at the ways Forefront TMG carries traffic for the computers on the Internal Network. To keep things simple I use a two-machine model and promote my network to the domain gccom.net, where:

- PC01 is a Windows Server 2008 machine on which Forefront TMG will be installed, joined to the domain.
- PC02 is both the Windows Server 2008 domain controller and the test client.

IP configuration of the machines:

Machine / property      PC01                PC02
Name                    ftmg.gccom.net      server.gccom.net
LAN card IP address     192.168.1.2
Cross card IP address   172.16.2.1
Preferred DNS           172.16.2.2          172.16.2.2

LAN card: connects PC01 and PC02 indirectly, through a switch.
Cross card: connects PC01 and PC02 directly with a crossover cable.

After FTMG has been installed successfully, go to PC02 and ping PC01's IP address and an address on the outside network: neither ping gets through. From the FTMG machine itself, however, pinging works fine.

So immediately after installation, FTMG blocks every port in and out of our network (172.16.2.0/24). I will now configure FTMG so that the machines on the network can see each other.

With Forefront TMG we have three ways to let the machines on 172.16.2.0/24 reach the Internet:

Type              Advantages                                                              Disadvantages
Secure NAT        Controls every port in and out of the system                            Cannot control users, web sites, ...
Proxy             Controls every user, web site, ...                                      Only controls ports 443, 80 and 21
Firewall Client   Controls every port in and out of the system; controls every user,     Only supports Windows operating systems
                  web site, ...

1/ Secure NAT

Go to Start -> Programs -> Microsoft Forefront TMG -> Forefront TMG Management -> Forefront TMG.

In the main Forefront TMG window, right-click Firewall Policy and choose New -> Access Rule.

Name the rule, for example Internal VS Local Host.

Under Rule Action choose Allow.

Under Protocols choose All outbound traffic and click Next.

In the Malware Inspection window tick Enable malware inspection for this rule. This applies virus and malware protection on a per-rule basis and is a new feature in Forefront TMG.

Under Access Rule Sources click Add and choose Internal and Local Host from the Networks folder.

The screen after completion.

Under Access Rule Destinations add Internal and Local Host, then click Next.

In Firewall Policy the newly created rule Internal VS Local Host appears; click Apply to enforce it.

Now on PC02 open DNS and you will see a new Host (A) record for FTMG. Open a command prompt and ping FTMG: it works fine.

In practice, however, this rule is not created; instead the Remote Management Computers computer set that FTMG ships with is used. In Firewall Policy I delete the Internal rule, open the Toolbox tab on the right and choose Computer Sets -> Remote Management Computers. In the Remote Management Computers Properties window click Add:

- Computer: applies to a single machine only.
- Address Range: applies to a range of IP addresses.
- Subnet: applies to an entire subnet.

By default, Remote Management Computers Properties contains only FTMG's own IP addresses, so we have to add further IP addresses or networks. In this example I want to cover the whole subnet 172.16.2.0/24, so I choose Subnet. Name the entry Subnet 172.16.2.0/24, enter the subnet 172.16.2.0/24 and click OK.

On PC02, open a command prompt and ping FTMG: it works fine.

At this point the machines on the LAN can ping each other, but none of them except the Forefront TMG machine can reach the Internet, because the rule we just created only allows traffic back and forth between the machines in Internal and Local Host. To let the Internal machines reach the Internet you must add one more rule, similar to the Internal rule, with these properties:

- Access Rule Sources: add Internal and Local Host.
- Access Rule Destinations: add External.

Test Internet access from the client machines: it works fine.

2/ Proxy

To let the machines reach the Internet through the proxy we have to reconfigure the IP settings of our network. IP configuration of the machines:

Machine / property      PC01                PC02
Name                    ftmg.gccom.net      server.gccom.net
LAN card IP address     192.168.1.2
Preferred DNS           172.16.2.2

LAN card: connects PC01 and PC02 indirectly, through a switch.
Cross card: connects PC01 and PC02 directly with a crossover cable.

On PC02 open Internet Explorer -> Tools -> Internet Options, open the Connections tab and click LAN Settings. Enter PC01's IP address as the Address and 8080 as the Port.

Back in IE, browsing the Internet works fine.

3/ Firewall Client

With Firewall Client you get all the advantages of both Secure NAT and Proxy, but it requires installing the Firewall Client tool on every computer in the network; the software is included in the Forefront TMG installation package.

IP configuration of the machines:

Machine / property      PC01                PC02
Name                    FTMG.gccom.net      server.gccom.net
LAN card IP address     192.168.1.2
Cross card IP address   172.16.2.1
Preferred DNS           172.16.2.2          172.16.2.2

LAN card: connects PC01 and PC02 indirectly, through a switch.
Cross card: connects PC01 and PC02 directly with a crossover cable.

On PC02 open the Client folder inside the Forefront TMG installation folder and run Setup.exe to install.

In the ISA Server Computer Selection window choose Connect to this ISA Server computer and enter the IP address of the Forefront TMG machine.

After the installation completes, the Firewall Client icon appears in the system tray of the client machines.

On PC02 open Internet Explorer -> Tools -> Internet Options, open the Connections tab and click LAN Settings: Windows has filled in these values automatically, so there is no need to enter them by hand as we did for Proxy.

Back in IE, browsing the Internet works fine.

At this point we have finished installing FTMG and configuring the machines on the network to reach the Internet. All work on the FTMG machine itself is done. If you need to access FTMG to make further changes, in practice you should keep working directly at the Forefront TMG machine to an absolute minimum and instead manage FTMG from any client machine with the Forefront TMG Management tool installed.

On the client, log on as the machine's Administrator user, run Forefront TMG Setup and choose Install Forefront TMG. In the Setup Scenarios screen choose only Install Forefront Threat Management Gateway Management only, then click Next to install.

In the Component Selection screen click Next.

After the installation completes, run Forefront TMG Management on the client, right-click Microsoft Forefront Threat Management Gateway and choose Connect to.

Enter the IP address or domain name of the Forefront TMG machine. Keep the default values in the Forefront TMG Credentials screen.

Forefront TMG Management now shows the full set of tools, exactly as on the Forefront TMG machine, for you to manage it.

OK, that concludes the Secure NAT - Proxy - Firewall Client section of Microsoft Forefront Threat Management Gateway in the MCSA 70-557 exam.
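The Secure NAT and Proxy sections above check the result by pinging and by browsing in IE. The following PowerShell script, an added example rather than code from the article, runs the same check from the client (PC02) as a TCP probe of each path and then applies the IE proxy setting the Proxy section enters by hand. It assumes $TmgAddress is the PC01 address the client reaches (the article does not say which NIC) and uses a constructed Internet host, $ProbeHost, only to test port 80.

```powershell
# Added example, not part of the original article. Run on the client (PC02).
$TmgAddress = "172.16.2.1"        # assumption: PC01's internal (cross card) address
$ProbeHost  = "www.example.com"   # constructed probe target for the direct path

# Attempt a TCP connection with a timeout. Returns $true on a completed handshake,
# $false on timeout (silently dropped by TMG) or on a refused/reset connection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws when the peer refused or reset
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Secure NAT path: the client connects to the Internet host itself, so this only
# succeeds after the Internal -> External access rule has been applied on TMG.
$directOk = Test-TcpPort -ComputerName $ProbeHost -Port 80
# Proxy path: the client only needs TMG's web proxy listener on port 8080.
$proxyOk  = Test-TcpPort -ComputerName $TmgAddress -Port 8080
"Direct outbound to ${ProbeHost}:80 (Secure NAT): $directOk"
"TMG web proxy listener ${TmgAddress}:8080:     $proxyOk"

# Same change as Internet Options -> Connections -> LAN Settings in the article:
# Internet Explorer reads these per-user registry values.
function Set-IeProxy {
    param([string]$ProxyServer)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    Set-ItemProperty -Path $key -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ProxyServer   -Value $ProxyServer -Type String
    # Bypass the proxy for local names so the client still reaches the DC directly.
    Set-ItemProperty -Path $key -Name ProxyOverride -Value "<local>" -Type String
}

# Only point IE at the proxy once the listener has actually answered.
if ($proxyOk) { Set-IeProxy -ProxyServer "${TmgAddress}:8080" }
```

With only the Internal VS Local Host rule applied, the direct probe reports $false and the 8080 probe $true, which is the state the article describes before the Internal -> External rule is added.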
GC Com Informatics Investment and Development Co., Ltd. - Technical site for computer technicians. Phone: (073) - 3.511.373 - 6.274.294. Website: http://www.gccom.net