Microsoft Forefront TMG - Part 3 - Access Rule


A site for IT technicians

SHARING - EXPERIENCE - LEARNING - TIPS


We have now completed the Forefront TMG installation and configured every machine on the Internal Network so that it can reach Forefront TMG (Local Host) through the Firewall Client. As we know, as soon as Forefront TMG is installed it places itself between the Internal Network and the External Network: machines on the Internal Network can no longer reach the outside (the Internet) and vice versa. In other words, Forefront TMG blocks every port into and out of the system.
In this part we look at how to open the ports needed for Internet access. We do not open ports arbitrarily; a port is opened only when it is genuinely needed.
For simplicity I use a two-machine model, and my network is promoted to the domain gccom.net.
The IP configuration of the machines is as follows:
Machine             PC01                PC02
Name                FTMG.gccom.net      server.gccom.net
LAN card
  IP Address        192.168.1.2         -
  Subnet Mask       255.255.255.0       -
  Default gateway   192.168.1.1         -
  Preferred DNS     -                   -
Cross card
  IP Address        172.16.2.1          172.16.2.2
  Subnet Mask       255.255.255.0       255.255.255.0
  Default gateway   -                   172.16.2.1
  Preferred DNS     172.16.2.2          172.16.2.2
LAN card: connects PC01 and PC02 indirectly through a switch.
Cross card: connects PC01 directly to PC02 (crossover cable).
- The LAN card 192.168.1.2/24 is the card connected to the ADSL router that leads to the Internet.
- PC01 is the Forefront TMG machine, joined to the domain.
- PC02 acts both as the DC server and as a client on the 172.16.2.0/24 network.
On PC02, open Active Directory Users and Computers, create a group named Kinh Doanh and a user named gccom1, then add gccom1 to the Kinh Doanh group.
First, so that machines on the Internal Network can reach Local Host and vice versa, we must create an Access Rule (as in the Installation part); in this part I name the rule Internal VS Local Host.
Choose Allow.
Next choose All outbound traffic.
In Access Rule Sources select two entities: Internal and Local Host.
For simplicity in this lesson I include Local Host as well; in practice, for security reasons, we would not select Local Host but only Internal, so that machines on the Internal Network cannot connect directly to the Forefront TMG machine itself.
Likewise, in Access Rule Destinations select the two entities Internal and Local Host.
In User Sets choose All Users.
This is the Internal VS Local Host rule once created. The rule can be read as follows: allow all protocols (every port) from Internal to Local Host and back, with this right granted to every user on the Internal network.
Next, for machines on the Internal Network to reach the Internet by the domain name of a website, for example google.com.vn, some DNS server has to resolve that name for us; here that is the DNS server of the ISP whose service we are using.
So we create another Access Rule whose properties let machines on the Internal Network query external DNS servers; say I name this rule DNS Query.
In the Protocols window we no longer choose All outbound traffic; we open only port 53 for DNS queries, so keep Selected protocols and choose Add.
Select DNS in the Common Protocols folder.
In Access Rule Sources select only one entity, Internal.
Likewise, in Access Rule Destinations select only one entity, External.
In User Sets choose All Users.
The DNS Query rule can be read as follows: allow the DNS protocol (port 53 only) in one direction, from Internal to External, with this right granted to every user on the Internal network.
So when a machine on the Internal Network visits a website, it first asks our own DNS server (that is, PC02); naturally our DNS server does not know that domain name, so it immediately forwards the query to external DNS servers, which FTMG now permits on port 53.
Strictly speaking, however, machines on the Internal Network still cannot reach the websites they want, because so far Forefront TMG has opened only port 53, while web access also requires port 80 (HTTP), port 443 (HTTPS), port 21 (FTP) and so on.
Next I create an Access Rule that lets users in the Kinh Doanh group access the Internet, but restricted by time and limited to a few specific websites.
Say I name this rule Web Group KD.
In the Protocols window we open only the three ports 80, 443 and 21 for the HTTP, HTTPS and FTP services, so keep Selected protocols and choose Add.
Add the three protocols FTP, HTTP and HTTPS from the Web folder one by one.
Choose Next to continue.
In Access Rule Sources select only one entity, Internal.
In Access Rule Destinations, however, we do not select External, because then users could reach every website, whereas the point here is to restrict access to a few websites only. So choose Add.
In the Add Network Entities window choose New -> URL Set.
In the Allow Web Properties window name this URL set, for example Allow Web.
Below it, add the websites users are allowed to visit, using the syntax:
http://*.<domain name>/*
http://<domain name>/*
So for each website we have to enter two lines in the syntax above. In this example I allow users to reach only the two sites gccom.net and google.com.
Back in the Add Network Entities window choose URL Set -> Allow Web.
Because I want this rule to apply only to the Kinh Doanh group, in User Sets select All Users and remove it. Then click Add to add a new group.
In the Add Users window choose New.
Name this user set Group KD.
In the Users window click Add -> Windows users and groups.
Because the object we want to target is the Kinh Doanh group on the DC server (PC02), here we must choose Entire Directory to reach the user database on the DC server.
In Select this users or groups choose Locations.
Choose Entire Directory -> gccom.net.
Then add the Kinh Doanh group.
Back in the Add Users window choose Group KD.
This is the screen once complete.
The Web Group KD rule can be read as follows: allow the HTTP, HTTPS and FTP protocols (ports 80, 443, 21) in one direction, from Internal to the Allow Web list, with this right granted to every user in the Kinh Doanh group on the Internal network.
Next we restrict the hours this group may use the rule by double-clicking the Web Group KD rule and choosing the Schedule tab.
Click New to create a new schedule and name it Set Times.
Then mark the Active slots as shown in the figure below.
This is the screen once complete.
With this option, users in the Kinh Doanh group may access websites in the Allow Web list only during the time slots 8:00-12:00 and 14:00-18:00, Monday through Friday.
Now on PC02 I log on as the user gccom1 and run some tests.
First I visit the website kythuatvien.com and get the message from FTMG "Forefront TMG denied this request", because gccom1 belongs to the Kinh Doanh group and is visiting a website that is not in the Allow Web list.
If I visit gccom.net and google.com.vn, however, everything works, because these sites are in the Allow Web list.
Log off gccom1 and log on again as Administrator: no website can be reached at all.
This is expected, because so far we have allowed only users in the Kinh Doanh group to access the web; other users are not yet permitted.
So I create a new rule so that users in the Sep group can reach every website over every protocol.
In Active Directory Users and Computers create a group named Sep and add Administrator to it.
On PC01 open Forefront TMG and create another new Access Rule named Sep, with the following properties:
Rule Action: Allow
Protocols: All outbound traffic
Access Rule Sources: Internal
Access Rule Destinations: External
User Sets: Group Sep
(The steps are the same as for creating Web Group KD.)
This is the screen once complete.
The Sep rule can be read as follows: allow every protocol (all ports) in one direction, from Internal to External, with this right granted to every user in the Sep group on the Internal network.
On PC02, log on as Administrator: every website can now be reached.
17 of 25
So far we have only looked at creating rules whose Action is Allow; now we create rules whose Action is Deny.
Create a new Access Rule named Cam KD truy cap Web den.
In Rule Action choose Deny instead of Allow.
In the Protocols window open only the three ports 80, 443 and 21 for the HTTP, HTTPS and FTP services.
In Access Rule Sources select only one entity, Internal.
In Access Rule Destinations we do not select External; instead create a new URL Set named Deny Web.
Here you build the list of websites users are forbidden to visit; in this example, suppose I classify sexviet.com as a blacklisted site and want to block it.
In User Sets choose Group KD.
This is the screen once complete.
The Cam KD truy cap Web den rule can be read as follows: deny the HTTP, HTTPS and FTP protocols (ports 80, 443, 21) in one direction, from Internal to the Deny Web list, applied to every user in the Kinh Doanh group on the Internal network.
At this point we notice a conflict for the Kinh Doanh group:
- Access to google.com.vn is denied by the rule Cam KD truy cap Web den
- Access to google.com.vn is allowed by the rule Web Group KD
In Forefront TMG, however, the rule with the smaller Order value has the higher priority; in other words, rules higher in the list take precedence over the rules below them.
So here, because the rule Cam KD truy cap Web den has higher priority than Web Group KD, users in the Kinh Doanh group will not be able to reach google.com.vn.
You can change the order of these rules with Move Up/Move Down. In practice, apart from the DNS Query rule sitting at the very top, Deny rules should be given higher priority than Allow rules.
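The ordered, first-match evaluation just described, together with the two-line URL set syntax from the Web Group KD section and the Set Times schedule, as an added Python model; this is not TMG code and not from this article. It assumes Deny Web contains both sexviet.com and google.com.vn (as the conflict above implies), Allow Web contains gccom.net and google.com.vn, the timestamps are constructed, and the wildcard matching approximates TMG's host/path matching.

```python
from datetime import datetime
from fnmatch import fnmatchcase
from urllib.parse import urlsplit
MONDAY_0900, SATURDAY_0900 = datetime(2024, 1, 8, 9, 0), datetime(2024, 1, 6, 9, 0)  # constructed

def url_set(*domains):
    """The two patterns the article enters per domain: http://*.<d>/* and http://<d>/*."""
    return [p for d in domains for p in (f"http://*.{d}/*", f"http://{d}/*")]

def url_in_set(url, patterns):
    """Match scheme, host and path separately so '*' cannot jump across '/'."""
    u = urlsplit(url)
    return any(u.scheme == p.scheme and fnmatchcase(u.hostname or "", p.hostname or "")
               and fnmatchcase(u.path or "/", p.path) for p in map(urlsplit, patterns))

def set_times(when):
    """Schedule 'Set Times': Monday-Friday, 08:00-12:00 and 14:00-18:00."""
    return when.weekday() < 5 and (8 <= when.hour < 12 or 14 <= when.hour < 18)

def rule(name, action, protocols, src, dst, users=None, schedule=None):
    """protocols=None means All outbound traffic; users=None means All Users."""
    return locals()

def matches(r, req):
    """Every condition must hold: protocol, source, destination, user set, schedule."""
    dst_ok = (url_in_set(req.get("url", ""), r["dst"]) if isinstance(r["dst"], list)
              else req["dst"] in r["dst"])
    return ((r["protocols"] is None or req["proto"] in r["protocols"])
            and req["src"] in r["src"] and dst_ok
            and (r["users"] is None or bool(r["users"] & req["groups"]))
            and (r["schedule"] is None or r["schedule"](req["when"])))

def evaluate(rules, req):
    """Walk rules in Order; the first match wins, else TMG's default rule denies."""
    for r in rules:
        if matches(r, req):
            return r["action"], r["name"]
    return "deny", "Default rule"
WEB = {"HTTP", "HTTPS", "FTP"}
POLICY = [  # constructed model of the article's rules (not TMG code); Deny above Allow
    rule("DNS Query", "allow", {"DNS"}, {"Internal"}, {"External"}),
    rule("Cam KD truy cap Web den", "deny", WEB, {"Internal"},
         url_set("sexviet.com", "google.com.vn"), {"Kinh Doanh"}),          # Deny Web (assumed)
    rule("Web Group KD", "allow", WEB, {"Internal"},
         url_set("gccom.net", "google.com.vn"), {"Kinh Doanh"}, set_times),  # Allow Web
    rule("Sep", "allow", None, {"Internal"}, {"External"}, {"Sep"}),
]
def web_request(rules, groups, url, when=MONDAY_0900):
    req = dict(proto="HTTP", src="Internal", dst="External", url=url, groups=set(groups), when=when)
    return evaluate(rules, req)
```

Swapping the Deny and Allow entries in POLICY (the Move Up/Move Down of the console) flips the google.com.vn result from deny to allow, which is why the article keeps Deny rules above Allow rules.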
On PC02, log on as gccom1: sexviet.com can no longer be reached.
The web browser shows the notification page from Forefront TMG explaining why the page cannot be reached. Only IT staff understand what this page means, though; in practice an ordinary user does not realise that we are the ones blocking the access.
So, to make this simpler, when a user visits a forbidden website we should redirect to another web page whose content explains the situation to the user in more detail.
Suppose that on PC01 I install IIS and create a Default Web Site with the content shown in the figure below.
Back in the Forefront TMG console, right-click the rule Cam KD truy cap Web den and choose Properties.
Then choose the Action tab -> Deny.
Tick Redirect HTTP requests to this Web page and enter the address of the Forefront TMG machine.
Back on PC02, log on as gccom1 and visit google.com.vn again: the browser no longer shows the default Forefront TMG error page but is sent to the web page we just created.
Next we modify the Sep rule so that users in the Sep group may still reach every website (as set up earlier) but cannot view images, video, files and so on, only plain text.
On PC01, right-click the Sep rule and choose Properties.
Choose the Content Types tab.
Choose Selected content types and tick three options:
- Documents
- HTML Documents
- Text
This is the screen once complete.
Back on PC02, log on as Administrator and visit any website: images, video and so on are not displayed, only plain text.
24 of 25
At this point we have essentially finished creating the rules (Allow/Deny) that let machines on the Internal Network reach the External Network.
Now we look at a few other Forefront TMG features.
In Firewall Policy, click the Show/Hide Firewall Policy icon to see all of Forefront TMG's rules. Besides the rules we created, Forefront TMG creates a number of rules of its own by default. In practice we should not touch these default rules.
That concludes the Access Rule section of Forefront TMG in MCSA exam 70-557.


GC Com Informatics Investment and Development Co., Ltd.
Computer technology site for IT technicians
Phone: (073) - 3.511.373 - 6.274.294
Website: http://www.gccom.net
