Microsoft Forefront TMG - Part 3 - Access Rule

So we have completed the steps of installing Forefront TMG and configuring all machines on the Internal Network to reach Forefront TMG (Local Host) through the Firewall Client. As we know, once installation is finished Forefront TMG immediately separates the Internal Network from the External Network by itself; at that point machines on the Internal Network cannot get out (to the Internet) and vice versa. In other words, Forefront TMG blocks every port into and out of the system. In this article we will look at how to open ports so that the Internet can be reached. However, we do not open these ports arbitrarily; we open them only when really necessary.

For simplicity I use a two-machine model, and my network is promoted to the domain gccom.net. The IP configuration of the machines is as follows:

Property                  PC01                      PC02
Name                      FTMG.gccom.net            server.gccom.net
IP Address                192.168.1.2 (Card Lan)
                          172.16.2.1 (Card Cross)
Preferred DNS             172.16.2.2                172.16.2.2

- Card Lan: connects PC01 and PC02 to each other indirectly, through a switch.
- Card Cross: connects PC01 directly to PC02.
- The Card Lan 192.168.1.2/24 is the card connected to the ADSL router that leads to the Internet.
- PC01 is the Forefront TMG machine, joined to the domain.
- PC02 acts both as the DC server and as a client on the 172.16.2.0/24 network.

On PC02, open Active Directory Users and Computers and create a group named Kinh Doanh and a user named gccom1. Add gccom1 to the Kinh Doanh group.

First, so that machines on the Internal Network can reach the Local Host and vice versa, we must create an Access Rule (the same way as in the Installation article). In this article I name this rule Internal VS Local Host.
- Choose Allow.
- Next choose All outbound traffic.
- In Access Rule Sources choose two entities, Internal and Local Host. For simplicity in this lesson I include Local Host, but in practice, for security reasons, we do not choose Local Host but only Internal, to prevent machines on the Internal Network from reaching the Forefront TMG machine directly.
- Likewise, in Access Rule Destinations choose the two entities Internal and Local Host.
- In User Sets choose All Users.
The figure shows the Internal VS Local Host rule after it is created. This rule can be read as: open all protocols (every port) from Internal to Local Host and vice versa; this right is granted to every user in the Internal network.

Next, for machines on the Internal Network to reach the Internet by the domain name of some website, for example google.com.vn, some DNS server must resolve this domain name for us, and here that is the DNS server of the ISP we are using. So we create another Access Rule whose properties let machines on the Internal Network query external DNS servers; suppose I name this rule DNS Query.
- In the Protocols window we no longer choose All outbound traffic; we open only port 53 for DNS queries, so keep Selected protocols and choose Add. Select DNS in the Common Protocols folder.
- In Access Rule Sources choose only one entity: Internal.
- Likewise, in Access Rule Destinations choose only one entity: External.
- In User Sets choose All Users.
The DNS Query rule can be read as: open the DNS protocol (port 53 only) one way, from Internal to External; this right is granted to every user in the Internal network. So when a machine on the Internal Network visits a website, it first asks our own DNS server (that is, PC02); of course our DNS server cannot resolve this domain name, so it immediately asks the external DNS servers, which works because FTMG has opened port 53.

However, at this point machines on the Internal Network still cannot reach the websites they want, because Forefront TMG has only opened port 53, whereas to browse the Web we also need to open port 80 (HTTP), port 443 (HTTPS), port 21 (FTP)...

Next I create an Access Rule so that users in the Kinh Doanh group are allowed to access the Internet but are limited in time and may only visit certain websites. Suppose I name this rule Web Group KD.
- In the Protocols window we open only three ports, 80, 443 and 21, for the HTTP, HTTPS and FTP services, so keep Selected protocols and choose Add. Add the three protocols FTP, HTTP and HTTPS from the Web folder in turn. Click Next.
- In Access Rule Sources choose only one entity: Internal.
- In Access Rule Destinations, however, we do not choose External, because then users could visit every website, whereas the point here is to restrict them to certain websites only. So click Add. In the Add Network Entities window choose New -> URL Set. In the Allow Web Properties window name this URL set, for example Allow Web. Below that, add the websites users are allowed to visit, using the syntax:
  http://*.<domain name>/*
  http://<domain name>/*
  So for each website we must enter two lines in this syntax. In this example I allow users to visit only two sites, gccom.net and google.com. Back in the Add Network Entities window choose URL Set -> Allow Web.
- Since I want this rule to apply only to the Kinh Doanh group, in User Sets select All Users and Remove it. Then click Add to add a new group. In the Add Users window choose New and name this User Set Group KD. In the Users window click Add -> Windows users and groups. Because the object we want to affect is the Kinh Doanh group on the DC server (PC02), here we must choose Entire Directory to reach the user database on the DC server: under Select this users or groups choose Locations, choose Entire Directory -> gccom.net, then add the Kinh Doanh group. Back in the Add Users screen choose Group KD.
The figure shows the rule after completion. The Web Group KD rule can be read as: open the HTTP, HTTPS and FTP protocols (ports 80, 443, 21) one way, from Internal to the Allow Web list; this right is granted to every user in the Kinh Doanh group of the Internal network.

Next we limit the hours during which this group may use the rule: double-click the Web Group KD rule and choose the Schedule tab. Click New to create a new schedule and name it Set Times. Then mark it Active as in the figure below. The figure shows the schedule after completion. With this option, users in the Kinh Doanh group can visit sites in the Allow Web list only between 8h and 12h and between 14h and 18h, Monday to Friday.

Now on PC02 I log on as gccom1 and test. First I visit kythuatvien.com and see the message from FTMG "Forefront TMG denied this request", because gccom1 belongs to the Kinh Doanh group and is visiting a website that is not in the Allow Web list. If I visit gccom.net and google.com.vn, however, it works fine, because these sites are in the Allow Web list. Log off gccom1 and log on as Administrator: no website can be reached at all. This is obvious, because so far we have only allowed users in the Kinh Doanh group to browse the Web; other users are not yet allowed.

So I create a new rule so that users in the Sep group can reach every website over every protocol. In Active Directory Users and Computers create a group named Sep. Add Administrator to the Sep group. On PC01 open Forefront TMG and create another Access Rule named Sep with the following properties:
- Rule Action: Allow
- Protocol: All outbound traffic
- Access Rule Sources: Internal
- Access Rule Destinations: External
- User Sets: Group Sep (created the same way as for Web Group KD)
The figure shows the rule after completion. The Sep rule can be read as: open every protocol (all ports) one way, from Internal to External; this right is granted to every user in the Sep group of the Internal network. On PC02, log on as Administrator and every website is reachable.

So far we have only looked at creating rules whose Action is Allow; now we create rules whose Action is Deny. Create a new Access Rule named Cam KD truy cap Web den. In Rule Action choose Deny instead of Allow. In the Protocols window open only the three ports 80, 443 and 21 for HTTP, HTTPS and FTP. In Access Rule Sources choose only one entity: Internal. In Access Rule Destinations, instead of choosing External, create a new URL Set named Deny Web and list the websites you forbid users from visiting; in this example, suppose I define sexviet.com as a black-listed site and want to block it. In User Sets choose Group KD. The figure shows the rule after completion.

The Cam KD truy cap Web den rule can be read as: forbid the HTTP, HTTPS and FTP protocols (ports 80, 443, 21) one way, from Internal to the Deny Web list; this applies to every user in the Kinh Doanh group of the Internal network.

At this point we notice a conflict for the Kinh Doanh group:
- It is forbidden to visit google.com.vn by the rule Cam KD truy cap Web den
- It is allowed to visit google.com.vn by the rule Web Group KD
However, in Forefront TMG a rule with a smaller Order value has higher priority; in other words, rules higher in the list take precedence over rules below them. So here, because the rule Cam KD truy cap Web den has higher priority than the rule Web Group KD, users in the Kinh Doanh group cannot visit google.com.vn. You can change the order of the rules with Move up/Move down; in practice, apart from the DNS Query rule, which sits at the very top, Deny rules should be given higher priority than Allow rules.

On PC02, log on as gccom1 and sexviet.com can no longer be reached. The web browser shows a page from Forefront TMG explaining why you cannot reach the site. However, only IT specialists understand what this page means; in practice ordinary users do not realize that we have blocked this access. So, to make it simpler for users who visit blocked sites, we should redirect them to another page whose content explains the problem to them in more detail. Suppose that on PC01 I install IIS and create a default website with the content shown in the figure below. Back in the Forefront TMG console, right-click the rule Cam KD truy cap Web den and choose Properties. Choose the Action tab -> Deny. Tick Redirect HTTP requests to this Web page and enter the address of the Forefront TMG machine. Back on PC02, log on as gccom1 and visit google.com.vn again: the browser no longer shows the default Forefront TMG error page but is redirected to the page we just created.

Next we modify the Sep rule so that users in the Sep group may still visit every website (as set up earlier) but cannot view images, video, files... and only see plain text. On PC01 right-click the Sep rule and choose Properties. Choose the Content Types tab. Choose Selected content types and tick three options:
- Documents
- HTML Documents
- Text
The figure shows the rule after completion. Back on PC02, log on as Administrator and visit any website: images, video... are not displayed, only plain text.

So at this point we have basically finished creating the Allow/Deny rules that let machines on the Internal Network reach the External Network. Now we look at a few other Forefront TMG features. In Firewall Policy, click the Show/Hide Firewall Policy icon to see all Forefront TMG rules. Besides the rules we created, Forefront TMG has created some default rules of its own. In practice we should not touch these default rules.

OK, I have just finished presenting the Access Rule part of Forefront TMG in 70-557 of the MCSA.
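To make the rule-ordering behaviour described above concrete, here is an added example (mine, not the page's or TMG's own code) that models this article's policy as a first-match list in Python. The rule, group and URL-set names come from the page; the Internal VS Local Host rule is left out because it does not affect web requests; blocked-site.example is a placeholder for the black-listed site, and google.com.vn is assumed to be in Deny Web, as the conflict discussed above implies.

```python
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Callable, NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    action: str                    # "Allow" or "Deny"
    protocols: frozenset           # {"*"} stands for "All outbound traffic"
    sources: frozenset             # network names
    destinations: frozenset        # network names or URL-set names
    users: frozenset               # {"*"} stands for "All Users", otherwise AD group names
    schedule: Optional[Callable[[datetime], bool]] = None   # None = Always

# URL sets in TMG's http://*.<domain>/* and http://<domain>/* form (constructed; google.com.vn
# in Deny Web is assumed from the page's conflict discussion, blocked-site.example is a placeholder)
URL_SETS = {
    "Allow Web": ["http://*.gccom.net/*", "http://gccom.net/*",
                  "http://*.google.com.vn/*", "http://google.com.vn/*"],
    "Deny Web": ["http://*.blocked-site.example/*", "http://blocked-site.example/*",
                 "http://*.google.com.vn/*", "http://google.com.vn/*"],
}

def set_times(t: datetime) -> bool:
    """Schedule 'Set Times': Monday to Friday, 08:00-12:00 and 14:00-18:00."""
    return t.weekday() < 5 and (8 <= t.hour < 12 or 14 <= t.hour < 18)

WEB, INTERNAL = frozenset({"HTTP", "HTTPS", "FTP"}), frozenset({"Internal"})
POLICY = [  # Order as recommended on the page: DNS Query on top, Deny above Allow
    Rule("DNS Query", "Allow", frozenset({"DNS"}), INTERNAL, frozenset({"External"}), frozenset({"*"})),
    Rule("Cam KD truy cap Web den", "Deny", WEB, INTERNAL, frozenset({"Deny Web"}), frozenset({"Kinh Doanh"})),
    Rule("Web Group KD", "Allow", WEB, INTERNAL, frozenset({"Allow Web"}), frozenset({"Kinh Doanh"}), set_times),
    Rule("Sep", "Allow", frozenset({"*"}), INTERNAL, frozenset({"External"}), frozenset({"Sep"})),
]

def dest_matches(rule: Rule, dest_network: str, url: Optional[str]) -> bool:
    for d in rule.destinations:
        if d in URL_SETS:   # URL-set destination: match the request URL against the set's patterns
            if url and any(fnmatchcase(url, p) for p in URL_SETS[d]):
                return True
        elif d == dest_network:   # network destination: match by network name
            return True
    return False

def evaluate(policy, groups, proto, src, dest_network, url, when):
    """Return (rule name, action) of the first matching rule, or the default deny."""
    for r in policy:
        if "*" not in r.protocols and proto not in r.protocols: continue
        if src not in r.sources: continue
        if not dest_matches(r, dest_network, url): continue
        if "*" not in r.users and not (r.users & frozenset(groups)): continue
        if r.schedule is not None and not r.schedule(when): continue
        return r.name, r.action
    return "Default rule", "Deny"
```

Swapping the Deny rule below Web Group KD in POLICY flips the verdict for google.com.vn from Deny to Allow, which is exactly the Move up/Move down effect the article describes.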
GC Com Informatics Investment and Development Co., Ltd. - Computer technology site for IT technicians - Phone: (073) - 3.511.373 - 6.274.294 - Website: http://www.gccom.net