Professional Documents
Culture Documents
Forefront Threat Management Gateway 2010
Forefront Threat Management Gateway 2010
Forefront Threat Management Gateway 2010
Features
Learn about the features and benefits of Microsoft Forefront Threat Management Gateway 2010 (TMG), which is designed to
provide a comprehensive, secure Web gateway that helps, protect employees from Web-based threats. Highlight: HTTPS
HTTPS Inspection, an innovative feature, enables Forefront TMG to inspect inside users’ SSL-encrypted Web traffic.
By inspecting within these encrypted sessions, Forefront TMG can both detect possible malware as well as limit employee Web
usage to approved sites. Sensitive sites, such as banking sites, can be excluded from inspection.
New Features
Feature Description
URL Filtering Destination URLs are examined for compliance with corporate policy and for
malicious potential of destination Web site. Forefront TMG uses Microsoft
Reputation Services for URL filtering, combining multiple sources to increase
coverage of URLs and categorization.
Web antivirus/anti- Inbound and outbound Web traffic is inspected for viruses and malware,
malware protection including archived folders. Encrypted folders can be blocked. For large files,
users are trickled the file to assure them the file is being downloaded.
E-mail security Forefront TMG provides central management for Exchange and Forefront
Protection 2010 for Exchange when located on the same server. Forefront TMG
does not include either Exchange or Forefront Protection 2010 for Exchange.
Both must be purchased and installed separately.
HTTPS inspection HTTPS-encrypted sessions can be inspected for malware or exploits. Specific
groups of sites—such as banking sites—can be excluded from inspection for
privacy reasons. Users of the TMG Firewall Client can be notified of the
inspection.
Network Inspection System Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on
(NIS) protocol analysis, NIS enables blocking of classes of attacks while minimizing
false positives. Protections can be updated as needed.
Enhanced Network Address Forefront TMG now enables you to specify individual e-mail servers that can be
Translation (NAT) published on a 1-to-1 NAT basis.
Enhanced Voice over IP Forefront TMG includes SIP traversal, enabling simpler deployment of Voice
support over IP within the network.
Windows Server 64-bit Forefront TMG is installed on Windows Server 2008 with 64-bit support.
support
Firewall Protections
Feature Description
Multi-layer firewall Forefront TMG provides access control and protection on three layers: packet
filtering, stateful inspection, and application layer filtering.
Application layer filtering Forefront TMG provides deep content filtering through built-in application
filters.
Granular HTTP controls Forefront TMG delivers customizable, granular controls to HTTP traffic,
including:
- Signature-based blocking
DoS protections Forefront TMG provides resiliency against flood attacks and re-allocates
resources to provide higher security inspection.
Extensive protocol support Forefront TMG delivers out-of-the-box support for many protocols. New
protocols can be defined.
Feature Description
Highly secure e-mail access Remote users can access Exchange Server using the full Outlook MAPI client
from Outlook Client over the Internet without establishing a VPN connection. The connection is
encrypted for security.
Simple Outlook Web Access Simple wizards allow quick configuration of remote access for both Outlook
and Microsoft Office Web Access and SharePoint servers. Outlook Web Access users can be
SharePoint Server publishing authenticated at the Forefront TMG server, preventing attacks by
unauthenticated users.
Highly secure publishing of Remote users can access internal resources or Web servers more securely.
Web servers, internal servers, Link translation is provided.
and Terminal Services
Single sign on Forefront TMG allow users to access a group of published Web sites
without being required to authenticate with each Web site.
Delegation of basic Forefront TMG helps protect published Web sites from unauthenticated
authentication access by requiring the Forefront TMG firewall to authenticate the user
before the connection is forwarded to the published Web site. This
prevents exploits from unauthenticated users from reaching the published
Web server.
Link translation to internal Forefront TMG includes a link translation feature that you can use to create
servers a dictionary of definitions for internal computer names that map to publicly
known names.
Implements link translation automatically during Web publishing.
SSL bridging support To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL
protected packets to be decrypted by Forefront TMG, inspected, and re-
encrypted.
Feature Description
Site-to-site VPN Forefront TMG enables quick connectivity between sites via wizard-based
approach. Also can be configured for tunnel-mode IPSec for support of third
party devices.
Remote access VPN Forefront TMG provides termination of L2TP/IPSec and PPTP VPN sessions,
using the native Windows VPN services.
Inspection of VPN traffic VPN traffic terminated on the Forefront TMG server is inspected according to
the appropriate security policy.
VPN quarantine Forefront TMG provides deep VPN client inspection and integration of your
firewall policy.
SecureNAT for VPN clients Forefront TMG helps ensure remote users connected to the network can gain
Internet access while maintaining a strong security policy for the corporate
network.
Publish VPN servers Forefront TMG can be used to publish internal Windows Servers as VPN
servers.
Management
Feature Description
Real-time monitoring and Logs may be viewed real-time or historically – including active sessions.
reporting
Query building With a built-in query tool, historical data can be found quickly. Complex
queries can be built.
Report creation and Reports can be designed for specific needs and then published locally or to a
publishing network file share.
External logging Logs may be sent to a Microsoft SQL Server located on the internal network.
Feature Description
Network load balancing Forefront TMG leverages network load balancing to provide fail over and
scaling of performance.
Network-based You may configure one or more networks, each with distinct relationships to
configuration other networks. Access policies are defined relative to the networks and not
necessarily relative to a specific internal network. Forefront TMG extends the
firewall and security features to apply to traffic between any networks or
network objects.
Caching Forefront TMG provides caching to improve user experience and reduce
bandwidth costs. With the centralized cache rule mechanism of Forefront
TMG, you can configure how objects stored in the cache are retrieved and
served from the cache.
Background Intelligent Forefront TMG provides the caching mechanism for data received through
Transfer Service (BITS) BITS. Any cache rule that you create can be enabled to cache BITS data.
caching
HTTP compression You can reduce file size by using algorithms to eliminate redundant data during
transmission of HTTP packets.
Diffserv (Quality of Service) Forefront TMG includes packet prioritization functionality (provided by the
Diffserv Web filter), which scans the URL or domain and assigns a packet
priority using Diffserv bits.
Firewall √ √ √
Web proxy √ √ √
Caching √ √ √
Web anti-malware √ √
HTTPS inspection √
E-mail security √
ISP redundancy √