Microsoft TMG Replacement. How FORTINET integrated secuity platforms Help Protect the Perimeter in a Microsoft Infrastructure Environment



Similar documents
Astaro Gateway Software Applications

Move over, TMG! Replacing TMG with Sophos UTM

Fortigate Features & Demo

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Boston Area Windows Server User Group April 2010

Forefront Threat Management Gateway (TMG) Whitepaper The Solution.

Networking for Caribbean Development

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Owner of the content within this article is Written by Marc Grote

Configuring IPsec VPN with a FortiGate and a Cisco ASA

High Performance NGFW Extended

Use FortiWeb to Publish Applications

Connecting an Android to a FortiGate with SSL VPN

Cisco Small Business ISA500 Series Integrated Security Appliances

Product Factsheet MANAGED SECURITY SERVICES - FIREWALLS - FACT SHEET

FIREWALL. Features SECURITY OF INFORMATION TECHNOLOGIES

Configuring IPsec VPN between a FortiGate and Microsoft Azure

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201

CISCO IOS NETWORK SECURITY (IINS)

H.I.P.A.A. Compliance Made Easy Products and Services

PART D NETWORK SERVICES

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

McAfee Next Generation Firewall (NGFW) Administration Course

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Fortinet Certified Network Security Administrator

Cisco Certified Security Professional (CCSP)

Total Cost of Ownership: Benefits of Comprehensive, Real-Time Gateway Security

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

How To Configure Forefront Threat Management Gateway (Forefront) For An Server

Preventing credit card numbers from escaping your network

Virtual Private Networks Secured Connectivity for the Distributed Organization

INTRODUCTION TO FIREWALL SECURITY

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

Simple security is better security Or: How complexity became the biggest security threat

FortiOS Handbook - PCI DSS Compliance VERSION 5.4.0

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Unified Threat Management, Managed Security, and the Cloud Services Model

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Configuring a FortiGate unit as an L2TP/IPsec server

RSA SecurID Ready Implementation Guide

How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG)

Gateway Security at Stateful Inspection/Application Proxy

FortiOS Handbook - Authentication VERSION 5.2.6

CTS2134 Introduction to Networking. Module Network Security

Security Appliances. for a wide field of application. Comprehensive threat management, secure Internet access, and secure remote access.

Network protection and UTM Buyers Guide

WHITE PAPER SECURING DISTRIBUTED ENTERPRISE NETWORKS FOR PCI DSS 3.0 COMPLIANCE

Troubleshooting. FortiOS Handbook v3 for FortiOS 4.0 MR3

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Network Access Security. Lesson 10

Recommended IP Telephony Architecture

How To Ensure Security In Pc Ds 3.0

Security. TestOut Modules

Firewall Defaults and Some Basic Rules

IPCOM S Series Functions Overview

Microsoft Lync Server 2010

NETASQ MIGRATING FROM V8 TO V9

From Network Security To Content Filtering

Owner of the content within this article is Written by Marc Grote

Firewall. FortiOS Handbook v3 for FortiOS 4.0 MR3

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Lync SHIELD Product Suite

Scenario: IPsec Remote-Access VPN Configuration

Check Point Security Administrator R70

White Paper. ZyWALL USG Trade-In Program

Gigabit SSL VPN Security Router

Migration Project Plan for Cisco Cloud Security

UNIFIED THREAT MANAGEMENT SOLUTIONS AND NEXT-GENERATION FIREWALLS NETWORK SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Monitoring Forefront TMG

Secure Web Appliance. SSL Intercept

Enabling Secure BYOD How Fortinet Provides a Secure Environment for BYOD

Building Your Complete Remote Access Infrastructure on Windows Server 2012

Security Administration R77

Cisco Actualtests Exam Questions & Answers

FortiOS Handbook Authentication for FortiOS 5.0

TMG Replacement Guide

ICAB5238B Build a highly secure firewall

REDCENTRIC MANAGED FIREWALL SERVICE DEFINITION

INTRODUCING KERIO WINROUTE FIREWALL

Hosted Microsoft Exchange Client Setup & Guide Book

Firewalls for the Home & Small Business. Gordon Giles DTEC Professor: Dr. Tijjani Mohammed

MANAGED SECURITY SERVICES

Cisco ASA 5500 Series Firewall Edition for the Enterprise

FortiGuard Web Content Filtering versus Websense March 2005

ISG50 Application Note Version 1.0 June, 2011

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Hosted Microsoft Exchange Client Setup & Guide Book

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF

Transcription:

Microsoft TMG Replacement How FORTINET integrated secuity platforms Help Protect the Perimeter in a Microsoft Infrastructure Environment

1. Introduction This document gives an overview of FortiGate features and models which are relevant when it comes to choosing a successor for Microsoft s TMG. The main focus is placed on the following TMG functions: Besides FortiGate as an Integrated Security System/Next Generation FW, alternate products from Fortinet s portfolio may be used in certain cases: - Web Application Firewall (FortiWeb) - Mail Security (FortiMail), - Loadbalancer (FortiBalancer) This document focuses on replacing the most common TMG functions with FortiGate platforms, and achieving an easy to administer and cost effective solution for the SME market. Fortinet appliances simple license model is of particular interest. Specifically, FortiGate is not licensed on features or on functions. All features 1 are available without additional costs. Therefore the selection of the right model is mainly based on throughput. Additional services such as hardware and software support, as well as definition updates for AntiVirus, IPS, Application Control, URL filtering, etc. can be added when required. A list of authorized EMEA Fortinet Distributors is available here: http:///partners/emeapartners.html Further information can be found on the following Fortinet websites: http:// http://docs.fortinet.com http://kb.fortinet.com http:///partners/partner_program/fppemea.html 1 Due to technical capabilities, the FortiGate-60C/D and models below offer a limited feature set. Details are pointed out in Chapter 3.

2. TMG features a. Proxy One of the oldest and most-used functions of TMG was the role as a proxy server to enable Internet access for clients. In this context a key aspect was that users did not have to sign-in a second time. This Single-Sign-On (SSO) feature is part of the FortiGate feature set and is fully integrated. Thereby the FortiGate communicates with the Active Directory domain controllers and is able to read and evaluate the rights and permissions of users signed-in. Additionally comprehensive security functions including AntiVirus, Intrusion Prevention, Web Filter and Application Control can be used. Domain Controller??? Anti- Virus IDS/IPS Web Content Filtering Application Control Today almost every application tries to communicate via HTTP or HTTPS with various servers on the Internet. With application control enabled, the IP traffic and packets are inspected in detail. Thus FortiGate allows for detecting and differentiating between various applications, for example Skype, Skydrive, WindowsUpdate, NetMeeting, and many more. Detection is of course not limited to a particular vendor. Numerous applications are recognised as either dangerous or potentially harmful programs, such as botnet activity, remote access or file sharing applications. The latest list of applications is available at http://www.fortiguard.com

b. OWA/SharePoint Publishing From a functional perspective, two things are important when it comes to publishing Outlook Web Access or SharePoint services: - Translation of the public IP address - Exchanging the certificate, that external clients receive a valid, trusted and signed certificate. - Exchanging the certificate: ensuring that external clients receive a valid, trusted and signed certificate Server Internal WAN HTTPS When it comes to securing the application, the following security features are a good extension: - Scanning for attacks (Intrusion Prevention System) - Scanning for viruses - Checking of used paths for HTTP applications - Verifying communication protocol in use (is it HTTP(S) or Activesync traffic/packets?) - Blocking IP address and/or alarm administrators upon failed login attempts - Load sharing when using multiple application servers

c. Lync Publishing When publishing Lync services, there are more communication protocols in use compared to OWA/SharePoint. However infrastructure service requirements remain the same. Once again we see that public IP addresses need to be translated and SSL certificates changed accordingly on the perimeter side. Lync Server Internal WAN HTTPS / STUN / SIP SIP (TLS/IPSec) SIP Provider From a security standpoint, requirements increase due to the additional communication protocols involved. The perimeter firewall needs to be able to verify all of these protocols. This results in the following features list: - Scanning for attacks (Intrusion Prevention System) - Scanning for viruses - Checking of used paths for HTTP applications - Verifying communication protocol in use (is it HTTP(S) or Activesync traffic/packets?) - Layer 7 analysis of VoIP data - Blocking of IP address and/or alarm administrators upon failed login attempts - Load sharing when using multiple application servers Within the FortiGate feature set, a SIP (TLS) application level gateway (ALG) has been implemented, which enables detailed inspection and filtering of SIP traffic.

d. Firewalling with Fortinet FortiGate An Integrated Security System/Next Generation Firewall is the first line of defence against Internet attacks, providing protection for internal resources. At the same time, unwanted communications sent externally must be prevented. The core of all FortiGate models is the FortiOS operating system which serves as a platform for numerous fully-integrated security functions. These systems defend against advanced attacks and the latest threats. Established policies control all data flow that encounters a FortiGate appliance. Stateful-Inspection firewall supplemented by security components such as AntiVirus, IPS, Application Control, Webfilter, etc. ensures secure communication. Numerous industry certifications and recognitions prove the superiority of FortiGate appliances. The FortiGate s ability to build identity-based firewall policies (based on user or group information) is homogenous with Microsoft infrastructure environments using central user authentication and Single-Sign-On. Internal Network Internal

e. Virtual Private Networks with Fortinet s FortiGate Virtual Private Networks (VPN) allow secure, encrypted communication with company networks and resources. This means users can connect from outside the office and establish a secure connection from their smartphone or notebook using SSL VPN. The connection of various office locations can be achieved using persistent IPSec VPN tunnels. Fortinet s FortiGate offers remote access for mobile workers using SSL-VPN or L2TP/IPSec, and IPsec VPN for typical site-to-site communications between multiple locations. Pre-shared keys certificates are supported for authenticating devices and users. FortiToken is a one-time password solution directly built into the FortiGate operating system. It allows two factor authentication to securely authenticate mobile users.

3. Fortinet Products/Feature Matrix Fortinet s broad range of FortiGate models offers a flexible and effective choice of products to protect company networks. Due to the diversity of the different models, solutions are available for the smallest offices (1-5 users) to enterprise environments (10,000 users and more). An overview of all current FortiGate models can be found on the Fortinet Homepage at http:///products/fortigate/ Depending on the TMG features and throughput required, as an example for small networks, the following FortiGate models should be considered when replacing TMG: Model Firewall VPN Client-Proxy OWA/SPS Lync Publishing Publishing FortiGate-60C/D Yes Yes Yes No No FortiGate-100D Yes Yes Yes Yes Yes Firewall (1518/512/64 byte) Concurren t Sessions New Sessions/Se c IPSec VPN IPS (HTTP) Antivirus (Proxy/Flow ) FortiGate -60D 1.5 /1.5 /1.5 Gbps 500K 3.200 1 Gbps 200 35 /50 FortiGate -100D 2500 / 1000 / 200 2.5 Mil 22.000 450 950 300/700

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information