DNS Filter
The DNS filter intercepts and analyzes all inbound DNS traffic destined for the Internal network and other protected networks. If the detection of DNS attacks is enabled, you can specify that the DNS filter will check for specific types of suspicious activity. For more information, see Overview of intrusion detection (http://technet.microsoft.com/en-us/library/cc441669.aspx).
FTP Access Filter
The FTP access filter can distinguish between read and write permissions, enabling you to fine-tune access permissions. The FTP access filter uses the following protocol definitions, which are installed with the filter during the Forefront TMG installation:
FTP
FTP server
H.323 Filter
Forefront TMG includes an H.323 filter that allows H.323 compliant applications, such as Microsoft Windows NetMeeting 3, to pass through Forefront TMG. This enables rich multimedia and real-time collaboration capabilities between enterprises using the Internet. Organizations that deploy interdepartmental firewalls can also use this technology to enhance communications between their employees over their intranets. Additionally, the H.323 filter protects communication between internal clients and the Internet, hiding client IP addresses and restricting access, as needed.
H.323 Protocol
The H.323 protocol is a set of standards enabling real-time multimedia conferencing and communications over packet-based networks that do not guarantee Quality of Service (QoS). The standards were developed to accommodate varying usages. Due to the inadequate quality of voice over the Internet, it was proposed that improvements could be made if communications were carried partly on the Internet and partly on the public switched telephone network (PSTN). The H.323 standards would also provide for communications between a standard PSTN phone and a computer-based client. H.323 defines how compliant components (terminals, gateways, gatekeepers, and multipoint control units) engage in audio, video, and multipoint conference communications. The H.323 standards define the mandatory and optional services supplied by a gatekeeper. The H.323 protocol standard contends with call control and management for both point-to-point and multipoint conferences. The standard also defines the gateway operability that allows calls to be connected between H.323 terminals as well as between LAN and PSTN devices. By default, the H.323 filter is applied to the H.323 protocol.
Limiting Access to H.323
You can create access rules that limit access to the H.323 protocol. For example, you might want to deny a client's H.323 access to video, T120 data sharing, and outbound calls. You can create an access rule that allows the H.323 client access only to the inbound calls protocol. Because Forefront TMG allows access only when explicitly specified, only this protocol will be allowed.
RPC Filter
Forefront TMG handles traffic for all remote procedure calls (RPCs) between clients outside your network and RPC servers located inside your network. Using the Forefront TMG RPC filter, you can define one or more universally unique identifier (UUID) interfaces as an RPC protocol definition. This protocol definition is used in Forefront TMG publishing rules for the server, so that external clients can access UUID interfaces on the internal RPC server.
The RPC filter applies to RPC traffic only (including user-defined RPC protocols). It does not apply to any RPC traffic that is tunneled through another protocol. For example, this filter does not affect RPC over HTTP or RPC over XML. The RPC filter works for both inbound and outbound scenarios. For publishing scenarios (incoming requests), you can limit the UUIDs allowed. For access rules (outgoing requests), the filter handles automatic opening of secondary connections.
Exchange Server Publishing and the RPC Filter
A popular method of accessing servers running Microsoft Exchange Server from remote sites is by using the full Microsoft Outlook MAPI client. Users prefer using the same full Outlook MAPI client for e-mail that they use when directly connected to the corporate network. The challenge for the firewall and security administrator is how to make the full Outlook MAPI client remote access connections secure. Remote access to Microsoft Exchange RPC services (which is required for Outlook MAPI client access) can require a large number of statically open ports on the Internet edge firewall. The number of statically opened ports required to allow remote access to Exchange RPC services has been a barrier to enabling an improved Outlook mail experience from remote locations: on a conventional firewall, leaving so many ports statically open made security and firewall administrators hesitant to allow remote access for the full Outlook MAPI client. An important concern is the potential for viruses and worms designed to attack RPC and DCOM services. If you use a conventional firewall that is not RPC application-layer aware, RPC worms can attack the network through these open ports. Such an attack could infect the Exchange server and subsequently infect other computers on the corporate network.
The Forefront TMG RPC filter enables you to force secure Outlook MAPI connections with the corporate Exchange server. The RPC filter blocks outbound RPC worm connections from the corporate network. The filter can help you prevent RPC worm connections from leaving the corporate network and prevent hosts on your network from infecting computers on the Internet. The RPC filter can also be used to enforce secure RPC connections from Outlook MAPI clients. When this feature is enabled, connection requests from remote Outlook MAPI clients must be done through a secure encrypted channel. If the connection is not secured, Forefront TMG drops the client request. This allows Forefront TMG, instead of users, to control the level of security. Because the Exchange RPC protocol is predefined, the RPC filter opens only the necessary interfaces, rather than allowing full RPC to the Exchange server.
RPC Filtering for Outlook Clients
The following describes how the initial RPC endpoint mapper connection is established between the Outlook MAPI client and Forefront TMG:
1. The Outlook MAPI client establishes a connection to TCP port 135 on the external interface of Forefront TMG.
2. The RPC filter statefully inspects packets in the connection. If invalid RPC communications are detected, the connection is dropped.
3. Valid RPC connections from Outlook MAPI clients are forwarded to the Exchange server. The Exchange server responds to the request with a port number that the client uses for subsequent data connections.
4. Forefront TMG intercepts the response and changes the port number to a valid port that the Outlook MAPI client can use on the external interface of Forefront TMG.
5. Forefront TMG forwards to the Outlook MAPI client the port number it will use for subsequent communications with the Exchange server.
The following is the communications sequence between the Outlook MAPI client and the Exchange server after the endpoint mapper connection is established:
1. The Outlook MAPI client establishes a connection to the MAPI port that Forefront TMG instructed it to use. Forefront TMG screens the RPC commands to ensure that no exploits are contained within the channel.
2. Information sent by the Outlook MAPI client is forwarded by Forefront TMG to the Exchange server RPC services.
3. The Exchange server responds to the Outlook MAPI client, and Forefront TMG intercepts the responses. The RPC filter screens these responses and changes the source port number.
4. Forefront TMG forwards the responses to the Outlook MAPI client.
Strict RPC Compliance
Outbound RPC protocols can be configured on a per-rule basis in order to enforce strict RPC compliance. By default, strict compliance is enforced for RPC protocols. By enforcing strict compliance, RPC-type protocols, such as DCOM, will not be allowed through Forefront TMG.
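The two sequences above, as an added example that is not Forefront TMG's own code: a Python model of the RPC filter in a publishing scenario. It parses the interface UUID out of a DCE/RPC bind PDU (the MS-RPCE little-endian layout, which the page itself does not describe), admits only interfaces listed in the publishing rule, and rewrites the dynamic port Exchange returns to a port on the external interface. The interface UUIDs, the ports and the bind PDU are constructed values.

```python
import struct
import uuid

PTYPE_BIND = 11
UUID_OFFSET = 32  # common header (16) + bind fields (8) + context list header (4) + context item header (4)
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax, version 2

def bind_interface_uuid(pdu: bytes):
    """Return the interface UUID requested by a bind PDU, or None if the PDU is not a valid bind."""
    if len(pdu) < UUID_OFFSET + 16:
        return None
    rpc_vers, ptype, drep0 = pdu[0], pdu[2], pdu[4]
    frag_len = struct.unpack_from("<H", pdu, 8)[0]
    if rpc_vers != 5 or ptype != PTYPE_BIND or frag_len != len(pdu):
        return None
    if not drep0 & 0x10:
        return None  # big-endian data representation is not handled by this model
    return uuid.UUID(bytes_le=pdu[UUID_OFFSET:UUID_OFFSET + 16])

class RpcPublishingFilter:
    def __init__(self, published_uuids, external_ports):
        self.published = {uuid.UUID(u) for u in published_uuids}  # interfaces in the publishing rule
        self._pool = list(external_ports)  # external-interface ports the filter may announce
        self.ext_to_int = {}  # announced external port -> dynamic port chosen by Exchange

    def inspect_bind(self, pdu: bytes) -> bool:
        """Step 2: the connection survives only if the bind targets a published interface."""
        u = bind_interface_uuid(pdu)
        return u is not None and u in self.published

    def rewrite_epm_reply(self, exchange_port: int) -> int:
        """Steps 4 and 5: replace the Exchange port with one on the external interface."""
        ext = self._pool.pop(0)
        self.ext_to_int[ext] = exchange_port
        return ext

    def forward_target(self, external_port: int):
        """Data phase: Exchange port behind an announced external port, or None for an unknown port."""
        return self.ext_to_int.get(external_port)

def make_bind(if_uuid: str, call_id: int = 1) -> bytes:
    """Build a minimal well-formed bind PDU for the given interface (constructed test input)."""
    body = struct.pack("<HHI", 5840, 5840, 0)  # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)  # one presentation context
    body += struct.pack("<HBB", 0, 1, 0)  # context id 0, one transfer syntax
    body += uuid.UUID(if_uuid).bytes_le + struct.pack("<I", 0)  # abstract syntax: interface v0.0
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB", 5, 0, PTYPE_BIND, 0x03)  # version 5.0, bind, first+last fragment
    header += bytes([0x10, 0, 0, 0])  # packed_drep: little-endian integers, ASCII, IEEE floats
    header += struct.pack("<HHI", 16 + len(body), 0, call_id)  # frag_length, auth_length, call_id
    return header + body
```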
SMTP Filter
Forefront TMG intercepts all Simple Mail Transfer Protocol (SMTP) traffic that arrives on port 25 of the Forefront TMG computer. The SMTP filter accepts the traffic, inspects it, and passes it on only if the rules allow. By default, the SMTP filter is applied to the SMTP and SMTP server protocols for incoming traffic. Forefront TMG supports inter-forest communication between Exchange Server computers only when the communication is over a secure channel (using TLS).
Logging Blocked E-Mail Messages
If an SMTP command is blocked because it violates one of the SMTP filter's conditions, the blocked message will be logged only when you enable the SMTP filter event alert. This alert is disabled by default.
Handling Commands
The SMTP filter examines SMTP commands sent by Internet SMTP servers and clients. The filter can intercept SMTP commands and check whether they are valid and comply with the maximum length allowed in order to protect against buffer-overrun attacks. SMTP commands that violate the policy restrictions are assumed to be attacks against the SMTP server and can be stopped by the SMTP filter. Each SMTP command has a maximum length associated with it. This length represents the number of bytes allowed for each command. If an attacker sends a command that exceeds the number of bytes allowed for the command, Forefront TMG returns an error code to the sender and drops the connection. When a client uses a command that is defined but disabled, the filter closes that connection. When a client uses a command that is unrecognized by the SMTP filter, no filtering is performed on that message. The Request for Comments (RFC) considers the AUTH command as part of the MAIL FROM command. For this reason, the SMTP filter blocks MAIL FROM commands only when they exceed the combined length of the MAIL FROM and AUTH commands (when AUTH is enabled). For example, if you specify a maximum length of 266 bytes for MAIL FROM and 1,024 bytes for AUTH, the message will be blocked only if the MAIL FROM command exceeds 1,290 bytes.
The SMTP filter does not inspect SSL-encrypted SMTP traffic. To configure Forefront TMG to prevent such traffic, configure the SMTP filter to block STARTTLS/TLS commands.
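As an added example (not Forefront TMG code), a Python model of the command-handling rules above: per-command byte limits, the combined MAIL FROM plus AUTH limit while AUTH is enabled, unrecognized commands passing through unfiltered, and a disabled command closing the connection. Only the 266-byte and 1,024-byte limits come from the text; the other limits, the disabled set, the CRLF-exclusive length measurement and the session lines are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SmtpCommandPolicy:
    max_len: dict                                 # command verb -> maximum bytes for that command line
    disabled: set = field(default_factory=set)    # commands that are defined but disabled
    auth_enabled: bool = True

    def limit_for(self, verb: str):
        """Effective limit for a verb; AUTH counts as part of MAIL FROM while AUTH is enabled."""
        limit = self.max_len.get(verb)
        if limit is not None and verb == "MAIL" and self.auth_enabled and "AUTH" in self.max_len:
            limit += self.max_len["AUTH"]
        return limit

    def verdict(self, line: bytes) -> str:
        """'pass', 'unfiltered' (unknown command), 'block' (too long) or 'close' (disabled)."""
        line = line.rstrip(b"\r\n")  # limit applied to the command bytes without CRLF (assumption)
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        if verb in self.disabled:
            return "close"
        limit = self.limit_for(verb)
        if limit is None:
            return "unfiltered"
        return "block" if len(line) > limit else "pass"

def run_session(policy: SmtpCommandPolicy, lines):
    """Verdict per line; stops after a block or close because the filter drops the connection."""
    verdicts = []
    for line in lines:
        verdicts.append(policy.verdict(line))
        if verdicts[-1] in ("block", "close"):
            break
    return verdicts

# Constructed policy; STARTTLS is disabled so that encrypted SMTP, which the filter cannot inspect, is refused.
POLICY = SmtpCommandPolicy(
    max_len={"HELO": 266, "EHLO": 266, "MAIL": 266, "RCPT": 266, "AUTH": 1024},
    disabled={"STARTTLS"},
)

def mail_from(sender_local_len: int) -> bytes:
    """MAIL FROM line whose length without CRLF is 25 + sender_local_len bytes (constructed input)."""
    return b"MAIL FROM:<" + b"a" * sender_local_len + b"@example.test>\r\n"

SESSION = [  # constructed client session
    b"EHLO relay.example.test\r\n",
    mail_from(1265),                 # 1,290 bytes: exactly the combined MAIL FROM + AUTH limit, passes
    b"XCLIENT ADDR=192.0.2.10\r\n",  # not a command the filter knows: passed through unfiltered
    b"STARTTLS\r\n",                 # disabled: the filter closes the connection
]
```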
SOCKS filter
The SOCKS filter provided with Forefront TMG forwards requests from SOCKS applications to the Microsoft Firewall service. Forefront TMG checks the access policy rules to determine if the SOCKS client application can communicate with the Internet.
When you install Forefront TMG, the SOCKS filter is disabled for all networks. You can configure Forefront TMG to listen for SOCKS requests on any port. (SOCKS applications typically send requests to port 1080.) You can modify the default port.
Streaming Media Filter
You can create access rules that limit access to the protocol definitions. For example, you might want to limit a client's access to Windows Media only. You can create a protocol rule that allows the Client MMS, Windows Media protocol, and another protocol rule that denies use of the Client PNM, RealNetworks protocol. If you disable the streaming media filter, all its protocol definitions are also disabled. Traffic that uses Windows Media Technologies, RealNetworks, and RTSP definitions is blocked. By default, the streaming media filters apply to the following protocols: RTSP, RTSP Server, MMS, MMS Server, PNM, and PNM Server. Forefront TMG does not cache content that is streamed. This means that MMS and RTSP content is not cached. However, if the content is delivered using Hypertext Transfer Protocol (HTTP) as a file resource (and not streamed HTTP), Forefront TMG may cache the content, depending on how you configure caching.
Web Proxy Filter
When Web Proxy Filter is enabled for a protocol, that protocol can use the following features, if applicable:
Authentication
HTTP filtering
When Web Proxy Filter is disabled for a protocol, Forefront TMG does not intercept requests from clients connecting to Web servers. This disables all caching and other proxying services for the client request. You can create a custom protocol that listens on a port other than 80 and apply Web Proxy Filter to that protocol. This extends Web Proxy Filter functionality to the custom protocol.
Copyright 2009 by Microsoft Corporation. All rights reserved.