Swift asked:
Forefront TMG and CAS for Exchange 2010
Hi
It's widely held that we should publish OWA/ActiveSync/Outlook Anywhere (Exchange 2010) with Microsoft Forefront TMG 2010 as reverse proxy.
One of the rationale for doing so seems to be that incoming connections to OWA would be pre-authenticated at TMG rather than hitting directly at Client Access Server in order to ensure that only TMG validated sessions are passed onto the Client Access Server on Exchange 2010.
What are the other security threat vectors mitigated by inclusion of TMG in our exchange front end architecture design?
http://www.ntsystems.it/post/Web-Application-Proxy-in-Windows-2012-R2-preview.aspx
Here's what you get in 2012 R2 RTM. This is the way to go - not TMG...
web-app-proxy.PNG
ASKER
Hi carolchi
I was aware of TMG being EoL, but Microsoft says just because it's EoL doesn't stop users from deploying it, for it's way off from being end of support, and then there is time for extended support.
Advantages listed off TMG are many, e.g. URL categorization, time based blocking, HTTPS inspection, Offloading SSL processing from application servers, Detection of possible malware and enforcement of corporate policies etc.
Wonder if suggested Web App proxy will cover all this?
Web access proxy in no way replaces TMG. Unfortunately I don't see a product that does.
And of course, since IPv6 is implemented by default in 2012 R2, you are even less secure because as far as I can see the two NICs will communicate over IPv6 link-local and there is no way to stop it.
So you rely completely on your next generation firewall to do all the anti-malware and so on.
ASKER
To Sembee:
You wrote that personally you do not have issues in exposing CAS services to the internet directly. Working in an industry which is not bound by any mandatory regulations, just good security practices, why do you then maintain that reverse proxying CAS doesn't count toward mitigating certain risks?
What risks do you want to cover?
The combination of IIS and Exchange on a dedicated server (i.e. not doing anything else) has never been compromised. The compromises of IIS usually come down to poor password security or a poor third party tool.
It also adds an additional layer of complexity, many of the problems I see with Exchange are caused by things outside of Exchange.
The biggest security risk on any network is the same for everyone - the users. Wetware. If you can enforce good password policies you will knock out 95% of the problems.
If you are being targeted then there is nothing you can do to stop someone determined to get in.
Simon.
If you are being targeted and you spot the attack, then they aren't very good. All that the other measures do is block the stupid attackers who are just after your bandwidth and resources and not the data. That is very easy to block - just simple measures will make them move on to someone else.
If you are being flooded with traffic due to a malicious attack, then nothing you can put in place will stop that - it will require the interaction of the ISP to drop the traffic. TMG and the like are still getting the traffic and have to process it to drop it, and there are much better ways of doing it.
Horses for courses in most cases - for the vast majority of end users the additional complexity is not required.
Simon.
ASKER
We found 2 MS technologies where we felt comfortable but both of them have some pros and cons.
1. Forefront TMG
Pros: Matured technology in publishing Exchange.
• Only authenticated traffic hits CAS – preauthentication for OWA
• Deep application inspection – IDS like features (logs goes to MSS)
• Prevention from “Account lockout DOS attacks” by doing the soft lockout on TMG before accounts are actually locked out in the domain
Cons: product is getting expired
• Support until April 2015,
• Extended support until 2020,
• TMG is not supported on Windows 2012
2. Windows 2012 R2 – ARR Web Application Proxy
Pros:
• provides TMG like features
• Reverse proxy capabilities
• ADFS proxy capabilities
• Multifactor Authentication
Cons:
• New feature, to be tested, Not matured technology in publishing Exchange
• No packet inspection
Today, in Oct 2013, my take is to deploy TMG as a reverse proxy while MS support is still valid, and meanwhile to plan and test for the replacement of TMG before the end of next year, 2014.
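The "soft lockout" listed among the TMG pros above works by counting failed logons at the proxy and refusing to forward further attempts before the domain's own lockout threshold is reached, so a password-guessing burst cannot lock the real user out of AD. The following is an added illustration of that mechanism, not TMG's code or configuration; the domain policy (5 failures in 30 minutes), the proxy threshold and the lock duration are assumed values.

```python
# Added example, not from the thread: a soft-lockout counter of the kind a
# pre-authenticating reverse proxy can apply before the domain's own lockout.
from collections import deque
# Assumed domain policy (not from the page): AD locks after 5 failures in 30 minutes.
DOMAIN_LOCKOUT_THRESHOLD, DOMAIN_WINDOW_SECONDS = 5, 30 * 60

class SoftLockout:
    """Counts failed logons per account at the proxy and trips before AD would."""
    def __init__(self, threshold=DOMAIN_LOCKOUT_THRESHOLD - 2,
                 window=DOMAIN_WINDOW_SECONDS, lock_seconds=15 * 60):
        self.threshold, self.window, self.lock_seconds = threshold, window, lock_seconds
        self._failures = {}       # account -> deque of failure timestamps
        self._locked_until = {}   # account -> time the soft lock expires

    def _recent(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        return q

    def should_forward(self, account, now):
        """True if this logon attempt may be passed on to the domain."""
        if self._locked_until.get(account, 0) > now:
            return False
        return len(self._recent(account, now)) < self.threshold

    def record_result(self, account, now, ok):
        if ok:                    # a good password clears the failure history
            self._failures.pop(account, None)
            return
        q = self._recent(account, now)
        q.append(now)
        if len(q) >= self.threshold:   # soft lock; the domain account stays usable
            self._locked_until[account] = now + self.lock_seconds
            q.clear()

def simulate(attempts, policy=None):
    """Replay (time, account, ok) tuples; return (forwarded count, domain failures per account)."""
    policy = policy or SoftLockout()
    forwarded, domain_failures = 0, {}
    for t, account, ok in attempts:
        if not policy.should_forward(account, t):
            continue              # rejected at the proxy; the domain never sees it
        forwarded += 1
        if not ok:
            domain_failures[account] = domain_failures.get(account, 0) + 1
        policy.record_result(account, t, ok)
    return forwarded, domain_failures

# Constructed sample: ten bad passwords 2 s apart, then a correct one 20 min later.
SAMPLE_ATTEMPTS = [(i * 2.0, "alice", False) for i in range(10)] + [(20 * 60, "alice", True)]
```

Running `simulate(SAMPLE_ATTEMPTS)` shows the domain seeing only three failures, so the account never reaches AD's lockout threshold, while the legitimate logon after the soft lock expires is still forwarded.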