Forefront Threat Management Gateway 2010
Comprehensive, secure Web gateway to help protect employees from Web-based threats
Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections that are integrated into a unified, easy to manage gateway, reducing the cost and complexity of Web security.
The Forefront TMG solution includes two separately licensed components:
Forefront TMG server that provides URL filtering, antimalware inspection, intrusion prevention, application- and network-layer firewall and HTTP/HTTPS inspection in a single solution
Forefront TMG Web Protection Service that provides the continuous updates for malware filtering and access to cloud-based URL filtering technologies aggregated from multiple Web security vendors to protect against the latest Web-based threats.
- Multiple URL filtering data sources for improved blocking of malicious Web sites;
- Highly accurate antimalware engine;
- Intrusion prevention against exploitation of vulnerabilities;
- Built-in, proven network protection technologies of ISA 2006.
- Multiple Web security technologies integrated into a single solution;
- Authentication, update, policy distribution and reporting infrastructure investments.
- Single interface for managing Web security policy;
- Comprehensive logging and reporting.
- URL Filtering: Destination URLs are examined for compliance with corporate policy and for malicious potential of destination Web site. Forefront TMG uses Microsoft Reputation Services for URL filtering, combining multiple sources to increase coverage of URLs and categorization.
- Web antivirus/anti-malware protection: Inbound and outbound Web traffic is inspected for viruses and malware, including archived folders. Encrypted folders can be blocked. For large files, users are trickled the file to assure them the file is being downloaded.
- E-mail security: Forefront TMG provides central management for Exchange and Forefront Protection 2010 for Exchange when located on the same server. Forefront TMG does not include either Exchange or Forefront Protection 2010 for Exchange. Both must be purchased and installed separately.
- HTTPS inspection: HTTPS-encrypted sessions can be inspected for malware or exploits. Specific groups of sites—such as banking sites—can be excluded from inspection for privacy reasons. Users of the TMG Firewall Client can be notified of the inspection.
- Network Inspection System (NIS): Traffic can be inspected for exploits of Microsoft vulnerabilities. Based on protocol analysis, NIS enables blocking of classes of attacks while minimizing false positives. Protections can be updated as needed.
- Enhanced Network Address Translation (NAT): Forefront TMG now enables you to specify individual e-mail servers that can be published on a 1-to-1 NAT basis.
- Enhanced Voice over IP support: Forefront TMG includes SIP traversal, enabling simpler deployment of Voice over IP within the network.
- Windows Server 64-bit support: Forefront TMG is installed on Windows Server 2008 with 64-bit support.
- Multi-layer firewall: Forefront TMG provides access control and protection on three layers: packet filtering, stateful inspection, and application layer filtering;
- Application layer filtering: Forefront TMG provides deep content filtering through built-in application filters;
- Granular HTTP controls:Forefront TMG delivers customizable, granular controls to HTTP traffic, including: File download controls, Signature-based blocking, HTTP method controls. Forefront TMG provides strong controls over Web-based threats;
- DoS protections: Forefront TMG provides resiliency against flood attacks and re-allocates resources to provide higher security inspection;
- Extensive protocol support: Forefront TMG delivers out-of-the-box support for many protocols. New protocols can be defined.
Highly Secure Application Publishing
- Highly secure e-mail access from Outlook Client: Remote users can access Exchange Server using the full Outlook MAPI client over the Internet without establishing a VPN connection. The connection is encrypted for security;
- Simple Outlook Web Access and Microsoft Office SharePoint Server publishing: Simple wizards allow quick configuration of remote access for both Outlook Web Access and SharePoint servers. Outlook Web Access users can be authenticated at the Forefront TMG server, preventing attacks by unauthenticated users;
- Highly secure publishing of Web servers, internal servers, and Terminal Services: Remote users can access internal resources or Web servers more securely. Link translation is provided;
- Single sign on: Forefront TMG allow users to access a group of published Web sites without being required to authenticate with each Web site;
- Delegation of basic authentication: Forefront TMG helps protect published Web sites from unauthenticated access by requiring the Forefront TMG firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server;
- Link translation to internal servers: Forefront TMG includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. Implements link translation automatically during Web publishing;
- SSL bridging support: To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL protected packets to be decrypted by Forefront TMG, inspected, and re-encrypted.
Virtual Private Networks
- Site-to-site VPN: Forefront TMG enables quick connectivity between sites via wizard-based approach. Also can be configured for tunnel-mode IPSec for support of third party devices;
- Remote access VPN: Forefront TMG provides termination of L2TP/IPSec and PPTP VPN sessions, using the native Windows VPN services;
- Inspection of VPN traffic: VPN traffic terminated on the Forefront TMG server is inspected according to the appropriate security policy;
- VPN quarantine: Forefront TMG provides deep VPN client inspection and integration of your firewall policy;
- SecureNAT for VPN clients: Forefront TMG helps ensure remote users connected to the network can gain Internet access while maintaining a strong security policy for the corporate network;
- Publish VPN servers: Forefront TMG can be used to publish internal Windows Servers as VPN servers.
- Enterprise policy: Policy can be assigned to gateways, arrays, or enterprise-wide;
- Easy-to-use wizards: Forefront TMG simplifies configuration with multiple wizards for features such as Web publishing, Web access, and array configuration;
- Real-time monitoring and reporting: Logs may be viewed real-time or historically – including active sessions;
- Query building: With a built-in query tool, historical data can be found quickly. Complex queries can be built;
- Report creation and publishing: Reports can be designed for specific needs and then published locally or to a network file share;
- External logging: Logs may be sent to a Microsoft SQL Server located on the internal network;
- Delegated permissions: Admin roles can be delegated to users or groups.
Networking and Performance
- Network load balancing: Forefront TMG leverages network load balancing to provide fail over and scaling of performance;
- Network-based configuration: You may configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. Forefront TMG extends the firewall and security features to apply to traffic between any networks or network objects;
- Caching: Forefront TMG provides caching to improve user experience and reduce bandwidth costs. With the centralized cache rule mechanism of Forefront TMG, you can configure how objects stored in the cache are retrieved and served from the cache;
- Background Intelligent Transfer Service (BITS) caching: Forefront TMG provides the caching mechanism for data received through BITS. Any cache rule that you create can be enabled to cache BITS data;
- HTTP compression: You can reduce file size by using algorithms to eliminate redundant data during transmission of HTTP packets;
- Diffserv (Quality of Service): Forefront TMG includes packet prioritization functionality (provided by the Diffserv Web filter), which scans the URL or domain and assigns a packet priority using Diffserv bits.