Why the Forefront TMG is a Cornerstone of Essential Business Server (EBS) Network Security
If you have not had a chance to check out the Microsoft Essential Business Server (EBS) product, you should carve out some time from your busy schedule to take a look at it. Take a look at the public preview software for EBS.
EBS is a three server solution designed for small or mid-sized businesses with up to 300 PCs. The EBS solution includes three servers, which can be run as physical or virtual machines. There is the Management Server, which is a domain controller and file server that also runs System Center Essentials. There is the Messaging Server, which is also a domain controller, and runs Exchange 2007. And finally there is the Security Server, which runs the Threat Management Gateway (TMG) Medium Business Edition. TMG is the next version of the ISA firewall. In addition to running TMG, the Security Server also runs Exchange Edge Server for anti-spam protection.
From what I have heard, there are a number of people who want the EBS solution but would like to deploy it without the Security Server. The reason most of these people give for not wanting the Security Server is that they already have a “firewall” and therefore do not think they need the TMG component, or that the TMG firewall adds too much complexity to what they consider an otherwise “simple” network security configuration.
At first blush you might think “sure, that is a valid request. If the customer already has a firewall, why introduce a second firewall into the mix?” The problem with this thinking is that the EBS team put a great deal of work into thinking about the EBS threat models and how to make sure that all components of the solution have adequate defenses against the enumerated threats.
The TMG in the EBS solution allows remote access to a number of services on the EBS network. Some examples of the services to which users can gain remote access include OWA, RPC/HTTP, Exchange ActiveSync, Terminal Services and Terminal Services Gateway, and SMTP. And these are the default settings. In a production network, you’ll likely see the TMG allow inbound access to POP3S, IMAP4S, DNS and other protocols.
Given all the remote access traffic that the EBS solution supports, you need to be assured that the connections from the external clients can be trusted. The problem the EBS team has, and that you as a potential EBS customer have, is this: how can you define the threat model and the response to it if you can’t control the nature of the defenses against those threats?
The type of “firewall” that small and midsized businesses might already have in place can vary widely. In most cases, the “firewall” they are currently using is little more than a NAT device that also provides some NAT editors and the ability to perform reverse NAT or “port forwarding” for UDP and TCP ports. Some of them might even include a rudimentary remote access VPN server or even support site to site VPN connections. Other “firewalls” the customer might have in place might include some degree of content filtering or even anti-malware capabilities.
The thing is, the EBS team does not know what kind of “firewall” you already have in place. But they do know what security features and capabilities the TMG has. The TMG provides an exceptionally high level of security for remote access connections by providing pre-authentication for inbound connections to Web servers, a firewall-generated log on page, protections against anonymous attacks, an HTTP Security Filter to ensure HTTP protocol stream compliance and security, an SMTP filter to block SMTP exploits, an Exchange Edge Server to prevent spam and its attendant malware and phishing attacks from entering the network over the SMTP protocol channel, strong outbound access control on a per user, per group, per protocol, per site basis, network flood protection, stateful packet and application layer inspection for all communications through and to the TMG firewall (including remote access VPN connections), and many more security capabilities.
Thus, the threat and response model for the EBS solution is based on a relatively sophisticated set of network security tools that are available with the TMG. Yes, it is possible that a small or midsized business has paid thousands of dollars for another firewall solution that can provide some of the features included in the TMG feature set, but it is unlikely that a non-TMG firewall could provide all the features that are used to provide the strong inbound and outbound access controls and connection scrubbing that the TMG firewall can provide.
So, rather than thinking of the TMG as a potential burden to your network, think of it as a unique opportunity to increase your network’s security posture to a level that your network has not seen before. This is not to say that you need to get rid of your current network firewall. Two heads are better than one, and two firewalls are better than one. The EBS team has done a great job at making it easy to drop in the TMG firewall behind your existing firewall. After the TMG firewall is installed, all you need to do on your existing firewall is configure some port forwarding rules for HTTP, HTTPS, SMTP, RDP and other protocols, so that they are redirected to the external IP address on the TMG firewall.
While at first glance it might seem that the TMG adds needless complexity to the EBS network configuration, the fact is that the EBS installer does most of the heavy lifting for you, so you do not really need to understand the internals of the TMG installation and configuration during the initial setup. The only thing you need to do is configure the old firewall with port forwarding rules. You do not even need to renumber your network or change the default gateway settings on the machines on your network.
The bottom line is that the TMG firewall allows you to roll out a secure EBS networking solution using a known, standard security model that is common to all EBS network scenarios. Sure, you can go in and break the EBS TMG security model by creating insecure rules, but out of the box, the settings ensure a well-defined baseline for network security, something you can’t say if you had stayed with the old “firewall” or NAT device and had not introduced the TMG firewall into the design.
I would like to hear what you think about the TMG as part of the EBS solution. Send me a note at firstname.lastname@example.org and I’ll discuss your opinions in the next newsletter.
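To make the port-forwarding step concrete, here is an added example (not code from the article, from Microsoft, or from the EBS product) that audits the old front-end firewall's forwarding table against this design: every published port must be redirected to the TMG external address, and nothing beyond the listed services should be forwarded. The TMG external IP, the internal host addresses and the two sample tables are assumed values constructed for the example.

```python
# Added example, not part of the original article: audit a front-end NAT
# device's port-forwarding table against the EBS design, in which every
# published service is redirected to the TMG firewall's external IP.
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed address for the TMG Security Server's external interface.
TMG_EXTERNAL_IP = "192.168.100.2"

# Services the article says the existing firewall must forward to TMG,
# keyed by (protocol, external port) using the standard port numbers.
EXPECTED_FORWARDS = {
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS (OWA, RPC/HTTP, ActiveSync, TS Gateway)",
    ("tcp", 25): "SMTP (Exchange Edge)",
    ("tcp", 3389): "RDP (Terminal Services)",
}

@dataclass(frozen=True)
class Forward:
    """One reverse-NAT rule on the old firewall: external port -> host:port."""
    proto: str
    ext_port: int
    dst_ip: str
    dst_port: int

def audit_forwards(rules):
    """Return findings for a forwarding table; an empty list means it matches the design."""
    findings = []
    seen = set()
    for r in rules:
        key = (r.proto.lower(), r.ext_port)
        seen.add(key)
        if key not in EXPECTED_FORWARDS:
            # Anything beyond the published services widens the exposed surface.
            findings.append(f"unexpected inbound forward {key[0]}/{key[1]} -> {r.dst_ip}:{r.dst_port}")
        elif ip_address(r.dst_ip) != ip_address(TMG_EXTERNAL_IP):
            # A forward that lands on an EBS server directly skips TMG's inspection.
            findings.append(f"{key[0]}/{key[1]} bypasses TMG: forwarded to {r.dst_ip}")
    for key, name in EXPECTED_FORWARDS.items():
        if key not in seen:
            findings.append(f"missing forward for {name} ({key[0]}/{key[1]})")
    return findings

# Constructed sample tables: one that follows the design and one that does not.
GOOD_TABLE = [Forward("tcp", p, TMG_EXTERNAL_IP, p) for p in (80, 443, 25, 3389)]
BAD_TABLE = [
    Forward("tcp", 443, TMG_EXTERNAL_IP, 443),
    Forward("tcp", 25, TMG_EXTERNAL_IP, 25),
    Forward("tcp", 3389, "192.168.1.10", 3389),  # RDP straight to an internal host (assumed)
    Forward("tcp", 21, "192.168.1.11", 21),      # FTP is not part of the design
]

if __name__ == "__main__":
    for label, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(label, audit_forwards(table) or ["OK"])
```

Running the script reports no findings for the first table and three for the second (an RDP rule that bypasses TMG, an unexpected FTP forward, and a missing HTTP forward).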
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)