By default, the system policy allows the Forefront TMG firewall to access network resources that are critical to the proper functioning of the firewall. Depending on your specific deployment, you may want to lock down access to some of those services.
Depending on your specific deployment and the services that you require, you can determine which system policy configuration groups should be enabled. This section describes some of these deployment considerations.
When you disable a system policy configuration group, you are not necessarily preventing use of a particular protocol. This is because the same protocol may be specified in a different rule, which is enabled by a different configuration group.
When you install Forefront TMG, basic network services are enabled. After installation, Forefront TMG can access name resolution servers on all networks and time synchronization services on the Internal network.
If the network services are available on a different network, you should modify the applicable configuration group sources (DHCP, DNS, or NTP) to apply to the specific network. For example, if the DHCP server is not located on the internal network but on a perimeter network, modify the source for the DHCP configuration group (on the From tab) to apply to the perimeter network.
You can modify the system policy, so that only specific computers on the internal network can be accessed. Alternatively, you can add additional networks if the services are found elsewhere.
Modify these configuration groups, depending on which network services you require:
DHCP services
If your DHCP server is not located on the internal network, modify the system policy rule so that it applies to the network where the DHCP server is located.
Authentication services
One of the fundamental capabilities of Forefront TMG is the ability to apply a firewall policy to specific users. In order to authenticate users, Forefront TMG must be able to communicate with the authentication servers.
Modify these configuration groups, depending on which authentication services you require:
- Active Directory
- RADIUS
- RSA SecurID
- CRL Download
Enabling DCOM traffic
When the Microsoft Management Console (MMC) rules are enabled, remote procedure call (RPC) traffic is allowed to the Local Host network. However, by default, DCOM traffic is blocked. If you want to allow DCOM traffic, disable the “Allow remote management from selected computers using MMC” system policy rule. Then, create a rule allowing RPC traffic. After creating the rule, in the rule properties, configure the RPC protocol and clear the Enforce strict RPC compliance setting.
Windows and RADIUS authentication services
By default, Forefront TMG can communicate with AD DS servers (for Windows authentication) and with RADIUS servers located on the internal network. If you do not require Windows authentication or RADIUS authentication, disable the applicable system policy configuration groups.
Note:
- When you disable the Active Directory system policy configuration group, access to all LDAP protocols is effectively disabled. If you require the LDAP protocols, create an access rule allowing use of these protocols.
- If you require only Windows authentication, make sure you configure the system policy, disabling use of all other authentication mechanisms.
RSA SecurID authentication services
Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, make sure you enable this configuration group.
CRL authentication services
Certificate revocation lists (CRLs) cannot be downloaded by default, because the CRL Download configuration group is disabled by default. To enable CRL download, enable the CRL Download configuration group and apply it to the network entities on which the certificate revocation lists are located.
All HTTP traffic will be allowed from the Forefront TMG firewall to network entities listed on the To tab.
Remote management
Usually, you will manage Forefront TMG from a remote computer. Carefully determine which remote computers are allowed to manage and monitor Forefront TMG.
Modify these configuration groups, depending on how you perform remote management:
- Microsoft Management Console (MMC)
- Terminal Server
- Web Management
- ICMP (Ping)
By default, the system policy rules allowing remote management of Forefront TMG are enabled. Forefront TMG can be managed by running a remote Microsoft Management Console (MMC) snap-in, or by using Terminal Services.
By default, these rules apply to the built-in Remote Management Computers computer set. When you install Forefront TMG, this empty computer set is created. Add to this empty computer set all computers that will remotely manage Forefront TMG. Until you do this, remote management is not available from any computer.
Note: Limit remote management to specific computers by configuring the system policy rules to apply only to specific IP addresses.
Remote monitoring and logging
By default, remote logging, remote performance monitoring, and remote monitoring by Microsoft Operations Manager are disabled. The following configuration groups are disabled by default:
- Remote Logging (NetBIOS)
- Remote Logging (SQL)
- Remote Performance Monitoring
- Microsoft Operations Manager
Diagnostic services
By default, the system policy rules allowing access to diagnostics services are enabled, with the following permissions:
- ICMP—This service, allowed to all networks, is important for determining connectivity to other computers.
- Windows networking—Allows NetBIOS communication, by default, to computers on the Internal network.
- Microsoft error reporting—Allows HTTP access to the Microsoft Error Reporting sites URL set, to allow reporting of error information. By default, this URL set includes specific Microsoft sites.
- HTTP connectivity verifiers—Allows the Forefront TMG firewall to use the HTTP and HTTPS protocols to check whether a specific computer is responsive.
SMTP
By default, the SMTP configuration group is enabled, allowing SMTP communication from Forefront TMG to computers on the Internal network. This is required, for example, when you want to send alert information in an e-mail message.
Important: It is recommended that you do not enable the SMTP configuration group if you do not send alert information in an e-mail message.
Scheduled download jobs
By default, the scheduled download jobs feature is disabled. The Scheduled Download Jobs configuration group is disabled as long as this feature is disabled.
When you create a content download job, you will be prompted to enable this system policy rule. Forefront TMG will be able to access the sites specified in the content download job.
Accessing the Microsoft Web site
The default system policy allows HTTP and HTTPS access from the Local Host network (that is, the Forefront TMG firewall) to the Microsoft.com Web site. Access to the Microsoft.com Web site is required for several reasons, such as downloading antivirus and Network Inspection System signature updates, error reporting, or accessing the product documentation on the Forefront TMG Web site.
By default, the Allowed Sites configuration group is enabled, allowing Forefront TMG to access content on specific sites that belong to the System Policy Allowed Sites domain name set.
By default, this domain name set includes various Microsoft Web sites. You can modify the domain name set to include additional Web sites, which Forefront TMG will be allowed to access.
HTTP and HTTPS access will be allowed to the specified Web sites.
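Two points in this section are easy to get wrong when auditing a lockdown: disabling a configuration group does not necessarily block a protocol, because another enabled group's rule may carry the same protocol (as the opening section states), and remote management stays unavailable while the Remote Management Computers computer set is empty. The following Python model is an added example, not Forefront TMG code and not its real rule set: the rule names, the "CRL Servers" and "Verifier targets" network entities, and the sample address 10.0.0.5 are constructed for illustration. It evaluates which enabled rules allow a given protocol between a source and a destination, and reports what remains reachable after a group is switched off.

```python
"""Constructed model of system policy configuration groups: which rules still
allow a protocol once a group is disabled. Not the product's own rule set."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    group: str                    # configuration group that enables this rule
    protocols: FrozenSet[str]
    sources: FrozenSet[str]       # network names or computer-set names (From tab)
    destinations: FrozenSet[str]  # network entity names (To tab)


@dataclass
class Policy:
    rules: List[Rule]
    enabled_groups: Set[str]
    # computer-set name -> member addresses; an empty set matches no computer
    computer_sets: Dict[str, Set[str]] = field(default_factory=dict)

    def _source_matches(self, rule: Rule, src: str) -> bool:
        # src is a network name ("Local Host") or an address that must belong
        # to one of the computer sets named on the rule's From tab
        if src in rule.sources:
            return True
        return any(src in self.computer_sets.get(cs, set()) for cs in rule.sources)

    def allowing_rules(self, protocol: str, src: str, dst: str) -> List[str]:
        """Names of enabled rules that permit protocol from src to dst."""
        return [
            r.name for r in self.rules
            if r.group in self.enabled_groups
            and protocol in r.protocols
            and self._source_matches(r, src)
            and dst in r.destinations
        ]

    def is_allowed(self, protocol: str, src: str, dst: str) -> bool:
        return bool(self.allowing_rules(protocol, src, dst))

    def _without(self, group: str) -> "Policy":
        return Policy(self.rules, self.enabled_groups - {group}, self.computer_sets)

    def residual_access_after_disabling(self, group: str) -> Dict[Tuple[str, str, str], List[str]]:
        """For each (protocol, src, dst) the group's rules permit, the other
        enabled rules that still permit it; an empty list means really blocked."""
        trial = self._without(group)
        result: Dict[Tuple[str, str, str], List[str]] = {}
        for r in self.rules:
            if r.group != group:
                continue
            for proto in sorted(r.protocols):
                for src in sorted(r.sources):
                    for dst in sorted(r.destinations):
                        result[(proto, src, dst)] = trial.allowing_rules(proto, src, dst)
        return result

    def protocols_still_usable(self, group: str) -> Set[str]:
        """Protocols carried by the group's rules that some other enabled rule
        still allows (to any destination) once the group is disabled."""
        trial = self._without(group)
        carried = set().union(*(r.protocols for r in self.rules if r.group == group))
        live = [r for r in trial.rules if r.group in trial.enabled_groups]
        return {p for p in carried if any(p in r.protocols for r in live)}


def build_sample_policy() -> Policy:
    """Constructed rule set loosely following the groups described on this page."""
    LH = frozenset({"Local Host"})
    rules = [
        Rule("Allow DNS from Forefront TMG", "DNS", frozenset({"DNS"}), LH, frozenset({"All Networks"})),
        Rule("Allow AD authentication", "Active Directory", frozenset({"LDAP", "LDAPS", "Kerberos"}), LH, frozenset({"Internal"})),
        Rule("Allow CRL download", "CRL Download", frozenset({"HTTP"}), LH, frozenset({"CRL Servers"})),
        Rule("Allow error reporting", "Microsoft Error Reporting", frozenset({"HTTP"}), LH, frozenset({"Microsoft Error Reporting sites"})),
        Rule("Allow HTTP connectivity verifiers", "HTTP Connectivity verifiers", frozenset({"HTTP", "HTTPS"}), LH, frozenset({"Verifier targets"})),
        Rule("Allow access to allowed sites", "Allowed Sites", frozenset({"HTTP", "HTTPS"}), LH, frozenset({"System Policy Allowed Sites"})),
        Rule("Allow remote management using MMC", "Microsoft Management Console (MMC)", frozenset({"RPC"}), frozenset({"Remote Management Computers"}), LH),
    ]
    # CRL Download is off by default, as the text notes; the computer set starts empty
    enabled = {"DNS", "Active Directory", "Microsoft Error Reporting",
               "HTTP Connectivity verifiers", "Allowed Sites", "Microsoft Management Console (MMC)"}
    return Policy(rules, enabled, {"Remote Management Computers": set()})


if __name__ == "__main__":
    p = build_sample_policy()
    print("HTTP still usable after disabling Allowed Sites:", p.protocols_still_usable("Allowed Sites"))
    print("LDAP still usable after disabling Active Directory:", p.protocols_still_usable("Active Directory"))
    print("RPC from 10.0.0.5 with empty computer set:", p.is_allowed("RPC", "10.0.0.5", "Local Host"))
```

Disabling Allowed Sites in this model leaves HTTP and HTTPS usable from Local Host through the connectivity verifier and error reporting rules, while disabling Active Directory leaves no enabled rule carrying LDAP, which is the effect the note in the authentication section describes. Remote management from an address is only allowed once that address is a member of the computer set the MMC rule references.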