Network Firewall Configuration
This section provides informations about the default configuration of Forefront TMG in Windows EBS.
For additional details about configuring firewall settings, see Forefront TMG Help: On the Security Server, in the Threat Management Gateway console, press F1.
For a list of ports and protocols that are used by several Microsoft server technologies, see article 832017 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=127873).
System policy rules
The system policy rules in Forefront TMG are documented at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=127992).
The following table shows if the system policy rules are enabled or disabled by default in Windows EBS:
| Name | Policy Group | Status |
|---|---|---|
Allow access to directory services for authentication purposes |
Authentication Services |
Enabled |
Allow remote management from selected computers using MMC |
Remote Management |
Enabled Note In Windows EBS, the Management Server and the Security Server are members of the Remote Management Computers set by default. |
Allow remote management from selected computers using Terminal Server |
Remote Management |
Enabled |
Allow remote management from selected computers using a Web application |
Remote Management |
Enabled |
Allow remote logging to trusted servers using NetBIOS |
Remote Logging |
Disabled |
Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers |
Authentication Services |
Disabled |
Allow Kerberos authentication from Forefront TMG to trusted servers |
Authentication Services |
Enabled |
Allow DNS from Forefront TMG to selected servers |
Network Services |
Enabled Note This rule must be enabled before Forefront TMG can perform DNS queries. |
Allow DHCP requests from Forefront TMG to all networks |
Network Services |
Enabled |
Allow DHCP replies from DHCP servers to Forefront TMG |
Network Services |
Enabled |
Allow ICMP (PING) requests from selected computers to Forefront TMG |
Diagnostic Services |
Enabled |
Allow ICMP (PING) requests from Forefront TMG to selected servers |
Diagnostic Services |
Enabled |
Allow VPN client traffic to Forefront TMG |
This system policy rule is not modified through the system policy editor. |
This rule is enabled automatically by Forefront TMG when you enable VPN traffic. |
Allow VPN site-to-site traffic to Forefront TMG |
This system policy rule is not modified through the system policy editor. |
This rule is enabled automatically by Forefront TMG when you create a site-to-site network. |
Allow VPN site-to-site traffic from Forefront TMG |
This system policy rule is not modified through the system policy editor. |
This rule is enabled automatically by Forefront TMG when you create a site-to-site network. |
Allow Microsoft CIFS from Forefront TMG to trusted servers |
Authentication Services |
Enabled |
Allow remote SQL Server® logging from Forefront TMG to selected servers |
Remote Logging |
Disabled Note Enable this rule if you configure Forefront TMG to write log data to a remote SQL Server. |
Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads) |
Authentication Services |
Enabled |
Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers |
Diagnostic Services |
Disabled |
Allow remote performance monitoring of Forefront TMG from trusted servers |
Remote Monitoring |
Enabled |
Allow NetBIOS from Forefront TMG to trusted servers |
Diagnostic Services |
Disabled |
Allow RPC from Forefront TMG to trusted servers |
Authentication Services |
Enabled |
Allow HTTP/HTTPS from Forefront TMG to specified Microsoft error reporting sites |
Diagnostic Services |
Enabled |
Allow SecurID authentication from Forefront TMG to trusted servers |
Authentication Services |
Disabled |
Allow remote monitoring from Forefront TMG to trusted servers, using Microsoft Operations Manager (MOM) agent |
Remote Monitoring |
Enabled |
Allow HTTP/HTTPS requests from Forefront TMG to specified sites |
Various |
Enabled Note This rule allows Forefront TMG to communicate with sites in the System Policy Allowed Sites domain name set. |
Allow HTTP/HTTPS requests from Forefront TMG to specified Microsoft Update sites |
Various |
Enabled Note This rule allows Forefront TMG to communicate with sites in the Microsoft Update domain name set. |
Allow NTP from Forefront TMG to trusted NTP servers |
Network Services |
Enabled |
Allow SMTP from Forefront TMG to trusted servers |
Remote Monitoring |
Disabled |
Allow HTTP from Forefront TMG to selected computers for Content Download Jobs |
Various |
Disabled |
Allow MS Firewall Control communication to selected computers |
Remote Management |
Enabled |
Allow remote access to Configuration Storage server |
Configuration Storage Servers |
Enabled |
Allow access from trusted servers to the local Configuration Storage server |
Configuration Storage Servers |
Enabled |
Allow replication between Configuration Storage servers |
Configuration Storage Servers |
Enabled |
Allow intra-array communication |
Intra-array Communication |
Enabled |
Allow Remote Access to Forefront TMG Reporting |
Network Services |
Enabled |
Firewall policy rules
The following table lists the firewall policy rules that are configured by default in Forefront TMG in Windows EBS. These rules apply to all users in your network. The rules are processed in the order that they are listed in the table.
| Name | Type | Action | Protocol | Listening Port, Protocol Type, and Direction | ||
|---|---|---|---|---|---|---|
Allow incoming e-mail by publishing SMTP mail server |
Server publishing rule |
Allow traffic from anywhere to Security Server |
SMTP server |
25, TCP, inbound |
||
Microsoft Exchange Server publishing: Outlook Web Access |
Web publishing rule |
Allow traffic from the external Web listener to the remote Web site on Messaging Server |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Microsoft Exchange Outlook Anywhere and Terminal Services Gateway publishing rule (RPC over HTTPS) |
Web publishing rule |
Allow traffic from the external Web listener to the remote Web site on Messaging Server |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Microsoft Exchange Active Sync Web publishing rule |
Web publishing rule |
Allow traffic from the external Web listener to the remote Web site on Messaging Server |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Server publishing rule to redirect to Remote Web Workplace |
Web publishing rule |
Redirect HTTP requests to https://<RemoteName>/remote |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Remote Web Workplace Robots.txt Publishing Rule |
Web publishing rule |
Allow traffic from the external Web listener to the robots.txt file on the remote Web site on Messaging Server |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Remote Web Workplace Publishing Rule |
Web publishing rule |
Allow traffic from the external Web listener to the remote Web site on Messaging Server |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Allow DNS traffic from internal DNS Servers to external Forwarders or Root Hints |
Access rule |
Allow traffic from Management Server and Messaging Server to external networks |
DNS |
53, TCP, outbound 53, UDP, send receive |
||
Allow SMTP Mail Traffic from Security Server |
Access rule |
Allow traffic from Security Server to Messaging Server and to external networks |
SMTP |
25, TCP, outbound |
||
Allow Outbound SMTP Mail Traffic to Security Server |
Access rule |
Allow traffic from Messaging Server to Security Server |
SMTP |
25, TCP, outbound |
||
Allow Internet Access to All Users |
Access rule |
Allow traffic from all protected networks to external networks |
HTTP HTTPS |
80, TCP, outbound 443, TCP, outbound |
||
Allow Microsoft Exchange EdgeSync traffic from Messaging Server |
Access rule |
Allow traffic from Messaging Server to Security Server |
Microsoft Exchange EdgeSync |
50636, TCP, outbound |
||
Allow SCE Management Traffic from SCE Agent to Management Server |
Access rule |
Allow traffic from Security Server to Management Server |
HTTPS SCE AEM Agent SCE Agent SCE Health |
443, TCP, outbound 51906, TCP, outbound 5723, TCP, outbound 8530-8531, TCP, outbound |
||
Allow Time Synchronization of Internal Time Servers with Internet |
Access rule |
Allow traffic from Management Server and Messaging Server to external networks |
NTP (UDP) |
123, UDP, send receive |
||
Allow RDP (Terminal Services) from Messaging Server |
Access rule |
Allow traffic from the Messaging Server to the Security Server |
RDP (Terminal Services) |
3389, TCP, outbound |
||
Allow Windows Communication Foundation-based remote execution traffic between servers |
Access rule |
Allow traffic from Management Server and Messaging Server to the Security Server |
Windows Communication Foundation Net.TCP |
808, TCP, outbound |
||
Default rule |
Access rule |
Deny requests from all networks to all networks |
All traffic |
|
.gif "note")
NoteExternal Web listener settings
The following table lists properties of the default external Web listener that are associated with the Web publishing rules in Forefront TMG in Windows EBS.
| Setting | Value |
|---|---|
Selected networks |
External |
Client connections |
|
Certificate |
Single certificate, issued by the certification authority in Windows EBS Note For most organizations, it is recommended that you configure a public certificate instead of the private certificate that is issued by Windows EBS. This allows users to connect to Web services such as Remote Web Workplace with a Secure Sockets Layer (SSL) connection that is verified with a publically trusted certificate. For more information, see Certificates in Windows Essential Business Server. |
Authentication |
|
Web filtering rules
The following table lists the Web filtering rules that are configured in Forefront TMG in Windows EBS:
| Rule | Status |
|---|---|
DiffServ Filter |
Disabled |
Web Publishing Load Balancing Filter |
Enabled |
Compression Filter |
Enabled |
Authentication Delegation Filter |
Enabled |
Forms-Based Authentication Filter |
Enabled |
RADIUS Authentication Filter |
Enabled |
LDAP Authentication Filter |
Enabled |
Link Translation Filter |
Enabled |
Malware Inspection Filter |
Enabled |
HTTP Filter |
Enabled Note For more information about the default HTTP filter settings, see the following section. |
Caching Compressed Content Filter |
Enabled |
HTTP filter settings
The following table shows several settings for the default HTTP filter for Web publishing rules that are configured in Forefront TMG, such as rules that are configured for Outlook Web Access and Remote Web Workplace. This filter blocks HTTP requests that might be considered attacks because they are large or contain specific characters.
| Setting | Value |
|---|---|
Maximum headers length (bytes) |
32768 |
Allow any payload length |
Enabled |
Maximum URL length (bytes) |
10240 |
Maximum query length (bytes) |
10240 |
Verify normalization |
Enabled |
Block high-bit characters |
Enabled |
For detailed information about the settings for HTTP filtering in Forefront TMG, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=127993).
Note
When Verify normalization is enabled, Forefront TMG decodes URL-encoded HTTP requests to determine that the decoded request is valid. (URL-encoded requests contain a percent sign (%) followed by a particular number in place of certain characters. For example, %20 corresponds to a space.) Normalization helps prevent attacks that rely on double-encoded requests. Web services such as Outlook Web Access may use double encoding for particular requests, but these requests are filtered by Forefront TMG by default. To allow these requests, you need to disable Verify normalization for the Web publishing rule. To modify an HTTP filter setting, see Modify HTTP Filtering for Web Traffic.
Web proxy settings
The following table lists several of the default Web proxy configuration and cache settings.
| Setting | Value |
|---|---|
Web Proxy client connections |
Enabled on HTTP port 8080 |
Concurrent client connections |
Unlimited |
Connection timeout |
1800 seconds |
Firewall client support |
Enabled |
Bypass settings |
|
Publish autodiscovery information for this network |
Enabled |
Cache size |
Maximum of 20 GB or 10 GB Note The cache size is initially configured to allow at least 30% free space on the data storage volume for Security Server. |
Intrusion detection settings
In Windows EBS, Forefront TMG is configured by default to detect the following attacks:
Windows out-of-band (WinNuke)
Land
Ping of death
IP half scan
UDP bomb
DNS host name overflow
DNS length overflow