Change the Security Level

Applies To: Windows Essential Business Server

Windows Essential Business Server (Windows EBS) configures Forefront Threat Management Gateway (Forefront TMG) on the Security Server to help protect your network. The security settings that Windows EBS enforces may be more restrictive than the settings in your existing firewall. You can use the Change the Security Level task to quickly adjust the security settings in Forefront TMG. This can aid in diagnosing issues where specific applications cannot access the Internet.

About the Change the Security Level task

You can use this task to set the security level to the appropriate amount of protection for your network. The following table summarizes the protection methods that are enabled at each level.

Level / Feature                    Low   Medium-low   Medium   Medium-high   High

Authenticated user access                                                      X
Packet filtering                                                   X           X
Attack inspection                                         X        X           X
Web and server publishing rules            X              X        X           X
Web caching                         X      X              X        X           X
E-mail spam filtering               X      X              X        X           X

(X = protection method enabled at that level. Each level keeps everything enabled at the levels below it.)

Changes made to Forefront Threat Management Gateway

After you select a level in the Change the Security Level task, Forefront TMG creates and configures firewall rules according to the following table.

Security level Changes made to Forefront TMG

Low

  • A new rule, Windows Essential Business Server added: Allow all traffic, is added at the top of the rule list. This rule opens Internet access to all applications and all users.

  • Intrusion detection is turned off.

  • Flood mitigation is turned off.

  • DNS attack detection is turned off.

  • Network address translation (NAT) is turned off.

Medium-low

  • A new rule, Windows Essential Business Server added: Allow all traffic, is added after the Web and server publishing rules. With this order, Web and server publishing rules are evaluated before the Windows Essential Business Server added: Allow all traffic rule. The Windows Essential Business Server added: Allow all traffic rule opens Internet access to all applications and all users, bypassing any restrictions in the Web access rules.

  • Intrusion detection is turned off.

  • Flood mitigation is turned off.

  • DNS attack detection is turned off.

Medium

  • A new rule, Windows Essential Business Server added: Allow all traffic, is added after the Web publishing rules. The Windows Essential Business Server added: Allow all traffic rule opens Internet access to all applications and all users and overrides other Web access rules.

Medium-high

  • The Internet access rule is set to allow all users. Internet traffic is inspected by using all default Forefront TMG protection mechanisms. Only outbound HTTP and HTTPS traffic is allowed.

High

  • A new rule, Windows Essential Business Server added: Deny Internet access to non-authenticated users, is added before the Windows Essential Business Server added: Allow all traffic rule to deny access to unauthenticated users.

Changing security levels

To use the Change the Security Level task during installation

  1. After you install the Security Server, start the Configuration and Migration Tasks checklist on the Management Server.

  2. In the Configuration and Migration Tasks checklist, click the Change the security level item, and then click the Change the security level link.

  3. In the dialog box, select a security level, and then click Apply.

To use the Change the Security Level task after installation

  1. On the Windows Essential Business Server Administration Console, click the Security tab.

  2. Click the Network firewall component, and then click the Change the security level task in the task pane.

  3. In the dialog box, select a security level, and then click Apply.

Recommendations

Recommended levels

The following table shows the recommended security levels for configurations that use Forefront TMG exclusively and for configurations that have an additional firewall.

Firewall configuration / Security level   Low   Medium-low   Medium   Medium-high   High

Forefront TMG only                                                    X           X
Front-end firewall with Forefront TMG      X       X           X      X           X

(X = recommended level for that configuration.)

The higher the security level, the more protection is provided to your network. In general, set the level to Medium-high or higher, unless an enterprise-level hardware firewall sits in front of Forefront TMG or you are temporarily lowering the level to diagnose an Internet access problem. If you lower the level for diagnosis, return it to the recommended level as soon as the problem is identified.

Save settings

Before running the Change the Security Level task, you should save your network firewall settings. For more information, see “Save or Restore Network Firewall Settings” (https://go.microsoft.com/fwlink/?LinkID=159017).

Considerations

Keep the following considerations in mind when using the Change the Security Level task to configure Forefront TMG.

  • If you clear the "I have an additional front-end firewall protecting my network" check box, you cannot set the security level lower than Medium-high.

  • The Change the Security Level task does not change the security level if there are Forefront TMG rules that create a conflict.
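The following PowerShell script is an added example, not part of the Windows EBS documentation or product. It reads the Forefront TMG firewall policy through the TMG administration COM object on the Security Server and does two things the page describes: it reports what the position of the two task-managed rules ("Windows Essential Business Server added: Allow all traffic" and "Windows Essential Business Server added: Deny Internet access to non-authenticated users") implies about the level currently applied, using the rule-order table under "Changes made to Forefront Threat Management Gateway", and it lists the rules that the conflict check is most likely to reject (access rules on HTTP, HTTPS or all outbound traffic, as described under "Security level issues"). Assumptions: the script runs in an elevated PowerShell session on the Security Server where FPC.Root is registered; the numeric values used for the FpcPolicyRuleTypes, FpcPolicyRuleActions and FpcProtocolSelectionType enumerations are taken from the ISA Server/TMG SDK as I recall them and should be checked against the SDK; the function names are my own.

```powershell
# Added example; not part of the Windows EBS documentation or product.
# Audits the Forefront TMG firewall policy on the Security Server: lists the
# rules in evaluation order, reports what the position of the two rules the
# Change the Security Level task manages implies about the applied level, and
# flags rules that the task's conflict check is likely to reject.
# Assumptions: elevated PowerShell session on the Security Server with the TMG
# administration COM object (FPC.Root) registered. Enumeration values below
# follow the ISA Server/TMG SDK as I recall them; verify against the SDK.

$AllowAllName   = 'Windows Essential Business Server added: Allow all traffic'
$DenyUnauthName = 'Windows Essential Business Server added: Deny Internet access to non-authenticated users'
$EbsPrefix      = 'Windows Essential Business Server added:*'

$RuleTypeNames   = @{ 0 = 'Access'; 1 = 'WebPublishing'; 2 = 'ServerPublishing' }   # FpcPolicyRuleTypes
$RuleActionNames = @{ 0 = 'Allow'; 1 = 'Deny' }                                      # FpcPolicyRuleActions

function Get-TmgPolicyRules {
    # Returns the array policy rules as plain objects, numbered in evaluation order.
    $root  = New-Object -ComObject 'FPC.Root'
    $array = $root.GetContainingArray()
    $rules = @()
    $order = 0
    foreach ($r in $array.ArrayPolicy.PolicyRules) {
        $order++
        $protocols   = @()
        $allOutbound = $false
        if ([int]$r.Type -eq 0) {
            # fpcAllProtocols (0) is what the console shows as "All outbound traffic"
            $allOutbound = ([int]$r.AccessProperties.ProtocolSelectionMethod -eq 0)
            foreach ($p in $r.AccessProperties.SpecifiedProtocols) { $protocols += $p.Name }
        }
        $rules += New-Object PSObject -Property @{
            Order       = $order
            Name        = [string]$r.Name
            Type        = $RuleTypeNames[[int]$r.Type]
            Action      = $RuleActionNames[[int]$r.Action]
            Enabled     = [bool]$r.Enabled
            AllOutbound = $allOutbound
            Protocols   = $protocols
        }
    }
    return $rules
}

function Get-LevelObservations {
    param([object[]]$Rules)
    # Maps rule order onto the levels described in the "Changes made" table.
    $notes      = @()
    $allowAll   = $Rules | Where-Object { $_.Name -eq $AllowAllName }   | Select-Object -First 1
    $denyUnauth = $Rules | Where-Object { $_.Name -eq $DenyUnauthName } | Select-Object -First 1

    if (-not $allowAll) {
        $notes += 'No "Allow all traffic" rule: consistent with Medium-high (default protection, outbound HTTP/HTTPS only).'
        return $notes
    }
    if (-not $allowAll.Enabled) { $notes += 'The "Allow all traffic" rule exists but is disabled.' }

    if ($denyUnauth -and $denyUnauth.Order -lt $allowAll.Order) {
        $notes += 'Deny rule for unauthenticated users precedes "Allow all traffic": consistent with High.'
    } elseif ($allowAll.Order -eq 1) {
        $notes += '"Allow all traffic" is first in the list: consistent with Low (NAT, intrusion detection, flood mitigation and DNS attack detection should also be off).'
    } else {
        $serverAfter = $Rules | Where-Object { $_.Order -gt $allowAll.Order -and $_.Type -eq 'ServerPublishing' }
        if ($serverAfter) {
            $notes += 'Server publishing rules are evaluated after "Allow all traffic": consistent with Medium.'
        } else {
            $notes += 'All publishing rules precede "Allow all traffic": consistent with Medium-low (Medium looks the same when there are no server publishing rules).'
        }
    }
    return $notes
}

function Find-LevelConflictCandidates {
    param([object[]]$Rules)
    # Access rules not managed by the task that apply to HTTP, HTTPS or all
    # outbound traffic: the rules the page says to disable, delete or rename back.
    $Rules | Where-Object {
        $_.Type -eq 'Access' -and $_.Name -notlike $EbsPrefix -and
        ($_.AllOutbound -or ($_.Protocols -contains 'HTTP') -or ($_.Protocols -contains 'HTTPS'))
    }
}

$rules = Get-TmgPolicyRules
$rules | Sort-Object Order | Format-Table Order, Name, Type, Action, Enabled -AutoSize
Get-LevelObservations -Rules $rules | ForEach-Object { "OBSERVATION: $_" }

$candidates = @(Find-LevelConflictCandidates -Rules $rules)
if ($candidates.Count -gt 0) {
    'Review these rules before running Change the Security Level (HTTP/HTTPS/all outbound traffic):'
    $candidates | Format-Table Order, Name, Enabled, AllOutbound, @{ n = 'Protocols'; e = { $_.Protocols -join ', ' } } -AutoSize
}
```

The candidate list deliberately includes the default Forefront TMG access rules as well as rules you created, because the script cannot tell who created a rule; compare the names against a saved copy of the default policy (see "Save or Restore Network Firewall Settings") to spot default rules that were renamed. Run the script once before applying a level, so you know the starting order, and once after, to confirm the task placed the rules where the table says it should.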

Security level issues

  • If you set the security level to Low, NAT is turned off. Forefront TMG is configured to route traffic from the external network to the internal network. You need to add rules to your front-end firewall so that external network traffic that is destined for published Web sites and for internal computers is forwarded to the external IP address of the Security Server. For more information, see the documentation for the front-end firewall.

  • If you set the security level to a level other than Low, NAT is turned on (or remains on). Forefront TMG is configured to translate addresses on all traffic between the external and internal networks. You need to add rules to your front-end firewall so that external network traffic that is destined for published Web sites is forwarded to the external IP address of the Security Server.

  • If you customize attack protection settings in Forefront TMG, you could create a conflict with the settings in the Change the Security Level task. If you get an error message notifying you of a conflict, restore your attack protection settings in Forefront TMG to the default levels. For more information, see “Save or Restore Network Firewall Settings” (https://go.microsoft.com/fwlink/?LinkID=159017).

  • Rules that you create or rename could conflict with the Change the Security Level task. If you get an error message notifying you of a conflict, try the following:

    • Disable or delete the Forefront TMG rules that you created and that are applied to the HTTP or HTTPS protocol.

    • Disable or delete the Forefront TMG rules that you created and that are applied to the All outbound traffic protocol.

    • If you changed the names of default Forefront TMG rules, change them back to the original name.

  • If you set the security level to Medium or lower, network traffic from SecureNAT clients to the Internet is blocked. You need to do one of the following: