Microsoft Forefront: Secure Access to Your Cloud Services

You can provide secure access to cloud services while maintaining business continuity using Forefront Threat Management Gateway 2010.

Yuri Diogenes

There are still concerns about moving to cloud computing. Security is at the top of the list. As you plan your company’s migration to the cloud, you want to ensure that your current business is not interrupted. Your users need continuous access to their business applications—now hosted in cloud services—and in a secure and highly available manner.

There are other concerns as well. What if all my internal clients can’t access the cloud? Now that my e-mail system is on the cloud, what will happen if there’s an interruption in Internet access? As more people are required to stay connected to the Internet to access our cloud services, what should we do to guarantee security and productivity? These are common questions as you plan your migration to the cloud. The answers will shape the future deployment for the company.

While security and availability are the greatest concerns for companies moving to the cloud, cost savings is certainly the biggest driver. Cloud computing can help you achieve cost savings in new ways like adopting a “pay per usage” scheme or reducing datacenter facility costs.

Most companies need to be able to rapidly scale up or down, deliver a rich experience across all devices (including PCs, mobile devices and browsers) and align those needs without compromising data security. Forefront Threat Management Gateway (TMG) 2010 can help you securely access the cloud services and productivity tools you and your user community need to continue doing business.

Moving to the Cloud

For most businesses, migrating to the cloud starts by moving various business functions like productivity tools. This includes e-mail, team collaboration Web sites, instant messaging/videoconferencing and content-creation applications. These productivity tools are the engine of your business. They’re the core of your business and need to be always available, whether your user is at their desk or working remotely from a hotel or at a customer’s site (see Figure 1).

Figure 1 Office 365 is the Microsoft Cloud solution for business productivity

Figure 1 Office 365 is the Microsoft Cloud solution for business productivity

Let’s examine a hypothetical situation using a fictional company called Contoso. We’ll follow Contoso through the steps of planning and migrating to the cloud. The company is planning to move all of its business-productivity tools to the cloud. The first phase of the project is to use Exchange Online to move the e-mail system to the cloud for employees located in the United States.

There are four core prerequisites for this first phase (see Figure 2):

  • Internal users must not be affected if the Internet connection of the current ISP goes down
  • Users accessing their cloud e-mail system must be protected against potential threats. coming from the Internet
  • The company can enforce a central security policy on remote branches
  • Users must be prevented from accessing sites not allowed by the company’s security policy

Figure 2 These four pillars must be in place for the first phase

Figure 2 These four pillars must be in place for the first phase

High Availability

Forefront TMG 2010 can meet Contoso’s requirements for Phase 1 of the migration (see Figure 3). In order to comply with the high-availability requirements, use the following Forefront TMG 2010 features:

  • ISP-Redundancy: Contoso can have Internet access even if the current ISP provider is down. To accomplish this, another Internet path will be necessary, usually via another ISP.
  • Integrated Network Load Balancing (NLB): By integrating NLB with Forefront TMG, you can not only load traffic among NLB nodes, but also ensure a successful handoff between one node to the other, should one go down.

Figure 3 Leveraging the high-availability features in Forefront TMG 2010

Figure 3 Leveraging the high-availability features in Forefront TMG 2010

Maintain Security

Exchange Online services include antivirus and anti-spam features. Still, Contoso wants to ensure its users are protected when browsing sites originated by the e-mail system, so it’s using a multilayered approach (see Figure 4).

Figure 4 Leveraging Forefront TMG 2010 HTTPS Inspection feature to protect on-premises resources

Figure 4 Leveraging Forefront TMG 2010 HTTPS Inspection feature to protect on-premises resources

This multilayer approach lets you leverage the power of the cloud while protecting the on-premises client from potential threats that are coming from the Internet:

  • A Remote user sends an e-mail to a client on Contoso’s premises
  • This message is infected with a virus, and Exchange Online Antivirus cleans the message
  • A notification that a new message has arrived appears in the client mailbox
  • The user reads the message and notices there’s a link to download the latest report from a partner’s Web site. The end user identifies this is a link to a secure site (using HTTPS) and assumes it’s secure to download the report.
  • Forefront TMG HTTPS Inspection feature analyzes the traffic, validates the certificate and hands over the inspection to the Malware Inspection engine to analyze the file the user is trying to download. The Malware Inspection engine identifies this file as infected, and notifies the client the file can’t be opened because it’s infected with a virus.

Enforce Policy

This first phase of Contoso’s migration covers only users located in the United States. Due to the autonomy each branch office has for daily operations, the company needs to allow local branches to have control of their own traffic. It also has to do this while bound to company rules and policies. In order to achieve this goal, use Forefront TMG 2010 with a multi-array scenario and have company policies enforced at the enterprise level (see Figure 5).

Figure 5 Allowing autonomy to each branch office while maintaining central company policy enforcement

Figure 5 Allowing autonomy to each branch office while maintaining central company policy enforcement

This model provides a central management view for all arrays within the enterprise. It also helps with corporate policy enforcement. When you apply changes to the firewall policy or network rules, Forefront TMG ensures all existing client connections comply with the new policy or rules. It will also terminate connections that aren’t allowed.

Preserve Productivity

A worker using the new e-mail system must remain focused on productivity, so you need to minimize potential distractions. You also need to block users from malicious sites in accordance with company policy. The Forefront TMG 2010 URL Filtering feature uses a cloud-based service called Microsoft Reputation Service in order to categorize URLs a user is trying to access (see Figure 6).

Figure 6 Using Forefront TMG 2010 URL Filtering to improve information worker experience

Figure 6 Using Forefront TMG 2010 URL Filtering to improve information worker experience

Here’s how the process works:

  • A remote user sends an e-mail to a client located on Contoso premises
  • The message is infected with a virus and Exchange Online Antivirus cleans the message
  • A notification that a new message has arrived appears in the on-premises client mailboxThe client reads the message and notices there’s a link to access a partner’s new portfolio, which includes a gambling business
  • The Forefront TMG URL Filtering feature evaluates the URL and queries the Microsoft Reputation Service database to verify if the category of this URL matches “gamble,” which is not allowed by company policy
  • Forefront TMG blocks the access to this site and notifies the user why the site was blocked

If the employee thinks this site shouldn’t have been blocked, they can temporarily browse the Web site and notify the administrator that the site was misclassified.

There are other features in Forefront TMG that can help with cloud deployment scenarios. Caching is one example. Forefront TMG can cache HTTP and HTTPS data from your cloud applications. This saves bandwidth and improves the user experience by improving the latency for cloud requests.

Forefront TMG can also help with cloud deployments by integrating its BranchCache capability with Windows Server 2008 R2. To demonstrate this, we’ll assume the second phase of the Contoso cloud migration includes the Office Web Plus for clients located in some branch offices (see Figure 7).

Figure 7 Using the Forefront TMG 2010 BranchCache capability to assist cloud migration of resources located in the branch office

Figure 7 Using the Forefront TMG 2010 BranchCache capability to assist cloud migration of resources located in the branch office

Here’s an outline of how BranchCache can help with remote office cloud services:

  • A branch office client sends a request to the local Forefront TMG to access Office Web Apps
  • Forefront TMG evaluates whether or not the requested data is located in the local cache. If not, the local Forefront TMG sends the request to the main office Forefront TMG
  • The main office Forefront TMG retrieves the data from the cloud and sends it to the downstream Forefront TMG located in the branch office
  • The branch office Forefront TMG stores the data in the local cache and sends it to the client workstation that made the request
  • Another client workstation also located in the branch office performs the same request for the same data
  • Forefront TMG evaluates the request, verifies this data is located in the cache and provides the content directly to the client

As you can see, the more clients that are using cloud-based objects from the cloud, the more the cache will grow. Those objects will be accessed many times during the day. With Forefront TMG caching those objects, the company can save bandwidth while increasing access speed.

While security remains the primary concern for companies considering a move to the cloud, Forefront TMG 2010 can provide a secure Web gateway. With the security concerns resolved, you can focus on the real reason your company moved to the cloud in the first place: cost savings.

Yuri Diogenese

Yuri Diogenes* (CISSP, E-CEH, Security+, Network+, MCSE+S, MCTS, MCITP and MCT) works for Microsoft as senior security support escalation engineer on the CSS Forefront Edge Team, based in Irving, Texas. Diogenes is responsible for handling TMG/ISA escalations, and works closely with the TMG Product Team to open bugs and file design-change requests on behalf of Microsoft customers. Diogenes is coauthor of “Microsoft Forefront Threat Management Gateway Administrator’s Companion” (Microsoft Press, 2010) and other Microsoft Forefront titles. He also writes articles for the TMG Team Blog, for* TechNet Magazine and his personal blog.