About application filters
Microsoft Forefront Threat Management Gateway application filters provide an extra layer of security at the Microsoft Firewall service. Application filters can access the data stream or datagrams associated with a session within the Firewall service. They are registered with the Firewall service and work with some or all of the application-level protocol streams or datagrams. An application filter can perform protocol-specific or system-specific tasks, such as authentication and virus checking. This topic describes some of the application filters provided with Forefront TMG:
DNS filter
FTP access filter
H.323 filter
Intrusion detection filters
RPC filter
SIP Access Filter
SMTP filter
SOCKS filter
Streaming media application filters
TFTP Access Filter
Web Proxy filter
DNS filter
The DNS filter intercepts and analyzes all inbound DNS traffic destined for the Internal network and other protected networks. When detection of DNS attacks is enabled, you can specify which types of suspicious activity the DNS filter checks for. For more information, see Overview of intrusion detection.
FTP access filter
The FTP access filter provided with Forefront TMG forwards File Transfer Protocol (FTP) requests from SecureNAT clients to the Microsoft Firewall service. The filter dynamically opens the secondary ports that FTP requires and performs the address translation that SecureNAT clients need.
Although you could create a user-defined protocol definition for FTP, it would not offer the full range of capabilities afforded by the FTP access filter.
The filter opens only the specific port negotiated for each secondary connection (for Firewall Client computers as well as SecureNAT clients), whereas a user-defined protocol definition must leave a whole range of secondary ports open. The filter also protects clients by performing the address translation that the secondary connection requires.
The FTP access filter can distinguish between read and write operations, so you can fine-tune access permissions.
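The secondary-connection handling described above, as an added example that is not Forefront TMG code: it decodes the h1,h2,h3,h4,p1,p2 endpoint carried in a client PORT command or in a server 227 reply, refuses an endpoint that does not belong to the peer that sent it (which is how a firewall avoids being used for an FTP bounce), and rewrites the client's PORT so that the server connects back to a listener on the firewall's external address, the translation a SecureNAT client cannot perform for itself. The addresses, the port allocator and the function names are assumptions of the example.

```python
"""
Added example (not Forefront TMG code): the secondary-connection bookkeeping an
FTP application filter has to do for active (PORT) and passive (227) transfers.
All addresses are constructed documentation values.
"""
import re
from ipaddress import ip_address

CLIENT_PRIVATE = "10.1.1.25"        # constructed: SecureNAT client behind the firewall
FIREWALL_EXTERNAL = "203.0.113.7"   # constructed: firewall external interface
SERVER_PUBLIC = "198.51.100.40"     # constructed: FTP server on the Internet

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form into (dotted_host, port)."""
    m = _TUPLE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in %r" % text)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def format_hostport(host, port):
    """Inverse of parse_hostport."""
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def filter_port_command(line, client_ip, firewall_ip, allocate_port):
    """Client -> server direction. Returns (line_to_forward, mapping), where
    mapping is ((firewall_ip, ext_port), (client_ip, client_port)) for a PORT
    command and None for any other command line."""
    body = line.rstrip("\r\n")
    if not body.upper().startswith("PORT "):
        return line, None
    host, port = parse_hostport(body)
    # The client may only ask the server to connect back to itself; any other
    # address is an attempt to bounce a connection through the firewall.
    if ip_address(host) != ip_address(client_ip):
        raise PermissionError("PORT advertises %s but the client is %s" % (host, client_ip))
    if port < 1024:
        raise PermissionError("PORT to privileged port %d refused" % port)
    ext_port = allocate_port()            # listener the filter opens on the external side
    mapping = ((firewall_ip, ext_port), (client_ip, port))
    return "PORT %s\r\n" % format_hostport(firewall_ip, ext_port), mapping


def filter_pasv_reply(line, server_ip):
    """Server -> client direction. For a 227 reply, return the (host, port) the
    filter must open outbound for the client; refuse a reply that would send the
    client to some third host instead of the server it is talking to."""
    body = line.rstrip("\r\n")
    if not body.startswith("227"):
        return None
    host, port = parse_hostport(body)
    if ip_address(host) != ip_address(server_ip):
        raise PermissionError("227 points at %s, not the server %s" % (host, server_ip))
    return host, port


if __name__ == "__main__":
    import itertools
    ports = itertools.count(40000)        # constructed external port pool
    fwd, mapping = filter_port_command("PORT 10,1,1,25,4,1\r\n", CLIENT_PRIVATE,
                                       FIREWALL_EXTERNAL, lambda: next(ports))
    print(fwd.strip(), mapping)
    print(filter_pasv_reply("227 Entering Passive Mode (198,51,100,40,19,137)\r\n",
                            SERVER_PUBLIC))
```

Only the port that was actually negotiated is opened, and only between the two endpoints of the control connection; that is the difference between this filter and a protocol definition that leaves a whole secondary port range open.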
The FTP access filter uses the following protocol definitions, which are installed with the filter during the Forefront TMG installation:
H.323 filter
Forefront TMG includes an H.323 filter that allows H.323-compliant applications, such as Microsoft Windows NetMeeting® 3, to pass through Forefront TMG. This enables rich multimedia and real-time collaboration between enterprises over the Internet. Organizations that deploy interdepartmental firewalls can also use it to enhance communications between their employees over their intranets.
Additionally, the H.323 filter protects communication between internal clients and the Internet, hiding client IP addresses and restricting access as needed.
H.323 is a set of standards for real-time multimedia conferencing and communications over packet-based networks that do not guarantee quality of service (QoS). The standards were developed to accommodate varying usages: because voice quality over the Internet alone was inadequate, they allow a call to be carried partly over the Internet and partly over the public switched telephone network (PSTN), and they provide for calls between a standard PSTN phone and a computer-based client.
H.323 defines how compliant components (terminals, gateways, gatekeepers, and multipoint control units) engage in audio, video, and multipoint conference communications. The standards define the mandatory and optional services supplied by a gatekeeper, cover call control and management for both point-to-point and multipoint conferences, and define the gateway operability that allows calls to be connected between H.323 terminals as well as between LAN and PSTN devices.
By default, the H.323 filter is applied to the H.323 protocol.
Limiting Access to H.323
You can create access rules that limit access to the H.323 protocol. For example, you might want to deny a client's H.323 access to video, T120 data sharing, and outbound calls. You can create an access rule that allows the H.323 client access only to the inbound calls protocol. Because Forefront TMG allows access only when explicitly specified, only this protocol will be allowed.
Intrusion detection filters
The intrusion detection filters provided with Forefront TMG are the DNS detection filter and the POP Intrusion Detection filter. They are described in "Forefront TMG Network Protection: Protecting Against Floods and Attacks" in the Microsoft Forefront TMG documentation.
RPC filter
Forefront TMG handles traffic for all remote procedure calls (RPCs) between clients outside your network and RPC servers inside your network. Using the Forefront TMG RPC filter, you define one or more universally unique identifier (UUID) interfaces as an RPC protocol definition. That protocol definition is then used in a Forefront TMG publishing rule for the server, so that external clients can reach only those UUID interfaces on the internal RPC server.
The RPC filter applies to RPC traffic only (including user-defined RPC protocols). It does not apply to RPC traffic that is tunneled through another protocol; for example, it does not affect RPC over HTTP or RPC over XML.
The RPC filter works for both inbound and outbound scenarios. For publishing scenarios (incoming requests), you can limit the UUIDs allowed. For access rules (outgoing requests), the filter handles the automatic opening of secondary connections.
Exchange Server Publishing and the RPC Filter
A popular way of accessing servers running Microsoft Exchange Server from remote sites is to use the full Microsoft Outlook MAPI client: users prefer the same client for e-mail that they use when directly connected to the corporate network. The challenge for the firewall and security administrator is how to make these remote Outlook MAPI connections secure. Remote access to the Exchange RPC services that Outlook MAPI requires can demand a large number of statically open ports on the Internet edge firewall, and that requirement has been a barrier to offering the full Outlook mail experience from remote locations.
On a conventional firewall, the large number of statically opened ports needed for this kind of access has made security and firewall administrators hesitant to allow remote access for the full Outlook MAPI client. An important concern is viruses and worms designed to attack RPC and DCOM services. If the firewall is not RPC application-layer aware, RPC worms can attack the network through those open ports, infect the Exchange server, and go on to infect other computers on the corporate network.
The Forefront TMG RPC filter enables you to force secure Outlook MAPI connections with the corporate Exchange server. The RPC filter blocks outbound RPC worm connections from the corporate network. The filter can help you prevent RPC worm connections from leaving the corporate network and prevent hosts on your network from infecting computers on the Internet.
The RPC filter can also be used to enforce secure RPC connections from Outlook MAPI clients. When this feature is enabled, connection requests from remote Outlook MAPI clients must be done through a secure encrypted channel. If the connection is not secured, Forefront TMG drops the client request. This allows Forefront TMG, instead of users, to control the level of security. Because the Exchange RPC protocol is pre-defined, the RPC filter opens only the necessary interfaces, rather than allowing full RPC to the Exchange server.
RPC Filtering for Outlook Clients
The following sequence describes how the initial RPC endpoint mapper connection is established between the Outlook MAPI client and Forefront TMG:
The Outlook MAPI client establishes a connection to TCP port 135 on the external interface of Forefront TMG.
The RPC filter statefully inspects packets in the connection. If invalid RPC communications are detected, the connection is dropped.
Valid RPC connections from Outlook MAPI clients are forwarded to the Exchange server. The Exchange server responds to the request with a port number that the client uses for subsequent data connections.
Forefront TMG intercepts the response and changes the port number to a valid port that the Outlook MAPI client can use on the external interface of Forefront TMG.
Forefront TMG forwards to the Outlook MAPI client the port number it will use for subsequent communications with the Exchange server.
The following is the communications sequence between the Outlook MAPI client and the Exchange server after the endpoint mapper connection is established:
The Outlook MAPI client establishes a connection to the MAPI port that Forefront TMG instructed it to use. Forefront TMG screens the RPC commands to ensure that no exploits are contained within the channel.
Information sent by the Outlook MAPI client is forwarded by Forefront TMG to the Exchange server RPC services.
The Exchange server responds to the Outlook MAPI client, and Forefront TMG intercepts the responses. The RPC filter screens these responses and changes the source port number.
Forefront TMG forwards the responses to the Outlook MAPI client.
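The two sequences above, together with the UUID restriction described under the RPC filter, as an added example that is not Forefront TMG code and does not encode real DCE/RPC packets. It models the filter's state: an endpoint mapper request on TCP 135 is accepted only for a published interface UUID, the port in the Exchange server's reply is replaced with a listener on the firewall's external interface, and a later MAPI connection is forwarded only if the filter itself handed out that port. The interface UUIDs, addresses, port numbers and class names are constructed placeholders, not Exchange's real interface identifiers.

```python
"""
Added example (not Forefront TMG code): a state model of the RPC filter's
handling of the Outlook MAPI sequence. UUIDs and addresses are constructed.
"""
import itertools
import uuid

RPC_EPM_PORT = 135

# Constructed placeholder interface UUIDs (hypothetical, not Exchange's own).
PUBLISHED_INTERFACES = {
    uuid.UUID("11111111-2222-3333-4444-555555555501"): "mailbox store (hypothetical)",
    uuid.UUID("11111111-2222-3333-4444-555555555502"): "address book (hypothetical)",
}
UNPUBLISHED_EXAMPLE = uuid.UUID("11111111-2222-3333-4444-5555555555ff")  # not published


class RpcFilter:
    def __init__(self, external_ip, exchange_ip, published, first_ext_port=1025):
        self.external_ip = external_ip
        self.exchange_ip = exchange_ip
        self.published = published
        self._ext_ports = itertools.count(first_ext_port)   # constructed pool
        self.mappings = {}   # (external_ip, ext_port) -> (exchange_ip, internal_port)

    def endpoint_map_request(self, dst_port, interface):
        """Client -> TCP 135 on the external interface, asking where `interface`
        listens. Unpublished UUIDs are refused before the Exchange server sees them."""
        if dst_port != RPC_EPM_PORT:
            raise ConnectionRefusedError("only the endpoint mapper (135) is reachable")
        if interface not in self.published:
            raise PermissionError("interface %s is not published" % interface)
        return self.exchange_ip, RPC_EPM_PORT        # forwarded to the Exchange server

    def endpoint_map_reply(self, interface, internal_port):
        """Exchange answers with the port it opened for `interface`; the client is
        told a port on the firewall instead, and the translation is remembered."""
        if interface not in self.published:
            raise PermissionError("interface %s is not published" % interface)
        ext_port = next(self._ext_ports)
        self.mappings[(self.external_ip, ext_port)] = (self.exchange_ip, internal_port)
        return self.external_ip, ext_port

    def mapi_connection(self, dst_ip, dst_port):
        """The client's follow-up connection is forwarded only if the filter created
        the mapping itself, so no static range of RPC ports is ever exposed."""
        try:
            return self.mappings[(dst_ip, dst_port)]
        except KeyError:
            raise ConnectionRefusedError("no dynamic mapping for %s:%d" % (dst_ip, dst_port))

    def mapi_reply(self, src_ip, src_port):
        """Server -> client direction: restore the external port the client knows."""
        for ext, internal in self.mappings.items():
            if internal == (src_ip, src_port):
                return ext
        raise ConnectionRefusedError("reply from unmapped %s:%d" % (src_ip, src_port))


def walk_outlook_sequence(rpc_filter, interface, internal_port=6001):
    """Run the sequence end to end (internal_port is a constructed value).
    Returns the external endpoint the client is told to use and the internal
    endpoint its data connection actually reaches."""
    rpc_filter.endpoint_map_request(RPC_EPM_PORT, interface)
    ext = rpc_filter.endpoint_map_reply(interface, internal_port)
    internal = rpc_filter.mapi_connection(*ext)
    assert rpc_filter.mapi_reply(*internal) == ext
    return ext, internal


if __name__ == "__main__":
    f = RpcFilter("203.0.113.7", "10.0.0.20", PUBLISHED_INTERFACES)
    print(walk_outlook_sequence(f, next(iter(PUBLISHED_INTERFACES))))
```

The point of the model is what it refuses: a connection straight to the server's RPC port, a request for an interface that is not in the published list, and a reply for which no mapping exists. Those are exactly the cases a conventional firewall with a static port range cannot distinguish.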
Strict RPC Compliance
Outbound RPC protocols can be configured on a per-rule basis in order to enforce strict RPC compliance. By default, strict compliance is enforced for RPC protocols. By enforcing strict compliance, RPC-type protocols, such as DCOM, will not be allowed through Forefront TMG.
SMTP filter
Forefront TMG intercepts all Simple Mail Transfer Protocol (SMTP) traffic that arrives on port 25 of the Forefront TMG computer. The SMTP filter accepts the traffic, inspects it, and passes it on only if the rules allow.
By default, the SMTP filter is applied to the SMTP and SMTP Server protocols for incoming traffic.
Forefront TMG supports inter-forest communication between Exchange Server computers only when the communication is over a secure channel (TLS).
Logging Blocked E-Mail Messages
If an SMTP command is blocked because it violates one of the SMTP filter's conditions, the blocked message will be logged only when you enable the SMTP filter event alert. This alert is disabled by default.
The SMTP filter examines SMTP commands sent by Internet SMTP servers and clients. It intercepts each command and checks whether it is valid and within the maximum length allowed, to protect against buffer-overrun attacks. Commands that violate the policy restrictions are treated as attacks against the SMTP server and are stopped by the SMTP filter.
Each SMTP command has a maximum length associated with it, expressed as the number of bytes allowed for that command. If a sender issues a command that exceeds the number of bytes allowed for it, Forefront TMG returns an error code to the sender and drops the connection.
When a client uses a command that is defined but disabled, the filter closes the connection. When a client uses a command that the SMTP filter does not recognize, no filtering is performed on that command.
The relevant RFC carries the AUTH parameter on the MAIL FROM command. For this reason, when AUTH is enabled, the SMTP filter blocks a MAIL FROM command only when it exceeds the combined length allowed for MAIL FROM and AUTH. For example, if you specify a maximum length of 266 bytes for MAIL FROM and 1,024 bytes for AUTH, the message is blocked only if the MAIL FROM command exceeds 1,290 bytes.
The SMTP filter does not inspect SSL/TLS-encrypted SMTP traffic. To prevent such traffic from passing uninspected, configure the SMTP filter to block the STARTTLS/TLS commands.
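The per-command checks described above, as an added example that is not Forefront TMG code: a known command is held to its byte limit, a command that is defined but disabled ends the session, an unknown verb passes through uninspected, and MAIL FROM is allowed the extra AUTH length because the SMTP AUTH extension (RFC 4954) carries the AUTH parameter on MAIL FROM. The 266-byte and 1,024-byte limits are the page's; every other limit, the disabled set, the session lines and the function names are constructed for the example.

```python
"""
Added example (not Forefront TMG code): SMTP command allow-list and length
checks of the kind the SMTP filter performs, run over a constructed session.
"""
# Per-command byte limits. 266 and 1024 are the page's figures; the rest are
# constructed for the example.
MAX_LEN = {
    "HELO": 512, "EHLO": 512, "MAIL FROM": 266, "RCPT TO": 266,
    "AUTH": 1024, "DATA": 4, "RSET": 4, "QUIT": 4, "VRFY": 512,
    "STARTTLS": 8,
}
# Commands that are defined but disabled. Blocking STARTTLS keeps every session
# in the clear so the filter can inspect it; VRFY is turned off because it is
# the usual address-harvesting verb.
DISABLED = {"VRFY", "STARTTLS"}


def command_name(body):
    """Map a command line to the verb the limits are keyed on."""
    upper = body.upper()
    for two_word in ("MAIL FROM", "RCPT TO"):
        if upper.startswith(two_word):
            return two_word
    return upper.split(" ", 1)[0].split(":", 1)[0]


def check_command(line, auth_enabled=True):
    """Return ("pass", None), ("unfiltered", None) or ("drop", reason)."""
    body = line.rstrip("\r\n")
    name = command_name(body)
    if name not in MAX_LEN:
        return "unfiltered", None          # unknown verb: not inspected at all
    if name in DISABLED:
        return "drop", "%s is disabled" % name
    limit = MAX_LEN[name]
    if name == "MAIL FROM" and auth_enabled:
        limit += MAX_LEN["AUTH"]           # 266 + 1024 = 1290 with the page's figures
    size = len(body.encode("utf-8"))
    if size > limit:
        return "drop", "%s is %d bytes, limit is %d" % (name, size, limit)
    return "pass", None


def filter_session(lines, auth_enabled=True):
    """Apply check_command line by line; the connection ends at the first drop."""
    decisions = []
    for line in lines:
        verdict, reason = check_command(line, auth_enabled)
        decisions.append((verdict, reason))
        if verdict == "drop":
            break
    return decisions


if __name__ == "__main__":
    # Constructed session: a harvesting VRFY arrives before the RCPT TO.
    session = ["EHLO mx.example.test\r\n", "MAIL FROM:<a@example.test>\r\n",
               "VRFY bob\r\n", "RCPT TO:<c@example.test>\r\n"]
    for decision in filter_session(session):
        print(decision)
```

Note the asymmetry the page describes: an oversize or disabled command drops the connection, but a verb the filter has no definition for is simply not inspected, so a policy that relies on length limits covers only the commands that are actually defined.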
SOCKS filter
The SOCKS filter provided with Forefront TMG forwards requests from SOCKS applications to the Microsoft Firewall service. Forefront TMG checks the access policy rules to determine whether the SOCKS client application is allowed to communicate with the Internet.
When you install Forefront TMG, the SOCKS filter is disabled for all networks. SOCKS applications typically send requests to port 1080, which is the default listening port, but you can configure Forefront TMG to listen for SOCKS requests on any port.
Streaming media application filters
Streaming media application filters allow Firewall Client and SecureNAT clients to use streaming media protocols to access media streaming servers such as the Microsoft Windows Media Technologies server.
Forefront TMG includes three application filters, which enable client access to common streaming media protocols:
RTSP filter. Applies to Real-Time Streaming Protocol (RTSP), which is used for access rules, and RTSP Server, which is used for server publishing rules. When enabled, this application filter can be used to allow applications such as Windows Media Player 11, Windows Media Player 10, Windows Media Player 9, Real Networks RealPlayer Plus, RealPlayer G2, QuickTime 7, QuickTime 6, QuickTime 5, and QuickTime 4 client access and server publishing.
MMS filter. Applies to Microsoft Windows Media, known as Microsoft Media Server (MMS), which is used for access rules, and to the MMS Server protocol, which is used for server publishing rules. When enabled, this application filter can be used to allow Windows Media Player 8 (default client in Microsoft Windows XP) client access and server publishing.
PNM filter. Applies to Progressive Networks protocol (PNM), which is used for access rules, and PNM Server, which is used for server publishing rules. When enabled, this application filter can be used to allow RealPlayer client access and server publishing.
You can create access rules that limit access to particular protocol definitions. For example, to restrict a client to Windows Media only, create an access rule that allows the MMS (Windows Media) protocol and another that denies the PNM (RealNetworks) protocol.
If you disable one of the streaming media filters, all of its protocol definitions are also disabled, and traffic that uses those definitions (Windows Media, RealNetworks, or RTSP, respectively) is blocked.
By default, the streaming media filters apply to the following protocols: RTSP, RTSP Server, MMS, MMS Server, PNM, and PNM Server.
Forefront TMG does not cache content that is streamed. This means that MMS and RTSP content is not cached. However, if the content is delivered using Hypertext Transfer Protocol (HTTP) as a file resource (and not streamed HTTP), Forefront TMG may cache the content, depending on how you configure caching.
Web Proxy filter
The Web Proxy filter works at the application level on behalf of a client requesting Web-based traffic. Although you cannot disable this filter, you can configure whether it applies to specific protocols. By default, it is applied to the Hypertext Transfer Protocol (HTTP), which is defined as follows:
Direction is Outbound.
Protocol Type is TCP.
Port is 80.
When the Web Proxy filter is enabled for a protocol, that protocol can use the following features, if applicable:
When the Web Proxy filter is disabled for a protocol, Forefront TMG does not intercept requests from clients connecting to Web servers; this disables caching and all other proxying services for the client request. You can create a custom protocol that listens on a port other than 80 and apply the Web Proxy filter to that protocol, which extends the Web Proxy filter's functionality to the custom protocol.