Microsoft Forefront: Achieving Defense in Depth with Forefront

With the multiple layers and modes of protection Microsoft Forefront offers, you can configure your protection to precisely suit your needs.

William Stanek

Spam, viruses, phishing scams, malware—it’s a jungle out there. The bad guys want in and the security survival tools and techniques of yesterday are insufficient on their own. To stay one step ahead, you need to retool and rethink. That’s where Microsoft Forefront can help.

Forefront is a multilayered product suite that delivers enterprise-grade identity management and protection solutions. Trying to navigate the maze of Forefront offerings can be intimidating because of the shifting product landscape and because Forefront delivers what I like to call Defense in Depth Squared (DiD2).

While there have been some changes, the individual products in the Forefront suite now include:

  • Forefront for Office Communication Server 2007 R2
  • Forefront Identity Manager 2010
  • Forefront Endpoint Protection 2010
  • Forefront Threat Management Gateway 2010
  • Forefront Unified Access Gateway 2010
  • Forefront Online Protection for Exchange Server
  • Forefront Protection 2010 for Exchange Server
  • Forefront Protection 2010 for SharePoint

That’s quite a lineup, especially when you add the related offerings being phased out while these are being phased in, including:

  • Identity Lifecycle Manager 2007
  • Forefront Client Security
  • ISA Server 2006
  • Intelligent Access Gateway 2007
  • Office Communications Server 2007
  • Forefront Security for Office Communications Server

The Replacements

Forefront Identity Manager 2010 replaces Identity Lifecycle Manager 2007. Forefront Identity Manager is a unified policy management system for controlling user identities, user access levels, resources and credentials. It’s designed for heterogeneous environments, so business owners and IT can use the product to ensure all enterprise systems—including line-of-business (LOB) applications, databases and directories—adhere to the same policy set. Forefront Identity Manager (see Figure 1) focuses on:

  • User Management: user provisioning and de-provisioning access and resources
  • Credential Management: managing and synchronizing credentials across systems
  • Group Management: managing security groups and distribution lists
  • Policy Management: creating and enforcing policies across systems

Figure 1 Forefront Identity Manager 2010 at a glance

Figure 1 Forefront Identity Manager 2010 at a glance

Forefront Endpoint Protection 2010 is an integrated solution for managing and securing network endpoints. An endpoint computer is simply a client or server that’s part of the enterprise and not typically used as a gateway or entry point. Forefront Endpoint Protection replaces Forefront Client Security and is built on System Center Configuration Manager 2007.

Forefront Endpoint Protection uses the Configuration Manager infrastructure to deploy and manage endpoint protection. It has two main components: security agents and management servers (see Figure 2). Security agents run on the endpoint computers, providing real-time protection from all types of malware, as well as scanning for threats on a pre-set schedule. Management servers let you centralize protection deployment and administration.

Figure 2 Forefront Endpoint Protection 2010 has two primary components

Figure 2 Forefront Endpoint Protection 2010 has two primary components

Forefront Threat Management Gateway (TMG) 2010 replaces ISA Server 2006. Forefront TMG is a secure Web gateway to protect against Web-based threats. The server acts as a threat-management firewall and provides URL filtering, malware detection, intrusion prevention and HTTP/HTTPS inspection. HTTPS inspection (see Figure 3) lets Forefront TMG inspect SSL-encrypted Web traffic during transport to ensure it complies with security policy. This facilitates malware detection and limits Web usage to approved sites while excluding certain sensitive sites, such as banking sites, from inspection. Figure 3 provides an overview of how this process works.

Forefront TMG can act as a virtual private network (VPN) endpoint, enabling site-to-site VPN and letting remote-access VPN clients terminate at the TMG server. It can also inspect VPN traffic terminating on the TMG server to ensure it’s in compliance with security policy. The process works similar to HTTPS inspection. The TMG server can also act as the Hosted Cache Server for a branch office to simplify BranchCache deployment. That same server also can be the branch office’s read-only domain controller.

Figure 3 HTTPS inspection with Forefront Threat Management Gateway 2010

Figure 3 HTTPS inspection with Forefront Threat Management Gateway 2010

Mind the Mail

Forefront provides two-fisted Exchange Server protection:

  • Forefront Online Protection for Exchange Server protects inbound and outbound e-mail using off-premises, hosted scanning engines and filters that block of out-of-policy content and filter malware and spam before it gets to the enterprise Exchange Servers
  • Forefront Protection 2010 for Exchange Server protects e-mail inbound and outbound to on-premises Exchange servers using locally installed scanning engines and filters to block out-of-policy content and filter malware and spam

The off-premises, hosted solution requires no hardware or software installation, and comes as one of the Microsoft Online Services. You can use this solution with on-premises, hosted or Exchange Online messaging. Either way it helps to screen messages before they reach inboxes.

The on-premises solution is designed to be used with on-premises Exchange messaging. You have to install it on Edge, Hub, Mailbox and Public Folder servers. It will screen messages while they’re in transit and before they’re delivered. When used with the hosted solution, it creates a security-enhanced stream between your on-premises messaging environment and off-premises solution.

Scanning engines and filters are the heart of both products. Both use multiple scanning engines and filters to ensure that if one engine fails or goes offline for updates, they’ll continue to block spam, dangerous attachments and other unwanted content. It examines messages in real-time as they’re transported by Edge and Hub servers and in the store on Mailbox and Public Folder servers (see Figure 4).

Figure 4 Message scanning with Forefront Protection 2010 for Exchange Server

Figure 4 Message scanning with Forefront Protection 2010 for Exchange Server

Forefront Unified Access Gateway (UAG) 2010 replaces Intelligent Access Gateway 2007. Forefront UAG provides remote clients with secure access to enterprise applications, resources and networks. With Forefront UAG, you can publish Web and non-Web applications so you can access them remotely over HTTP or HTTPS. Published applications can include Microsoft applications, LOB applications and RemoteApps made available with Remote Desktop Services (see Figure 5). You can also configure Forefront UAG as a DirectAccess server to connect clients directly to internal resources without requiring a VPN connection.

Figure 5 Publishing applications for external access with Forefront Unified Access Gateway 2010

Figure 5 Publishing applications for external access with Forefront Unified Access Gateway 2010

The final Forefront solution is Forefront Protection 2010 for SharePoint. Forefront Protection 2010 for SharePoint provides multilayered protection for documents stored and shared in SharePoint libraries. It installs scanning engines and filters on SharePoint servers to prevent users from uploading or downloading files containing viruses, malware or other types of malicious content. You can set policies to safeguard confidential information and block inappropriate content as well.

So there’s your complete introduction to Forefront and the related family of products. At its most fundamental, Forefront delivers DiD2 protection for endpoint computers, communication and collaboration servers, and enterprise networks.

Here’s the comprehensive list of the Forefront family of products:

  • Forefront for Office Communication Server 2007 R2
  • Forefront Identity Manager 2010
  • Forefront Endpoint Protection 2010
  • Forefront Threat Management Gateway 2010
  • Forefront Unified Access Gateway 2010
  • Forefront Online Protection for Exchange Server
  • Forefront Protection 2010 for Exchange Server
  • Forefront Protection 2010 for SharePoint

Joshua Hoffman

William R. Stanek is a leading technology expert, an instructional trainer and the award-winning author of more than 100 books. Follow Stanek on Twitter at https://twitter.com/williamstanek.