Web Application Proxy vs. TMG
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | ondrej@sevecek.com | www.sevecek.com

Threat Management Gateway vs. WAP
Threat Management Gateway
• Forward HTTP/S proxy
  • Kerberos SSO authentication
  • user/group based rules and logging
  • HTTPS inspection
• Reverse HTTP/S proxy
  • TLS/SSL endpoint
  • HTTPS inspection
  • Basic, Forms, TLS certificate, AD FS authentication
  • Kerberos constrained delegation
• Stateful firewall
  • IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP
Web Application Proxy
• Forward HTTP/S proxy
  • Kerberos SSO authentication
  • user/group based rules and logging
  • HTTPS inspection
• Reverse HTTP/S proxy
  • TLS/SSL endpoint
  • HTTPS inspection
  • Basic, Forms, TLS certificate, AD FS authentication
  • Kerberos constrained delegation
• Stateful firewall
  • IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP
[Diagram: TMG forward proxy. HTTP/S clients behind NAT reach the HTTP/S server through the TMG proxy; DC shown on the internal side.]
[Diagram: TMG/WAP reverse proxy. Browser, CRM GUI and web HTTP/S clients behind NAT reach SharePoint and Exchange OWA through TMG; TLS certificates shown on TMG and on each published server; DC shown.]
[Diagram: Perimeter authentication + auth. forwarding. Same topology as the reverse proxy diagram, with authentication performed at TMG and forwarded to SharePoint and Exchange OWA.]
TLS client certificate authentication
• TLS session establishes first
• Without client certificate no HTTP inside
• No password guessing
• Certificates mapped to user accounts
Remote Access compared
Network Access Technologies
• VPN
  • SMB/SQL/LDAP/DCOM sensitive to RTT
• Remote Desktop
  • no clipboard, no file proliferation
  • limited malware surface
• 802.1x
  • WiFi or Ethernet
  • no encryption, authorization only
• DirectAccess
  • GPO managed IPSec tunnel over IPv6
• Web Application Proxy
  • HTTPS reverse proxy for web applications
[Diagram: VPN Scenario. VPN Client behind NAT, VPN Gateway with RADIUS; internal SQL, DC, FS, SharePoint, RDP.]
[Diagram: DA Scenario. DA Client behind NAT, DA Server with RADIUS; internal SQL, DC, FS, SharePoint, RDP.]
[Diagram: RDP Scenario. RDP Client behind NAT, RDP Gateway with RADIUS; internal workstations (Wks), SQL, DC, FS, SharePoint, RDP.]
[Diagram: 802.1x WiFi Scenario. WiFi Client, WiFi AP with RADIUS; internal SQL, DC, FS, SharePoint, RDP.]
[Diagram: 802.1x Ethernet Scenario. Workstations (Wks) and Printer on a Switch with RADIUS; internal SQL, DC, FS, SharePoint, RDP.]
[Diagram: WAP Scenario. Web Browser or GUI client behind NAT, Web Application Proxy and AD FS Proxy; internal Lync Web, SharePoint, Exchange, AD FS, DC.]
Web Application Proxy
[Diagram: Names and certificates. Web Browser or GUI client behind NAT; SharePoint internal URL http://intranet, published by the Web Application Proxy as https://intranet.gopas.cz; AD FS Proxy and AD FS both answer as https://adfs.gopas.cz; DC.]
[Diagram: Service accounts. SharePoint runs as sp-intranet-web; Web Application Proxy and AD FS Proxy run as Network Service; AD FS runs as svc-adfs; DC.]
[Diagram sequence: Windows authentication with passwords. Participants on every panel: Web Browser or GUI client behind NAT, Web Application Proxy, AD FS Proxy, AD FS, SharePoint, Exchange, DC.]
  overview: Forms / Basic POST at the AD FS Proxy, Cookie at the Web Application Proxy, Kerberos to SharePoint and Exchange
  #1: Redirect 307 (Web Application Proxy)
  #2: Forms, Basic POST (AD FS Proxy)
  #3: Claims, Redirect 302 (AD FS Proxy, AD FS)
  #4: Claims, Cookie (Web Application Proxy), Kerberos (to SharePoint)
  #5: Cookie (Web Application Proxy), 200 OK (SharePoint, Exchange)
[Diagram: Windows authentication with TLS client certificate. Same participants; TLS Client Certificate presented on TCP 49443 at the AD FS Proxy and at AD FS; Cookie at the Web Application Proxy; Kerberos to SharePoint and Exchange.]
[Diagram: Claims authentication. Same participants; Forms / Basic POST / TLS Client Certificate at the AD FS Proxy; Claims and Cookie at the Web Application Proxy; Claims to SharePoint, Cookie to Exchange.]
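The Names and certificates and Service accounts slides, together with the authentication sequence above, map onto a small amount of configuration; the following is an added example, not from the deck: PowerShell that registers the backend SPN on the SharePoint account, grants the WAP computer account Kerberos constrained delegation with protocol transition (the step #4 Kerberos hop), and publishes the application with AD FS pre-authentication. Assumed: domain GOPAS, WAP server WAP01, backend URL http://intranet as shown on the slide; relying-party name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the deck). Assumptions: domain GOPAS, WAP server WAP01,
# SharePoint reachable internally as http://intranet (per the Names slide).

# 1. Register the backend SPN on the SharePoint application pool account
#    (sp-intranet-web, per the Service accounts slide). -S refuses duplicates.
setspn -S HTTP/intranet GOPAS\sp-intranet-web

# 2. Let the WAP computer account delegate to that SPN only, with protocol
#    transition: WAP has no user password, only AD FS claims, so it must be
#    allowed to request a Kerberos ticket on the user's behalf (step #4).
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/intranet' }
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# 3. On WAP01: publish the application. An unauthenticated request gets the
#    307 redirect to https://adfs.gopas.cz (step #1); only a request carrying
#    valid claims is forwarded to SharePoint with a Kerberos ticket.
$app = @{
    Name                           = 'Intranet SharePoint'
    ExternalPreauthentication      = 'ADFS'
    ADFSRelyingPartyName           = 'PLACEHOLDER-RELYING-PARTY'   # RP trust name in AD FS
    ExternalUrl                    = 'https://intranet.gopas.cz/'
    BackendServerUrl               = 'http://intranet/'
    ExternalCertificateThumbprint  = 'PLACEHOLDER-THUMBPRINT'      # cert for intranet.gopas.cz installed on WAP
    BackendServerAuthenticationSPN = 'HTTP/intranet'
    InactiveTransactionsTimeoutSec = 300
}
Add-WebApplicationProxyApplication @app

# 4. Check: pre-authentication must read ADFS. PassThrough means WAP does not
#    authenticate at all, which is the "Basic only with pass-through" limitation.
Get-WebApplicationProxyApplication -Name 'Intranet SharePoint' |
    Select-Object Name, ExternalPreauthentication, ExternalUrl,
                  BackendServerUrl, BackendServerAuthenticationSPN
```

Steps 1 and 2 run once on a domain-joined host with the AD module; step 3 and 4 run on the WAP server after it has been joined to the AD FS farm.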
Long journey?
Long journey yet?
• Basic only with pass-through
  • deprecated since AD FS 2.0
  • no Basic fallback (GUI clients)
• No selection intranet/extranet
• No persistent cookies
  • always the web page regardless of client (GUI)
• AD FS native support since Exchange 2013 SP1
• AD FS native support since SharePoint 2010
  • no WebDAV support
• No inspection