Forefront TMG MBE Features

Windows Server 2008, 64-bit compatible

TMG MBE may be run on Windows Server 2008 64-bit

Single wizard for Web access configuration

Allows customers to configure Web access, including malware protection, from a single wizard

Firewall generated forms for forms-based authentication

Generate forms used by Outlook Web Access sites for forms-based authentication. This enhances security for remote access to Outlook Web Access sites by preventing unauthenticated users from contacting the Outlook Web Access server.

Enforce Microsoft Exchange RPC connections from full Microsoft Outlook messaging and collaboration MAPI clients

Publishing rules give remote users connection to Exchange Server using the fully functional Outlook MAPI client over the Internet. The Outlook client must be configured to use secure RPC so that the connection is encrypted.

RPC policy allows you to block all non-encrypted Outlook MAPI client connections.

Microsoft Office SharePoint Server Publishing Wizard

New wizard publishes multiple Windows SharePoint Services sites simultaneously and provides for automatic link translation.

Branch Office VPN Connectivity Wizard

Automatically configures a site-to-site VPN connection between two separate offices.

Stateful filtering and inspection for VPN

VPN clients configured as a separate network zone.

Create distinct policies for VPN clients. The firewall rule engine discriminately checks requests from VPN clients. The engine statefully filters and inspects these requests and dynamically opens connections based on the access policy.

Stateful filtering and inspection for communications moving through a site-to-site VPN tunnel

Control the resources that specific hosts or networks can access on the opposite side of the link. Use group-based or user-based to gain granular control over resource use with the link.

Publishing VPN servers

Publish IP protocols and PPTP servers.

Smart PPTP application filter performs complex connection management.

Publish the Windows Server 2003 NAT-T L2TP over IPSec VPN server using TMG MBE 06 server publishing.

Ease of use management features

Includes management features that make it easier to improve security of networks by avoiding misconfigurations.

User interface features include task panes, context-sensitive Help panes, and a Getting Started Wizard.

Export and import of configuration data

Export and import configuration information.

Save configuration parameters to an .xml file, and then import the information from the file to another server.

TMG MBE Microsoft Operations Manager (MOM) Management Pack

MOM Management Pack enables enterprise-level event monitoring and consolidation of common firewall activities.

Broad vendor support

Independent vendors offer products, such as virus detection, management tools, and content filtering and reporting, that build on and integrate with TMG MBE.

Real-time monitoring of log entries

View firewall, Web Proxy, and SMTP Message Screener logs in real time.

TMG MBE Server Management snap-in displays the log entries as they are recorded in the firewall’s log file.

Real-time monitoring and filtering of firewall sessions

View all active connections to the firewall. From a session view, you can sort or disconnect individual or groups of sessions. In addition, you can filter the entries in the session’s interface to focus on the sessions of interest using the built-in session filtering facility.

Customizing TMG MBE reports

Includes an enhanced report customization feature for adding more information in the firewall reports.

E-mail notification after report creation

Configure a report job to send you an e-mail message after a report job is completed.

Designed to create log summaries at 00:30 (12:30 A.M.). Reports are based on information contained in log summaries. You can easily customize the time when log summaries are created with TMG MBE. This gives you increased flexibility in determining the time of day reports are created.Log to an MSDE database

In addition to .txt files and Microsoft SQL Server databases, logs can now be stored in an .mdb file. Logging to a local database enhances query speed and flexibility.

Multiple network configuration

Configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks and not necessarily relative to a specific internal network. TMG MBE extends the firewall and security features to apply to traffic between any networks or network objects.

Route and NAT network relationships

Define routing relationships between networks, depending on the type of access and communication required between the networks.

In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a NAT relationship. In other situations, you want to simply route traffic through TMG MBE. In these cases, you can define a route relationship. Packets moving between routed networks are fully exposed to TMG MBE stateful filtering and inspection mechanisms.

Multi-layer firewall

Provides three types of firewall functionality: packet filtering (also called circuit-layer), stateful filtering, and application layer filtering.

HTTP filtering on a per-rule basis

HTTP policy allows the firewall to perform deep HTTP stateful inspection (application layer filtering).

Extent of the inspection is configured on a per-rule basis. With this capability, you can configure custom constraints for HTTP inbound and outbound access.

Control HTTP file downloads through file extension

HTTP policy enables you to define policy based on file extension, including ”allow all except a specified group of extensions” or “block all extensions except for a specified group.”

Control HTTP access based on “HTTP Signatures”

HTTP inspection can help you create “HTTP Signatures” that can be compared to the Request URL, Request headers, Request body, and Response body. This gives you precise control over what content internal and external users can access through the firewall.

Extensive protocol support

Gain control over accessing and using any protocol, including IP-level protocols. Users can then use applications such as Ping and Tracert and can create VPN connections using PPTP. In addition, IPSec traffic can be enabled through TMG MBE.

Customizable protocol definitions

Control the source and destination port number for any protocol for which you create a firewall rule. This gives the TMG MBE firewall administrator a high level of control over what packets are allowed inbound and outbound through the firewall.

Granular control over IP options

Configure IP options on a granular basis and only allow the IP options you require while blocking all others.

Microsoft Hotmail Web-based e-mail access through the firewall

HTTP filter enables users to access Hotmail through an easy-to-configure firewall rule without the need for special configuration on the client or firewall.

Firewall Rule wizards

Rule wizards make it easier to create access policy.

Create access policy with a sophisticated firewall rule that you can use to configure any required policy element. You do not need to leave the rule wizard to create a network object. Any network object or relationship can be created within the new wizard.

User-based or group-based access policy

Enhanced firewall rules allow you to define the source and destination for each protocol a user or group is able to access. This greatly increases flexibility for inbound and outbound access control.

Port redirection for FTP server publishing rules

Receive a connection on one port number and redirect the request to a different port number on the published server.

Enhanced remediation during attack

Flood Resiliency provides enhanced remediation during attacks through log throttling, control of memory consumption, and control of pending DNS queries.

Authentication

Authenticate users with built-in Windows, LDAP, RADIUS, or RSA SecurID authentication.

Separate front-end and back-end configuration provides for more flexibility and granularity.

Supports single sign-on for authentication to Web sites.

Apply rules to users or user groups in any namespace.

Third-party vendors can use the SDK to extend built-in authentication mechanisms.

RADIUS support for Web Proxy client authentication

Authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory.

Web publishing rules can also use RADIUS to authenticate remote access connections.

SecurID authentication for Web Proxy clients

Authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

Forms-based authentication

Forms-based authentication is now available for all published Web sites, and not just for Outlook Web Access.

Support for LDAP authentication

LDAP authentication allows TMG MBE to authenticate to Active Directory without being a member of the domain.

Secure Web publishing

Place servers behind the firewall, either on the corporate network or on a perimeter network, and publish their services. With the improved secure Web Publishing Wizard, you can create a rule that lets users have SSL remote access to published Web servers.

Preservation of source IP address in Web publishing rules

Gives you a choice on a per-rule basis whether the firewall should replace the original IP address with its own or forward the original IP address of the remote client to the Web server.

SSL bridging support

To guard against embedded attacks in HTTP traffic, SSL bridging allows SSL protected packets to be decrypted by TMG MBE, inspected, and re-encrypted.

Cache rules

With the centralized cache rule mechanism of TMG MBE, you can configure how objects stored in the cache are retrieved and served from the cache.

HTTP compression

Reduce file size by using algorithms to eliminate redundant data during transmission of HTTP packets.