Secure Access to your Cloud Services

TBittner — Tue, 22 Feb 2011 06:00:00 GMT

Moving to the Cloud is going on and so we will have more and more On-Premise and Cloud environments living site by site.

Securing access to Cloud Services will be more relevant for the future.

A great article on this topic has been published by Yuri Diogenes, Senior Security Support Escalation Engineer on Microsoft Forefront Team.

http://technet.microsoft.com/en-us/magazine/gg607680.aspx

Configure the Forefront TMG 2010 to allow DPM 2010 communication

TBittner — Wed, 20 Oct 2010 05:00:00 GMT

The DPM agent uses various ports and protocols to connect with the DPM server. The Forefront TMG needs to be configured to allow the DPM server to communicate through those ports. The complete list of ports that are used by DPM are documented at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=118620).

Use the following procedures to configure the Forefront TMG to work with DPM:

Define protocols for DPM in Forefront TMG
Add a computer rule for the DPM server
Create an access rule for DPM traffic
Configure registry settings on the Security Server and the DPM server

To define protocols for DPM in Forefront TMG

Open the Forefront Threat Management Gateway console.
In the console tree, expand the node for TMG Server, and then click Firewall Policy.

In the right pane, click Toolbox, expand Protocols, click New, and then click Protocol.

The New Protocol Definition Wizard appears, and you can define a new DPM Agent Coordinator protocol (TCP, outbound, port range 5718) as follows:

In the New Protocol Definition Wizard, type DPM Agent Coordinator, and then click Next.
On the Primary Connection Information page, click New.
In the New/Edit Protocol Connection dialog box, choose a Protocol type of TCP, a Direction of Outbound, and a Port Range (both From and To) of 5718. Click OK.
Click Next twice, and then click Finish to close the New Protocol Definition Wizard.

In the right pane, click New, and then click Protocol.

The New Protocol Definition Wizard appears, and you can define a new DPM Protection Agent protocol (TCP, outbound, port range 5719).
In the right pane, click New, and then click Protocol.

In the New Protocol Definition Wizard, define a new DPM Dynamic Ports protocol (TCP, outbound, port range 50000-50050).

Note

You need approximately 50 ports in the unreserved dynamic port range between 49152 and 65535. For more information about this range, see the Internet Assigned Numbers Authority Web Site (http://go.microsoft.com/fwlink?LinkId=22654).
1. In the New Protocol Definition Wizard, type DPM RPC, and then click Next.
2. On the Select Server page, click Add interfaces manually.
3. On the Adding Interfaces to the Protocol Definition page, click Add.
4. In the Add/Edit Interfaces dialog box, under Interface UUID type {12345778-1234-abcd-ef00-0123456789ac}. Under Interface Name, type RPC for DPM, click OK, and then click Next.
5. Click Finish to close the New RPC Definition Wizard.
In the top pane, click Apply to save changes and update the configuration.

To add a computer rule element for the DPM server

In the right pane of the Forefront TMG console, click Toolbox, expand Network Objects, click New, and then click Computer.
In the New Computer Rule Element dialog box, type a Name for the DPM server, and then under Computer IP Address, type the server’s IP address. Click OK.
In the top pane, click Apply to save changes and update the configuration.

To create an access rule for DPM traffic

In the right pane of the Forefront TMG console, click Tasks, and then under Firewall Policy Tasks, click Create Access Rule.
The New Access Rule Wizard appears. Type a name for the access rule (such as Allow DPM Traffic), and then click Next.
On the Rule Action page, click Allow, and then click Next.
On the Protocols page, under This rule applies to, choose Selected protocols, and then click Add.
- DPM Agent Coordinator
- DPM Dynamic Ports
- DPM Protection Agent
- NetBIOS Datagram
- NetBIOS Name Service
- NetBIOS Session
- Ping
- RPC (all interfaces)
- DPM RPC
On the Access Rule Sources page, click Add.
- Expand the Networks node, click Local Host, and then click Add.
- Expand the Computers node, click the name of your DPM server, and then click Add.
On the Access Rule Destinations page, click Add.
- Expand the Networks node, click Local Host, and then click Add.
- Expand the Computers node, click the name of your DPM server, and then click Add.
On the User Sets page, accept the default (All Users). Click Next, and then click Finish.
Under All Firewall Policy, right-click the DPM access rule, and then click Properties.
In the Properties dialog box, click Protocols, click RPC (all interfaces), click Filtering, and then click Configure RPC protocol.
In the Configure RPC protocol policy dialog box, clear the Enforce strict RPC compliance check box. Then click OK twice.
Under All Firewall Policy, if the DPM access rule is not the first listed, right-click the DPM access rule, and then click Move Up. Repeat until the rule is the first listed.
In the top pane, click Apply to save your changes and update the configuration.

Warning

Use the following procedure to modify registry settings on TMG and the DPM server. Modify the registry with care. Serious system-wide problems might occur if you modify the registry incorrectly. To correct such problems, you may need to reinstall the operating system software on these servers.

To configure registry settings on the TMG and the DPM server

Log on to the server as domain administrator.
Click Start, click Run, type regedit, and then click OK.
In the left pane of Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc.
Right-click the Rpc node, click New, and then click Key. Type Internet as the name of the key.
Configure the following values for the Internet key:

Ports REG_MULTI_SZ 50000-50050

PortsInternetAvailable REG_SZ Y

UseInternetPorts REG_SZ Y
To apply the registry settings, close Registry Editor and then restart the server.

Search results for 'app:weblogs' matching tags 'System Center', 'Storage', 'ISA Server', and 'Hyper-V'

Secure Access to your Cloud Services

Configure the Forefront TMG 2010 to allow DPM 2010 communication