Deconstructing Forefront Threat Management Gateway (TMG) 2010 Firewall Client Operation and Communication
The Forefront TMG client, often referred to simply as the “firewall client”, is a powerful tool that security administrators can use to control network communication on their network. It provides transparent proxy services for client applications that use the Winsock API. Using the firewall client enables secure, authenticated forward (outbound) proxying for most TCP- and UDP-based applications making requests to external networks through the Forefront TMG 2010 firewall. Firewall client configuration and operation can be managed centrally on the TMG firewall, providing a convenient way to deliver fine-grained network access control for both web-based and non-web-based applications.
What Is the Firewall Client?
The firewall client is a Winsock Layered Service Provider (LSP) that can be installed on Windows workstations to provide transparent proxy services for applications that use the Winsock API. After installation, the firewall client registers an entry in the client’s Winsock catalog as a layered provider, which is what allows it to intercept the socket calls made by Winsock applications. You can see this by issuing the following command at an elevated command prompt:
netsh winsock show catalog
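As an added example (not part of the original post and not Microsoft’s code), the following Python script parses the text that netsh winsock show catalog prints and reports whether a Forefront TMG Client layered provider is registered. The catalog excerpt embedded below is constructed for illustration; the GUIDs, the description strings, and the FwcWsp.dll file name are assumptions, so adjust the DLL name to whatever your installed client actually registers.

```python
import re

# Constructed excerpt in the shape of "netsh winsock show catalog" output.
# GUIDs, descriptions and the FwcWsp.dll path are assumptions for this example.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Service Flags:                      0x20066
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Forefront TMG Client over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB}
Provider Path:                      C:\Program Files\Forefront TMG Client\FwcWsp.dll
Catalog Entry ID:                   1031
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Service Flags:                      0x20066
Protocol Chain Length:              2
"""

# "Field name:   value" lines; the dashed separator and blank lines do not match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(\S.*)$")


def parse_catalog(text):
    """Split netsh output into one dict of field -> value per catalog entry."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry"):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            entries.append(fields)
    return entries


def layered_providers(entries):
    """Only layered entries sit between applications and the base providers."""
    return [e for e in entries if "Layered" in e.get("Entry Type", "")]


def firewall_client_installed(entries, dll_name="fwcwsp"):
    """True if some layered provider is backed by the firewall client DLL (assumed name)."""
    return any(dll_name in e.get("Provider Path", "").lower()
               for e in layered_providers(entries))


def unexpected_layered(entries, allowed_dlls=("fwcwsp",)):
    """Descriptions of layered providers whose DLL is not on the allow list."""
    return [e.get("Description", "?") for e in layered_providers(entries)
            if not any(d in e.get("Provider Path", "").lower() for d in allowed_dlls)]


if __name__ == "__main__":
    # On a real workstation, replace SAMPLE_CATALOG with the output of
    # subprocess.check_output(["netsh", "winsock", "show", "catalog"], text=True)
    catalog = parse_catalog(SAMPLE_CATALOG)
    print("TMG firewall client registered:", firewall_client_installed(catalog))
    print("Layered providers not on the allow list:", unexpected_layered(catalog))
```

Because every layered provider sees every Winsock call, listing the layered entries with unexpected_layered is also a quick way to notice an LSP you did not install, which is worth doing on any workstation where the firewall client is deployed.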
The firewall client can be found in the Client folder on the Forefront TMG 2010 installation media, or it can be downloaded from Microsoft. The firewall client is available for both 32-bit and 64-bit versions of Windows and can be installed manually, via Active Directory, or through any Microsoft or third-party systems management tool. For ease of configuration, the TMG firewall client can also take advantage of automatic proxy detection using WPAD to discover and connect to the TMG firewall.
After installing the firewall client, be sure to visit Windows Update as there have been a number of updates to the client since it was first introduced.
Support for the firewall client must be enabled on the TMG firewall. In the TMG management console, highlight Web Access Policy in the navigation tree and then click Configure Web Proxy in the Tasks pane under Related Tasks. Select the Forefront TMG Client tab and check the box next to Enable Forefront TMG Client support for this network. Provide the IP address, hostname, or fully-qualified domain name (FQDN) of the TMG firewall. If this is a load-balanced enterprise array, be sure to use a hostname that resolves to the dedicated IP addresses of the internal network interfaces of all array members. Never use the virtual IP address (VIP), or a name that resolves to the VIP, for TMG firewall client connections. Connecting to the VIP with the firewall client is unsupported and will cause erratic behavior and intermittent connectivity issues for client applications. A quick sanity check from a workstation is to confirm that the name you configured resolves to the dedicated addresses you expect and that TCP port 1745, the firewall client control channel port, is reachable on each array member. In addition, the firewall client can automatically configure the web browser’s web proxy settings on the target machine. If you select this option, choose one option only: automatically detect, use a configuration script, or use a web proxy server. Selecting more than one option, or all of them, can result in unexpected behavior.
TMG Firewall Access Policy
To demonstrate the operation of the TMG firewall client I’ll use the Remote Desktop Client to connect to a Windows Server 2012 R2 server hosted in Microsoft Azure. To begin, I’ve created an access rule allowing outbound access to the External network on the Remote Desktop Protocol (RDP) port, TCP 3389. In addition, I’ve restricted this access rule to members of the Remote Desktop Users security group in Active Directory.
Firewall Client Operation
When I open the Remote Desktop Client and attempt to connect to my remote Windows server, the TMG firewall client intercepts the connection attempt and, if the destination is on a remote network, transparently forwards it to the TMG firewall to be proxied to its original destination. The remote-network determination is made by comparing the hostname of the request to the list of domain names on the Domains tab of the properties dialog box for the Internal network.
In addition, the firewall client compares the destination IP address of the request to the address ranges listed on the Addresses tab.
If the destination name or address matches any of these entries, the firewall client ignores the request and it is processed normally by the local networking stack, without being forwarded to the TMG firewall. Because anything matching these lists bypasses the firewall client, and with it TMG’s user- and group-based access rules, keep the Domains and Addresses tabs limited to names and networks that are genuinely internal.
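As an added example, not code from the post or from Microsoft, the following Python models the local-versus-remote decision described above: a destination is local if its name matches an entry on the Domains tab (exactly, or via a leading *. wildcard that matches any name beneath that domain) or if its IPv4 address falls inside a range on the Addresses tab. The domain names and address ranges are constructed, and the wildcard handling is an assumption of this example about how the Domains tab is typically populated; the example models IPv4 ranges only.

```python
import ipaddress

# Constructed configuration standing in for the Internal network's Domains
# and Addresses tabs in the TMG console. The names and ranges are examples.
INTERNAL_DOMAINS = ["corp.example", "*.corp.example"]
INTERNAL_RANGES = [("10.0.0.0", "10.255.255.255"),
                   ("192.168.1.0", "192.168.1.255")]


def name_is_internal(host, domains=INTERNAL_DOMAINS):
    """Match a hostname against the Domains tab.

    A leading '*.' entry matches any name beneath that domain (an assumption
    about the tab's semantics); every other entry must match exactly. The dot
    is kept in the suffix so 'notcorp.example' does not match '*.corp.example'.
    """
    h = host.rstrip(".").lower()
    for entry in domains:
        e = entry.lower()
        if e.startswith("*."):
            suffix = e[1:]          # '*.corp.example' -> '.corp.example'
            if h.endswith(suffix) and len(h) > len(suffix):
                return True
        elif h == e:
            return True
    return False


def address_is_internal(ip, ranges=INTERNAL_RANGES):
    """Match an IPv4 address against the Addresses tab ranges (inclusive)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False            # this example models IPv4 ranges only
    n = int(addr)
    return any(int(ipaddress.ip_address(lo)) <= n <= int(ipaddress.ip_address(hi))
               for lo, hi in ranges)


def route_decision(destination, domains=INTERNAL_DOMAINS, ranges=INTERNAL_RANGES):
    """'local': the firewall client leaves the request alone.
    'tmg':   the request is forwarded over the control channel to the TMG firewall.
    """
    try:
        ipaddress.ip_address(destination)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        return "local" if address_is_internal(destination, ranges) else "tmg"
    return "local" if name_is_internal(destination, domains) else "tmg"


if __name__ == "__main__":
    for dest in ["10.1.2.3", "fileserver.corp.example", "13.107.21.200",
                 "vm.azure.example", "notcorp.example"]:
        print(f"{dest:28} -> {route_decision(dest)}")
```

Note the leading dot retained in the suffix check in name_is_internal: a suffix comparison without it would let a name such as notcorp.example be treated as internal and bypass the firewall client, and with it TMG’s user and group authentication.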
Firewall Client Communication
When a request is made to a destination that is remote, the TMG firewall client first establishes a control channel connection with the TMG firewall on TCP port 1745.
Next the TMG firewall responds to the client indicating that authentication and encryption are required to continue.
Once the client is successfully authenticated, the TMG firewall will complete the establishment of the firewall client control channel.
To enable the Remote Desktop Client to establish communication to the remote server, the firewall client will now establish a data session on a different TCP port. This is a dynamic port that is negotiated over the firewall client control channel.
Looking at the outbound communication on the TMG firewall shows that the connection to the remote server is made on the client’s originally requested TCP port, 3389 in this case. It is at this point that the access rule created earlier is evaluated, including its Remote Desktop Users group restriction, against the user identity that was authenticated over the control channel.
The Forefront TMG firewall client is an amazingly powerful tool that can be deployed to provide transparent proxy services for most TCP- and UDP-based applications. The firewall client allows for highly granular network access control by enforcing strong user- and group-based authentication. The exchange of authentication information between the client and the TMG firewall is encrypted over the firewall client control channel. Although deploying client software can be challenging, especially in large organizations, the firewall client is an MSI package that lends itself well to automated deployment using Active Directory group policy or systems management platforms like Microsoft System Center Configuration Manager (SCCM). Once deployed, the firewall client is easy to manage and, when combined with web proxy automatic detection techniques such as WPAD, results in a low-touch deployment and configuration. Here I’ve demonstrated how to use the firewall client to control outbound access for the Remote Desktop Protocol, but the applications are nearly limitless. Some common examples that are excellent candidates for the firewall client include Citrix applications, telnet and SSH remote administration, and FTP. Deploy the firewall client today and I’m sure you’ll find even more applications that can benefit from the power and flexibility it provides.