How to Use Forefront to Manage Application Servers

Source: Internet
Author: User
Tags: http, authentication, ssl, connection

How can application servers deployed inside an enterprise, such as email servers or OA (office automation) servers, be made accessible to users on the Internet or the intranet (as shown in the figure)? One way to implement this control is the Web server publishing feature of Forefront Security Gateway. When publishing a Web server, Forefront Security Gateway uses Web publishing rules to create access policies that allow or deny access to internal Web applications by intranet and Internet users.

  I. Functions Available When Publishing a Web Server

When publishing a Web server, you create a Web publishing rule that specifies how the internal Web application server may be accessed. For example, the administrator can restrict access to specific users, specific computers, or specific networks, require users to authenticate, and inspect the communication between the client and the published server.

Put simply, when publishing Web servers, Forefront Security Gateway can define a set of access policies, and every access must then comply with them. Note that these access policies apply to internal Web application servers; access to Internet resources is outside the scope of this article.

Forefront Security Gateway provides comprehensive management for internal Web application servers. For example, when publishing an application environment made up of several Web servers that perform the same role or host the same content, you can configure Forefront to balance the load among the servers in that environment, which makes inbound access highly available; in other words, it provides load balancing. In addition, it can also provide Web cache management, Web identity authentication, and so on.

  II. Typical Web Publishing Solutions

Forefront Security Gateway supports several Web publishing solutions. It should be emphasized that each publishing solution has different characteristics, so administrators need to understand the characteristics of each one and then choose the appropriate solution for a given scenario. Specifically, the following solutions are available.

First, the Outlook publishing solution for Microsoft products. Microsoft's Exchange mailbox server supports both desktop clients and Web clients; that is, users may access the mailbox server through a Web browser. When users are allowed to access an Exchange mailbox from a Web browser, two clients are available (this refers to the clients provided by Microsoft, not products from other companies): a basic client and an advanced client. The basic client, as its name implies, offers fewer functions than the advanced client. For example, the advanced client provides features such as unified messaging and spelling check that the basic client does not. However, the advanced client places requirements on the Web browser version; for example, the advanced client of the 2010 version requires IE6 or later. To let Forefront Security Gateway integrate this product more closely, Microsoft designed a dedicated publishing solution for it.

Second, publishing a Web server through HTTP. If the application is not a Microsoft product, such as an OA server or another company's mail service, which publishing solution does Forefront use? To support Web server products from other companies, Forefront provides an HTTP publishing solution. With it you can publish a single Web server, or publish multiple Web servers that together form a load-balanced application environment (a server farm). Note that Forefront Security Gateway treats the multiple servers behind the load-balancing device as a single server, which simplifies management. When publishing a server farm, the security gateway maintains session affinity with the client; for example, affinity can be based on a cookie or on the client's IP address. This feature is very important when clients are highly mobile and have no fixed location. It is also required when a device sitting between the load-balancing device and Forefront Security Gateway hides the client's IP address for security reasons. The most typical example is NAT technology, which hides a device's IP address to improve system security.
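The affinity choice above decides whether a server farm still balances load once clients sit behind NAT. The following simulation is an added example written for this article, not code from the Forefront product: the farm members, client addresses, the cookie name and the round-robin assignment are all constructed assumptions, chosen only to show why source-IP affinity collapses behind a shared NAT address while cookie-based affinity does not.

```python
import itertools

SERVERS = ["web1", "web2", "web3"]   # constructed farm members behind the gateway


class Farm:
    """Hypothetical model of a published server farm: a new session is
    assigned round-robin, after which the chosen affinity key pins the
    client to the same member."""

    def __init__(self, affinity):
        assert affinity in ("source_ip", "cookie")
        self.affinity = affinity
        self.table = {}                    # affinity key -> server
        self.rr = itertools.cycle(SERVERS)

    def route(self, src_ip, cookie):
        """Return (server, cookie_to_set). cookie_to_set is None unless the
        gateway must issue a new affinity cookie (cookie mode only)."""
        key = src_ip if self.affinity == "source_ip" else cookie
        if key is not None and key in self.table:
            return self.table[key], None
        server = next(self.rr)
        if self.affinity == "source_ip":
            self.table[src_ip] = server
            return server, None
        # constructed cookie name; the real gateway uses its own
        new_cookie = f"FARM_AFFINITY={len(self.table) + 1}"
        self.table[new_cookie] = server
        return server, new_cookie


def simulate(affinity, behind_nat):
    """Three constructed clients each send two requests. With behind_nat=True
    every request arrives from the NAT device's single public address."""
    farm = Farm(affinity)
    clients = {"alice": "198.51.100.11", "bob": "198.51.100.12", "carol": "198.51.100.13"}
    jar = {}                               # per-client cookie store
    result = {}
    for _ in range(2):
        for name, ip in clients.items():
            src = "203.0.113.10" if behind_nat else ip   # constructed NAT address
            server, set_cookie = farm.route(src, jar.get(name))
            if set_cookie:
                jar[name] = set_cookie
            result.setdefault(name, []).append(server)
    return result


def distinct_servers(result):
    """How many farm members actually received traffic."""
    return len({s for hits in result.values() for s in hits})


if __name__ == "__main__":
    for affinity in ("source_ip", "cookie"):
        for nat in (False, True):
            r = simulate(affinity, nat)
            print(f"{affinity:10} nat={nat!s:5} -> {distinct_servers(r)} server(s) used: {r}")
```

Run as written, source-IP affinity spreads the three clients over all three members only while their real addresses are visible; behind NAT all three share one key and land on the first member, whereas cookie affinity keeps each client pinned to its own member regardless of the source address.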

Third, publishing Web servers through HTTPS. Publishing an application server over HTTP has a weakness: when a user on the Internet accesses an internal enterprise application over HTTP, the user name and password are transmitted in plaintext, so an attacker can capture users' accounts and passwords with a simple tool such as a sniffer. HTTP publishing is therefore less secure and is generally used for resources that do not require authorized access, such as an enterprise portal website. Web applications that can be accessed only after authentication, such as email or e-commerce systems, are usually published over HTTPS. HTTPS publishing relies on the SSL protocol. When using it, you must install the SSL server certificate issued to the public host name of the published website in the personal certificate store of the Local Computer on each Forefront TMG computer; this is a required prerequisite. If the Web publishing rule also requires an SSL connection between the Forefront TMG computer and the published server, you must additionally install, on the published server, an SSL server certificate issued to the host name specified as the internal site name. This may sound a little complicated, but once you perform the steps yourself you will find it is not as difficult as it seems.

  III. Precautions for Web Publishing Rules

In the actual configuration, I think you need to pay attention to the following details.

First, Forefront TMG is not case sensitive when matching paths; this is common to most Microsoft applications. That is, if the Web server contains folders named A and a, and the published path points to one of them, the system publishes both folders at the same time. Although Forefront TMG does not distinguish between uppercase and lowercase characters, we recommend adopting a consistent capitalization convention for paths for readability; for example, if a path contains several English words, capitalize the first letter of each word.

Second, note that a Web publishing rule lets you configure how credentials are passed to the published server. However, the rule also requires that incoming client requests match the corresponding website on the Web server. Put simply, there are several ways to transmit user identity information, and administrators can choose one based on their actual needs; but the client's request must match the website on the published Web server, otherwise unnecessary access errors will occur.

Third, the publishing rule policy: you can adopt an allow policy, a deny policy, or a combination of both. The choice should depend on the actual situation. If only a specific set of users should have access (and the number of users is relatively small), an allow policy is suitable. Conversely, if most users may access the service and only a few specific users (for example, employees still in their probation period) must be kept out, a deny policy is appropriate. When both conditions apply, combine the two policies.
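The three precautions above (case-insensitive path matching, the request having to match the published site's public name, and allow versus deny policies) can be exercised together in a small rule evaluator. This is an added example written for this article, not Forefront TMG's own matching engine: the `Rule` structure, the host names and the user names are constructed assumptions, and "first matching rule wins, no match means deny" is the evaluation order assumed here.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    public_name: str     # host name the client must request (constructed)
    path: str            # published path pattern, e.g. "/Mail/*"
    users: frozenset     # user names, or frozenset({"*"}) for everyone


def path_matches(pattern, path):
    """Paths are compared without regard to case, so a rule written for
    /Mail/* also covers a request for /mail/... or /MAIL/...; fnmatchcase
    handles the trailing '*' wildcard."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate(rules, host, path, user):
    """Return (action, rule name). The first rule whose public name, path
    and user set all match decides; with no match the request is denied."""
    for rule in rules:
        if host.lower() != rule.public_name.lower():
            continue                       # request does not match this published site
        if not path_matches(rule.path, path):
            continue
        if "*" not in rule.users and user not in rule.users:
            continue
        return rule.action, rule.name
    return "deny", "<default>"


# Constructed rule set: a deny rule for a few specific users placed ahead of
# the general allow rule (combined policy), plus an allow-only rule for a
# small set of administrators.
RULES = [
    Rule("block probationers", "deny", "mail.example.com", "/Mail/*", frozenset({"probie"})),
    Rule("publish OWA", "allow", "mail.example.com", "/Mail/*", frozenset({"*"})),
    Rule("publish admin", "allow", "oa.example.com", "/Admin/*", frozenset({"ops1", "ops2"})),
]


if __name__ == "__main__":
    for host, path, user in [
        ("mail.example.com", "/mail/inbox", "alice"),    # lowercase path still published
        ("mail.example.com", "/MAIL/inbox", "probie"),   # deny rule matched first
        ("oa.example.com", "/Admin/users", "ops1"),
        ("oa.example.com", "/Admin/users", "alice"),     # not in the allow list
        ("www.example.com", "/Mail/inbox", "alice"),     # public name mismatch
    ]:
        print(host, path, user, "->", evaluate(RULES, host, path, user))
```

Two points the run makes visible: the lowercase `/mail/inbox` request is served by a rule written as `/Mail/*`, which is exactly why the article recommends a capitalization convention, and a request to a host that is not the rule's public name is refused even though the path and user would otherwise match.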

  IV. Maintenance and Management of Web Listeners

When you publish with Forefront Security Gateway, you also need to understand how Web listeners are maintained and managed, because the system assigns a Web listener to each Web publishing rule. Put simply, a Web listener defines the network and the specific IP address and port on which incoming connections are accepted, and the number of concurrent client connections allowed.

I want to emphasize one point about the Web listener. It can be configured for HTTP authentication or form-based authentication. Note, however, that because the HTTP protocol is used in this case, client authentication takes place over HTTP without encryption. Since the user's identity information then travels across the network in plaintext, such configurations are often unsafe, and the option is therefore disabled by default. If you need this authentication method, you must enable it manually: open the Web listener properties, click Advanced on the Authentication tab, and select the "Allow client authentication over HTTP" check box. Doing so introduces some security risk, and other measures, such as IPsec encryption, may be needed to eliminate it.
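The listener's two enforcement points just described (the concurrent connection limit, and the default refusal of client authentication over HTTP) sit directly on the plaintext problem raised in the HTTPS section. The following is an added example written for this article, not Forefront TMG code: the `WebListener` fields, the decision strings and the captured request are constructed assumptions. It parses a constructed request, shows what an on-path observer could read from a Basic Authorization header on an HTTP listener (only the user name is returned here) and nothing on an HTTPS listener, and applies the listener's default gate.

```python
import base64
from dataclasses import dataclass


@dataclass
class WebListener:
    scheme: str                                 # "http" or "https"
    max_connections: int                        # concurrent client connections allowed
    allow_client_auth_over_http: bool = False   # disabled by default, as in the article


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict with
    lower-cased names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def cleartext_user(listener, raw):
    """Return the user name an on-path observer could read, or None.
    On an HTTP listener the Authorization header crosses the network as
    plaintext; on HTTPS the same header is inside the TLS tunnel."""
    if listener.scheme != "http":
        return None
    _, headers = parse_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, _ = base64.b64decode(token).decode("utf-8").partition(":")
    return user


def listener_decision(listener, raw, active_connections):
    """Decide whether the listener accepts the request, and why not."""
    if active_connections >= listener.max_connections:
        return "reject: connection limit reached"
    _, headers = parse_request(raw)
    if ("authorization" in headers and listener.scheme == "http"
            and not listener.allow_client_auth_over_http):
        return "reject: client authentication over HTTP is disabled"
    return "accept"


# Constructed request carrying Basic credentials (user "alice", constructed password).
SAMPLE = ("GET /Mail/ HTTP/1.1\r\n"
          "Host: mail.example.com\r\n"
          "Authorization: Basic " + base64.b64encode(b"alice:S3cret!").decode() + "\r\n"
          "\r\n")


if __name__ == "__main__":
    http_default = WebListener("http", max_connections=2)
    http_enabled = WebListener("http", max_connections=2, allow_client_auth_over_http=True)
    https = WebListener("https", max_connections=2)
    print("visible on HTTP listener :", cleartext_user(http_default, SAMPLE))
    print("visible on HTTPS listener:", cleartext_user(https, SAMPLE))
    print("HTTP, default gate       :", listener_decision(http_default, SAMPLE, 0))
    print("HTTP, gate enabled       :", listener_decision(http_enabled, SAMPLE, 0))
    print("HTTPS, limit reached     :", listener_decision(https, SAMPLE, 2))
```

The run shows why the default is what it is: the same request that yields a readable user name on the HTTP listener yields nothing on HTTPS, and the HTTP listener only admits the authenticated request once the "allow client authentication over HTTP" flag has been set explicitly.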
