Microsoft IAG SSLVPN Project - Design Document [Template]
Created by Idan on 9/29/2010 3:10:39 PM

[Type the company name]


Document Changes Tracking

Num | Author | Date | Document Version | Changes
1 | Idan Plotnik | 10/28/2008 | V 0.1 | Document Creation
2 |  |  |  |  
3 |  |  |  |  
4 |  |  |  |  

Document Changes Reviewers

Num | Author | Date | Document Version | Changes
1 | Idan Plotnik | 10/28/2008 | V 0.1 | Document Creation
2 |  |  |  |  
3 |  |  |  |  
4 |  |  |  |  

This is only an initial template - the final version will be available for download.

Table of Contents

1 Introduction
1.1 Background
1.2 Requirements
1.3 Goals
1.4 Out of Scope
2 High-Level Solution Technical Description
3 Network
3.1 Project Network Diagram
3.2 Networking
3.2.1 IP Addresses
3.2.2 DNS
3.2.3 WINS
3.2.4 Routing
3.3 Naming Convention
3.3.1 Computer Names
3.3.2 Domain Names
3.3.3 Organizational Units (OU)
3.3.4 Portal Names
3.4 Active Directory Structure Description
4 Security
4.1 Firewall Rules
4.2 Authentication
4.2.1 Passwords
4.3 SSL
4.4 IPSec
4.5 Security Policy
4.6 Logging
4.7 Reporting
4.8 SIM/SOC Integration
4.9 Windows Update
5 System
5.1 Backup
5.2 Restore
6 Redundancy and Load Balancing
6.1 Redundancy Architecture
6.2 Load Balancing Architecture
6.3 Routers
6.4 Switches
6.5 Physical Infrastructure
7 Application and Configuration
7.1 IAG Configuration
7.1.1 Trunks Design
7.2 IAG Customization
7.2.1 User Interface (UI) Look & Feel
8 Disaster Recovery (DRP)
9 Appendix A: Testing the Architecture per Module
10 Appendix B: Troubleshooting the Architecture per Module

 

1 Introduction

1.1 Background

1.2 Requirements

1.3 Goals

1.4 Out of Scope

2 High-Level Solution Technical Description

3 Network

3.1 Project Network Diagram

3.2 Networking

3.2.1 IP Addresses

3.2.2 DNS

3.2.3 WINS

3.2.4 Routing

3.3 Naming Convention

3.3.1 Computer Names

3.3.2 Domain Names

3.3.3 Organizational Units (OU)

3.3.4 Portal Names

3.4 Active Directory Structure Description

4 Security

4.1 Firewall Rules

4.2 Authentication

4.2.1 Passwords

4.2.1.1 IAG Passphrase

4.2.1.2 IAG Configuration Password

4.2.1.3 IAG System Policy Manager Password

4.3 SSL

4.4 IPSec

4.5 Security Policy

4.6 Logging

4.7 Reporting

4.8 SIM/SOC Integration

4.9 Windows Update

5 System

5.1 Backup

5.2 Restore

6 Redundancy and Load Balancing

6.1 Redundancy Architecture

6.2 Load Balancing Architecture

6.3 Routers

6.4 Switches

6.5 Physical Infrastructure

7 Application and Configuration

7.1 IAG Configuration

7.1.1 Trunks Design

7.1.1.1 Portal Trunks

[Fill in all the configuration you have done in your POC or what you want to implement in your production environment]

Trunk Name: [Fill in the name of the trunk]

Advanced Trunk Configuration - General

Web Logging
  Include Username in Log: Disable
  Include Username in Log: Grayed out

Debugging
  Debug Mode: Disabled

Trunk Name:

Advanced Trunk Configuration - Authentication

Authenticate User On Session Login:
Select Authentication Servers:
User Selects From a List of Servers:
Show Server Names:
User Must Provide Credentials On-the-Fly:
Use the Same User Name:
Enable Users to Add Credentials for Each Selected Server:
Enable Users to Change Their Passwords:
Notify User X Days Prior to Expiration:
Enable Users to Manage Their Credentials:
Enable Users to Select Language:
Skip Client Compliance Checks When Accessing a SharePoint Site Outside of a Session:
Login Page: Login.asp
On-the-Fly Login Page: Login.asp
Permitted Authentication Attempts: 3
Block Period: 0

Logoff Scheme
  Logoff URL: /InternalSite/LogoffMsg.asp
  Logoff Message: /InternalSite/LogoffMsg.asp
  Wait X Sec After Logoff URL to Terminate Session: 30
  Pass the Logoff to the Application Server:
  Send Logoff Response to the Browser:

Trunk Name:

Advanced Trunk Configuration - Session

Session Configuration
  Max Concurrent Sessions: 10000
  Concurrent Sessions Threshold: 0
  Max Concurrent Unauthenticated Sessions Threshold: 0
  Session Notification Timeout: 60
  Error Message URL: /InternalSite/InternalError.asp
  Disable Component Installation and Activation:
  Disable Scripting Before Application Start:
  Use Endpoint Certification:
  Verify User Name Against Certificate:
  Attachment Wiper Cleans Application-Specific Temporary Files:
  Use DNS Suffix:
  Bind Source IP to the Session:

Endpoint Policies
  Session Access Policy: Default Session Access
  Privileged Endpoint Policy: Default Privileged Endpoint
  Install Socket Forwarding Components Policy: Always
  Prompt User When Retrieving Information from Endpoint:

Default Session Settings
  Inactive Session Timeout (Seconds): 300
  Automatic Scheduled Logoff After: 60 Minutes
  Nullify Cookies on Logoff:
  Avoid Browser-Side Caching:
  Activate Attachment Wiper (ActiveX):
  Prompt User to Disconnect Channel When Portal Is Closed Without Logoff:
  Re-open Portal if User Selects to Keep Channel Open:

Privileged Session Settings
  Inactive Session Timeout (Seconds): 1800
  Automatic Scheduled Logoff After: 1440
  Nullify Cookies on Logoff:
  Avoid Browser-Side Caching:
  Activate Attachment Wiper (ActiveX):
  Prompt User to Disconnect Channel When Portal Is Closed Without Logoff:
  Re-open Portal if User Selects to Keep Channel Open:

Endpoint Settings
  Uninstall Socket Forwarding Component:
  Add Site to Pop-Up Blocker's Sites:

Trunk Name:

Advanced Trunk Configuration - Application Customization

Enable Application Customization:
Select Customized Template: Automatic / Other (Manual Configuration)

Search and Replace on Content-Type
  text/.*
  application/x-javascrip.*

Compression Handling in Responses
  Support GZip Compression of Listed URL Extensions:

Trunk Name:

Advanced Trunk Configuration - Application Access Portal

Skip Body Parsing
  Don't parse the bodies of these requests:
    Server:
    URLs:
  Don't parse the bodies of the responses to these requests:
    Server:
    URLs:

Manual URL Replacement
  URL:
  To URL:
  Type:
  Server Name:
  Use SSL:
  Port:

Search and Replace Response Content
  Handle responses to requests for these URLs if not previously handled by a specific parser:
    Server:
    URLs:

Trunk Name:

Advanced Trunk Configuration - URL Inspection

Valid Methods
  Available Methods in the System:
  Methods in "DEFAULT" Group:
  (This list is used by the URL Set when the Methods field is set to DEFAULT.)

URL Set Level
  Type:

Out-Of-The-Box Security Configuration
  Type:
  Legal Characters:
  Forbid Encoding of:
  Include NULL:
  Enable %u Encoding:
  Check Global Out-Of-The-Box Rules:

General Options
  Max Post/Put Data: -1
  Block "Negotiate" Authorization Header:

Trunk Name:

Advanced Trunk Configuration - Global URL Settings

The following parameter list is automatically added to each rule configured in the URL List.

Global Parameter List
  Name:
  Name Type:
  Value:
  Value Type:
  Length:
  Existence:

Rejected Values
  Reject the request if a parameter value matches any of the following regular expressions:

URL Settings
  Download URLs:
    Type:
    URL:
    Method:
  Upload URLs:
    Type:
    URL:
    Method:
    Check Content:
    Check Parameters:
      Parameter Name:
      Parameter Value:
      Check Value:
  Restricted Zone URLs:
  Ignore Requests in Timeout Calculations:
    Type:
    URL:
    Method:

Trunk Name:

Advanced Trunk Configuration - URL Set

URL List
  Num:
  Name:
  Action:
  URL:
  Parameters:
  Note:
  Methods:
  All Other URLs Will Be Rejected

Parameter List
  Num:
  Name:
  Name Type:
  Value:
  Value Type:
  Length:
  Existence:
  Unlisted Parameters: Reject / Accept
  Max Name Length: -1
  Max Value Length: -1
  Allowed Occurrences: Multiple
  Max Total Length: -1
  Rejected Values Checking: On

Export
Import
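The URL Set and Parameter List tabs describe a positive security model: a request passes only if its URL, method and parameters match a listed rule, and "All Other URLs Will Be Rejected". To make that behaviour concrete, the following Python example, added for this page (it is not IAG code and not part of the original template), evaluates constructed sample requests against rules built from the same fields. Assumptions made here, not stated in the template: rules are checked top to bottom and the first URL-and-method match wins; "Length" in the Parameter List caps the decoded value length; the Rejected Values patterns are searched against each decoded value; all rule names, paths and sample requests are made up.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl


@dataclass(frozen=True)
class ParamRule:
    """One row of the Parameter List (field names follow the template)."""
    name: str
    name_type: str = "string"      # "string" = exact match, "regex" = pattern
    value: str = ".*"
    value_type: str = "regex"      # "string" = exact match, "regex" = pattern
    length: int = -1               # max value length; -1 = unlimited (as in the tab)
    existence: str = "optional"    # "mandatory" or "optional"

    def matches_name(self, name: str) -> bool:
        if self.name_type == "regex":
            return re.fullmatch(self.name, name) is not None
        return name == self.name

    def accepts_value(self, val: str) -> bool:
        if self.length != -1 and len(val) > self.length:
            return False
        if self.value_type == "regex":
            return re.fullmatch(self.value, val) is not None
        return val == self.value


@dataclass(frozen=True)
class UrlRule:
    """One row of the URL List plus its Parameter List settings."""
    name: str
    url: str                               # regex matched against the path
    methods: tuple = ("GET",)
    params: tuple = ()                     # ParamRule entries
    unlisted_parameters: str = "reject"    # "reject" or "accept"
    max_name_length: int = -1
    max_value_length: int = -1
    max_total_length: int = -1             # whole query string; -1 = unlimited
    allowed_occurrences: str = "multiple"  # or "single"
    rejected_values_checking: bool = True


def check_request(rules, rejected_values, method, request_uri):
    """Return (allowed, reason). First rule matching URL and method wins
    (assumed ordering); a request no rule matches is rejected."""
    parts = urlsplit(request_uri)
    path, query = parts.path, parts.query
    rule = next((r for r in rules if re.fullmatch(r.url, path)
                 and method.upper() in r.methods), None)
    if rule is None:
        return False, f"no URL rule matches {method} {path}; all other URLs are rejected"
    if rule.max_total_length != -1 and len(query) > rule.max_total_length:
        return False, f"{rule.name}: query exceeds max total length"
    pairs = parse_qsl(query, keep_blank_values=True)   # decodes %XX escapes
    seen = set()
    for name, val in pairs:
        if rule.max_name_length != -1 and len(name) > rule.max_name_length:
            return False, f"{rule.name}: parameter name '{name}' too long"
        if rule.max_value_length != -1 and len(val) > rule.max_value_length:
            return False, f"{rule.name}: value of '{name}' too long"
        if rule.allowed_occurrences == "single" and name in seen:
            return False, f"{rule.name}: parameter '{name}' repeated"
        seen.add(name)
        if rule.rejected_values_checking and any(re.search(p, val) for p in rejected_values):
            return False, f"{rule.name}: value of '{name}' matches a rejected-values pattern"
        prule = next((p for p in rule.params if p.matches_name(name)), None)
        if prule is None:
            if rule.unlisted_parameters == "reject":
                return False, f"{rule.name}: unlisted parameter '{name}' rejected"
            continue
        if not prule.accepts_value(val):
            return False, f"{rule.name}: value of '{name}' fails its parameter rule"
    for prule in rule.params:
        if prule.existence == "mandatory" and not any(prule.matches_name(n) for n, _ in pairs):
            return False, f"{rule.name}: mandatory parameter '{prule.name}' missing"
    return True, f"{rule.name}: accepted"


# Constructed sample rule set (hypothetical names and paths).
RULES = (
    UrlRule(name="Login page", url=r"/InternalSite/Login\.asp", methods=("GET", "POST"),
            params=(ParamRule("user", length=64, existence="mandatory"),
                    ParamRule("lang", value=r"[a-z]{2}"))),
    UrlRule(name="Portal static content", url=r"/InternalSite/.*\.(css|js|gif)",
            unlisted_parameters="accept", max_value_length=32),
)
# Constructed Rejected Values list: a script tag fragment and an embedded NUL byte.
REJECTED_VALUES = (r"<script", r"\x00")

if __name__ == "__main__":
    for m, uri in (("GET", "/InternalSite/Login.asp?user=alice&lang=en"),
                   ("GET", "/InternalSite/Login.asp?user=alice&debug=1"),
                   ("GET", "/InternalSite/Login.asp?user=alice%00&lang=en"),
                   ("DELETE", "/InternalSite/Login.asp"),
                   ("GET", "/InternalSite/styles.css?v=12")):
        print(m, uri, "->", check_request(RULES, REJECTED_VALUES, m, uri))
```

The value of walking through it is seeing how each template field maps to a distinct rejection reason: an unlisted parameter, a missing mandatory one, an over-long value, a method outside the rule's list, or a URL that matches nothing at all, which is what "All Other URLs Will Be Rejected" means in practice.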

 

 

7.1.1.2 Basic Trunks

7.1.1.3 WebMail Trunks

7.1.1.4 Public Trunks

7.2 IAG Customization

7.2.1 User Interface (UI) Look & Feel

8 Disaster Recovery (DRP)

9 Appendix A: Testing the Architecture per Module

10 Appendix B: Troubleshooting the Architecture per Module
