
access control list (ACL)
A level of permission that can be set on a file or a directory allowing specified users access within an NTFS directory. An access control entry (ACE) is an entry in the list.

ACL
See access control list (ACL).

active caching
A mechanism used to automatically initiate new requests to update cached file objects without user intervention. Requests can be activated based on the length of time an object has been cached or was last retrieved from the source location of the object. This type of caching can be used to ensure the freshness of specified data within the cache. See also passive caching.

address spoofing
See spoofing.

Advanced Digest authentication
An improved version of Digest authentication that is provided for user accounts stored in Active Directory in a Windows Server 2003 domain. With this method, user credentials are stored on domain controllers as an MD5 hash, rather than in a reversibly encrypted form, and cannot feasibly be recovered by anyone with access to a domain controller. See also Basic authentication and Integrated authentication.

alerting
A feature that notifies administrators about suspicious network events, such as rejected packets, protocol violations, and a full hard disk. Alerts can log events to the system event log, run a specified command line, send an SMTP email message to specified recipients, and stop or start specified Forefront TMG services.

API
See application programming interface (API).

application filter
A firewall extension that registers for and processes events related to connection with another network. Application filters are typically designed to enhance the security provided by a firewall by excluding or modifying data that approaches the network.

application gateway
Computer software intended to maintain security on a secluded network yet allow certain traffic to go between the private network and the outside world. See also firewall.

application programming interface (API)
A set of routines used by an application to direct the performance of procedures by a computer's operating system.
array
An administrative unit that provides access to Forefront TMG configuration settings that are contained in the hierarchy of administration COM objects. Each Forefront TMG computer is associated with a single array. When two or more Forefront TMG computers are associated with the same array, the array members can be managed as a single, logical entity and can provide distributed caching, load balancing, and fault tolerance. In Forefront TMG Standard Edition, only one Forefront TMG computer is associated with the array.

array manager
A Forefront TMG server that is designated as the only array member for maintaining the array-level configuration and distributing updates to all the other array members in a standalone array containing multiple Forefront TMG servers. An array manager is a Configuration Storage server and maintains the configuration for the entire array using Active Directory Lightweight Directory Services (AD LDS), the ISASTGCTRL service, and the Microsoft Forefront TMG Storage (ISASTG) service.

array member
A Forefront TMG server that is joined to an array.

asynchronous I/O
A feature that allows some input/output (I/O) functions to return immediately, even though an I/O request is still pending. Asynchronous I/O enables an application to continue with other processing and wait for the I/O to be completed at a later time. Asynchronous I/O is also called overlapped I/O.

authentication
Verification of the identity of a user or system entity to determine permission to access a resource or perform an operation. See also Basic authentication, Integrated authentication, Digest authentication, Advanced Digest authentication, and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

autodial
A component of Forefront TMG that enables users to automatically connect to remote networks, such as the Internet, during predetermined times.

bandwidth
The data transfer capacity of a digital communications system.
bandwidth control
The practice of setting the maximum network capacity that a service is allowed to use. You can deliberately limit a server's workload by not allowing it to receive requests at full capacity, saving resources for other programs, such as email.

Basic authentication
An authentication method that encodes the user name and password before transmitting them over the network. Basic authentication is also called cleartext authentication because the encoding (base-64) can be decoded by anyone with a freely available decoding utility. Note that encoding is not the same as encryption. See also Digest authentication, Advanced Digest authentication, and Integrated authentication.

BIND service
See Domain Name System (DNS).

binding
A process that establishes the initial communication channel between the protocol driver and the network adapter driver.

bitmask
A numeric value intended for a bit-by-bit value comparison with other numeric values, typically to flag options in parameters or return values. Usually this comparison is done with bitwise logical operators, such as And and Or in Visual Basic, and ampersand (&) and pipe (|) in C++.

browser
An application for navigating and accessing information on either the Internet or an intranet.

cache
A store of frequently retrieved objects and URLs located on the cache drive of a Forefront TMG computer. Instead of retrieving an object directly from an Internet Web server, the object is stored in and retrieved from the cache instead. Caches improve network performance by reducing the number of objects retrieved from the Internet based on their popularity.

cache drive
A hard disk partition where cached content is stored on a Forefront TMG computer that is configured for caching. Each cache drive is identified by its drive letter (C:, D:, etc.), and each cache drive has a specified amount of space, in megabytes, that can be allocated for caching.

certificate
See digital certificate.

CGI
See Common Gateway Interface (CGI).
chaining
A method to link multiple Forefront TMG computers together for routing requests among them. Communication is in an upstream, hierarchical order.

challenge/response
See Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

clear text
See Basic authentication.

COM object
A programming structure that includes both data and functionality. A COM object is defined and allocated as a single unit. The only public access to a COM object is through the programming structure's interfaces. At a minimum, a COM object must support the IUnknown interface, which maintains the object's existence while it is being used and provides access to the object's other interfaces.

Common Gateway Interface (CGI)
A standard interface for HTTP server applications. It is used by an application that runs on a server to generate dynamic content based on parameters sent by the requesting Web browser.

completion port
See I/O completion port.

connection object
In application filters, a COM object that implements the IFWXConnection interface and represents a single connection within the Microsoft Firewall service.

credentials
Information that is supplied by a user or system entity to state and prove its identity. Credentials are used in authentication methods for verifying the identity of users and system entities, such as client computers and servers.

cryptographic service provider
A software module that implements cryptography algorithms for authentication, encoding, and encryption.

DACL
See discretionary access control list (DACL).

data filter
A component of an application filter that monitors content, as in a check for viruses, and that can also modify content.

data filter object
In application filters, a COM object that implements the IFWXDataFilter interface.

data packet
A sequence of binary digits, including data and control signals, that is transmitted and switched as a composite whole. The data, control signals, and, possibly, error control information are arranged in a specific format.

data source name (DSN)
The logical name that allows a connection to an Open Database Connectivity (ODBC) data source, such as a SQL Server database.
demand-dial connections
A process used by autodial to perform on-demand outgoing connections either to an Internet service provider or to a corporate office from a branch office.

DHCP
See Dynamic Host Configuration Protocol (DHCP).

Digest authentication
An authentication method for HTTP clients, in which an encrypted digest or hash of the user's credentials and additional data is created in a process known as hashing. This way, no other user can impersonate the original sender of the request. A hash cannot feasibly be decrypted to recover the original user name and password. Digest authentication can be used only in Windows Server 2008, Windows Server 2003, and Windows 2000 domains for users who have an account stored in Active Directory. See also Basic authentication, Integrated authentication, and Advanced Digest authentication.

digital certificate
A digital document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standard.

discretionary access control list (DACL)
A list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object.

distributed caching
The caching of Internet objects in an array or chain of Forefront TMG computers, providing load balancing and fault tolerance. Client requests are sent through the array, to upstream Forefront TMG computers, or any combination thereof.

DNS
See Domain Name System (DNS).

DNS spoofing
See spoofing.

domain name
The computer name that substitutes for a network IP address. For example, www.microsoft.com is a computer name that represents the IP address 157.45.60.81. A computer name is also called a friendly name. See also Domain Name System (DNS).

Domain Name System (DNS)
A protocol and computer-naming hierarchy used throughout the Internet to map computer IP addresses to their domain names. DNS is sometimes referred to as the BIND service.

driver
A software component that allows a computer to send and receive information to and from a hardware device.

DSN
See data source name (DSN).

dynamic filters
Filters that are automatically started by the Microsoft Firewall service, Web proxy, or SOCKS proxy service. This feature allows the Forefront TMG services to automatically open and close communication ports on the external interface when transmission of packets is needed.

Dynamic Host Configuration Protocol (DHCP)
A protocol that offers dynamic assignment of IP addresses and related information for temporarily connected network users. DHCP provides safe, reliable, and simple TCP/IP network configuration, prevents address conflicts, and helps conserve the use of IP addresses through centralized management of address allocation.

encryption
The process of making information indecipherable to protect it from unauthorized viewing or use, especially during network transmission or when it is stored on a transportable magnetic medium.

Enterprise Management Server (EMS)
A Forefront TMG computer that can store the configurations of multiple arrays and the enterprise-level configuration settings in an enterprise and can be used to centrally manage the arrays. An EMS is a Configuration Storage server and stores the configurations using Active Directory Lightweight Directory Services (AD LDS), the ISASTGCTRL service, and the Microsoft Forefront TMG Storage (ISASTG) service. An enterprise can have a primary EMS and a replica, or alternate, EMS.

FAT
See file allocation table (FAT).
fault tolerance
The ability of Forefront TMGs in a domain array to take over the responsibilities of a failed server.

file allocation table (FAT)
A table or list maintained by some operating systems to keep track of the status of various segments of disk space used for file storage. See also NTFS file system.

File Transfer Protocol (FTP)
The Internet standard protocol for transferring files between computers. FTP uses the Telnet and TCP protocols. The server requires a client to supply a logon user name and password before honoring requests.

filter
A means of excluding information that does not match a predefined set of specifications. See application filter.

filter object
In application filters, a COM object that implements the IFWXFilter interface. Every application filter must include a filter object. When the Microsoft Firewall service starts, it creates an instance of the filter object for each application filter that is installed on the Forefront TMG computer and enabled. All filter objects are destroyed when the Microsoft Firewall service shuts down.

firewall
A security system intended to protect an organization's network against external threats, such as hackers coming from another network, such as the Internet. See also application gateway.

firewall event
Any of several events that the Microsoft Firewall service triggers in response to occurrences of specific types.

Firewall service
See Microsoft Firewall service.

Firewall service completion port
See I/O completion port.

Forefront TMG Management
The interface tool used to manage Forefront TMG computers.

forward caching
Caching that is implemented for clients on a source network that are sending outgoing requests to servers on a destination network.

forward proxy
A Web proxy scenario where internal clients access the Internet.

FQDN
See fully qualified domain name (FQDN).

FTP
See File Transfer Protocol (FTP).

full proxy mode
A reverse proxy mode with source network address translation (NAT), in which the IP address of a client sending requests to a published server is translated to an IP address of the network adapter on the Forefront TMG computer that is connected to the network where the published server resides if there is a NAT network relationship between the source and destination networks.

fully qualified domain name (FQDN)
In TCP/IP, host names with their domain names appended to them. For example, a computer with host name zebra and domain name microsoft.com has an FQDN of zebra.microsoft.com. See also Domain Name System (DNS).
gateway
A device that routes data packets between multiple TCP/IP networks having dissimilar transport protocols. Forefront TMG can act as a gateway between an internal network (an intranet) and the public network (the Internet). See also router.

Generic Route Encapsulation (GRE)
A protocol that is used in conjunction with the Point-to-Point Tunneling Protocol (PPTP) to create virtual private networks (VPNs). After the PPTP control session has been established, GRE is used to encapsulate the data or payload in a secure manner.

globally unique identifier (GUID)
A 128-bit value that uniquely identifies objects such as OLE servers, interfaces, manager entry-point vectors, and client objects.

GRE
See Generic Route Encapsulation (GRE).

group
In a network, an account containing user accounts that are called members. The permissions and rights granted to a group are also provided to its members, making groups a convenient way to grant common capabilities to collections of user accounts. Groups are assigned unique names within a domain.

GUID
See globally unique identifier (GUID).

H.323 protocol
The International Telecommunications Union - Telecommunications (ITU-T) standard protocol for real-time multimedia communications and conferencing over packet-based networks.

hash
A mathematical algorithm used for routing client requests within an array or a chain. The result of the hash determines to which specific Forefront TMG computer the client request is sent.

header
In data packet communications, a specified number of bytes that precedes the actual data being transmitted. It identifies control information used to deliver, route, and process the data contents of a packet.

hierarchical caching
The forwarding of a client HTTP request from one Forefront TMG computer to another Forefront TMG computer upstream. The downstream (source) Forefront TMG computer forwards client requests that it cannot service from its own cache. Hierarchical caching uses upstream routing and is a subset of distributed caching.

host name
The name given to a computer that is part of a network domain and used for client authentication. Also called the computer name. See also fully qualified domain name (FQDN).

HTML
See Hypertext Markup Language (HTML).

HTTP
See Hypertext Transfer Protocol (HTTP).

Hypertext Markup Language (HTML)
A markup language derived from the Standard Generalized Markup Language (SGML). HTML is used to create a text document with formatting specifications that tell a software browser how to display the page or pages included in the document.

Hypertext Transfer Protocol (HTTP)
An application-level client/server protocol used to transfer information over the World Wide Web. Web browsers use this protocol to send requests to Web servers, and Web servers use it to send responses back to Web browsers.

IANA
See Internet Assigned Number Authority (IANA).

ICMP
See Internet Control Message Protocol (ICMP).

IIS
See Internet Information Services (IIS).

inbound access
The ability to send information from an external network, such as the Internet, to an internal or external network.

Integrated authentication
A secure form of authentication, where the user name and password are hashed before being sent across the network. Users are authenticated by using either the Kerberos V5 authentication protocol, the NTLM authentication protocol, or a challenge/response authentication protocol. See also Basic authentication, Digest authentication, and Advanced Digest authentication.

Integrated Services Digital Network (ISDN)
A dial-up connection to the Internet installed by your Internet service provider (ISP) or telephone company. An ISDN line can offer speeds up to 128,000 bits per second (bps) and must be installed at both the server site and the remote site.

interactive application
A program written in C, Perl, or as a Windows batch file. The user initiates the program by clicking a link in a hypertext document.

Internet Assigned Number Authority (IANA)
A regulatory organization that is responsible for the assignment and registration of the values of unique parameters for Internet protocols. These values include top-level domain names, IP addresses, port numbers, protocol and enterprise numbers, content types, content subtypes, character sets, and access types.

Internet Control Message Protocol (ICMP)
The Internet standard protocol subset of IP that handles control and error messages. Gateways use ICMP to send problem reports on packets back to the source that sent the packet.

Internet Information Services (IIS)
The Microsoft Internet server feature designed for implementing and managing Web sites. Although IIS supports multiple protocols, it primarily transmits information in HTML pages by using HTTP. Forefront TMG integrates fully with IIS.

Internet Protocol (IP)
The Internet standard routing protocol that defines the IP datagram as the unit of data transfer and provides the IP address scheme to route packets from one network location to another. IP includes the ICMP protocol. The Internet Protocol suite is often called Transmission Control Protocol/Internet Protocol (TCP/IP).

Internet Protocol security (IPsec)
A set of standards that are used to implement virtual private networks (VPNs). IPsec supports a tunnel mode, in which both the packet header and the payload are encrypted.

I/O completion port
A Windows construct that efficiently manages threads used for asynchronous input/output (I/O). An I/O completion port is created by the operating system at the request of Forefront TMG.

IP
See Internet Protocol (IP).

IPsec
See Internet Protocol security (IPsec).

ISDN
See Integrated Services Digital Network (ISDN).

Kerberos
A network authentication protocol supporting authentication services.

L2TP
See Layer Two Tunneling Protocol (L2TP).

LAT
See local address table (LAT).

Layer Two Tunneling Protocol (L2TP)
An industry-standard Internet tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. The Microsoft implementation of L2TP uses Internet Protocol security (IPsec) encryption.

layered service provider (LSP)
A service that provides higher-level custom communication functions and relies on services provided by an underlying base provider. In particular, Forefront TMG Client is a layered service provider that extends Winsock 2 from the client to the Forefront TMG server and uses the underlying base TCP/IP service provider to communicate with the Forefront TMG server.

LDAP
See Lightweight Directory Access Protocol (LDAP).

Lightweight Directory Access Protocol (LDAP)
The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) version 3 is defined as a Proposed Standard in Internet Engineering Task Force (IETF) RFC 3377.

load balancing
A method to distribute client requests among Forefront TMG computers. If one Forefront TMG computer is unavailable, another server can accept the request, preventing an interruption in service.
local address table (LAT)
A table of all the IP address ranges on the Forefront TMG network in which a Firewall client resides. If Firewall client support is enabled for a specific network, all the IP address ranges included in that network are distributed to Firewall clients residing in the network and stored in memory by the Firewall Client Agent service (FwcAgent). Firewall clients recognize IP addresses that are included in the IP address ranges in the LAT as local destinations that can be contacted directly. The LAT is updated periodically by Forefront TMG.

LSP
See layered service provider (LSP).

member server
A server that has been assigned to a domain but is not designated as either the primary domain controller (PDC) or the backup domain controller (BDC) within the assigned domain.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
A method of authentication in which a server uses Windows Server 2003 security to allow access to its resources.

Microsoft Firewall service
An API service used by Forefront TMG that inspects traffic along connections between source and destination computers in user mode to determine whether to allow or deny it based on rules that are associated with specific protocols. Traffic can be directed to extensions of the Firewall service, called application filters, for deeper inspection before allowing or denying it. The Firewall service also provides a DNS cache, connectivity monitoring, logging, network configuration detection, and automatic dialing.

Microsoft Management Console (MMC)
General, ISV-extensible common management console in Windows operating systems. The MMC console is a Windows-based multiple document interface (MDI) application. MMC provides no management behavior, but instead provides a common environment for snap-ins, which provide the actual management functionality.

MIME
See Multipurpose Internet Mail Extensions (MIME).

MMC
See Microsoft Management Console (MMC).
MS-CHAP
See Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

multihomed
A computer with network connections to multiple separate physical networks.

Multipurpose Internet Mail Extensions (MIME)
An Internet standard that extends the format of email to support non-ASCII character sets, non-text file attachments, message bodies with multiple parts, and header information written in non-ASCII characters. MIME standards are also used in other communication protocols, such as HTTP.

name resolution
The process of mapping a computer name (friendly name) into its corresponding numeric IP address.

namespace
A tree-formatted, ordered list of all the nodes available in the current tool. The display of the namespace is similar to a folder and directory structure on a hard drive. It is required for the Domain Name System (DNS) to work properly. The DNS namespace is hierarchical in nature and allows host names to be stated in absolute or relative terms. Absolute names, or fully qualified domain names (FQDNs), are defined from the root of the namespace and uniquely identify a node in the hierarchy. Relative names are represented relative to a name in the hierarchy.

NAT
See network address translation (NAT).

negative caching
The caching of HTTP error conditions associated with accessing a particular URL. If the URL is unavailable, the error response message can be cached and returned to subsequent clients that request the same URL.

NetBIOS
See network basic input/output system (NetBIOS).

network address translation (NAT)
The process that a computer forwarding packets uses to convert the IP addresses and TCP/UDP port numbers of packets from the private values that are used on the source network to public values that are recognized on the destination network. See also secure network address translation (SecureNAT).

network adapter
A hardware device that enables a computer to connect to a network. A network adapter in the form of a card that can be inserted into a motherboard slot is sometimes called a network interface card (NIC).

network basic input/output system (NetBIOS)
An API that can be used by applications on a local area network (LAN). NetBIOS provides applications with a uniform set of commands for mapping input/output (I/O) operations into equivalent network operations.

Network News Transfer Protocol (NNTP)
The Internet standard protocol for posting, distributing, and reading network news messages posted among news groups on the Internet. Messages are posted to NNTP servers and are accessed by NNTP clients (newsreaders).

Network Policy Server (NPS)
The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server 2008. NPS supersedes the Internet Authentication Service (IAS). When acting as a Network Access Protection (NAP) health policy server, NPS performs system health evaluation for NAP clients based on configured health and network policies.

NNTP
See Network News Transfer Protocol (NNTP).

NTFS file system
An advanced file system that supports file system recovery, very large storage media, and object-oriented applications. NTFS also offers enhanced security over the older FAT file system.

ODBC
See Open Database Connectivity (ODBC).

Open Database Connectivity (ODBC)
An API that enables applications to access data from a variety of database systems.

overlapped I/O
See asynchronous I/O.

passive caching
In this type of service, data is cached and discarded entirely on the basis of object size, popularity, or time since the requested object was last updated in the cache. Frequently referred to as on-demand caching because all caching updates are user-initiated. See also active caching.

password authentication
See authentication.

ping
A TCP/IP utility that verifies connections to one or more remote computers by sending ICMP packets and listening for reply packets.

plug-in
A third-party application that is installed to extend and enhance the functionality of Forefront TMG.

Point-to-Point Protocol (PPP)
A communications protocol that allows a computer to connect to other computers over a standard dial-up telephone line using a high-speed modem.

Point-to-Point Tunneling Protocol (PPTP)
A networking protocol that enables remote users to access corporate networks securely across the Internet by dialing into an Internet service provider (ISP) or by connecting directly to the Internet. PPTP supports multiprotocol virtual private networks (VPNs). Because PPTP allows multiprotocol encapsulation, users can send any packet type over an IP network.

POP
See Post Office Protocol (POP).

popularity
A measure of the frequency with which objects or URLs are requested by client applications, such as Web browsers. See also cache.

port number
A number that identifies a certain Internet application with a specific connection. Ports are used in TCP to name the ends of logical connections that carry long-term conversations.

Post Office Protocol (POP)
A network protocol that permits a client computer to access email on a server. Usually, this means that a POP3 server is used to allow a client computer to retrieve mail that an SMTP server is holding for it.

PPP
See Point-to-Point Protocol (PPP).

PPTP
See Point-to-Point Tunneling Protocol (PPTP).

protocol
A set of rules and conventions for sending information over a network. These rules govern the content, format, timing, sequencing, and error control of messages exchanged among network devices. The family of networking protocols for communication across interconnected networks and the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP). Forefront TMG policy rules use protocol definitions to identify individual protocols. A protocol definition may include a set of primary connections, a set of secondary connections, and a set of application filters that are associated with the protocol. Each connection, in turn, is defined by the name of an IP protocol, a port number, and a direction, which may be outbound or inbound.

proxy
A software component that connects a user to a remote destination through an intermediary gateway.

proxy client
A client computer that must use a proxy server to gain access to network services not directly supported for client usage.

proxy server
A computer that acts as a relay between remote servers and clients to intercept requests and process communications on behalf of proxy clients.
publishing
The process that allows computers remote from a Forefront TMG computer to publish to the Internet. Publishing includes reverse hosting and secure Web publishing.

QoS
See Quality of Service (QoS).

Quality of Service (QoS)
A set of quality assurance standards and mechanisms for data transmission.

RADIUS
See Remote Authentication Dial-In User Service (RADIUS).

RADIUS accounting
The user log on and log off accounting method used by the Remote Authentication Dial-in User Service (RADIUS) protocol. For more information see RADIUS Authentication and Accounting.

RADIUS authentication
The authentication method used by the Remote Authentication Dial-in User Service (RADIUS) protocol. For more information see RADIUS Authentication and Accounting.

Remote Authentication Dial-in User Service (RADIUS)
An industry-standard protocol that is used to transmit authentication, authorization, and configuration information between a Forefront TMG computer and an authenticating server, called a RADIUS server, with a database that stores user information. For more information see RADIUS Protocol.

remote administration
The practice of administering a computer from another computer connected across the network.

remote procedure call (RPC)
A message-passing facility that allows a distributed application to call services available on various computers in a network. RPC is used during remote administration of computers.

remote socket
An external socket on the Forefront TMG computer that listens to or connects to the Internet. The remote socket represents the client's internal socket.

Report Definition Language (RDL)
A set of standards for creating XML definitions of reports, report categories, report parameters, and other report objects that are typically stored in .rdl files for use with SQL Server Reporting Services.

reverse caching
Caching implemented for incoming requests to a published Web server.

reverse hosting
The process by which any server sitting behind a Forefront TMG can publish to the Internet. See also secure Web publishing and publishing.
reverse proxy A Web proxy scenario where a Forefront TMG computer passes content received from a published Web server to an end user at the end user's request.

router An intermediary device on a communications network that expedites message delivery.

routing The process of forwarding packets to other routers. Routing is used with arrays to direct client requests for Internet objects. Routing is done in conjunction with arrays, chained Forefront TMG computers, or directly to the Internet.

Routing and Remote Access Service A Microsoft-developed service that allows remote client computers running Microsoft dial-up networking, all Microsoft RAS clients, or any third-party PPP client to dial in to a network server (RAS server). RAS servers can also be configured to allow local client computers to dial out to servers outside an internal network.

RPC See remote procedure call (RPC).

secure network address translation (SecureNAT) The Forefront TMG extension of the Windows network address translation (NAT) feature. SecureNAT provides a degree of address transparency for networked clients. NAT substitutes a global IP address, valid on the Internet, for an internal IP address. Forefront TMG enhances the underlying Windows NAT functionality by enabling access control for FTP, Windows NetMeeting for H.323, and T-120 protocols. It also enables rerouting HTTP requests, which can then frequently be satisfied by a local cache. This enhancement greatly improves HTTP performance and lowers bandwidth requirements.

Secure Socket Tunneling Protocol (SSTP) A VPN protocol that uses an HTTP-over-SSL session between VPN clients and servers over port 443 to enable PPP negotiation between the client and server with authentication and the subsequent exchange of encapsulated IP packets.

Secure Sockets Layer (SSL) A protocol that supplies secure data communication through data encryption and decryption. SSL enables communications privacy over networks.

secure Web publishing The process by which a server behind a Forefront TMG computer can publish to the World Wide Web (WWW) without compromising security. See also reverse hosting and publishing.

SecureNAT See secure network address translation (SecureNAT).

security identifier (SID) A unique string value of variable length that identifies a user, group, or computer account. Every Windows account on a network is issued a unique SID when the account is first created. Generic users and generic groups are identified by well-known SIDs.

server certificate A digital certificate (SSL certificate) installed on a server and used by the server to authenticate itself to a client.

session filter object In application filters, a COM object that implements an IFWXSessionFilter interface. A session filter object is created by an application filter for a specific session (client computer) when the Microsoft Firewall service raises a network event for which the application filter is registered.

Session Description Protocol (SDP) An Internet Engineering Task Force (IETF) proposed standard protocol that defines a format for describing streaming media session parameters (session descriptors) in an ASCII string and is used for session announcement, session invitation, and other forms of multimedia session initiation.

Session Initiation Protocol (SIP) An Internet Engineering Task Force (IETF) standard protocol for initiating interactive multimedia user sessions and Internet telephony calls. SIP supports name mapping and redirection.

sender reputation level (SRL) A number between 0 and 9 that indicates the probability that a specific sender is a spammer or a malicious sender. A value of 0 indicates that a message sent by the sender is probably not spam. Values of 1 through 9 indicate increasing probabilities that a message sent by the sender is spam.

SID See security identifier (SID).

Simple Mail Transfer Protocol (SMTP) An Internet standard protocol used for exchanging email messages between SMTP servers on the Internet.

SMTP See Simple Mail Transfer Protocol (SMTP).

snap-in Software that makes up the smallest unit of console extension. One snap-in represents one unit of management behavior (for example, the event log viewer is a functional unit of management and thus a good candidate to become a snap-in). Snap-ins are COM in-process servers that are implemented as dynamic-link libraries (DLLs).

socket An endpoint of a logical communications channel used by TCP/IP applications. Sockets are defined in data structures by using a combination of device IP addresses and reserved TCP/UDP port numbers to indicate connection and delivery service information. See also Windows Sockets (Winsock).

SOCKS A protocol for traversing firewalls in a secure and controlled manner, made available to the public by the Internet Engineering Task Force (IETF).

source NAT See full proxy mode.

spam confidence level (SCL) A normalized value that is calculated using a spam filtering algorithm from characteristics of an email message, such as its content and headers, and indicates the likelihood that the message is spam. A value of 0 indicates that the message is probably not spam. Values of 1 through 9 indicate increasing probabilities that the message is spam.

spoofing The practice of making a transmission appear to come from an authorized user. For example, in DNS spoofing, the DNS name of another system is assumed either by corrupting a name-service cache or by compromising a domain-name server for a valid domain.

SQL See Structured Query Language (SQL).

SQL server A server that uses the Structured Query Language (SQL) to query, update, and manage a relational database.

SSL See Secure Sockets Layer (SSL).

SSL certificate See digital certificate.

Structured Query Language (SQL) A database query and programming language widely used for accessing data in, querying, updating, and managing relational database systems. See also SQL server.

subnet mask A TCP/IP configuration parameter that extracts network and host configuration data from an IP address. This 32-bit value enables the recipient of IP packets to distinguish the network ID portion (domain name) of the IP address from the host ID (host name).

TCP See Transmission Control Protocol (TCP).

TCP/IP See Transmission Control Protocol/Internet Protocol (TCP/IP).

Telnet The Internet standard protocol for remote terminal connection service. Telnet allows a user to interact with the remote computer as if the user were on a terminal directly connected to the remote computer.

Time to Live (TTL) A standard field in a TCP/IP header that indicates an age-of-expiration value that is examined by receiving hosts. Data with active TTL values is maintained and forwarded on the network; data with expired TTL values is discarded.
Transmission Control Protocol (TCP) The Internet standard transport protocol that provides the reliable, two-way connected service that allows an application to send a stream of data end-to-end between two computers across a network. The Internet protocol suite is often called TCP/IP.

Transmission Control Protocol/Internet Protocol (TCP/IP) A family of networking protocols that allows computers with diverse hardware architectures and various operating systems to communicate across interconnected networks and the Internet. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic. Every computer on the Internet supports TCP/IP.

Transport Layer Security (TLS) An Internet Engineering Task Force (IETF) standard cryptographic protocol that provides endpoint authentication and ensures confidentiality by encrypting the segments of network connections in the application layer to guarantee secure end-to-end transit in the transport layer. TLS is intended to replace SSL.

TTL See Time to Live (TTL).

tunneling See Point-to-Point Tunneling Protocol (PPTP).

UDP See User Datagram Protocol (UDP).

Uniform Resource Locator (URL) The address of a resource on the Internet. A common URL syntax has the form protocol://host:port/path, where protocol specifies the means of returning the object, such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP); host specifies the remote server where the resource (file) resides; port (optional) specifies the port number to which to connect; and path specifies the path to the resource (file) on the remote server.

upstream routing The routing of a response from one Forefront TMG computer to another Forefront TMG computer. A request from a client computer always flows upstream to Forefront TMG computers until the requested item is found, whether it is in the cache of a Forefront TMG computer or from the Internet. Forefront TMG sends the response downstream to the client computer.

URL See Uniform Resource Locator (URL).

User Datagram Protocol (UDP) A standard transport protocol in TCP/IP networking that provides connectionless service for unacknowledged delivery of packets. UDP adds port addresses to the service provided by IP.

virtual private network (VPN) A network that is constructed using public systems such as the Internet but uses security mechanisms to ensure privacy and that only authorized users are allowed access.

VPN See virtual private network (VPN).

Web filter An extension of the Forefront TMG Web proxy that can evaluate, redirect, and modify HTTP requests and responses. Web filters are similar in functionality to ISAPI filters that work with Internet Information Services (IIS).

Windows challenge/response authentication See Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

Windows Internet (WinINet) API A collection of functions contained in Wininet.dll that simplifies client access to the Internet by way of HTTP and FTP.

Windows Internet Name Service (WINS) A name resolution service that runs on Windows Server 2003. WINS maps friendly names to IP addresses. A WINS server handles name registrations, queries, and releases. See also Domain Name System (DNS).

Windows NTFS file system (NTFS) See NTFS file system.

Windows Script Host A language-independent scripting host for 32-bit Microsoft Windows operating system platforms that enables scripts to be executed directly on the Windows desktop or command console, without the need to embed those scripts in an HTML document.

Windows Sockets (Winsock) A Windows implementation of the widely used University of California-Berkeley Sockets API. Winsock is a networking API used to create TCP/IP-based sockets applications. Winsock provides interfaces between applications and the transport protocol and works as a bidirectional connection for incoming and outgoing data. See also socket.

WinINet See Windows Internet (WinINet) API.

WINS See Windows Internet Name Service (WINS).

Winsock See Windows Sockets (Winsock).