Installing Forefront Threat Management Gateway 2010

Posted by on Apr 13, 2010 in Forefront, TMG

Forefront Threat Management Gateway 2010, commonly referred to as TMG 2010, is the long-awaited latest and greatest release of Microsoft’s Internet Security and Acceleration (ISA) Server, which we have all come to love or hate over the years.  TMG builds on ISA’s ability to deliver a comprehensive application-layer reverse proxy firewall and is usually deployed on the edge of your network or behind an existing edge device such as a firewall from Cisco or Check Point.  Today, I will begin a series of articles on installing and configuring Forefront TMG 2010 and discuss some of the new features that have been integrated into this release, before providing a step-by-step guide to securely publishing web sites such as Outlook Web App (OWA) or internal SharePoint web sites.

Let’s begin by outlining some of the key new features that TMG introduces over ISA.

  • URL Filtering: TMG now includes a comprehensive web filtering subscription service that is tightly integrated into the TMG management console.  Organizations can create rules to block or allow web sites based on category, such as pornography, violence, shopping etc.  Previously this was usually only possible with 3rd party services such as Websense/SurfControl or Symantec, and usually required additional hardware and extra servers on top of your ISA implementation.
  • Web anti-malware: Another subscription-based service that provides protection against web sites/pages that may contain malware and viruses.
  • Email protection: Yup, you guessed it. Another subscription-based protection service, which utilises Forefront Protection for your Exchange servers and scans emails for viruses and spam content before they are delivered to your Exchange mailboxes.
  • Network Inspection System: Commonly referred to as NIS, this out-of-the-box feature scans traffic for exploits of outstanding Microsoft vulnerabilities.
  • Other features: These include the long-awaited 64-bit and Windows Server 2008 support for greater scalability, Enhanced NAT for 1-1 publishing, and enhanced VoIP capabilities that should make for simpler voice deployments.

Now that we have been introduced to some of the notable features within TMG, let’s begin the installation and initial configuration. Before doing so, ensure that you have met the minimum system requirements, which are listed in the following TechNet article:

http://technet.microsoft.com/en-au/library/dd896981.aspx

After ensuring the minimum requirements are met, launch autorun.hta and, on the main setup splash page, begin by running the preparation tool.  Because my machine is joined to the network and is running WSUS, I have purposely skipped the Run Windows Update step; however, please run it if you are not running WSUS in your environment.

The following welcome screen is displayed.

Click Next

Accept the terms and conditions. Click on Next

Select Forefront TMG services and Management.  Click Next.

The Installation proceeds and begins configuring the necessary Windows Roles and Features that are required by TMG.

Upon completion, you should receive the following Preparation Complete Window.  Click Finish to launch the TMG installation.

The installation begins and the wizard outlines the 3 core stages and estimated times.

Once the welcome screen appears, click Next.

Accept the Licence Agreement. Click Next

Enter the customer information and Click Next.

Specify your installation path.  Click Next.

Add your Internal Network Address Ranges. Click Next.

You will receive the below warning message advising of services that will be restarted during the installation.  Click Next.

Click Install.

You should hopefully receive the below screen notifying that the installation was a success.

Upon launching Forefront TMG for the first time you will be presented with a Getting Started Wizard, which will assist in getting you up and running in 3 easy steps.  Please note that if you are looking at importing your existing ISA 2006 Server configuration settings to the new TMG server, then you must close the wizard and accomplish this task first.

Let’s begin by going through the 3 stages of the Getting Started Wizard.  The first stage is Configuring your network settings.

Click Next

As in ISA 2006, the next screen allows you to select a network template; the wizard detects which network setups are configurable based on the number of adapters installed on your TMG server.  In my instance, I only have one single adapter, so the choice of templates is limited accordingly.  This TMG setup is purely acting as a second-layer application firewall publishing our web applications such as SharePoint and Outlook Web App.

Click Next

Specify your IP address settings.  It is best practice to assign a static IP address to your TMG server as opposed to utilising DHCP.

Click Next and Finish.
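
The host-side points this walkthrough relies on (64-bit OS, WSUS versus Windows Update, static addressing rather than DHCP) can be checked from PowerShell before or after running the wizard. This is an added example, not part of the original post; the function name Test-TmgHostReadiness is made up for illustration, and the script assumes PowerShell 2.0 with the standard WMI classes and the Windows Update policy registry key.

```powershell
# Added example (not from the original post): host checks for a TMG 2010 server.
# Assumes PowerShell 2.0; Test-TmgHostReadiness is a hypothetical helper name.

function Test-TmgHostReadiness {
    $results = @()

    # TMG 2010 installs only on 64-bit Windows Server, so confirm the architecture.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $results += New-Object PSObject -Property @{
        Check  = '64-bit operating system'
        Passed = ($os.OSArchitecture -like '64*')
        Detail = "$($os.Caption) ($($os.OSArchitecture))"
    }

    # WSUS policy: when no WUServer value is set, the machine is not patched via
    # WSUS and the "Run Windows Update" step should not be skipped.
    $wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu      = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $hasWsus = ($wu -ne $null) -and ($wu.WUServer)
    $detail  = 'No WSUS policy found; run Windows Update first'
    if ($hasWsus) { $detail = $wu.WUServer }
    $results += New-Object PSObject -Property @{
        Check  = 'WSUS configured'
        Passed = $hasWsus
        Detail = $detail
    }

    # Every IP-enabled adapter should carry a static address, not a DHCP lease.
    $filter   = 'IPEnabled = TRUE'
    $adapters = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter $filter)
    foreach ($a in $adapters) {
        $results += New-Object PSObject -Property @{
            Check  = "Static address on '$($a.Description)'"
            Passed = (-not $a.DHCPEnabled)
            Detail = ($a.IPAddress -join ', ')
        }
    }

    return $results
}

# Hashtable key order is not preserved in PowerShell 2.0, so fix the column order here.
Test-TmgHostReadiness | Select-Object Check, Passed, Detail | Format-Table -AutoSize -Wrap
```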

You will then be presented with Stage 2 of the Getting Started Wizard, Configure system settings.

The system will attempt to determine Host identification details such as Computer name, Windows domain and DNS suffix.

Click Next and Finish.

The third and final stage of the Getting Started Wizard is defining your deployment options.

Click Next

Specify whether Forefront TMG will use the Microsoft Update Service to check for updates.  Please note that if your TMG server is configured to use WSUS, it will utilise this method first and use the Microsoft Update service as a fallback method.

The next screen allows us to configure TMG’s protection features such as Network Inspection System (NIS) and Web Protection.  As mentioned earlier in the post, these are paid subscription-based services; however, Microsoft does provide you with a complimentary 120-day evaluation of these 2 product offerings.

Click Next

Specify your NIS signature update settings and how often it will check for new updates.

Click Next.

In the next screen, specify whether you want to participate in the Customer Feedback Improvement Program.

Click Next

In the next screen you will be provided with the opportunity to participate in the Microsoft Telemetry Reporting Service, where information about malware attacks etc. is sent to Microsoft, assisting them with improving TMG and its signatures.

Click Next and then Finish.

Upon clicking close, TMG will provide you with the ability to Run the Web Access Wizard to create your first rule.  We will be discussing Access Rules and Publishing Rules in upcoming articles in this TMG series.

I’d be interested to know how many TMG deployments are out there and how many are considering replacing their existing ISA boxes with TMG 2010.

References

Forefront TMG Planning and Design; http://technet.microsoft.com/en-au/library/cc441674.aspx

Forefront TMG Deployment; http://technet.microsoft.com/en-au/library/cc441445.aspx

Installing Forefront TMG; http://technet.microsoft.com/en-au/library/cc441440.aspx