Forefront Threat Management Gateway 2010, commonly referred to as TMG 2010, is the long awaited latest release of Microsoft’s Internet Security and Acceleration (ISA) Server, which we have all come to love or hate over the years. TMG builds on ISA’s ability to deliver a comprehensive application layer firewall and reverse proxy, and is usually deployed either on the edge of your network or behind an existing edge firewall from a vendor such as Cisco or Check Point. Today I will begin a series of articles on installing and configuring Forefront TMG 2010. I will discuss some of the new features that have been integrated into this release before providing a step by step guide to securely publishing web sites such as Outlook Web App (OWA) or internal SharePoint sites.
Let’s begin by outlining some of the key new features that TMG introduces over ISA.
- URL Filtering: TMG now includes a subscription-based web filtering service that is tightly integrated into the TMG management console. Organizations can create rules to block or allow web sites based on category, such as pornography, violence, shopping, etc. Previously this was only possible with third-party products such as Websense/SurfControl or Symantec, which usually meant additional hardware and extra servers on top of your ISA implementation.
- Web anti-malware: Another subscription-based service that scans web pages and downloads passing through the proxy for malware and viruses.
- Email protection: Yup, you guessed it.. another subscription-based service. It utilises Forefront Protection for Exchange to scan email for viruses and spam before it is delivered to your Exchange mailboxes.
- Network Inspection System: Commonly referred to as NIS, this out of the box feature is a signature-based intrusion prevention system that inspects traffic for attempts to exploit known Microsoft vulnerabilities, with new signatures released as vulnerabilities are disclosed.
- Other features: These include the long awaited 64-bit and Windows Server 2008 / 2008 R2 support for greater scalability, Enhanced NAT for 1:1 publishing, and enhanced VoIP (SIP) support that should make for simpler voice deployments.
Now that we have been introduced to some of the notable features within TMG, let’s begin the installation and initial configuration. Before doing so, ensure that you have met the minimum system requirements, which are listed in the TechNet documentation linked at the end of this post.
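Before launching setup I like to run a quick pre-flight check from PowerShell on the candidate server. The script below is my own added example, not part of Microsoft’s setup or the TechNet documentation: it checks the operating system, cores, RAM, free disk and domain membership, confirms each adapter has a static address, and prints the network-to-broadcast range of each IPv4 subnet so you have the exact values to type into the Internal Network Address Ranges page later in the install. The numeric thresholds are my reading of the TechNet system requirements and should be confirmed against that article; everything is written for PowerShell 2.0 as shipped with Windows Server 2008 / 2008 R2, so it uses WMI cmdlets and avoids the newer shift operators.

```powershell
# Pre-flight check for a Forefront TMG 2010 candidate server (my added script, not Microsoft's setup).
# Thresholds are my reading of the TechNet system requirements; confirm them against the article.
# Targets PowerShell 2.0 (Server 2008 / 2008 R2): WMI cmdlets only, no -shl/-shr.
$MinCores  = 2
$MinRamGB  = 4
$MinDiskGB = 2.5

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# --- Dotted-quad helpers using integer maths only --------------------------------
function ConvertTo-UInt32([string]$Dotted) {
    $o = $Dotted.Split('.') | ForEach-Object { [int64]$_ }
    return ($o[0] * 16777216) + ($o[1] * 65536) + ($o[2] * 256) + $o[3]
}
function ConvertFrom-UInt32([int64]$N) {
    $octets = foreach ($d in 16777216, 65536, 256, 1) { [int](([math]::Floor($N / $d)) % 256) }
    return $octets -join '.'
}
# "network - broadcast" for an address/mask pair: the form the Internal Network page expects,
# one line per subnet that sits behind the INTERNAL adapter (never add the external adapter's range).
function Get-SubnetRange([string]$Address, [string]$Mask) {
    $a = ConvertTo-UInt32 $Address
    $m = ConvertTo-UInt32 $Mask
    $net   = $a -band $m
    $bcast = $net -bor ((-bnot $m) -band 4294967295)
    return ('{0} - {1}' -f (ConvertFrom-UInt32 $net), (ConvertFrom-UInt32 $bcast))
}

# --- Operating system: 64-bit Windows Server 2008 SP2 or 2008 R2 -------------------
$os          = Get-WmiObject Win32_OperatingSystem
$isServer    = $os.ProductType -ne 1                       # ProductType 1 = workstation
$isSupported = ($os.Version -like '6.0.*' -and $os.ServicePackMajorVersion -ge 2) -or ($os.Version -like '6.1.*')
Add-Check 'OS is 64-bit' ($os.OSArchitecture -eq '64-bit') $os.OSArchitecture
Add-Check 'OS is Server 2008 SP2 / 2008 R2' ($isServer -and $isSupported) ('{0} SP{1}' -f $os.Caption.Trim(), $os.ServicePackMajorVersion)

# --- Hardware -----------------------------------------------------------------------
$cs      = Get-WmiObject Win32_ComputerSystem
$cores   = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$ramGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)   # rounded: a "4 GB" box reports ~3.99 GB
$sysDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB  = [math]::Round($sysDisk.FreeSpace / 1GB, 1)
Add-Check "At least $MinCores CPU cores" ($cores -ge $MinCores) "$cores cores"
Add-Check "At least $MinRamGB GB RAM"    ($ramGB -ge $MinRamGB) "$ramGB GB"
Add-Check "At least $MinDiskGB GB free on $env:SystemDrive, NTFS" (($freeGB -ge $MinDiskGB) -and ($sysDisk.FileSystem -eq 'NTFS')) "$freeGB GB free, $($sysDisk.FileSystem)"
Add-Check 'Joined to a domain' $cs.PartOfDomain $cs.Domain

# --- Network adapters: static addressing, plus the subnet ranges for setup ----------
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')
Add-Check 'At least one IP-enabled adapter' ($nics.Length -ge 1) "$($nics.Length) adapter(s)"
foreach ($nic in $nics) {
    Add-Check "Static IP on '$($nic.Description)'" (-not $nic.DHCPEnabled) ($nic.IPAddress -join ', ')
    for ($i = 0; $i -lt $nic.IPAddress.Length; $i++) {
        if ($nic.IPAddress[$i] -match '^\d+\.\d+\.\d+\.\d+$') {       # IPv4 only; IPSubnet[] lines up with IPAddress[]
            Add-Check "Subnet range on '$($nic.Description)'" $true (Get-SubnetRange $nic.IPAddress[$i] $nic.IPSubnet[$i])
        }
    }
}

$results | Format-Table Check, Pass, Detail -AutoSize
```

Run it in an elevated PowerShell session on the server and fix anything that shows Pass = False before continuing; the "Subnet range" rows are informational and give you the ranges to enter, for the internal adapter only, when setup asks for the Internal Network Address Ranges.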
After ensuring the minimum requirements are met, launch autorun.hta and, on the main setup splash page, begin by running the Preparation Tool. Because my machine is joined to the network and is updated via WSUS, I have purposely skipped Run Windows Update; please do run it if you are not using WSUS in your environment.
The following welcome screen is displayed.
Accept the terms and conditions. Click Next.
Select Forefront TMG services and Management. Click Next.
The Preparation Tool then installs and configures the Windows roles and features required by TMG.
Upon completion, you should receive the following Preparation Complete window. Click Finish to launch the TMG installation.
The installation begins and the wizard outlines the 3 core stages and estimated times.
Once the welcome screen appears, click Next.
Accept the Licence Agreement. Click Next.
Enter the customer information and Click Next.
Specify your installation path. Click Next.
Add your Internal Network Address Ranges. Only add the ranges that sit behind the internal adapter (the Add Adapter button will pick them up from the adapter’s routing table); addresses missing from, or wrongly included in, the Internal network will show up later as spoofing alerts or as traffic being trusted that should not be. Click Next.
You will receive the below warning message advising of services that will be restarted during the installation. Click Next.
You should hopefully receive the below screen notifying you that the installation was a success.
Upon launching Forefront TMG for the first time you will be presented with a Getting Started Wizard which will assist in getting you up and running in 3 easy steps. Please note that if you are looking at importing your existing ISA 2006 Server configuration settings into the new TMG server, you must close the wizard and accomplish this task first.
Let’s begin by going through the 3 stages of the Getting Started Wizard. The first stage is Configuring your network settings.
Similarly to ISA 2006, the screen captured below lets you select a network template; the templates offered depend on the number of network adapters detected on your TMG server. In my instance I have a single adapter, which is reflected in the screen capture. This TMG setup is purely acting as a second layer application firewall publishing our web applications such as SharePoint and Outlook Web App, which is exactly what the single network adapter template is designed for: it supports web proxy and web publishing only, so do not choose it if you need VPN, server publishing of non-web protocols or the Firewall Client.
Specify your IP address settings. It is best practice to assign the TMG server a static IP address rather than using DHCP, since your web listeners and rules will be bound to that address.
Click Next and Finish.
You will then be presented with Stage 2 of the Getting Started Wizard, Configure system settings.
The wizard will attempt to determine host identification details such as the computer name, Windows domain and DNS suffix.
Click Next and Finish.
The third and final stage of the Getting Started Wizard is defining your deployment options.
Specify whether Forefront TMG will use the Microsoft Update service to check for updates. Please note that if your TMG server is configured to use WSUS, it will use WSUS first and fall back to the Microsoft Update service.
The next screen allows us to configure TMG’s protection features such as Network Inspection System (NIS) and Web Protection. As mentioned earlier in the post, these are subscription-based services; however, Microsoft provides a 120 day complimentary evaluation of both.
Specify your NIS signature update settings and how often it will check for new updates.
In the next screen, specify whether you want to participate in the Customer Feedback Improvement Program.
In the next screen you will be provided with the opportunity to participate in the Microsoft Telemetry Reporting Service, where details of detected malware attacks and the like are sent to Microsoft, assisting them with improving TMG and its signatures.
Click Next and then Finish.
Upon clicking Close, TMG will offer to run the Web Access Wizard to create your first rule. We will be discussing Access Rules and Publishing Rules in upcoming articles in this TMG series.
I’d be interested to know how many TMG deployments are out there and how many are considering replacing their existing ISA boxes with TMG 2010.
Forefront TMG Planning and Design; http://technet.microsoft.com/en-au/library/cc441674.aspx
Forefront TMG Deployment; http://technet.microsoft.com/en-au/library/cc441445.aspx
Installing Forefront TMG; http://technet.microsoft.com/en-au/library/cc441440.aspx