Installing Forefront Threat Management Gateway 2010

Posted by on Apr 13, 2010 in Forefront, TMG

Forefront Threat Management Gateway 2010, commonly referred to as TMG 2010, is the long-awaited latest and greatest release of Microsoft’s Internet Security and Acceleration (ISA) Server, which we have all come to love or hate over the years. TMG builds on ISA’s ability to deliver a comprehensive application-layer reverse proxy firewall and is usually deployed on the edge of your network or behind an existing edge device such as a firewall provided by Cisco or Check Point. Today I will begin a series of articles on installing and configuring Forefront TMG 2010 and discuss some of the new features that have been integrated into this release, before providing a step-by-step guide to securely publishing web sites such as Outlook Web App (OWA) or internal SharePoint web sites.

Let’s begin by outlining some of the key new features that TMG introduces over ISA.

  • URL Filtering: TMG now includes a comprehensive web filtering subscription service that is tightly integrated into the TMG management console.  Organizations can create rules to block or allow web sites based on category, such as pornography, violence, shopping etc.  This was usually only possible by using 3rd party services such as Websense/Surfcontrol or Symantec, and usually required additional hardware and extra servers on top of your ISA implementation.
  • Web anti-malware: Another subscription-based service that provides protection against web sites and pages that may contain malware and viruses.
  • Email protection: Yup, you guessed it. Another protection subscription service, which utilises Forefront Protection for your Exchange servers and scans emails for viruses and spam content before they are delivered to your Exchange mailboxes.
  • Network Inspection System: Commonly referred to as NIS, this out-of-the-box feature scans traffic for exploits of outstanding Microsoft vulnerabilities.
  • Other features: These include the long-awaited 64-bit and Windows 2008 support for greater scalability, Enhanced NAT for 1-1 publishing, and enhanced VoIP capabilities that should make for simpler voice deployments.

Now that we have been introduced to some of the notable features within TMG, let’s begin the installation and initial configuration. Before doing so, ensure that you have met the minimum system requirements, which are listed in the following TechNet article:

http://technet.microsoft.com/en-au/library/dd896981.aspx

After ensuring the minimum requirements are met, launch autorun.hta and, on the main setup splash page, begin by running the preparation tool.  Because my machine is joined to the network and is running WSUS, I have purposely skipped Run Windows Update; please run it if you are not running WSUS in your environment.

image

The following welcome screen is displayed.

image

Click Next

Accept the terms and conditions. Click on Next

image

Select Forefront TMG services and Management.  Click Next.

image

The Installation proceeds and begins configuring the necessary Windows Roles and Features that are required by TMG.

image

Upon completion, you should receive the following Preparation Complete Window.  Click Finish to launch the TMG installation.

image

The installation begins and the wizard outlines the 3 core stages and estimated times.

image

Once the welcome screen appears, click Next.

image

Accept the Licence Agreement. Click Next

image

Enter the customer information and Click Next.

Specify your installation path.  Click Next.

image

Add your Internal Network Address Ranges. Click Next.

image

You will receive the below warning message advising of services that will be restarted during the installation.  Click Next.

image

Click Install.

image

You should hopefully receive the below screen notifying that the installation was a success.

image

Upon launching Forefront TMG for the first time, you will be presented with a Getting Started Wizard which will assist in getting you up and running in 3 easy steps.  Please note that if you are looking at importing your existing ISA 2006 Server configuration settings to the new TMG server, then you must close the wizard and accomplish this task first.

image

Let’s begin by going through the 3 stages of the Getting Started Wizard.  The first stage is Configuring your network settings.

image

Click Next

As in ISA 2006, the screen below lets you select a network template; the templates offered depend on the number of network adapters installed on your TMG server.  My server has only a single adapter, and this is reflected in the screen capture below.  This TMG setup is acting purely as a second-layer application firewall, publishing our web applications such as SharePoint and Outlook Web App.

image

Click Next

Specify your IP address settings.  It is best practice to assign a static IP address to your TMG server rather than using DHCP.

image

Click Next and Finish.

You will then be presented with Stage 2 of the Getting Started Wizard, Configure system settings.

image

The system will attempt to determine Host identification details such as Computer name, Windows domain and DNS suffix.

image

Click Next and Finish.

The third and final stage of the Getting Started Wizard is defining your deployment options.

image

Click Next

Specify whether Forefront TMG will use the Microsoft Update Service to check for updates.  Please note that if your TMG server is configured to use WSUS, it will use WSUS first and fall back to the Microsoft Update service.

image

The next screen allows us to configure TMG’s protection features such as Network Inspection System (NIS) and Web Protection.  As mentioned earlier in the post, these are paid subscription-based services; however, Microsoft does provide a complimentary 120-day evaluation of these 2 product offerings.

image

Click Next

Specify your NIS signature update settings and how often it will check for new updates.

image

Click Next.

In the next screen, specify whether you want to participate in the Customer Feedback Improvement Program.

Click Next

In the next screen you will be given the opportunity to participate in the Microsoft Telemetry Reporting Service, where details of malware attacks etc. are sent to Microsoft, assisting them with improving TMG and its signatures.

Click Next and then Finish.

image

Upon clicking close, TMG will provide you with the ability to Run the Web Access Wizard to create your first rule.  We will be discussing Access Rules and Publishing Rules in upcoming articles in this TMG series.
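Two address decisions in this walkthrough, the Internal Network Address Ranges entered during setup and the static IP address recommended in the Getting Started Wizard, can be checked against the server's adapters before you start. The PowerShell below is an added example, not part of the original post; the function names, ranges and adapter data are hypothetical, constructed values.

```powershell
function ConvertTo-UInt32 ([string]$Ip) {
    # IPv4 dotted quad -> integer so that ranges can be compared numerically
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-TmgAddressPlan ($Adapters, $InternalRanges) {
    foreach ($nic in $Adapters) {
        # WMI also lists IPv6 addresses; only IPv4 is compared here
        foreach ($ip in ($nic.IPAddress | Where-Object { $_ -match '^\d+(\.\d+){3}$' })) {
            $n = ConvertTo-UInt32 $ip
            $covered = $false
            foreach ($r in $InternalRanges) {
                if ($n -ge (ConvertTo-UInt32 $r.Start) -and $n -le (ConvertTo-UInt32 $r.End)) {
                    $covered = $true
                }
            }
            New-Object PSObject -Property @{
                Adapter    = $nic.Description
                Address    = $ip
                UsesDhcp   = [bool]$nic.DHCPEnabled   # True = not yet static
                InInternal = $covered                 # True = inside a planned range
            }
        }
    }
}

# Ranges you plan to enter on the internal network page (constructed values)
$ranges = @(
    @{ Start = '10.0.0.0'; End = '10.0.0.255' }
)

# Constructed sample adapter. On the server itself, use instead:
#   $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$adapters = @(
    New-Object PSObject -Property @{
        Description = 'Sample NIC'; DHCPEnabled = $true
        IPAddress   = @('10.0.1.20', 'fe80::1')
    }
)

Test-TmgAddressPlan $adapters $ranges |
    Format-Table Adapter, Address, UsesDhcp, InInternal -AutoSize
```

With the sample data the single row shows UsesDhcp True and InInternal False, meaning the adapter still needs a static address and the planned range does not cover it. On a server with more than one adapter, the external adapter is expected to fall outside the internal ranges.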

I’d be interested to know how many TMG deployments are out there and how many are considering replacing their existing ISA boxes with TMG 2010.


One Comment

  1. Thanks so much. Helped me a lot.
