Forefront Threat Management Gateway (TMG) 2010 Survival Guide


We encourage you to enhance this guide by identifying missing areas (scenarios, features, lifecycle...), provide links to and write descriptions of existing content, and providing new content where there are gaps. Join the community!


Introduction

Forefront Threat Management Gateway (TMG) 2010 is a firewall that can be deployed in a variety of scenarios that assist you in protecting internal network resources. The core scenarios where Forefront TMG can be used are described in the diagram below:


Besides the core scenarios shown in the diagram above, Forefront TMG 2010 can also be used for:

Forefront TMG 2010 is an evolution of its predecessor, ISA Server 2006. You can accrue many advantages by migrating from ISA Server 2006 (or previous versions) to Forefront TMG 2010; read this article to understand the reasons to perform this migration. If you are still using ISA 2000 or ISA 2004, review this article regarding mainstream support for those products.

The next sections of this article will describe what you need in order to plan, deploy and configure Forefront TMG 2010 in your network.

Planning

When planning a Forefront TMG 2010 implementation it is important to identify the purpose of having TMG installed in your network. Are you going to use it as a reverse proxy? A forward proxy? A VPN server? A site-to-site VPN gateway? A Winsock proxy? A network firewall? An IDS/IPS? These are questions that you will need to answer before deploying TMG. The main resources that you can use in this phase are:

If you currently have ISA Server 200x installed on your network, make sure to use the resources below while planning the migration:

During this planning phase you might decide to implement Forefront TMG 2010 in a virtual environment. In order to correctly plan your Edge virtualization, make sure to use the resources below:

If you don't have experience with Forefront TMG 2010, it is important to get some hands on experience before deploying it in production. There are a series of online resources that can help you with that:

Last but not least, you also can use this phase to plan how to use Forefront TMG as an e-mail protection mechanism. Follow the guidelines from the article “Planning to protect against e-mail threats” in order to plan for this scenario.

High Availability Considerations while Planning Forefront TMG Deployment

Forefront TMG 2010 has a set of features that can assist you while deploying a scenario that requires high availability. Here are some core TMG features in this area:

Security Considerations while Planning Forefront TMG Deployment

As Forefront TMG 2010 can be used as a firewall, it’s normal that many IT Administrators want to perform some sort of hardening on the system.

The only supported way to harden a Forefront TMG system is by using the Windows Server 2008 Security Configuration Wizard (SCW). There is an update for TMG in the Microsoft® Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit that introduces a newer template to be used with SCW to harden a Forefront TMG system. This method applies hardening to Forefront TMG and to the Windows Server 2008 installation on which TMG is installed. Failure to comply with this requirement (that is, creating a nonstandard hardening solution) can cause problems, such as the ones described in this blog post.

The other security debate that exists around Forefront TMG when it is installed as a firewall is whether or not the computer should belong to an Active Directory domain. There are many circumstances that push the IT Administrator to install TMG in a workgroup rather than joining it to a domain. The recommendation is to evaluate the potential risks to your own environment before choosing the best option.

Also, read the article Debunking the Myth that the ISA Firewall Should Not be a Domain Member to get a better understanding of both sides of this deployment. If Forefront TMG 2010 is to be part of a domain, make sure to have an isolated OU and Domain Policy for the Forefront TMG computers. The reason is that there are some scenarios where changes to group policy can cause issues on Forefront TMG, such as the one listed in this blog post.
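As an added example (not part of the original wiki article), the following PowerShell script creates the isolated OU and a dedicated GPO for the Forefront TMG computers, blocks inheritance of the other domain policies on that OU, and moves the TMG computer accounts into it. The OU, GPO and computer names are placeholders, and the script assumes the ActiveDirectory and GroupPolicy modules (RSAT) and Domain Admin rights.

```powershell
# Added example: isolate Forefront TMG computers in their own OU with a dedicated GPO,
# so that group policy changes made for other servers cannot reach the TMG systems.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT). All names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName
$ouName     = 'Forefront TMG Servers'          # placeholder OU name
$ouDn       = "OU=$ouName,$domainDn"
$gpoName    = 'Forefront TMG Baseline'         # placeholder GPO name
$tmgServers = @('TMG01', 'TMG02')              # placeholder computer account names

# 1. Create the OU (idempotent) and protect it from accidental deletion.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so policies written for other servers do not apply to the TMG OU.
#    Enforced GPOs linked higher in the domain still apply; review those separately.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 3. Create the dedicated GPO (idempotent) and link it to this OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Settings scoped to Forefront TMG computers only'
}
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 4. Move the TMG computer accounts into the OU if they are not already there.
foreach ($name in $tmgServers) {
    $computer = Get-ADComputer -Identity $name -ErrorAction SilentlyContinue
    if ($computer -and $computer.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
    }
}

# 5. Show which GPOs still reach the OU, to confirm only the intended (and enforced) ones apply.
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty InheritedGpoLinks
```

Run `gpupdate /force` on each TMG computer afterwards and check the resulting set of policies before relying on the isolation.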

When deploying Forefront TMG 2010 in branch offices, you can also consider the security practice of installing Forefront TMG on a Read Only Domain Controller (RODC), which is a new capability introduced in Forefront TMG 2010 SP1 Update 1. For more information on how to perform this operation, read the article Installing Forefront TMG on a RODC.

Authentication is another important subject when planning publishing and web access for an application through Forefront TMG. TMG can perform authentication for web access or web publishing (or both). The resources below will be useful when considering authentication in TMG:

Deploying Forefront TMG 2010

During the deployment phase the main resource that you should use is the Forefront TMG 2010 Deployment Guide. The guide supplies the core steps to prepare and install Forefront TMG 2010. As a best practice, you should also update Forefront TMG 2010 in the following order:

It is possible to create a slipstreamed installation source from which TMG can be installed (example: Richard Hicks' blog), to save time installing and rebooting each TMG server in the farm. If you create a slipstreamed installation, be aware that:

  • the slipstreamed install source must remain static for the lifetime of the installation
    • If you create an SP2 slipstream, and install farm members, you must not then update that installation source to SP2+SP2 Rollup 1 to install a new node
    • You could start from it, make a copy, and update the copy, but the original SP2-only farm members may use the original installation source when installing updates, and patching it could break that (meaning you'd need to create another SP2-only patched source to fix it).
  • the slipstreamed source should be created in a relatively default environment, as problems affecting TMG installation will affect the creation of the combined package.
    • If TMG doesn't install right due to a lockdown policy of some sort, the creation of an admin MSI may suffer from the same problem.
    • This usually becomes obvious when the slipstreamed package won't install.

In this phase it is also common to deploy third-party applications to the same server as TMG. Applications such as antivirus, backup software and others might be integrated during the deployment phase. It is important to follow some best practices while performing such operations:
  • Antivirus – if you are installing antivirus on Forefront TMG, make sure to follow the article “Considerations when using antivirus software on FF Edge Products” to properly exclude files and folders from real-time scanning. Failure to comply with this requirement can lead to reliability problems and support issues, like the one documented in this blog post.
  • From the same article, pay attention to the statement that says: “Forefront Edge products do not support the use of firewall or network monitoring mechanisms that operate separate from the extensibility API provided by each product.” If the antivirus fails to comply with this requirement, the behavior exposed in this blog post can occur.
  • Backup software – be sure to exclude the Forefront TMG cache folder from backup software to avoid issues like the one shown in this blog post.
  • Third-party add-ins – when installing third-party add-ins that integrate with Forefront TMG, try to locate and use the latest version available, in order to avoid potential issues that can cause downtime.

Configuring

Once you have Forefront TMG 2010 installed, you can start configuring some of the features that you need, to accomplish the tasks that were identified during the planning phase. The main resource for this is the Operations Guide. There are also some other guides that can be used in order to accomplish these tasks, such as:

Note: community contributions within this section are very welcome. There are so many applications that you can publish through Forefront TMG that Microsoft just can’t test and document all of them. If you have an article where you explain how to publish a certain application that is not on this list, please feel free to add a link to this list (the Edit tab is at the top-middle of the wiki page).

Other Resources

Here are some additional resources about Forefront TMG 2010 that might be helpful:

Call to action

This is a living document that we are starting now, and giving to you as a base to expand upon. Do you want to get engaged on this? Make sure to read the guidelines from Wiki: How to Contribute, and have a great time helping the community to grow!

Note: please do not add troubleshooting articles to this Survival Guide; we are working to build a Troubleshooting Survival Guide for Forefront TMG 2010. Once we have it we will post it here.

This article was originally written by:

Yuri Diogenes, Senior Technical Writer
Windows Server iX | IT Pro Security
Microsoft Corporation

Yuri’s Blog: http://blogs.technet.com/yuridiogenes
Team’s Blog: http://blogs.technet.com/b/securitycontent
Twitter: http://twitter.com/yuridiogenes

Forefront TMG Wiki Portal Page
Comments
  • amazing work yuri..:)

  • Lovely 1.. Really nice article

  • Hi !

    I added the link twice and it did not show correctly; now I have fixed the link for Forefront TMG 2010 SP1 Update 1 Rollup 4, and now it is OK.

  • great resources

  • Thanks for updating Marc!

  • very good job, thanks a lot,

  • I actually have a question about this.  I like all of the resources you have here, and I wish I had experience to contribute more to it.  I was wondering though, can Forefront TMG sort of act like a router, performing routing, VPN, Firewall and NIS, and application security all in one installation if the network is small enough?  Is that recommended?  

  • Hi Cron22,

    Yes! The TMG firewall is a full fledged network firewall and can do all the things you mention.

    HTH,

    Tom

  • I was wondering if there is an update to the instructions for hardening the TMG server if it's running on Server 2008 R2 as opposed to Server 2008.  The link provided references Server 2008 Security Configuration Wizard and I can't see anywhere if it is okay to run on R2.

    Can you please clarify?

    Thanks