We encourage you to
enhance this guide by identifying missing areas (scenarios, features, lifecycle...), providing links to and writing descriptions of existing content, and providing
new content where there are gaps. Join the
Forefront Threat Management Gateway (TMG) 2010 is a firewall that can be deployed in a variety of scenarios that assist you in protecting internal network resources. The
core scenarios where Forefront TMG can be used are described in the diagram below:
Besides the core scenarios shown in the above diagram, Forefront TMG 2010 also can be used for:
Forefront TMG 2010 is an evolution of its predecessor, ISA Server 2006. Migrating from ISA Server 2006 (or earlier versions) to Forefront
TMG 2010 brings many advantages; read this article
to understand the reasons to perform this migration. If you are still using ISA 2000 or ISA 2004, review the product lifecycle information
regarding mainstream support for those products.
The next sections of this article will describe what you need in order to plan, deploy and configure Forefront TMG 2010 in your network.
When planning Forefront TMG 2010 implementation it is important to identify the purpose of having TMG installed in your network.
Are you going to use it as a reverse proxy? A forward proxy? A VPN server? A site-to-site VPN gateway? A Winsock proxy? A network firewall? An IDS/IPS?
These are questions that you need to answer before deploying TMG, because the answers drive the network topology, the licensing and the hardening choices that follow. The main resources that you can use in this phase are:
If you currently have ISA Server 200x installed on your network, make sure to use the resources below while planning the migration:
During this planning phase you might decide to implement Forefront TMG 2010 in a virtual environment. In order to correctly plan your Edge virtualization, make sure to use
the resources below:
If you don't have experience with Forefront TMG 2010, it is important to get some hands on experience before deploying it in production. There are a series of online resources
that can help you with that:
Last but not least, you also can use this phase to plan how to use Forefront TMG as an e-mail protection mechanism. Follow the guidelines from
the article “Planning to protect against e-mail threats” in order to plan for this scenario.
Forefront TMG 2010 has a set of features that can assist you while deploying a scenario that requires high availability. Here are some core TMG features in this area:
As Forefront TMG 2010 can be used as a firewall, it is normal that many IT administrators want to perform some sort of hardening on the system.
The only supported way to harden a Forefront TMG system is by using the Windows Server 2008 Security
Configuration Wizard (SCW). There is an update for TMG in the
Microsoft® Forefront Threat Management Gateway (TMG) 2010 Tools & Software Development Kit
that introduces a newer template to be used with SCW to harden a Forefront TMG system. This method applies hardening to both Forefront TMG and the Windows Server
2008 installation on which TMG is installed. Failure to comply with this requirement (that is, creating a nonstandard hardening solution, such as disabling services or applying a generic server baseline by hand) can cause problems, such as the ones described in
this blog post.
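As an added example (it is not code from the guide or from Microsoft), the following PowerShell session shows the supported SCW workflow end to end on a TMG host: register the TMG knowledge-base extension that the Tools & SDK update ships, build the policy in the wizard, analyze the host against that policy before applying it, and keep the rollback command to hand. The SDK file location, the policy file name and the analysis report name are assumptions; take the real paths from the SDK documentation.

```powershell
# Added example, not code from the TMG Survival Guide. Paths and file names are assumptions.
# scwcmd.exe and scw.exe ship with Windows Server 2008; run this from an elevated prompt.

# 1. Register the TMG knowledge-base extension delivered with the TMG Tools & SDK update.
#    Without it SCW knows nothing about the Firewall service and the other TMG roles.
$sdkKb = 'C:\Program Files\Microsoft Forefront TMG SDK\SCW\TMG.xml'   # assumed location
if (-not (Test-Path $sdkKb)) { throw "TMG SCW knowledge base not found at $sdkKb" }
scwcmd register /kbname:TMG /kbfile:"$sdkKb"

# 2. Build the policy interactively; the wizard now offers the TMG roles from the
#    registered knowledge base. Save it as a file (name assumed below).
scw.exe
$policy = 'C:\Policies\TMG-Hardening.xml'

# 3. Dry run first: compare the host against the policy instead of applying it blindly.
#    The report is written as XML under $report and rendered for review
#    (report file name assumed to be <ComputerName>.xml).
$report = 'C:\Policies\Analysis'
New-Item -ItemType Directory -Force -Path $report | Out-Null
scwcmd analyze /p:"$policy" /m:$env:COMPUTERNAME /o:"$report"
scwcmd view /x:"$report\$env:COMPUTERNAME.xml"

# 4. Apply only after the analysis shows nothing unexpected.
scwcmd configure /p:"$policy" /m:$env:COMPUTERNAME

# 5. If the firewall stops passing traffic afterwards, undo the last applied policy
#    with SCW's own rollback instead of hand-editing services and firewall rules.
# scwcmd rollback /m:$env:COMPUTERNAME
```

Keep the policy XML under version control together with the TMG configuration export, so that a rebuilt node in an array receives exactly the same hardening, and re-run the analyze step after each TMG service pack or update rollup, since those can add services the policy has never seen.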
The other security debate that exists around Forefront TMG when it is installed as a firewall is whether or not the computer should belong to an
Active Directory domain. There are many circumstances that push the IT administrator to install TMG in a workgroup rather than joining it to a domain. The recommendation is to evaluate the potential risks to your own environment before choosing
the best option.
Also, read the article Debunking the Myth that the ISA Firewall Should Not be a Domain Member to
get a better understanding of both sides of this deployment. If Forefront TMG 2010 is to be part of a domain, make sure to have an isolated OU and a dedicated Group Policy for the Forefront TMG computers. The reason is that there are scenarios where
changes to a group policy shared with other servers can cause issues on Forefront TMG, such as the one listed in
this blog post.
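To show what "an isolated OU and a dedicated policy" looks like in practice, here is an added PowerShell example (not part of the guide): it creates the OU, blocks policy inheritance on it, links one GPO that belongs only to that OU and moves the TMG computer objects in. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a management workstation and rights to create OUs and GPOs; the OU, GPO and computer names are assumptions.

```powershell
# Added example, not code from the TMG Survival Guide. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT) and rights to create OUs and GPOs; names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Forefront TMG Servers'
$gpoName  = 'Forefront TMG Baseline'
$tmgHosts = @('TMG01', 'TMG02')            # assumed computer names of the TMG array members

# 1. A dedicated OU directly under the domain, so TMG hosts never sit below an OU
#    that receives general server policy.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
            -ProtectedFromAccidentalDeletion $true -PassThru
}

# 2. Block inherited GPOs at this OU. Caveat: GPOs linked higher up with "Enforced" still
#    apply, and domain password/lockout settings apply regardless because they are
#    evaluated at the domain level, so review those separately.
Set-GPInheritance -Target $ou.DistinguishedName -IsBlocked Yes | Out-Null

# 3. One GPO that is linked only here; everything TMG needs is set in it explicitly,
#    and nobody editing the general server policy can touch the firewall hosts.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Settings for Forefront TMG hosts only'
}
$linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# 4. Move the TMG computer objects in; objects already in the OU are left alone.
foreach ($name in $tmgHosts) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$($ou.DistinguishedName)") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ou.DistinguishedName
    }
}

# 5. Check what the OU actually receives now: the baseline GPO plus any enforced ones.
(Get-GPInheritance -Target $ou.DistinguishedName).InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Enabled
```

After the move, run `gpupdate /force` on each TMG host and confirm with `gpresult /r` that only the baseline GPO (and any enforced domain-level GPOs you have reviewed) is applied. If step 5 lists an enforced GPO you did not expect, that is the policy most likely to break TMG later, because blocking inheritance does not stop it.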
When deploying Forefront TMG 2010 in branch offices, you can also consider the security practice of installing Forefront TMG on a Read Only Domain
Controller (RODC), which is a capability introduced in Forefront TMG 2010 SP1 Update 1. For more information on how to perform this operation, read the article
Installing Forefront TMG on a RODC.
Authentication is another important subject when planning publishing and web access for an application through Forefront TMG. TMG can authenticate users
for web access, for web publishing, or both. The resources below will be useful when considering authentication in TMG:
During the deployment phase the main resource that you should use is the
Forefront TMG 2010 Deployment Guide. The guide supplies the core steps to prepare and install Forefront TMG 2010.
As a best practice, you should also update Forefront TMG 2010 in the following order:
So to get the latest version installed, you need to install:
Note: It is important to emphasize that the updates listed above are the most current as of
November 2013; if you're using this guide after that, please check for more recent updates.
It is possible to create a slipstreamed installation source from which TMG can be installed (example: Richard Hicks' blog), to save time installing and rebooting each TMG
server in the farm. If you create a slipstreamed installation, be aware that:
Once you have Forefront TMG 2010 installed, you can start configuring some of the features that you need, to accomplish the tasks that were identified
during the planning phase. The main resource for this is the Operations Guide. There are also some other guides that
can be used in order to accomplish these tasks, such as:
Note: community contributions within this section are very welcome. There are so many applications that you can publish through Forefront TMG that Microsoft
just can't test and document them all. If you have an article where you explain how to publish a certain application that is not on this list, please feel free to add a link to this list (the Edit tab is at the top-middle of the wiki page).
Here are some additional resources about Forefront TMG 2010 that might be helpful:
This is a living document that we are starting now, and giving to you as a base to expand upon. Do you want to get engaged on this? Make sure to read the guidelines from
Wiki: How to Contribute,
and have a great time helping the community to grow!
Note: please do not
add troubleshooting articles to this Survival Guide; we are working to build a Troubleshooting Survival Guide for Forefront TMG 2010. Once we have it, we will post it here.
This article was originally written by:
Yuri Diogenes, Senior Technical Writer
Windows Server iX | IT Pro Security
Yuri’s Blog: http://blogs.technet.com/yuridiogenes
Forefront TMG Wiki Portal Page
Amazing work Yuri.. :)
Lovely 1.. Really nice article
I added the link twice and it did not show correctly; now I have fixed the link for Forefront TMG 2010 SP1 Update 1 Rollup 4, and now it is OK.
Thanks for updating Marc!
Very good job, thanks a lot.
I actually have a question about this. I like all of the resources you have here, and I wish I had experience to contribute more to it. I was wondering though, can Forefront TMG sort of act like a router, performing routing, VPN, Firewall and NIS, and application security all in one installation if the network is small enough? Is that recommended?
Yes! The TMG firewall is a full fledged network firewall and can do all the things you mention.
I was wondering if there is an update to the instructions for hardening the TMG server if it's running on Server 2008 R2 as opposed to Server 2008. The link provided references Server 2008 Security Configuration Wizard and I can't see anywhere if it is okay to run on R2.
Can you please clarify?