Forefront TMG Configuration RRS feed

  • Question

  • Hello

    I am installing a new TMG into our local network. We have lots of notebooks and few Mac computers. We don't have an Active Directory in our network, all computers belong to a workgroup.

    What I want is all users must go to internet via TMG, to do that I configured wpad file and dhcp server to distribute automatic proxy configuration. No user must enter any user credentials. I also installed an active directory domain to make dns, dhcp, vpn and authentication works for admin users.

    My rules are like below

    Allow > VPN users to internal > All Users > VPN Clients > Internal

    Deny > custom rule for facebook > All Users > Restricted internal IP range > Facebook site

    Deny > Blocked web sites > All users except admins > Restricted internal IP range > restricted url sets

    Allow > Allow web access > All users > All computers > External

    Deny > Default rule

    My DHCP IP distribution is to exception to Those exception range belongs to admin users which will have unrestricted access to internet.

    My aim is our users will use one AD user to connect VPN when they are outside office, when they are inside office they won't enter manual proxy settings. My problem is if a user changes their IP manually he/she can access internet without any restrictions. I want to forbid this action but none of their computers belong to a domain.

    I also want to all admin users authenticate via their active directory users (I created users in AD for admins) but I can't get any authentication popup window in web browsers. I also tried manually entering proxy server credentials in network settings but it didn't work.

    I created a Allow > from Internal > to Internal > All users rule in firewall settings but then everybody's net connection cut off.

    How can I make this work?

    Friday, June 8, 2012 7:14 AM

All replies

  • Alright, I made all of necessary configurations but I still couldn't make authentication popup window. Users must not enter any proxy details on their web browsers but they should be enter credentials on their web browsers via popup when they first enter a website.
    Monday, June 18, 2012 9:23 PM