Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no
association with any real company, organization, product, domain name, e-mail address, logo, person,
place or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States
and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Implementing Forefront Threat Management Gateway 2010
Lab Manual - Lab 1
Table of Contents
Lab 1: Installing Forefront Threat Management Gateway 2010 ..... 1
Introduction ..... 1
Objectives ..... 1
Prerequisites ..... 1
Scenario ..... 1
Lab Configuration ..... 2
Exercise 1: Install Threat Management Gateway (Release Candidate) ..... 3
Task 1: Install Forefront TMG 2010 ..... 3
Task 2: Install Forefront Protection 2010 for Exchange Server ..... 4
Exercise 2: Perform initial configuration of Forefront TMG ..... 6
Task 1: Configure the network configuration using the Network Settings Wizard ..... 6
Task 2: Run the System Configuration Wizard ..... 7
Task 3: Enable NIS and signature updates using the Deployment Wizard ..... 7
Lab 1: Installing Forefront Threat Management Gateway 2010
Introduction
Objectives
After completing this lab, you will be able to:
Install Microsoft® Forefront™ Threat Management Gateway 2010 (TMG) on a Windows
Server® 2008 R2 server.
Perform an initial configuration of Forefront TMG using the Getting Started wizards.
Prerequisites
Ensure your virtual machines are properly configured on Microsoft® Hyper-V™. Please refer to
the Classroom Setup Guide for instructions.
Scenario
Adatum has deployed a single Forefront TMG server to provide the following services:
Allow Adatum users to browse Internet Web sites. Users must be protected from
browser-targeting malicious software (malware) over both HTTP and HTTPS.
Provide secure access to Outlook Web Access (OWA) and internal Microsoft® Windows®
SharePoint® Services sites to remote users.
Transfer e-mail between Internet mail servers and Adatum’s Microsoft® Exchange
Server 2010 system. Adatum users must be protected from spam and e-mail–borne
malware.
Lab Configuration
The following diagram illustrates the configuration of the virtual machines that are required for
this lab module. Hyper-V is used as the host platform due to the requirement for 64-bit guest
machines.
[Lab network diagram] Internal network (Adatum.com): VAN-DC1 192.168.0.40, VAN-EX1 192.168.0.42, VAN-SP1 192.168.0.43, VAN-CLI1 192.168.0.47, VAN-EDG internal adapter 192.168.0.50. External network (Internet): VAN-EDG external adapter 10.0.0.1, NYC-WEB 10.0.0.2 (www.fabrikam.com).
The following machines will be used in this lab and should be powered on:
VAN-DC1 – Provides Active Directory® and DNS services for the Adatum domain.
VAN-EDG – Runs the Microsoft® Exchange Edge Transport Service to exchange SMTP e-mail
between the Internet and the Adatum Exchange Server environment. It also runs
Forefront Threat Management Gateway 2010 to secure the SMTP service and to provide
secure Web browsing and publishing to Adatum users.
The following machines will not be used in this lab and should be powered off:
VAN-CL1 – A Windows® 7 client in the Adatum domain used to access the Exchange
Server and Microsoft® SharePoint® Server.
VAN-SP1 – Runs Windows SharePoint Services 3.0 SP1 for collaboration and document
sharing between Adatum users.
VAN-EX1 – Runs Exchange Server 2010 for the Adatum domain (Mailbox, Client Access,
and Hub Transport roles). It uses the Forefront TMG server to exchange SMTP mail with
the Internet.
NYC-WEB – Hosts DNS, Web, and SMTP services. This host is used to implement the
fabrikam.com Web site used by Adatum users, as well as the Fabrikam SMTP server. It is
also used as the client to published services on Adatum (OWA and SharePoint).
All computers should be logged on as Adatum\Administrator with the password Pa$$w0rd.
NYC-WEB does not belong to the Adatum domain, so it should be logged on locally using the
same user name and password.
Exercise 1
Install Threat Management Gateway (Release Candidate)
Note: Because of the length of time it takes for the installation to complete, and the fact that
little knowledge would be gained, this exercise has been completed for you. The details have
been provided in this lab manual so you can examine the server installation steps. After you
read these steps, please begin Exercise 2.
In this exercise, you will install Forefront Threat Management Gateway 2010 and Microsoft®
Forefront™ Protection 2010 for Exchange Server.
The Forefront TMG server (VAN-EDG) is running Windows Server 2008 R2, Enterprise Edition,
x64. It has been configured with the following prerequisites in order to reduce the time needed
to complete the lab exercises. If they had not been preinstalled, the Preparation Tool that runs
at the start of setup would install them for you (with the exception of Exchange Server).
Microsoft® .NET Framework 3.5 SP1.
Microsoft® Exchange Server 2010 – Edge Transport Server role (installed but not
configured). This is configured and managed by Forefront TMG to provide protection to
inbound and outbound SMTP traffic.
Server Roles:
Active Directory® Lightweight Directory Services (AD LDS) is required to store the configuration
of the Exchange 2010 Edge Transport Server and Forefront TMG Server roles.
Server Features:
Windows® PowerShell™
The server VAN-EDG is configured with two network adapters:
o External 10.0.0.1 subnet mask: 255.0.0.0
o Internal 192.168.0.50 subnet mask: 255.255.255.0
The Internal address range for Adatum will be defined as 192.168.0.0 – 192.168.255.255. All
address ranges outside of this (except local host 127.x) will be considered part of the External
network.
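The network definition above can be sanity-checked before setup is run. The following Python script is an added example (it is not part of the lab manual and does not use Forefront TMG's own API): it reproduces the lab's classification rules (Internal 192.168.0.0–192.168.255.255, Local Host 127.x, everything else External) and verifies that each VAN-EDG adapter, together with its whole subnet, falls inside the network it is named after; an address arriving on an adapter whose network it does not belong to is treated by TMG as spoofed, so a mismatch here means the range was typed wrongly. Subnet masks are taken from the adapter list above.

```python
import ipaddress

# Lab network definitions: Internal range (Exercise 1, step 14), Local Host 127.x,
# everything else External.
INTERNAL_RANGES = [(ipaddress.IPv4Address("192.168.0.0"),
                    ipaddress.IPv4Address("192.168.255.255"))]
LOCAL_HOST = ipaddress.IPv4Network("127.0.0.0/8")

# VAN-EDG adapters from the lab; 255.0.0.0 is /8, 255.255.255.0 is /24.
ADAPTERS = {"Internal": "192.168.0.50/24", "External": "10.0.0.1/8"}


def classify(ip):
    """Return the TMG network name ("Internal", "External", "Local Host")
    that an address falls into under the lab's definitions."""
    addr = ipaddress.IPv4Address(ip)
    if addr in LOCAL_HOST:
        return "Local Host"
    for low, high in INTERNAL_RANGES:
        if low <= addr <= high:
            return "Internal"
    return "External"


def check_adapters(adapters):
    """Check that each adapter address, and every address of its subnet,
    classifies into the network the adapter is named after.
    Returns a list of human-readable problems (empty when consistent)."""
    problems = []
    for name, cidr in adapters.items():
        iface = ipaddress.IPv4Interface(cidr)
        got = classify(str(iface.ip))
        if got != name:
            problems.append(f"{name} adapter {iface.ip} is classified as {got}")
        # The range boundaries are contiguous, so checking the subnet's first
        # and last address is enough to show the whole subnet is inside.
        net = iface.network
        for edge in (net.network_address, net.broadcast_address):
            if classify(str(edge)) != name:
                problems.append(f"{name} subnet {net} is not wholly in {name}")
                break
    return problems


if __name__ == "__main__":
    for host in ("192.168.0.40", "10.0.0.2", "127.0.0.1"):
        print(host, "->", classify(host))
    print("adapter problems:", check_adapters(ADAPTERS) or "none")
```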
Task 1: Install Forefront TMG 2010
Note: Perform the following steps on the VAN-EDG computer.
1. Open Windows Explorer, and browse to C:\Install\FFTMG2010EE.
2. Double-click autorun.
If the computer has Internet access, you should click Run Windows Update to ensure that
all of the latest critical and security updates have been installed.
3. Click Run Preparation Tool.
This starts the Preparation Tool before Forefront TMG is installed.
The Preparation Tool inspects the server for the necessary prerequisites and installs them if
required. This requires Internet connectivity to download the components.
4. Click Next to begin preparation.
5. Accept the license agreement, and then click Next.
6. Select Install Forefront TMG Services and Management, and then click Next.
The Preparation Tool checks the system requirements and installs any components that are
missing.
7. Select Launch Microsoft Forefront TMG Setup, and then click Finish.
8. Click Next to begin installation.
9. Accept the license agreement, and then click Next.
10. Accept the default user name and serial number, and then click Next.
11. Accept the default location to install to (C:\Program Files\Microsoft Forefront Threat
Management Gateway), and then click Next.
The next screen allows you to define the address range that will be associated with the
internal network (as defined within Forefront TMG).
12. Click Add.
13. Click Add Range.
14. Type 192.168.0.0 for the start address and 192.168.255.255 for the end address. Click OK.
15. Click OK to complete the addition of IP ranges to the internal network. Click Next.
16. Read the warning that services will be stopped during installation, and then click Next.
17. Click Install to begin the installation.
18. Click Finish to complete the installation.
Task 2: Install Forefront Protection 2010 for Exchange Server
1. Click Install Microsoft Forefront Protection 2010 for Exchange Server.
2. Accept the license agreement, and then click Next.
3. Click Next on the message that the Microsoft Exchange Transport service will be restarted.
4. Accept the default installation location (C:\Program Files (x86)\Microsoft Forefront
Security for Exchange Server), and then click Next.
5. If the service will access the Internet for updates via a proxy, type the proxy details and
credentials if required. Click Next.
6. Select Enable Forefront Security for Exchange antispam now, and then click Next.
7. Configure the use of Microsoft Update, and then click Next.
8. Choose whether or not you want to be part of the Microsoft Customer Experience
Improvement Program (CEIP), and click Next.
9. Verify that the settings are correct, and click Next.
Exercise 2
Perform initial configuration of Forefront TMG
Note: The initial configuration of Forefront TMG configures the server to download and install
engine and definition updates for Web and e-mail antimalware as well as the antispam engine.
Because these definition updates are essential for the remaining exercises in this lab, and
because the lab lacks the connectivity to obtain these updates, the initial configuration has been
performed for you.
The details have been left in this lab manual so you can examine the steps that were taken to
install this server. After reading these notes, please begin Exercise 3.
When the Forefront TMG Management Console is started for the first time, the Getting Started
Wizard runs. Though you don’t have to use the wizard to configure the server, it presents the
main configuration options in a logical order.
The Getting Started Wizard provides a starting point for four additional wizards that can be
accessed sequentially:
The Network Settings Wizard allows you to apply network templates based on common
scenarios, and to modify IP, DNS, and routing settings for your network adapters.
The System Configuration Wizard allows you to change the computer name, domain
membership, and DNS suffixes.
The Deployment Wizard allows you to license and enable Network Inspection System
and Malware Protection services, and to define how signature updates are obtained and
used.
The Web Access Wizard allows you to configure Forefront TMG so that internal users
can access Internet Web sites.
The first three wizards in the list above will be used in this exercise to perform initial
configuration of the Forefront TMG server. Configuration of Web access (and other scenarios)
will be performed in subsequent exercises.
Note: Perform the following steps on the VAN-EDG computer.
Task 1: Configure the network configuration using the Network Settings Wizard
1. On the VAN-EDG computer, click Start | All Programs | Microsoft Forefront TMG |
Forefront TMG Management.
2. Click Configure network settings.
3. Click Next to start the Network Settings Wizard.
4. Select the Edge firewall template, and then click Next.
5. Select Internal as the adapter that is connected to the LAN, and then click Next.
6. Select External as the adapter that is connected to the Internet, and then click Next.
As noted above, a default gateway would typically be defined on this interface instead of
the internal interface.
7. Click Finish to complete the Network Settings Wizard.
Task 2: Run the System Configuration Wizard
1. Click Configure system settings.
2. Click Next to start the System Configuration Wizard.
3. There is no need to change the computer name or domain membership, so click Next.
4. Click Finish to complete the System Configuration Wizard.
Task 3: Enable NIS and signature updates using the Deployment Wizard
Though malware inspection can be enabled using the Deployment Wizard, you will enable it in a
later exercise.
1. Click Define deployment options.
2. Click Next to start the Deployment Wizard.
3. Select Use the Microsoft Update service to check for updates, and then click Next.
This is required to enable malware definition updates to be received from Microsoft®
Update.
4. For the Network Inspection System, select Activate complementary license and enable
NIS.
5. For Web Protection, select Activate evaluation license and enable Web Protection.
6. Ensure that both Enable Malware Inspection and Enable URL Filtering are selected, and
then click Next.
7. For Network Inspection System signature updates, select Check for and install updates and
the default polling interval of 15 minutes. An alert will be triggered if updates are not
installed after 45 days.
8. Select Microsoft default policy as the option to use for newly downloaded attack
signatures, and then click Next.
This ensures that attacks that exploit vulnerabilities will be blocked by Forefront TMG as
soon as the signature is published to Microsoft Update and downloaded by Forefront TMG.
9. Answer No to participation in the Customer Experience Improvement Program, and then
click Next.
10. For the Microsoft Telemetry Service, select I do not want to join Microsoft Telemetry
Service at this time, and then click Next.
The telemetry service provides Microsoft with information on attacks and responses as they
occur, aiding in the development and distribution of effective threat mitigations.
Note: Because the labs do not have Internet access, both of the above options are disabled.
11. Click Finish to complete the Deployment Wizard.
12. Ensure that Run the Web Access wizard is not selected, and then click Close to end the
Getting Started Wizard.
Web Access Policy will be created in the next lab.