To install an Enterprise Management Server (EMS) for centralized management

1. Insert the Forefront TMG 2010 DVD into the DVD drive, or run autorun.hta from a shared network drive.
2. On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must relaunch the setup, as described in step 1.
3. On the main setup page, click Run Preparation Tool to launch the Forefront TMG Preparation Tool. For instructions on running the Preparation Tool, see the Microsoft TechNet article Preparing for installation (http://technet.microsoft.com/en-us/library/dd896983.aspx).
4. On the main setup page, click Run Installation wizard to launch the Forefront TMG Installation Wizard.
5. On the Setup Scenarios page, click Enterprise Management Server for centralized array management.
6. On the Installation Path page, specify the Forefront TMG installation path.
7. On the Enterprise Management Server Configuration page, do one of the following:
   - Click Create a new enterprise configuration on this EMS to create new enterprise policies and policy rules for this installation of EMS.
   - Click Copy an existing enterprise configuration to this EMS to duplicate the enterprise configuration of an existing EMS to this computer. The configuration copied includes the enterprise policies and the settings of the arrays of the enterprise.
8. If you selected Create a new enterprise configuration on this EMS, on the Create New Enterprise page, enter the name of the enterprise in the Enterprise name box and a short description of the enterprise in the Description box.
9. If you selected Copy an existing enterprise configuration to this EMS, on the Locate Configuration Storage Server page, enter the fully qualified domain name (FQDN) of the EMS from which to copy the enterprise configuration settings, and then select which user account to use when connecting to the configuration storage server.
   Important: Before copying the enterprise configuration settings from an existing EMS, on the existing EMS you must add the new EMS computer to the Replicate configuration storage servers computer set, under Computer Sets in Network Objects.
10. On the Forefront TMG Configuration Replicate Source page, do one of the following:
   - Click Replicate over the network to copy settings over the network.
   - Click Copy from the restored backup files to copy settings from a backup folder.
11. On the Enterprise Deployment Environment page, select the membership type of your Forefront TMG Enterprise deployment:
   - Click Single domain deployment if the enterprise computers are in the same domain.
   - Click Workgroup deployment if the enterprise computers reside in a workgroup. In a workgroup deployment you must install a server certificate. For more details on installing server certificates, see Creating certificates.
12. On the final page, you can select to open the Forefront TMG Management console immediately.
Forefront TMG implements a cache feature to improve performance and response times for Web requests. You configure the cache to contain Web objects that are frequently requested by users. When a user makes a request, the caching mechanism serves the requested object directly from the cache instead of making a request to the Internet.

Web caching provides two main benefits:
- Faster Internet user access – Web requests are served from the cache instead of requiring a connection to a remote Internet server. In Web publishing scenarios, reverse caching speeds up access for Internet users requesting Web content from corporate Web servers published by Forefront TMG 2010.
- Reduced traffic on the Internet connection – Because frequently requested objects are served from the cache, bandwidth is saved on the Internet connection. In Web publishing scenarios, reverse caching reduces the load on the published Web server.

Supported caching types
Forefront TMG supports two types of caching:
- Forward caching – Caches frequently requested Internet content and serves it to internal users.
- Reverse caching – Caches content that is frequently requested from internal Web servers published by Forefront TMG and serves it to external, remote users. Reverse caching is enabled by default when forward caching is enabled.
Considerations for storing cached content
Forefront TMG stores cached content in two locations:
- In memory (by default, 10% of the RAM is used for caching objects).
- On disk.
Because objects cached in memory can be retrieved faster than objects cached on disk, Forefront TMG stores the most popular content both on disk and in memory. If the cache content file on the disk is too full to hold a new object, Forefront TMG removes older objects from the cache. It determines which objects to remove from the disk by using a formula that evaluates how old the object is, how often it is accessed, and its size.

When you plan for caching, consider the following:
- More RAM provides faster performance for serving cached content. In large deployments, it is recommended that a high-performance hard disk is used.
- You must use a formatted NTFS file system partition for the cache, and the cache drive must be local. When you configure a cache drive, a cache-content file, Dir1.cdat, is created in drive:\urlcache.
- The maximum size for the cache file on a single drive is 64 GB.
- Files larger than 512 MB do not remain in the cache after a reboot.
- Locate the cache file on a physical disk other than the disk on which the operating system and Forefront TMG are installed. This reduces contention on the system and boot disk.
- Forefront TMG cache performance counters provide information about cache memory performance, cache space, and URL handling. Based on this information, you can modify cache settings as required.
To enable caching
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and under Related Tasks, click Configure Web Caching.
2. On the Cache Drives tab, select the server entry, and then click Configure.
3. Select the required drive, and in Maximum cache size, specify the maximum size in megabytes. Click Set to save the setting. Click Reset to set the value back to 0. The maximum size for a single cache file is 64 GB. If you require a larger cache store, you can split it into several files over different drives.
   To disable caching, set the cache drive size to 0. Check your cache rules before disabling caching: content that is served only from the cache will not be available once caching is disabled.
4. To configure advanced caching properties, leave the Cache Settings dialog box open, and continue with the next procedure.

To configure how objects are cached and how expired objects are served from the cache
1. In the Cache Settings dialog box, click the Advanced tab.
2. Leave the default setting Cache objects that have an unspecified last modification time enabled, so that pages or objects that do not carry a last-modification time stamp can still be cached.
3. Leave the default setting Cache objects even if they do not have an HTTP status code of 200 enabled, so that pages without this status code are also cached. The HTTP 200 status code is an OK response from a Web server, indicating that the request was fulfilled and a complete page was obtained.
4. In Maximum size of URL cached in memory, specify a maximum limit on the size of objects that can be stored in memory. This prevents excessive caching of large objects, such as graphics. A limit that is too low may hinder caching performance, because objects are served more quickly from the memory (RAM) cache than from disk.
5. Select Do not return the expired object (return an error page) to specify that negative caching should not be used. Negative caching allows you to specify the circumstances in which expired cache objects should be returned to users when the required Web server is not available.
6. Alternatively, select Return the expired object only if expiration was, to indicate that in some circumstances an expired object should be returned, and then set one or both of the following:
   - At less than this percentage of original Time-To-Live – specifies how long an expired object may still be served from the cache, as a percentage of the original Time-to-Live (TTL). A TTL value is specified in every cache rule you create. For example, if you specify a value of 50, the expired object is returned for at most 50% of the original TTL after it expires.
   - But no more than (minutes) – specifies that an expired object should not be returned if the time since expiry is greater than the specified number of minutes, even if it still falls within the percentage set previously.
7. In Percentage of free memory to use for caching, specify the percentage of RAM made available for caching. The default is 10 percent.

To configure cache rules
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. On the Tasks tab, click Configure Web Caching.
3. On the Cache Rules tab, click New. Follow the instructions in the wizard, and note the following:
   - On the Cache Content page, if you select to cache Dynamic content, Forefront TMG will cache retrieved objects even if they are marked as not cacheable, provided the source and request headers indicate caching.
   - On the Cache Content page, if you select to cache Content requiring user authentication for retrieval, Forefront TMG will cache content requested by authenticated users, provided the source and request headers indicate caching. That content is then served from the cache without verifying access permissions, so non-authenticated users may be able to retrieve it; enable this only for content whose access does not depend on who requests it.
   - On the Cache Advanced Configuration page, the setting Cache SSL Responses applies to SSL bridged traffic. SSL tunneled traffic is not cached. This means that you can cache SSL traffic in reverse caching scenarios, in which internal Web sites are published over SSL and the SSL session is terminated on the Forefront TMG firewall. Outgoing SSL requests to the Internet cannot be cached.
   - On the HTTP Caching page, the setting Set TTL of objects (% of the content age) instructs Forefront TMG to keep HTTP objects valid in the cache according to TTL settings. TTL settings are based on the TTL defined in the response header and the TTL boundaries defined in the cache rule. The percent of the content age is a percentage of the time the content has existed. The higher the percentage, the less frequently the cache is updated.
In arrays, Forefront TMG uses Cache Array Routing Protocol (CARP) to provide a single, logical cache, for all the servers in the array. CARP allows Forefront TMG array members to efficiently balance Web-based client load, and split cached content between them. On the client side, CARP provides client computers with the information and algorithms required to identify which is the best server in the array to serve their request, thus eliminating the need for array members to forward requests between the array members. CARP also supports array server selection by the servers themselves and chained proxies.
In a scenario where you are using ISA Server 2006 with NLB and you also want to use Kerberos for Web Proxy authentication, you should use the automatic configuration script (WPAD) (see the Microsoft TechNet article Automatic Detection Concepts in ISA Server 2006, http://technet.microsoft.com/en-us/library/bb794779.aspx). However, starting with ISA Server 2004, the way the server list in the configuration script is built changed. ISA Server 2000 (see the MSDN article FPCWebProxy.CARPNameSystem Property, http://msdn.microsoft.com/en-us/library/ms822622.aspx) returns the fully qualified names of the array members within the function MakeProxies(). ISA Server 2004 and later instead use the server IP addresses appropriate to the network from which the script was requested. This change from fpcNameSystem_DNS to fpcNameSystem_IP in ISA Server 2004/2006 (see the MSDN article CARPNameSystem Property of IFPCWebProxy [C++] | FPCWebProxy.CARPNameSystem [Visual Basic], http://msdn.microsoft.com/en-us/library/ms826254.aspx) was made to eliminate the name resolution problems commonly seen in ISA deployments. With the adoption of Internet Explorer 7 and the option to use Kerberos for Web Proxy authentication, however, using the IP address causes Kerberos authentication to fail, because the browser derives the Kerberos service principal name from the proxy's host name and cannot do so for a bare IP address, and so the browser falls back to NTLM authentication.
To change how ISA Server 2004 and 2006 build the script so that it uses the fully qualified name rather than the IP address, save and run the following script on the ISA Server:

    ' CARP name system values exposed by the FPC (ISA administration COM) object model
    Const fpcCarpNameSystem_DNS = 0
    Const fpcCarpNameSystem_WINS = 1
    Const fpcCarpNameSystem_IP = 2

    ' Connect to the local ISA configuration and get the Web proxy settings of this array
    Dim oISA: Set oISA = CreateObject( "FPC.Root" )
    Dim oArray: Set oArray = oISA.GetContainingArray
    Dim oWebProxy: Set oWebProxy = oArray.ArrayPolicy.WebProxy

    ' Nothing to do if the script already advertises DNS names
    If fpcCarpNameSystem_DNS = oWebProxy.CarpNameSystem Then
        WScript.Echo "ISA is already configured to provide DNS names in the WPAD script"
        WScript.Quit
    End If

    ' Switch from IP addresses to DNS names and commit the change to the configuration store
    oWebProxy.CarpNameSystem = fpcCarpNameSystem_DNS
    oWebProxy.Save true
    WScript.Echo "ISA was configured to provide DNS names in the WPAD script..."

Important: shortly after running this script, the Firewall service will restart. Therefore we recommend making this change after business hours.
Today, more and more businesses rely on their Internet Service Provider (ISP) link to handle their communications with the outside Internet world. Sending e-mail, browsing the Web and other Web-related actions are essential business infrastructure services that are available only as long as the ISP line is up and running. Keeping a stable, available and reliable outside Internet connection is one of the critical tasks on every administrator's checklist. Forefront TMG provides a new capability called ISP redundancy, which enables the use of not one but two ISP links for external connectivity, either for traffic load balancing or as a failover backup.

Once you have completed the initial Forefront TMG setup steps, either by manual configuration or by using the Getting Started Wizard, in the Forefront TMG Management console tree open the Networking node, click the ISP Redundancy tab, and click Enable ISP Redundancy to turn this feature on. Clicking Enable ISP Redundancy opens the configuration wizard. The first configuration step is choosing between two modes of operation:
- Load Balancing – Network connections are distributed between the two active ISP links. The load factor between the two links can be configured by sliding the percentage rule from one end to the other (see image 2). Distribution is determined by the actual number of connections.
- Failover – Network connections are routed through the primary ISP link. The secondary link stays inactive until the primary link is broken or disconnected. If the primary connection fails, the secondary link becomes active and outbound traffic is routed through the second ISP link. The secondary link stays active until the primary link comes back.

Diverting traffic to a specific ISP link by using NAT rules
We saw before that we can define explicit IP addresses to be diverted through a specific link. But there are cases where we are required to divert specific internal network subnets through a specific ISP link. Forefront TMG introduces new network rule settings that can be used to configure this. For example, if you want a subnet to be routed through a specific link, you can set up a new network rule by clicking the Networking node in the Forefront TMG console and then clicking Create a network rule. Set the source and destination networks, define the relationship as NAT, and pick the Use selected IP addresses for each network option on the NAT Address Selection step.
The Forefront TMG client that ships with Forefront TMG is now capable of performing automatic discovery using a record that resides in Active Directory. The TMG client is still able to use the traditional methods (DHCP / DNS) for automatic discovery; the difference is that if both options are enabled in the UI (see Figure 1), auto-detection follows this flow:
- The Forefront TMG client first tries to retrieve the information from Active Directory using an LDAP query.
- If the Forefront TMG client is unable to retrieve that information because of a connection error, it does not fail over to the DHCP / DNS automatic detection methods, for security reasons. This reduces the risk that an attacker might force a fallback to a less secure method by affecting the availability of the Active Directory marker. Active Directory discovery is considered more secure than the DHCP/DNS methods.
- If the connection to Active Directory succeeds but no information is found, the TMG client fails over to DHCP and then to DNS.

To configure Active Directory to support this, use the TMG Auto-Discovery Configuration Tool (TmgAdConfig.exe). This tool configures Active Directory with a marker key that points to your Forefront TMG server. This key is used by the TMG client to locate the Forefront TMG server and connect to it. You can download the TMG AD Configuration Tool from the Microsoft Download Center (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=dff77975-84bf-484f-a3bd-9d8dd800e220; look for AdConfigPack.EXE). After downloading and installing it on the TMG server, run the following command line to register the AD marker key:

    tmgadconfig add -default -type winsock -url http://ftmgfw.contoso.com:8080/wspad.dat
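The discovery order above, as an added example written for this page rather than code from the Forefront TMG client: a small routine that tries Active Directory first and applies the no-fallback-on-error rule. The default marker URL is the one registered with the tmgadconfig command above; the site-specific marker, the DHCP/DNS URLs and the lookup functions are constructed, and preferring a site marker over the default marker is an assumption, not something the page states.

```javascript
// Added example (not Forefront TMG code): the auto-detection order described
// above for the Forefront TMG client, written as a decision routine so the
// "no fallback on AD error" rule can be exercised with constructed lookups.

// Default marker as registered by "tmgadconfig add -default -type winsock -url ..."
// in the text; the site-specific marker is constructed for this example.
const AD_MARKERS = {
  default: 'http://ftmgfw.contoso.com:8080/wspad.dat',
  sites: { Seattle: 'http://ftmgfw-sea.contoso.com:8080/wspad.dat' },
};

// Assumption: a site-specific marker is preferred over the default marker
// (the page only says both kinds can be registered).
function lookupAdMarker(markers, siteName) {
  return markers.sites[siteName] || markers.default || null;
}

// "The directory could not be contacted" (connection/LDAP error), as opposed to
// "the directory was queried and had no marker".
class DirectoryUnavailable extends Error {}

// sources.ad/dhcp/dns each return a URL string, or null when nothing is published.
// Only ad() is expected to throw DirectoryUnavailable.
function discoverTmgServer(sources, options = { adEnabled: true }) {
  if (options.adEnabled) {
    let url;
    try {
      url = sources.ad();
    } catch (e) {
      if (e instanceof DirectoryUnavailable) {
        // Rule from the text: an error contacting AD must NOT fall back to
        // DHCP/DNS, otherwise an attacker who can disrupt the AD lookup could
        // push discovery onto a weaker method that is easier to spoof.
        return { url: null, method: null, reason: 'ad-unreachable' };
      }
      throw e;
    }
    if (url) return { url, method: 'ad' };
    // AD reachable but no marker published: fall back to DHCP, then DNS.
  }
  const dhcp = sources.dhcp();
  if (dhcp) return { url: dhcp, method: 'dhcp' };
  const dns = sources.dns();
  if (dns) return { url: dns, method: 'dns' };
  return { url: null, method: null, reason: 'not-found' };
}

// Constructed lookups; a counter per method shows which ones were consulted.
function makeSources({ adResult, dhcpResult, dnsResult }) {
  const calls = { ad: 0, dhcp: 0, dns: 0 };
  return {
    ad() { calls.ad++; if (adResult instanceof Error) throw adResult; return adResult; },
    dhcp() { calls.dhcp++; return dhcpResult; },
    dns() { calls.dns++; return dnsResult; },
    calls,
  };
}

// Stand-alone run: the AD marker for the Seattle site wins without touching DHCP/DNS.
const DEMO = discoverTmgServer(makeSources({
  adResult: lookupAdMarker(AD_MARKERS, 'Seattle'), dhcpResult: null, dnsResult: null,
}));
console.log(DEMO);
```

The branch that matters is the catch block: a lookup that fails and a lookup that finds nothing are different outcomes, and only the second may move on to DHCP and DNS. Collapsing both into "try the next method" is exactly the downgrade path the text warns about.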
Firewall client network settings
The following list summarizes settings that are specified for a Forefront TMG network and applied to all Firewall clients located in that network.
- Enable Firewall client support for this network – Enables a specific network to listen for requests from Firewall clients on port 1745. For configuration instructions, see the Microsoft TechNet article Enabling a network to receive firewall client requests (http://technet.microsoft.com/en-us/library/cc995209.aspx).
- Name – For a specific network, specifies the fully qualified domain name (FQDN) of the Forefront TMG computer for Firewall clients. Ensure that there is a DNS entry available for clients to resolve this name. If no DNS server is available, an IP address is required.
- Use a Web proxy server – Indicates that Firewall clients in the network should use the specified server as a Web proxy if Web browser automatic configuration is enabled.
- Automatically detect settings – Indicates that the Web browser on Firewall client computers should automatically detect Web proxy settings.
- Use automatic configuration script – Specifies that the Web browser on Firewall client computers in the network should obtain settings from a configuration file. The Forefront TMG default configuration file holds information about the proxy server that should be used for the URL request and about the settings specified on the Web Browser tab and the Domains tab. For configuration instructions, see the Microsoft TechNet article Enabling a network to receive firewall client requests (http://technet.microsoft.com/en-us/library/cc995209.aspx).
Firewall client settings are located in the following files on the Firewall client computer:
- Management.ini
- Common.ini
- Application.ini

Common.ini
The Common.ini file specifies configuration settings that apply to all applications. The following is an example of a typical Common.ini file:

    [Common]
    ServerName=ISA_1
    Disable=0
    Autodetection=0

Management.ini
This file contains Firewall Client configuration settings. The following is an example of a typical Management.ini file:

    [WebBrowser]
    EnableWebProxyAutoConfig=1

Application.ini
This file can be created on the client computer with configuration settings for a specific Winsock application.

Configuration files location
The location of the configuration files on the client computer depends on the operating system. For example, on Windows XP computers, the files are copied to two locations:
- \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004
- \Documents and Settings\username\Local Settings\Application Data\Microsoft\Firewall Client 2004
On Windows Vista computers, the files are copied to the following locations:
- \Users\All Users\Microsoft\Firewall Client 2004
- \Users\username\AppData\Local\Microsoft\Firewall Client 2004

Configuring Firewall client settings
Configuration settings specified in the Forefront TMG Management console are delivered to the client configuration files as follows:
- During Firewall client installation.
- Each time a client computer is restarted.
- When a manual refresh is triggered on the client computer.
- Every six hours after an initial refresh is made.
In addition, you can manually modify configuration files on the client computer. When modifications are made, the following order of preference is applied:
1. The .ini files in the folder of a specific user take precedence.
2. Firewall client looks next in the All Users folder. If a configuration setting is specified there that contradicts the user-specific settings, it is ignored.
3. Firewall client then detects the Forefront TMG server to which it should connect, in accordance with the settings specified in the Firewall Client Management dialog box.
4. Firewall client examines the server-level settings. Any configuration settings specified in Forefront TMG are applied. If a configuration setting is specified that contradicts the user-specific or computer-specific settings, it is ignored.
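The precedence rules above, as an added example that is not Firewall client code: a minimal reader for the [Section] / key=value format shown in the samples, and a merge that lets a lower-priority layer fill gaps but never override. The All Users layer is the Common.ini sample from the page; the per-user override, the server-delivered values and the ExampleOnlyKey setting are constructed.

```javascript
// Added example (not Firewall client code): Firewall client settings precedence
// (per-user folder > All Users folder > server-delivered) applied to constructed
// .ini contents.

// Minimal reader for the [Section] / key=value format of the samples on the page.
function parseIni(text) {
  const result = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) { section = sec[1]; result[section] = result[section] || {}; continue; }
    const eq = line.indexOf('=');
    if (eq < 0 || section === null) continue;   // skip lines that are not key=value
    result[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return result;
}

// Layers are given in order of precedence. A later (lower-priority) layer only
// supplies keys that no earlier layer set; a contradicting value is ignored,
// which is the rule the text states for both the All Users and the server layer.
function mergeWithPrecedence(...layers) {
  const out = {};
  for (const layer of layers) {
    for (const [section, keys] of Object.entries(layer)) {
      out[section] = out[section] || {};
      for (const [k, v] of Object.entries(keys)) {
        if (!(k in out[section])) out[section][k] = v;
      }
    }
  }
  return out;
}

// Effective settings for one file type (here Common.ini): per-user copy first,
// then the All Users copy, then what the Forefront TMG server delivered.
function effectiveSettings(userIniText, allUsersIniText, serverDelivered) {
  return mergeWithPrecedence(parseIni(userIniText), parseIni(allUsersIniText), serverDelivered);
}

// Constructed sample data. The All Users copy is the page's Common.ini sample;
// the user copy overrides one key; the server pushes different values plus a
// key (ExampleOnlyKey) that exists only in this example.
const USER_COMMON_INI = '[Common]\nAutodetection=1\n';
const ALL_USERS_COMMON_INI = '[Common]\nServerName=ISA_1\nDisable=0\nAutodetection=0\n';
const SERVER_DELIVERED = {
  Common: { ServerName: 'tmg01.contoso.com', Disable: '1', Autodetection: '0', ExampleOnlyKey: 'constructed' },
};

console.log(effectiveSettings(USER_COMMON_INI, ALL_USERS_COMMON_INI, SERVER_DELIVERED));
```

In the sample run the user's Autodetection=1 survives, ServerName and Disable come from the All Users copy, and the server only contributes the key nobody set locally. That is also why a local .ini edit can silently defeat a setting you pushed from the console: check the client's two folders before assuming the server-side value is in effect.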
Forefront TMG supports the following migration options:
- Migrating from Internet Security and Acceleration (ISA) Server 2004 to Forefront TMG
- Migrating from ISA Server 2006 to Forefront TMG
- Migrating from Forefront TMG Release Candidate (RC) to Forefront TMG Release to Manufacturing (RTM)
- Upgrading from Forefront TMG Standard Edition to Enterprise Edition

Migration limitations
Before you migrate, you should be aware of the following:
- Migration from ISA Server 2004 is supported only for ISA Server 2004 Service Pack 2 and Service Pack 3.
- If you have enabled the Local Host network to listen for Web proxy client requests, this setting is not migrated.
- Customized log field selections are not migrated. When ISA Server 2004/2006 configuration settings are imported, customized log field selections are overwritten with the default log field settings.
- Report configuration settings are not migrated.
- If you have specified a custom value for the number of times that an event must occur before an alert is triggered, this custom value is not migrated.
- Third-party add-ons are disabled after upgrade. If you were running a third-party add-on for ISA Server 2004/2006, contact the vendor to check on the availability of an updated version for Forefront TMG before re-enabling it.
To upgrade to Forefront TMG 2010 Enterprise Edition, purchase a license for your server and get a new product key.

To upgrade to Enterprise Edition
1. In the Forefront TMG Management console, in the tree, click the System node.
2. On the System tab, right-click the server, and then click Properties.
3. Click the Product ID tab, and then click Upgrade to Enterprise Edition.
4. Enter the Forefront TMG Enterprise Edition product key.
5. Click OK to close the Product Key Entry dialog box, and then click OK to close the Server Properties dialog box.
Design Options
- Single purpose and location, no high availability: Forefront TMG 2010 Standard Edition
- Single purpose and location, high availability: Forefront TMG 2010 Enterprise Edition in a stand-alone array
- Multiple purposes and/or locations, high availability: Enterprise Management Server

Single Purpose and Location: Forefront TMG 2010 Standard Edition (SE)
- Light and medium traffic
- All-in-one solution
- No high availability requirements
(Diagram: Internet, Forefront TMG Standard Edition)

Single Purpose and Location: Forefront TMG 2010 Enterprise Edition (EE), stand-alone array
- Shared configuration
- High traffic solution
- Simple upgrade from SE to EE with an EE license key; data is maintained
- A stand-alone array provides high availability and scale out
(Diagram: Internet, stand-alone array)

Forefront TMG Arrays
- Shared configuration of EE servers
- Allows scale out and high availability
- Seen as a single entity by clients; network connections are load balanced across the array
- Administered as a single entity; configuration settings are shared across array members
- Stand-alone array: no dedicated management server; one server is designated as the array manager, and consoles redirect to the array manager

Enterprise Management Server (EMS)
- Dedicated, replicated configuration store
- Single point of administration
- Uses Windows Server® 2008 Active Directory® Lightweight Directory Services (AD LDS) to host the configuration store
- Same replication mechanism as Active Directory (AD)
- Requires Active Directory authentication to replicate

Using EMS-managed Arrays
- Arrays can enforce the Enterprise policy configured in EMS, and optionally allow a local array policy
- Define primary and secondary EMS servers for high availability
- Array members query EMS using LDAP
- Domain-joined array members authenticate via AD (Kerberos)
- Workgroup servers, or servers in untrusted domains, authenticate using TLS (certificates)

Deploying an EMS
- Select EMS to be installed on the server
- Configure it to create a new enterprise or to be a replica of an existing one
- Select the authentication method

Creating an Array on EMS
- An EMS can store policies for several different arrays, as well as a default enterprise policy

Joining an EMS-managed Array
- Servers select which primary and secondary EMS to use and which array to join

Managing Forefront TMG SE from EMS
- EMS can be used to manage policies for Forefront TMG 2010 Standard Edition (SE) servers

Forefront TMG Enterprise Deployment Design
- Single, replicated AD LDS database, hosted on two or more EMS replicas
- Contains one or more arrays of Forefront TMG EE servers, optionally managing Forefront TMG SE servers
- Recommended: one EMS database per organization
Sample Enterprise TMG Deployment (diagram; only its labels survive): Corp HQ (VPN) with EMS servers, an EMS array, a standalone array in the DMZ (Publishing), and TMG Management; Regional HQ (WAN link only) with EMS, an EMS array (Web Access), and TMG Management; Branch Office (Internet link only) with TMG SE (Web Access), reached over a site-to-site VPN; Branch Office (WAN & Internet link) with EMS and an EMS array; configuration replicated between the EMS servers over the WAN; Internet.
EMS Design Considerations
- If EMS fails, you cannot monitor the array or manage its configuration, so always define at least one EMS replica
- EMS cannot be hosted on array members
- Sample design for EMS high availability: deploy two EMS servers (one primary, one replica) in one physical site, and one EMS server (replica) in each other physical site
- Use a maximum of 40 arrays or servers per EMS

Console Design Considerations
- x86 and x64 Management Console
- Requires Windows Server® 2008 or Windows Vista®
- Deployed on administrative workstations
- Requires LAN-speed bandwidth and latency to EMS and array members; otherwise the best option is to use Remote Desktop

DNS Considerations
- Windows can only use one primary DNS server. Which to use: ISP DNS servers or corporate DNS servers?
- Solutions:
  - Use corporate DNS servers and forwarders
  - Host the DNS service locally, use conditional forwarding for internal DNS zones, and forward all other queries to ISP DNS servers

Domain vs. Workgroup
- Workgroup scenarios: unauthenticated inbound and outbound traffic, for example a secure mail relay; Web site publishing using LDAP, RADIUS, or SecurID tokens; VPN with RADIUS authentication; outbound Web access using RADIUS
- Deployment considerations: requires certificates on all EMS and array members

Web Proxy Chaining
- Main scenario: a site with no Internet link (the default rule is to retrieve directly)
- Chain all Web requests, or just requests to specific destinations
- Also used for site redirection
Sample Web Proxy Chaining Design (diagram; only its labels survive): Head Quarters with a TMG array, two ISP links (ISP 1, ISP 2) and the WAN; Regional HQ with a TMG array and an ISP link; Disaster Recovery site with a TMG array and an ISP link; Branch Office (WAN and Internet link) with TMG SE; Small Branch Office (link to Regional HQ) with TMG SE; Branch Office (WAN link only) with TMG SE; legend: ISP link, chaining, client traffic.
Scalability and Availability
- Service scale out and high availability options: Network Load Balancing; Cache Array Routing Protocol (CARP)
- Connectivity high availability through Internet service provider (ISP) redundancy

Network Load Balancing (NLB)
- Provides high availability at the host level: when a host is off, its traffic is redirected to other members of the NLB cluster
- Allows scale out
- Uses the client IP instead of a cookie for session affinity (single affinity), so it works with any IP device
- Built-in Windows feature, integrated with Forefront TMG
- Use for Web proxy (outbound), Web and server publishing (inbound), and remote access through VPN
Network Load Balancing (diagram): the client initiates a request; the network sends the incoming request to the L2 or L3 switch, which floods it to the NLB cluster (Host 1, Host 2, Host 3); one server accepts the client request and sends a response back to the client. NLB hosts share the same MAC address and virtual IP.
NLB Modes
- Unicast: the MAC address is overwritten with the shared MAC; prevents node-to-node communication; not supported on Microsoft Hyper-V™; switch flooding issues
- Multicast: adds a multicast MAC address; may require an ARP table entry at the router/L3 switch
- IGMP Multicast: only sends to ports in the IGMP group; not RFC-compliant

Web Content Caching
- Forward proxy caching: cache objects requested by internal Web proxy clients
- Reverse proxy caching: cache static content from published Web sites; reduces load on the Web servers
- Cache rules are based on destination only: networks, IP ranges, DNS domains, URLs

Enabling Caching
- Define cache drives on array members

Cache Array Routing Protocol (CARP)
- Distributed caching algorithm: returns the IP address or host name of the caching server most likely to have a cached copy of the content
- Per fully qualified domain name (FQDN), not per page
- Allows the implementation of a single, logical cache (scales linearly)
- Implemented using a script that runs client-side or server-side:
  - Server-side – allows members of the Forefront TMG array to fetch content from other array members
  - Client-side – allows Web proxy clients to fetch the content directly from the appropriate array member

Enabling CARP
- Server-side: enable per network; CARP exceptions per network; load factor
- Client-side: use the configuration script provided by the array, delivered by WPAD or by the Use automatic configuration script option

CARP, NLB, and High Availability
- Client-side CARP is not a high availability solution: the browser must be restarted on node failure
- If you need high availability: enable CARP on the server, and configure clients to use the NLB address (this disables client-side CARP)
- If you want cache efficiency and performance: enable CARP on the server, and configure clients to use client-side CARP via WPAD or the automatic configuration script
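Added example that is not the script Forefront TMG's array.dll generates: a client-side CARP routing script in the FindProxyForURL shape that browsers evaluate, illustrating both the CARP description earlier on this page and the CARP slides above. The hash construction follows the CARP v1.0 Internet-Draft; the array member names and ports, the bypass suffix list and the sample hosts are constructed, and the load factor mentioned under Enabling CARP is treated as equal for all members, so the draft's load-factor weighting is left out.

```javascript
// Added example (not the script Forefront TMG generates): client-side CARP
// member selection inside a FindProxyForURL routing script. Hashing follows the
// CARP v1.0 Internet-Draft; members, ports, bypass suffixes and hosts are constructed.

const ARRAY_MEMBERS = [                         // constructed array members
  'tmg1.corp.contoso.com:8080',
  'tmg2.corp.contoso.com:8080',
  'tmg3.corp.contoso.com:8080',
];
const DIRECT_SUFFIXES = ['.corp.contoso.com'];  // constructed "site and domain bypass" list

// 32-bit rotate-left; every value below is kept as an unsigned 32-bit integer.
function rotl(x, n) { return ((x << n) | (x >>> (32 - n))) >>> 0; }

// Draft hash of the routing key. Forefront TMG routes per FQDN, not per page,
// so only the host name is hashed and every URL on one host gets the same owner.
function carpHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) h = (rotl(h, 19) + s.charCodeAt(i)) >>> 0;
  return h;
}

// Member hash: the plain hash plus the draft's multiply-and-rotate mixing step.
function memberHash(name) {
  let h = carpHash(name.toLowerCase());
  h = (h + Math.imul(h, 0x62531965)) >>> 0;
  return rotl(h, 21);
}

// Combine host hash and member hash into that member's score for the host.
function combinedHash(hostHash, mHash) {
  let c = (hostHash ^ mHash) >>> 0;
  c = (c + Math.imul(c, 0x62531965)) >>> 0;
  return rotl(c, 21);
}

// Members ordered by descending score: the first is the cache owner for the
// host, the rest form the failover chain. Ties are broken by name.
function rankMembers(host, members) {
  const hh = carpHash(host.toLowerCase());
  return members
    .map((m) => ({ m, score: combinedHash(hh, memberHash(m)) }))
    .sort((a, b) => b.score - a.score || a.m.localeCompare(b.m))
    .map((x) => x.m);
}

// PAC entry point: browsers call it with the full URL and the host part.
function FindProxyForURL(url, host, members = ARRAY_MEMBERS) {
  const h = host.toLowerCase();
  const plainHost = !h.includes('.');
  if (plainHost || DIRECT_SUFFIXES.some((d) => h.endsWith(d))) return 'DIRECT';
  return rankMembers(h, members).map((m) => 'PROXY ' + m).join('; ');
}

// Why CARP "scales linearly": a member's score for a host does not depend on
// the other members, so removing one member only moves the hosts it owned.
// Returns true when no host owned by a surviving member changed owner.
function ownersStableAfterRemoval(hosts, members, removed) {
  const survivors = members.filter((m) => m !== removed);
  return hosts.every((host) => {
    const before = rankMembers(host, members)[0];
    return before === removed || rankMembers(host, survivors)[0] === before;
  });
}

const SAMPLE_HOSTS = ['www.example.com', 'update.example.net', 'cdn.example.org',
  'mail.example.com', 'news.example.co.uk', 'downloads.example.io'];  // constructed

console.log(FindProxyForURL('http://www.example.com/index.html', 'www.example.com'));
```

The ordered PROXY list is what gives client-side CARP its failover: the browser tries the owner first and walks down the chain, but, as the slide says, it will not re-evaluate a dead member until it is restarted. ownersStableAfterRemoval is the property behind "scales linearly": taking tmg3 out only moves the hosts tmg3 owned, and every other host keeps its cache owner, so the surviving caches are not flushed by the membership change.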
Internet Service Provider (ISP) Redundancy
- Enables utilizing two ISPs for external connectivity
- Two modes of operation: Failover – primary and backup ISP; Load balancing and failover – connections distributed between two active ISPs, with a percentage of connections routed through each ISP
- Network rules can be used to route subnets through a specific link

Client Types
- Web proxy client: CERN-compatible browsers/applications
- SecureNAT client: any host supporting IP
- Forefront TMG client (formerly ISA firewall client): Windows computers
Client Comparison

Feature                   | SecureNAT client                                               | Forefront TMG client     | Web proxy client
Installation required     | IP routing configuration                                       | Yes                      | Web browser configuration
OS support                | Any OS supporting TCP/IP                                       | Windows only             | Any proxy-aware Web application
Protocol support          | Requires application filters for multiple-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP download
User-level authentication | No                                                             | Yes                      | Yes
Web Proxy Client Configuration
- Generate configuration: automatic configuration script
- Discover configuration: automatic configuration script; Web Proxy Auto Discovery (WPAD); static proxy configuration
- Enforce configuration: manual; Group Policy; Forefront TMG client

Discover Web Proxy Configuration: Automatic Configuration Script
- Script maintained by the array: http://<FQDN>/array.dll?Get.Routing.Script
- Configures: Web proxy address and port; site and domain bypass; alternate proxy; CARP membership
- Configure via a site Group Policy object (GPO) for roaming clients

Discover Web Proxy Configuration: Web Proxy Automatic Discovery (WPAD)
- Allows Web clients to autodiscover the Web proxy using DNS or DHCP
- DNS: the client queries for the host wpad in each DNS suffix; not location aware
- DHCP: the client queries its lease for option 252 (http://<FQDN>:80/wpad.dat); location aware
- Takes precedence over the automatic configuration script
- Can be enabled via GPO

Discover Web Proxy Configuration: Static Proxy Configuration
- Configurable via GPO
- Best option with NLB or other load balancing solutions
- Supported by all platforms
- Limitations: disables client-side CARP; if NLB is used, clients use NTLM authentication; cannot define an alternate proxy

Enforce Configuration
- Manual browser configuration (can be scripted)
- Active Directory GPO: restricted to domain members; defined per domain, site, or organizational unit (OU)
- Forefront TMG Client: the client configures the browser settings

SecureNAT Clients
- Only requires proper routing; clients perform DNS resolution
- Limitations: no user information passed; no support for secondary connections (without an application filter)
- Use for: non-Web protocols; simple, unauthenticated protocols; non-Windows systems

Enhanced NAT
- Specify the IP address used for NAT from the source to the destination network
- Solves issues with SMTP Sender Policy Framework and other IP-based authorization policies
- Web proxy and NAT-based access rules only
- Overrides ISP redundancy load balancing mode

Forefront TMG Client
- Formerly known as ISA Firewall client
- Supports all Winsock-based applications: FwcWsp.dll is registered with the Winsock protocol stack and tracks all Winsock calls; all remote TCP calls are sent to the FWC listener (TCP 1745)
- User information passed on all requests
- Use for: user-based authentication for non-Web protocols; complex protocols with secondary connections

Forefront TMG Client Discovery
- Secure discovery using Active Directory, with fallback to DHCP and DNS when no marker is found
- Secure discovery uses AD to store discovery information for domain members, for both Forefront TMG client and Web proxy discovery
- Allows global and site-specific markers
- Configured using TmgAdConfig.exe: TmgAdConfig add -site <Site> -type <winsock|webproxy> -url <URL>

Server-side Configuration
- The Domains and Addresses tabs determine routing

Client-side Configuration Settings
- Client settings are stored in the following files: Management.ini, Common.ini, Application.ini
- Client settings defined in the console are delivered to the client at restart, and then every six hours; a manual refresh is also possible

Client-side Configuration
- Users can use the client to configure HTTPS Inspection notifications and Automatic Detection options

Migration from ISA Server to Forefront TMG
- ISA Server SE migrates to Forefront TMG SE or to a Forefront TMG EE standalone server
- ISA Server EE migrates to Forefront TMG EMS
- ISA Server 2004/2006 settings can be exported to a file and then imported on Forefront TMG SE or EE; the Export confidential information option must be set
- No in-place upgrade option: ISA Server is x86 only, Forefront TMG x64 only

Upgrading from Forefront TMG SE to EE
- Simply select the Upgrade to Enterprise Edition option in the System Properties
- Enter the Forefront TMG 2010 Enterprise Edition product key
- No need to rerun setup