System Requirements

Supported operating systems: Windows Server 2008 SP2 or Windows Server 2008 R2

Minimum system requirements:
- A computer with a 2-core (1 CPU x dual core) 64-bit processor
- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space (this is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection)
- One local hard disk partition that is formatted with the NTFS file system
- One network adapter that is compatible with the computer's operating system, for communication with the Internal network
- An additional network adapter for each network connected to the Forefront TMG server

Recommended system requirements:
- A computer with a 4-core (2 CPU x dual core or 1 CPU x quad core) 64-bit processor
- 4 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space (exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection)
- Two disks for the system and TMG logging, and one for caching and malware inspection
- One network adapter that is compatible with the computer's operating system, for communication with the Internal network
- An additional network adapter for each network connected to the Forefront TMG server
Preparation Tool

Before installing Forefront TMG 2010, run the Preparation Tool to verify that the applications required for a successful installation are present on the computer. If you run Forefront TMG 2010 Setup without first running the Preparation Tool, the installation may fail when the computer does not have the required applications installed. These applications are:
- Windows Roles and Features
- Microsoft .NET Framework 3.5 SP1
- Windows Web Services API
To run the Preparation Tool and install Forefront TMG
1. Insert the Forefront TMG 2010 DVD into the DVD drive, or run autorun.hta from a shared network drive.
2. On the main setup page, click Run Windows Update. Windows Update might require one or more computer restarts. If the computer restarts, you must launch the setup page again, as described in step 1 of this procedure.
3. On the main setup page, click Run Preparation Tool to launch the Preparation Tool. On its Installation Type page, select the required installation type option:
   - Forefront TMG services and Management
   - Forefront TMG Management only
   - Enterprise Management Server (EMS) for centralized array management
   The Preparation Tool downloads and installs the prerequisite applications according to the selected Forefront TMG installation type.
4. On the main setup page, click Run Installation Wizard to launch the Forefront TMG Installation Wizard.
5. On the Installation Type page, click the Forefront TMG Services and Management button.
6. On the Installation Path page, specify the Forefront TMG 2010 installation path.
7. On the Define Internal Network page, click Add, click Add Adapter, and then select the adapter that is connected to the main corporate network.
   Note: If you are installing Forefront TMG on a computer with a single network adapter, all IP address ranges should be configured for the Internal network, except for the following: 0.0.0.0; 255.255.255.255; 127.0.0.0-127.255.255.255 (Local Host); 224.0.0.0-254.255.255.255 (multicast).
8. On the Ready to Install the Program page, click Install.

Adding IP addresses to the Internal network
On the Addresses page, select any of the following methods to add addresses to the Internal network:
- Add Range – Adds a range of IP addresses. You must specify the beginning and ending IP address in the range; for example, 10.0.0.1 to 10.0.0.255.
- Add Adapter – Selects a network adapter. The IP addresses that are included in the Internal network are based on the IP address and subnet mask of the selected adapter.
- Add Private – Adds IP addresses defined as non-routable IP addresses, based on Request for Comments (RFC) 1918, and on the Automatic Private IP Addressing (APIPA) feature.
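The following PowerShell script is an added illustration, not part of the Forefront TMG documentation or product. It models what each method on the Addresses page produces: Add Range (an explicit start and end), Add Adapter (the range derived from an adapter's IP address and subnet mask), Add Private (the RFC 1918 blocks plus APIPA), and the single-adapter Internal network (every address except the exclusions listed in the note above). It also checks the rule, stated later in this document, that the address ranges of two networks must not overlap. The adapter addresses and the existing perimeter network are constructed sample values.

```powershell
# Added example, not from the Forefront TMG documentation. Models the Addresses
# page "Add" methods and the no-overlap rule. Sample adapter data is constructed.

function ConvertTo-IpInt {
    param([string]$Ip)
    # Dotted quad -> 64-bit integer (big-endian) so ranges can be compared arithmetically.
    $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IpInt {
    param([int64]$Value)
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($bytes)
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function New-IpRange {
    param([string]$From, [string]$To)
    # Add Range: an explicit beginning and ending address.
    if ((ConvertTo-IpInt $From) -gt (ConvertTo-IpInt $To)) { throw "Range start $From is after range end $To" }
    New-Object PSObject -Property @{ From = $From; To = $To }
}

function New-AdapterRange {
    param([string]$Ip, [string]$Mask)
    # Add Adapter: the range is derived from the adapter's IP address and subnet mask.
    $net   = (ConvertTo-IpInt $Ip) -band (ConvertTo-IpInt $Mask)
    $bcast = $net + (4294967295 - (ConvertTo-IpInt $Mask))      # all host bits set
    New-IpRange (ConvertFrom-IpInt $net) (ConvertFrom-IpInt $bcast)
}

function Get-PrivateRanges {
    # Add Private: RFC 1918 blocks plus the APIPA block (169.254/16).
    @(
        (New-IpRange '10.0.0.0'    '10.255.255.255'),
        (New-IpRange '172.16.0.0'  '172.31.255.255'),
        (New-IpRange '192.168.0.0' '192.168.255.255'),
        (New-IpRange '169.254.0.0' '169.254.255.255')
    )
}

function Get-SingleAdapterInternalRanges {
    # Single-adapter template: everything except 0.0.0.0, 255.255.255.255,
    # the Local Host block 127/8 and the multicast block 224.0.0.0-254.255.255.255.
    $excluded = @(
        (New-IpRange '0.0.0.0'         '0.0.0.0'),
        (New-IpRange '127.0.0.0'       '127.255.255.255'),
        (New-IpRange '224.0.0.0'       '254.255.255.255'),
        (New-IpRange '255.255.255.255' '255.255.255.255')
    ) | Sort-Object { ConvertTo-IpInt $_.From }
    $ranges = @(); $cursor = [int64]0
    foreach ($ex in $excluded) {
        $start = ConvertTo-IpInt $ex.From
        if ($start -gt $cursor) { $ranges += New-IpRange (ConvertFrom-IpInt $cursor) (ConvertFrom-IpInt ($start - 1)) }
        $cursor = (ConvertTo-IpInt $ex.To) + 1
    }
    if ($cursor -le 4294967295) { $ranges += New-IpRange (ConvertFrom-IpInt $cursor) '255.255.255.255' }
    return $ranges
}

function Test-RangeOverlap {
    param([object[]]$A, [object[]]$B)
    # True if any range in $A shares at least one address with a range in $B.
    foreach ($x in $A) { foreach ($y in $B) {
        if ((ConvertTo-IpInt $x.From) -le (ConvertTo-IpInt $y.To) -and
            (ConvertTo-IpInt $y.From) -le (ConvertTo-IpInt $x.To)) { return $true }
    } }
    return $false
}

# Constructed sample: LAN adapter 10.0.0.2/24 and an existing perimeter network 10.0.1.0/24.
$internal  = @(New-AdapterRange '10.0.0.2' '255.255.255.0')     # 10.0.0.0 - 10.0.0.255
$perimeter = @(New-AdapterRange '10.0.1.1' '255.255.255.0')     # 10.0.1.0 - 10.0.1.255
"Internal (Add Adapter): {0}-{1}" -f $internal[0].From, $internal[0].To
"Internal overlaps perimeter: {0}" -f (Test-RangeOverlap $internal $perimeter)
# Add Private would claim 10.0.0.0/8 as well, which collides with the perimeter network:
"Add Private overlaps perimeter: {0}" -f (Test-RangeOverlap (Get-PrivateRanges) $perimeter)
"Single-adapter Internal network:"
Get-SingleAdapterInternalRanges | ForEach-Object { "  {0}-{1}" -f $_.From, $_.To }
```

The single-adapter function yields three ranges (0.0.0.1-126.255.255.255, 128.0.0.0-223.255.255.255 and 255.0.0.0-255.255.255.254), which is the complement of the note's exclusion list. The overlap test is the check worth running before you click Add Private on a server that already has a perimeter network defined from a private block.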
Getting Started Wizard

Use the Forefront TMG Getting Started Wizard to configure or modify initial deployment settings. The wizard contains the following three sub-wizards:
- Network Setup Wizard – Use to configure network adapters on the server. Each network adapter is associated with a unique Forefront TMG network.
- System Configuration Wizard – Use to configure operating system settings, such as computer name information, and domain or workgroup settings.
- Deployment Wizard – Use to configure malware protection for Web traffic, and to join the customer feedback program and telemetry service.
After Forefront TMG installation, you can run the Getting Started Wizard to configure basic deployment settings, including changing network adapter settings, making policy updates, and joining the server to a workgroup or domain.
Network topologies

The following Forefront TMG network topologies are available:
- Edge firewall – In this topology, Forefront TMG is located at the network edge, where it serves as the organization's edge firewall, and is connected to two networks: the internal network, and the external network (usually the Internet).
- 3-Leg perimeter – This topology implements a perimeter network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks, and the external network.
- Back firewall – In this topology, Forefront TMG is located at the network's back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
- Single network adapter – This topology enables limited Forefront TMG functionality. Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet. For more information, see the Microsoft TechNet article About single network adapter topology (http://technet.microsoft.com/en-us/library/ee191507.aspx).
Configuring network settings

You can configure the settings for your Forefront TMG network topology using the Network Setup Wizard.

To configure your network topology settings
1. In the Getting Started Wizard, click Configure network settings.
2. On the Network Template Selection page of the Network Setup Wizard, select the option that most closely matches your Forefront TMG network topology.
3. On the Local Area Network (LAN) Settings page, in Network adapter connected to the LAN, click the adapter connected to the main corporate network, and enter an IP address. If you selected the single network adapter template, you have the additional option of using a dynamic IP address allocated by DHCP; with any other template, only a static IP address is supported for this adapter. In Specify additional array topology routes, click Add to add static routes for the array topology.
4. On the Internet Settings page, click the adapter connected to the Internet. Set a default gateway on only one of the Forefront TMG network adapters; this is usually the adapter associated with the Internet. If your Internet service provider (ISP) allocates a dynamic IP address, click Obtain an IP address automatically. If your ISP allocates a static IP address, click Use the following IP address.
5. If you have a third network adapter, on the Perimeter Network Settings page, click the network adapter connected to the perimeter network. In What type of IP addresses do servers in the perimeter networks use, choose how traffic to and from the perimeter network is handled:
   - Public – Network address translation (NAT) is applied to traffic between the perimeter network and the LAN, hiding internal IP addresses. Traffic between the perimeter network and the Internet is routed.
   - Private – NAT is applied to traffic between the perimeter network and the Internet, hiding internal IP addresses. Traffic between the perimeter network and the LAN is routed, exposing internal addresses.
Configuring system settings

To configure your server and system settings
1. In the Getting Started Wizard, click Configure system settings.
2. On the Host Identification page of the System Configuration Wizard, in the Computer name box, enter the name of the Forefront TMG server.
3. In Member of, define whether the server is a member of a Windows domain or workgroup:
   - If you select Windows domain, the domain name is used as the primary Domain Name System (DNS) suffix, and you do not need to modify this setting. You will be required to restart the computer.
   - If you select Workgroup, you may want to explicitly add a primary DNS suffix in order to register the computer in the correct zone, if allowed by DNS.
Configuring deployment settings

You can configure your deployment settings using the Deployment Wizard.

To configure your deployment settings
1. In the Getting Started Wizard, click Define deployment options.
2. On the Microsoft Update Setup page of the Deployment Wizard, click Use the Microsoft Update service to check for updates (recommended) to specify that the Microsoft Update service should be used to obtain malware definition updates.
3. On the Forefront TMG Protection Features Settings page, do the following:
   a. For Network Inspection System, select to activate the complementary license and enable Network Inspection System (NIS).
   b. For Web Protection, select the license activation type for Web protection. If you selected Activate purchased license and enable Web Protection, enter the license key and expiration date of the purchased license.
   c. If you want to scan requested HTTP content allowed by access rules for malware, such as viruses and spyware, select Enable malware inspection.
4. On the NIS Signature Update Settings page, for Select automatic update action, select the action to take when there are new or updated signature sets.
5. For New Signature Set Configuration, select the response policy option for new signatures.
6. On the Customer Feedback page, if you want to participate in the Customer Experience Improvement Program, click Yes, I am willing to participate anonymously. This program helps Microsoft improve the quality and reliability of Forefront TMG. If you join the program, Microsoft collects anonymous information about hardware configuration, use of software and services, and trend patterns. No personally identifiable information is collected.
7. On the Microsoft Telemetry Reporting Service page, do one of the following:
   - Click Basic to send basic information to Microsoft regarding filtered URLs, URL category overrides, potential threats, and the response taken.
   - Click Advanced to provide information to Microsoft about potential threats, including traffic samples and full URL strings.
   - Click None to decline participation in the service.
Network adapters

Forefront TMG supports an unlimited number of network adapters, subject to hardware limitations. An adapter may have zero or more addresses. Each address can belong to only one network (that is, be associated with exactly one network adapter), and address ranges on a network must not overlap.
When creating or editing a network on your Forefront TMG server, for the following network types you can specify an IP address range or select a network adapter associated with the network you are configuring:
- Internal network
- Perimeter network
- External network
IP addresses for network adapters associated with the same network should be identical on each array member.
You can select a network adapter for your network by running the Create a New Network Wizard or by editing a selected network. The network adapter settings configured in Windows Server are listed on the Network Adapters tab in the Networking node, where you can edit them.
Note: After adding a network adapter to the network you are creating or editing, it is recommended that you not change or rename the network adapter configured for your server.
Networks

Forefront TMG networks represent your corporate network topology. Generally, a network is defined for each network adapter installed and enabled on the computer. Networks that do not require an associated network adapter are the Local Host network, which represents Forefront TMG itself, and virtual private networks.
When deployed at the edge of your network, Forefront TMG should be configured with at least two network adapters:
- One connected to the Forefront TMG Internal network, which represents the main corporate network.
- One connected to the Forefront TMG External network, which usually represents the Internet.
The External network is defined dynamically, based on the IP address ranges of the other networks. You can configure the IP address range and other properties of the Internal network. If three or more adapters are available, you can also configure the properties of one or more perimeter networks. You can configure a dial-up connection on one network only (for example, to dial up for Internet access).
Network sets

A network set is a set of one or more networks. You can use network sets to specify a source or destination in network rules and in firewall policy rules.
There are two types of network sets, Exclude and Include:
- Exclude network sets are defined by selecting the networks to exclude from the set; the set contains all the networks that are not selected.
- Include network sets are defined by selecting the networks that are included in the set.
Enhanced NAT lets you specify the IP address to be used when Forefront TMG applies NAT. It is used, for example, by SMTP publishing for Sender ID compatibility.
Policy types

Forefront TMG controls network access by enforcing policies that determine whether connections between networks are allowed. These policies may be of the following types:
- Firewall policy – Inspects and filters connections between the internal network and the Internet. The firewall policy is made up of the following rule sets:
  - Access rules – Control outbound Web access, that is, access from internal computers to the Internet.
  - Web publishing rules – Control inbound access to published Web servers.
  - Server publishing rules – Control inbound access to published non-Web servers.
- System policy – Controls traffic to and from the Local Host network (the Forefront TMG server) to allow the traffic and protocols necessary for Forefront TMG to perform authentication, domain membership, network diagnostics, logging, and remote management. Forefront TMG provides a predefined rule set, created during installation. You can enable or disable individual rules and modify rule destinations, but you cannot delete existing rules or create new rules.
- Network rules – Specify that resources in one network are allowed to communicate with resources in other networks, and what type of relationship (either route or NAT) exists between the source and destination.
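The script below is an added example and is neither Forefront TMG's code nor its COM API; it is a small PowerShell model of the objects described in the preceding sections (networks with non-overlapping address ranges, a dynamically defined External network, Include and Exclude network sets, and ordered network rules with a route or NAT relationship). It classifies a connection's source and destination into networks and finds the first network rule that covers the pair, treating route relationships as bidirectional and NAT as one-way, which is how the Network Rules slide later in this document describes them. The network definitions, set names and rules are constructed; the set names follow the naming of TMG's default sets but are assumptions here.

```powershell
# Added example, not Forefront TMG's own code: models networks, network sets
# and network rules to show how a source/destination pair resolves to a
# route or NAT relationship. All definitions below are constructed.

function ConvertTo-IpInt {
    param([string]$Ip)
    $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

# Local Host holds the server's own addresses and is listed first so they never
# resolve to Internal. External is not listed: TMG defines it dynamically as
# every address that no other network claims.
$Networks = @(
    @{ Name = 'Local Host'; Ranges = @( @{ From = '10.0.0.1';    To = '10.0.0.1' },
                                        @{ From = '203.0.113.10'; To = '203.0.113.10' } ) },
    @{ Name = 'Internal';   Ranges = @( @{ From = '10.0.0.0';    To = '10.0.0.255' } ) },
    @{ Name = 'Perimeter';  Ranges = @( @{ From = '192.0.2.0';   To = '192.0.2.255' } ) }
)
$AllNetworkNames = @($Networks | ForEach-Object { $_.Name }) + 'External'

# Network sets (constructed; names modelled on TMG's default sets).
$NetworkSets = @{
    'All Networks (and Local Host)' = @{ Type = 'Exclude'; Networks = @() }
    'All Protected Networks'        = @{ Type = 'Exclude'; Networks = @('External') }
    'Edge Networks'                 = @{ Type = 'Include'; Networks = @('Internal', 'Perimeter') }
}

function Resolve-NetworkSet {
    param([string]$SetName)
    $set = $NetworkSets[$SetName]
    if ($set.Type -eq 'Include') { return $set.Networks }
    # Exclude set: every network that was not selected.
    return $AllNetworkNames | Where-Object { $set.Networks -notcontains $_ }
}

function Get-NetworkForAddress {
    param([string]$Ip)
    $n = ConvertTo-IpInt $Ip
    foreach ($net in $Networks) {
        foreach ($r in $net.Ranges) {
            if ($n -ge (ConvertTo-IpInt $r.From) -and $n -le (ConvertTo-IpInt $r.To)) { return $net.Name }
        }
    }
    return 'External'
}

# Ordered network rules (constructed). Entries are network names or network set names.
$NetworkRules = @(
    @{ Name = 'Local Host Access'; Sources = @('Local Host'); Destinations = @('All Networks (and Local Host)'); Relationship = 'Route' },
    @{ Name = 'Internet Access';   Sources = @('Internal');   Destinations = @('External');                      Relationship = 'NAT' },
    @{ Name = 'Perimeter Access';  Sources = @('Perimeter');  Destinations = @('External');                      Relationship = 'Route' }
)

function Expand-Selector {
    param([string[]]$Names)
    $Names | ForEach-Object { if ($NetworkSets.ContainsKey($_)) { Resolve-NetworkSet $_ } else { $_ } }
}

function Get-NetworkRelationship {
    param([string]$SourceIp, [string]$DestinationIp)
    $src = Get-NetworkForAddress $SourceIp
    $dst = Get-NetworkForAddress $DestinationIp
    foreach ($rule in $NetworkRules) {
        $from = @(Expand-Selector $rule.Sources)
        $to   = @(Expand-Selector $rule.Destinations)
        $forward = ($from -contains $src) -and ($to -contains $dst)
        # Route is bidirectional; NAT applies only from the rule's source to its destination.
        $reverse = ($rule.Relationship -eq 'Route') -and ($from -contains $dst) -and ($to -contains $src)
        if ($forward -or $reverse) {
            return New-Object PSObject -Property @{
                Source = $src; Destination = $dst; Rule = $rule.Name
                Relationship = $rule.Relationship
                SourceAddressRewritten = ($rule.Relationship -eq 'NAT')
            }
        }
    }
    New-Object PSObject -Property @{ Source = $src; Destination = $dst; Rule = $null; Relationship = 'None'; SourceAddressRewritten = $false }
}

Get-NetworkRelationship '10.0.0.50'    '198.51.100.7'   # Internal -> External: Internet Access, NAT
Get-NetworkRelationship '198.51.100.7' '10.0.0.50'      # External -> Internal: no rule (NAT is one-way)
Get-NetworkRelationship '192.0.2.20'   '198.51.100.7'   # Perimeter -> External: Route, address not modified
Get-NetworkRelationship '10.0.0.1'     '192.0.2.20'     # Local Host -> Perimeter: Route via the Exclude set
```

The second call is the one to notice: because the Internet Access relationship is NAT, nothing in this model covers a connection initiated from External toward Internal, which is why server publishing rules are needed for inbound access and why (as the single-adapter section explains) they cannot work without separate Internal and External networks.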
Single network adapter configuration

Microsoft Forefront TMG can be installed on a computer with a single network adapter. Typically, you use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.
When you install Forefront TMG on a computer with a single network adapter, Forefront TMG is aware of only two networks:
- The Local Host network, which represents the Forefront TMG computer itself.
- The Internal network, which includes all unicast IP addresses that are not part of the Local Host network.
In this configuration, when an internal client browses the Internet, Forefront TMG sees both the source and destination addresses of the Web request as belonging to the Internal network; there is no concept of an external network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network (Forefront TMG protects itself in all scenarios). Because the Firewall service and application filters operate only in the context of the Local Host network, you cannot use access rules to allow non-Web protocols through the Forefront TMG server.

The following scenarios are supported when running Forefront TMG with a single adapter:
- Forward Web Proxy requests using HTTP, HTTPS, or FTP for downloads.
- Caching Web content for use by clients on the corporate network.
- Web publishing to protect published Web or FTP servers.
- Microsoft Outlook Web Access 2007, ActiveSync, and remote procedure call (RPC) over HTTP publishing.
- Remote client VPN access.

Unsupported scenarios. There are a number of feature limitations in a single network adapter configuration:
- Application layer inspection – Application-level filtering does not function, except for the Web proxy filter for HTTP, HTTPS, and FTP over HTTP traffic.
- Server publishing – Server publishing is not supported. Because there is no separation of Internal and External networks, Forefront TMG cannot provide the NAT functionality required in a server publishing scenario.
- Firewall clients – The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is available only in the context of the Local Host network (protecting the Forefront TMG computer), so Firewall client requests are not supported.
- SecureNAT clients – SecureNAT clients use Forefront TMG as a router to the Internet, and their requests are handled by the Firewall service. In a single network adapter environment, this service is available only in the context of the Local Host network (protecting the Forefront TMG 2010 computer), so SecureNAT client requests are not supported.
- Virtual private networking (VPN) – Site-to-site VPNs are not supported in a single network adapter scenario.
Forefront Edge Security and Access Products

The Forefront Edge Security and Access products provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructures.
- Network Protection: integrated and comprehensive protection from Internet-based threats
- Network Access: unified platform for all enterprise remote access needs
The Threat Landscape
- Vulnerabilities down, threats up
- Increasing sophistication of threats
- Threats moving to the application layer
- Rising threats: phishing, spam and malicious e-mail, blended threats
Forefront TMG Value Proposition
- Firewall – Control network policy access at the edge
- Comprehensive Secure Web Gateway – Protect users from Web browsing threats
- Secure E-mail Relay – Protect users from e-mail threats
- Integrated Remote Access Gateway – Enable users to remotely access corporate resources
- Intrusion Prevention – Protect desktops and servers from intrusion attempts
Forefront TMG Deployment Scenarios
- Unified Threat Management (UTM): all-in-one solution for medium businesses; firewall, VPN, Web security, IPS and e-mail relay in a single box
- Secure Web Gateway: authenticating proxy with security; Web antivirus and URL filtering; inspection of HTTP and HTTPS traffic
- Remote Access Gateway: secure Web publishing; dial-in VPN; site-to-site VPN
- Secure E-mail Relay: antispam; antivirus; e-mail filtering
Features Summary
- Firewall: VoIP traversal; Enhanced NAT; ISP link redundancy
- Secure Web Access: HTTP antivirus/antispyware; URL filtering; HTTPS forward inspection
- E-mail Protection: Exchange Edge integration; antivirus; antispam
- Intrusion Prevention: Network Inspection System
- Remote Access: NAP integration with client VPN; SSTP integration
- Deployment and Management: array management; change tracking; enhanced reporting; Windows Server 2008, native 64-bit
- Subscription Services: malware protection; URL filtering; intrusion prevention
Features Summary: comparing with ISA Server 2006
Available in both ISA Server 2006 and Forefront TMG:
- Network layer firewall
- Application layer firewall
- Internet access protection (proxy)
- Basic OWA and SharePoint publishing
- Exchange publishing (RPC over HTTP)
- IPsec VPN (remote and site-to-site)
- Web caching, HTTP compression
New in Forefront TMG:
- Windows Server 2008 R2, 64-bit (only)
- Web antivirus, antimalware
- URL filtering
- E-mail antimalware, antispam
- Network intrusion prevention
- Enhanced UI, management, reporting
Forefront TMG Licensing
Two editions:
- Enterprise Edition – scalability and management
- Standard Edition – full UTM
Two subscription Client Access Licenses (CALs):
- Web protection
- E-mail protection
Comparing Forefront TMG Editions
- Number of CPUs – Standard Edition: up to 4 CPUs; Enterprise Edition: unlimited
- Array/NLB/CARP support – compared by edition on the original slide
- Enterprise management – Enterprise Edition: yes, with the added ability for EMS to manage Standard Edition servers
- Publishing, VPN support, forward proxy/cache and compression, Network IPS (NIS), and e-mail protection – compared by edition on the original slide
- E-mail protection requires a Microsoft Exchange Server license (Server + CALs) and installation by the administrator
Subscriptions
Subscription-based licenses are sold as Client Access Licenses (CALs), charged per user, per year.
Protection components:
- E-mail protection: antispam, antivirus
- HTTP protection: antimalware, URL filtering
Network Inspection System is free.
Translating Licenses (today and at launch)
- ISA Server SE → Forefront TMG 2010 SE
- ISA Server EE → Forefront TMG 2010 EE
Covered by Software Assurance. Subscriptions are available per user/device, per year.
System Requirements (summary)
- Processor – Minimum: 2 core (1 CPU x dual core), 64-bit; Recommended: 4 core (2 CPU x dual core or 1 CPU x quad core), 64-bit
- Memory – Minimum: 2 gigabytes (GB); Recommended: 4 gigabytes (GB)
- Hard disk space – Minimum: 2.5 GB available*; Recommended: 2.5 GB available*
- Hard disks – Minimum: one local hard disk partition formatted with NTFS; Recommended: two disks for system and logging, and one for caching and malware inspection
- Network – Minimum: one network adapter for communicating with the internal network; Recommended: one network adapter for each network connected to the Forefront TMG 2010 server
- Operating system – Windows Server 2008 x64 with Service Pack 2, or Windows Server 2008 R2
* Exclusive of the hard disk space used for caching and for storing temporary files
Installation Prerequisites
Basic installation:
- Connected to the network, with DNS server settings configured
- Required operating system components: Windows Roles and Features; Microsoft .NET Framework 3.5 SP1; Windows Web Services API; Windows Installer 4.5
- The Preparation Tool installs the required components
For the Secure Mail Relay usage scenario:
- Exchange Edge Transport Role: Microsoft Exchange Server 2007 with Service Pack 1, or Microsoft Exchange Server 2010
- Microsoft Forefront Protection 2010 for Exchange Server
Initial Configuration: Getting Started Wizard
Configuring Network Settings: Network Setup Wizard
Select the network topology used: Edge firewall; 3-Leg perimeter; Back firewall; Single network adapter
Configuring Network Settings: Network Setup Wizard
- Define the IP configuration for each network adapter
- Assign each adapter to the appropriate network
Configuring System Settings: System Configuration Wizard
Define the host name, domain membership and DNS suffix
Configuring Deployment Settings: Deployment Wizard
- Activate subscription licenses
- Enable malware protection and intrusion prevention
- Configure the signature update schedule and response policy
- Join the Customer Experience Improvement Program (CEIP) and the Microsoft Telemetry Service
Configuration Concepts: Networks
(Diagram: TMG at the centre with the networks External, DMZ, Internal, Local Host and VPN Clients; External via ISP 1 and ISP 2 to the Internet; DMZ EXT and DMZ INT; Internal comprising LAN 1, LAN 2, LAN 3 and Branch; a VPN client in VPN Clients.)
Configuration Concepts: Networks
- The network configuration models the enterprise network infrastructure
- A network contains all IPs reachable through its network adapter
- Networks cannot overlap with other networks
- Static or dynamic
Configuration Concepts: Network Sets
(Diagram: the DMZ Networks set grouping DMZ EXT and DMZ INT, shown with the Internet, ISP 1, ISP 2, TMG, VPN client, LAN 1, LAN 2, LAN 3 and Branch.)
Configuration Concepts: Network Sets
- Network sets are used to group one or more networks
- Defined by selecting the networks included in the set (Include) or the networks excluded from the set (Exclude)
- Used in the definition of network and policy rules
Configuration Concepts: Network Rules
- Define allowed traffic flows
- Determine the relationship between two networks:
  - Route – bidirectional; source address not modified
  - NAT – unidirectional; source address is modified
- Required for non-Web access and server publishing rules
- The Web proxy filter ignores network rules
Configuration Concepts: Network Rules
New feature: Enhanced NAT – specify the IP address to be used when doing NAT
Configuration Concepts: Routing
- Displays the routing table used between networks
- Set via the route -p add command or the GUI
Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
Single Adapter Scenario
Forefront TMG supports using a single network adapter.
Supported scenarios:
- Secure Web Gateway (forward Web proxy and cache)
- Web publishing (reverse Web proxy and cache)
- Remote client VPN access
Unsupported scenarios:
- Application layer inspection (except for the Web proxy)
- Server publishing
- Non-Web clients: Firewall client, SecureNAT
- Site-to-site VPNs
Single Adapter Scenario
(Diagram: TMG with only the Local Host and Internal networks; the Internet, LAN 1, LAN 2, LAN 3 and a VPN client all fall within Internal, with VPN Clients shown separately.)
Common Configuration Mistakes
- Multiple default gateways – Define only one default gateway
- Not adding reachable addresses to networks – Ensure all reachable addresses are added
- DNS resolution issues – The DNS server list is system wide, not per adapter. Use the internal DNS servers, or host a DNS server service locally and use conditional forwarding
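As an added example (not a Microsoft tool and not part of TMG Setup or the Preparation Tool), the following PowerShell function checks a candidate server against the minimum requirements from the System Requirements section and against two of the mistakes listed above: more than one default gateway, and an empty or inconsistent system-wide DNS server list. It reads only standard WMI classes (Win32_OperatingSystem, Win32_Processor, Win32_ComputerSystem, Win32_LogicalDisk, Win32_NetworkAdapterConfiguration) and works with the PowerShell 2.0 cmdlets available on Windows Server 2008 SP2 and 2008 R2. The thresholds are the page's numbers; the install drive parameter is an assumption.

```powershell
# Added example, not Microsoft's code: pre-installation checks for a Forefront TMG
# server. Thresholds come from the System Requirements section of this document.

function Test-TmgPrerequisites {
    param([string]$InstallDrive = 'C:')    # assumed install/system volume
    $results = New-Object System.Collections.ArrayList
    $add = { param($Check, $Pass, $Detail)
        [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })) }

    # Operating system: Windows Server 2008 SP2 (6.0 with SP >= 2) or 2008 R2 (6.1), 64-bit only.
    $os = Get-WmiObject Win32_OperatingSystem
    $osOk = ($os.Version -like '6.1.*') -or (($os.Version -like '6.0.*') -and $os.ServicePackMajorVersion -ge 2)
    & $add 'Operating system (2008 SP2 / 2008 R2, x64)' ($osOk -and $os.OSArchitecture -eq '64-bit') `
        "$($os.Caption) $($os.Version) SP$($os.ServicePackMajorVersion) $($os.OSArchitecture)"

    # Processor: at least 2 cores in total (4 recommended).
    $cores = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    & $add 'CPU cores (min 2, rec 4)' ($cores -ge 2) "$cores core(s)"

    # Memory: 2 GB minimum (4 GB recommended). Rounded, because firmware reserves some RAM.
    $memGb = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
    & $add 'Memory (min 2 GB, rec 4 GB)' ($memGb -ge 2) "$memGb GB"

    # Disk: 2.5 GB free on an NTFS partition (cache and malware-inspection space is extra).
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"
    $freeGb = [math]::Round($disk.FreeSpace / 1GB, 1)
    & $add "Disk $InstallDrive (NTFS, 2.5 GB free)" ($disk.FileSystem -eq 'NTFS' -and $disk.FreeSpace -ge 2.5GB) `
        "$($disk.FileSystem), $freeGb GB free"

    # Network: at least one IP-enabled adapter, and exactly one default gateway across all adapters.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')
    $gateways = @($nics | Where-Object { $_.DefaultIPGateway } | ForEach-Object { $_.DefaultIPGateway })
    & $add 'IP-enabled adapters (min 1)' ($nics.Count -ge 1) "$($nics.Count) adapter(s)"
    & $add 'Exactly one default gateway' ($gateways.Count -eq 1) ('Gateways: ' + ($gateways -join ', '))

    # DNS: the resolver list is system wide, not per adapter, so show what every adapter contributes.
    $dns = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique)
    & $add 'DNS servers configured' ($dns.Count -ge 1) ('DNS: ' + ($dns -join ', '))

    return $results
}

$report = Test-TmgPrerequisites -InstallDrive 'C:'
$report | Format-Table Check, Pass, Detail -AutoSize
if (@($report | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'Resolve the failed checks before running Forefront TMG Setup.'
}
```

Run it in an elevated PowerShell session on the server before launching Setup; the gateway check fails with a count of 0 when no adapter has a gateway and with 2 or more when the Internet adapter and an internal adapter both carry one, which is the mistake the slide warns about.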
Lab 1: Forefront TMG Installation
In this lab, you will:
- Install Forefront TMG on a Windows Server 2008 R2 server
- Perform an initial configuration of Forefront TMG using the Getting Started wizards
Lab 1 – Exercises 1 and 2. Estimated completion time: 45 min