Here are some common configuration errors in Forefront TMG and suggestions to resolve them: - Defining multiple default gateways on the same network adapter. TMG only supports one default gateway per adapter. - Not adding all reachable IP addresses and subnets to the appropriate network definitions. This prevents proper routing and policy evaluation. - DNS resolution issues due to incorrect DNS server configuration. TMG uses the system-wide DNS server list, not per adapter. Ensure the internal DNS servers are used, or host a local DNS server service using conditional forwarding. - Overlapping network definitions. Network ranges cannot overlap to prevent ambiguity in routing and policy matching. - Incorrect network relationships defined between networks. The relationship must

1. Introduzione a TMG 2010
Fabrizio Volpe
MVP Directory Services
fabrizio.volpe@gmx.com

2. Breve Storia della Perimeter Protection
Proxy Server 1.0 Internet Security And Accelleration (ISA) 2000
Proxy Server 2.0 Stateful Packet Inspection
«Trusted Networks»
ISA 2004
ISA 2006 Forefront Threat Management
NO network traffic
Web Publishing Gateway 2010
out of the box

3. Forefront Edge Security and Access Products
The Forefront Edge Security and Access products provide enhanced
network edge protection and application-centric, policy-based access to
corporate IT infrastructures
Before Now
Network
Protection
Integrated and comprehensive
protection from Internet-based threats
Network
Access
Unified platform for all
enterprise remote access needs

4. Forefront TMG ed UAG
New features make Forefront TMG the ideal outbound access solution
In contrast to ISA 2006, very little has been done in Forefront TMG in
terms of improvements for inbound access control
Exceptions :
 Secure Socket Tunneling Protocol (SSTP) for VPN client connections
 NAP Integration
You will not see any other major changes in the Web or Server
Publishing features when moving from ISA 2006 to Forefront TMG
The majority of inbound access (remote access) effort is going into the
Microsoft Forefront Unified Access Gateway (UAG) 2010
It is expected that Forefront TMG will be used primarily for outbound
access control and network firewall, and UAG will be used for inbound
access (remote access) control
4

5. Possibili Collocazioni nel Network Perimeter
Back-end firewall behind
Edge of the corporate network another Forefront TMG
firewall or third-party firewall
As a parallel firewall on the As a network service segment
edge, next to another firewall, providing a secure
Forefront TMG or third-party perimeter between client systems
firewall and network services
Multi-homed firewall that acts as the hub between
multiple internal and perimeter networks
5

6. Forefront TMG: caratteristiche
Firewall – Control network policy access at the
edge
Comprehensive
Secure Web Gateway – Protect users from
Web browsing threats
Secure E-mail Relay – Protect users from
e-mail threats Integrated
Remote Access Gateway – Enable users to
remotely access corporate resources
Intrusion Prevention – Protect desktops and
Simplified
servers from intrusion attempts

7. Forefront TMG: Scenari di Implementazione
• All-in-one solution for medium businesses
Unified Threat
• Firewall, VPN, Web security, IPS, e-mail relay
Management (UTM) in a single box
• Authenticating proxy with security
Secure Web
• Web antivirus and URL filtering
Gateway • Inspection of HTTP and HTTPS traffic
• Secure Web publishing
Remote Access
• Dial-in VPN
Gateway • Site to site VPN
• Antispam
Secure E-mail Relay • Antivirus
• E-mail filtering

8. Forward, Reverse Proxy, Web Proxy, e Winsock
Proxy Server
• Application layer inspection
• For forward proxy connections, Web anti-
Web proxy server malware capabilities and URL filtering
Reverse proxy services • For reverse proxy SSL bridging
• For both HTTP protocol inspection
• Stateful packet and application layer inspection on
all traffic moving through the VPN
Remote Access VPN • User-based access controls (based on user name
Server or user group membership)
• Remote Access Quarantine Control and Network
Access Protection (NAP)
• Forefront TMG email gateway feature is powered by
the Edge Transport Server role of Exchange Server
Secure E-mail Gateway 2010 together with Microsoft Forefront Protection
2010 for

9. Network Inspection System, Malware Inspection e
HTTPS Inspection
• Usa signatures of known vulnerabilities from the
Network Inspection Microsoft Malware Protection Center (MMPC) to
System help detect malicious traffic and then to take
action
• The Malware Inspection filter (Edge Malware
Protection) is a built-in Web filter
Malware Inspection • Delayed download, HTML progress page,
Trickling
• Forefront TMG introduces a new feature called
HTTPS inspection
• Is based on a trusted man-in-the-middle
HTTPS Inspection mechanism, in which Forefront TMG works as a
trusted man in the middle to be the SSL site for
the clientman in the middle to be the SSL site for
the client

10. Riepilogo delle funzionalità
• VoIP traversal • HTTP antivirus/ • Exchange Edge • Network
• Enhanced NAT antispyware integration inspection
• ISP link • URL filtering • Antivirus system
redundancy • HTTPS forward • Antispam
inspection
Secure Web E-mail Intrusion
Firewall Prevention
Access Protection
• NAP integration • Array management • Malware protection
with client VPN • Change tracking • URL filtering
• SSTP integration • Enhanced reporting • Intrusion
• W2K8, native 64-bit prevention
Remote Deployment and Subscription
Access Management Services

11. Riepilogo delle funzionalità
Confronto con ISA Server 2006 ISA Server
2006
Forefront
TMG
Network layer firewall  
Application layer firewall  
Internet access protection (proxy)  
Basic OWA and SharePoint publishing  
Exchange publishing (RPC over HTTP)  
IPSec VPN (remote and site-to-site)  
Web caching, HTTP compression  
Windows Server® 2008 R2, 64-bit (only)  New
Web antivirus, antimalware  New
URL filtering  New
E-mail antimalware, antispam  New
Network intrusion prevention  New
Enhanced UI, management, reporting  New

12. Licenze
Two editions and Two Client Access Licenses (CALs)
Enterprise Edition
Scalability and management
E
Standard Edition
Full UTM
Subscriptions
Web protection E-mail protection

13. Confronto tra le edizioni
Standard Edition Enterprise Edition
Number of CPUs Up to 4 CPUs Unlimited
Array/NLB/CARP support  
Enterprise management  Yes, with added ability for EMS
to manage SEs
Publishing  
VPN support  
Forward proxy/cache,  
compression
Network IPS (NIS)  
E-mail protection Requires Microsoft® Exchange Server License (Server + CALs)
and installation by the admin

14. Passaggio licenze da ISA 2006 a TMG 2010
Today At Launch
ISA Server SE Forefront TMG 2010 SE
ISA Server EE Forefront TMG 2010 EE
Covered by Software Assurance
Available per user/device, per year Forefront TMG 2010 EE

15. Installazione e configurazione iniziale

16. Requisiti di sistema
Minimum Recommended
Processor 2 core (1 CPU x dual core) 4 core (2 CPU x dual core or
64-bit processor 1 CPU x quad core) 64-bit
processor
Memory 2 gigabytes (GB) of memory 4 gigabytes (GB) of memory
Hard Disk Space 2.5 GB of available hard disk 2.5 GB of available hard disk
space* space*
Hard Disks One local hard disk partition Two disks for system and logging,
formatted with NTFS and one for caching and malware
inspection
Network One network adapter for One network adapter for each
communicating with the network connected to the
internal network Forefront TMG 2010 server
Operating System Windows Server® 2008 x64 with Service Pack 2, or
Windows Server® 2008 R2
* Exclusive of the hard disk space used for caching and for storing temporary files
16

17. Server Roles e Features richieste
Server roles and
features required by
Other software
Forefront TMG
include:
These server roles are Forefront TMG
installed during Forefront Network Policy
Microsoft .NET Preparation Tool
Framework 3.5
TMG installation; you do Server
SP1
not need to install them in
advance
Routing and
Windows Web
They are not removed if Remote Access
Services API
Service
you uninstall Forefront
TMG
Active Directory
Lightweight Microsoft Update
Directory Services Forefront TMG is not
supported on a machine
that is configured as a
Network Load
Microsoft domain controller, with
Windows Installer
Balancing
4.5 the exception of a read-
only domain controller,
which requires that TMG
Service Pack 1 be
Windows
PowerShell installed.
17

18. Prerequisiti
Basic installation
Connected to the network, with DNS server settings configured
For the Secure Mail Relay usage scenario
Exchange Edge Transport Role
Microsoft® Exchange Server 2007 with Service Pack 1, or
Microsoft® Exchange Server 2010
Microsoft® Forefront™ Protection 2010 for Exchange Server

19. Nota : Enterprise Management Server
Both the Standard and Enterprise editions of Forefront TMG store
their configurations in an Active Directory Lightweight Directories
Services (AD LDS) database
Standard Edition : the AD LDS database is always on the Forefront
TMG firewall itself
Enterprise Edition : option of installing the AD LDS configuration
database on a firewall array member or on a separate computer.
The separate computer hosting the AD LDS database is called the
Enterprise Management Server (EMS)

20. Installazione
20

21. Installazione
21

22. Configurazione iniziale
Getting Started Wizard
22

23. Configurazione dei Network Settings
Network Setup (Template) Wizard
Select the network
topology used:
Edge firewall
3-Leg perimeter
Back firewall
Single network
adapter
23

24. Configurazione dei Network Settings
Network Setup Wizard
Define the IP
configuration for
each network
adapter
Assign adapter to
the appropriate
network
24

25. Configurazione dei System Settings
System Configuration Wizard
Define host
name, domain
membership and
DNS suffix
25

26. Configurazione dei Deployment Settings
Deployment Wizard
Activate subscription
licenses
Enable malware
protection and
intrusion prevention
Configure signature
update schedule and
response policy
Join the Customer
Experience
Improvement
Program (CEIP) and
the Microsoft
Telemetry Service
26

27. Configurazione dei Deployment Settings
Deployment Wizard
27

28. Concetti base

29. Network Relationship
TMG, defines a network as a logical representation of a network
connection owned by the computer where TMG operates
• These networks can be
• a physical connection such as network interface card (NIC) or modem
• a logical interface such as a dial-in or site-to-site VPN connection
In each case, TMG must have a clear understanding of how to define
and process the traffic that is received from a given network
• The simplest definition for a network relationship is that relationship indicated by the
source and destination hosts as defined in the traffic 5-tuple
Note 5-tuple is an industry-standard standard term describing the
criteria used to uniquely identify an Ip communication channel
• This data includes:
• n Source and destination IP addresses
• n Source and destination ports (if used)
• n Transport Protocol (TCP, UDP, and so on)
29

30. Configurazione
Network Rules
Like firewall policy rules, network rules define how TMG will handle traffic between
source and destination hosts
Network rules are also processed in the order in which they are defined
Because network rules form a primary criterion for traffic processing, they have
Define allowed traffic flows the power to discard traffic before any firewall policy
rule has the opportunity to evaluate it
When this happens, the firewall log will not include a name in the rule field because
no firewall policy rule processed the traffic
As is the case with firewall policy rules, the order of network rules is critical to
correct traffic evaluation by TMG
30

31. Configurazione
Network Rules
All network rule sets
will begin with the
same rule, Local Host
Options presented for
Access, which defines
a network rule source No firewall policy
a route relationship
and destination elements which
for traffic that is
When you run the criteria are limited to abstract the source or
sourced or
Network Rule Wizard, those items that are destination into a
terminated by TMG All network rules
you are given the defined as some name (such as
itself operate in the
opportunity to select variation or grouping domain or URL sets)
•This rule cannot be context of network
from a subset of the of an IP address, IP can be used for
modified by the objects
firewall policy subnet, IP address network rules
TMG administrator network objects range, or because they cannot
combinations of represent literal
these as in Computer network membership
or Network Sets
31

32. Configurazione
Network Adapters
Forefront TMG supports unlimited network adapters
Limited by hardware
32

33. Configurazione
Networks
Networks configuration model the enterprise network
infrastructure
Contains all reachable IPs for network adapter
Cannot overlap with other Networks
Static or dynamic
33

34. Configurazione
Network Sets
Network Sets are used to group one or more networks
Defined by selecting the networks included in the set (Include) or a
set of networks excluded from the set (Exclude)
Used in the definition of network and policy rules
34

35. Configurazione
Network Relationship
Determine the relationship between two networks
Route
Bi-directional
Source address not modified
NAT
Uni-directional
Source address is modified
Required for non-Web access and Server
Publishing rules
Web proxy filter ignores network rules
35

36. Configurazione
Network Rules
New Feature: Enhanced NAT
Specify the IP address to be used when doing NAT
36

37. Configurazione
Routing
Display the routing table used between networks
Set via route –p add command or GUI
37

38. Forefront TMG Policy
Three types of rules:
1. Network rules
2. System policy
3. Firewall policy
38

39. Installazione su server a singola scheda di rete
Forefront TMG supports using a single network adapter
Supported scenarios
Secure Web Gateway (forward Web proxy and cache)
Web Publishing (reverse Web proxy and cache)
Remote client VPN access
Unsupported scenarios
Application layer inspection (except for Web proxy)
Server publishing
Non-Web clients
Firewall client
Secure NAT
Site-to-site VPNs
39

40. Cosa Verificare in caso di Setup Failed
During the installation process, TMG Setup stores information about each step that was performed in the %systemroot%temp folder
The information in TMG Setup log files is based on Microsoft Windows Installer logging
If you want to use the SMTP Protection feature on TMG, you need to install Microsoft Exchange Edge Transport Role and Forefront
Protection 2010 for Exchange Server
The log files for the Exchange component of the installation are stored at %systemdrive%ExchangeSetupLogs
Forefront Protection 2010 for Exchange Server component add setup information in the file FssSetupLogYYMMDDTimeStamp .txt,
which is located in %sytemdrive%UsersAll UsersMicrosoftForefront Security for Exchange Server
If TMG Setup fails for any reason, first read the description of the error message that appears onscreen
40

41. Setup Log Files
41

42. Classici errori di configurazione
Multiple default gateways
Define only one default gateway
Not adding reachable addresses to networks
Ensure all reachable addresses added
DNS resolution issues
DNS server list is system wide, not per adapter
Use the internal DNS servers, or host a DNS server service locally
and use conditional forwarding
42