Installing and configuring Microsoft Forefront TMG Beta 2
One of the most important changes in Microsoft Forefront TMG is that it must be installed on 64-bit Windows Server 2008. Other requirements include:
* 2 gigabytes (GB) or more of memory
* 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
* One network adapter that is compatible with the computer's operating system, for communication with the internal network.
* An additional network adapter for each network connected to the Forefront TMG server.
* One local hard disk partition that is formatted with the NTFS file system.
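As an added example that is not part of the article, the following PowerShell script checks the requirements listed above on a candidate server before setup is started. It assumes the TMG binaries go on the system drive (change $TargetDrive otherwise) and treats two connected adapters as the minimum, which matches the LAN/WAN edge topology configured later in this article rather than a single-NIC deployment.

```powershell
# Added example, not part of the article: pre-flight check of the Forefront TMG Beta 2
# requirements. Run in an elevated PowerShell prompt on the candidate server.
# Thresholds are the article's figures; $TargetDrive is an assumption (system drive).
param([string]$TargetDrive = $env:SystemDrive)

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}
$results = @()

# Windows Server 2008 reports kernel version 6.x; ProductType 1 would be a client OS.
# TMG additionally requires the 64-bit edition.
$os = Get-WmiObject Win32_OperatingSystem
$results += New-Check "Windows Server 2008 x64" `
    (($os.Version -like "6.*") -and ([int]$os.ProductType -ne 1) -and ($os.OSArchitecture -eq "64-bit")) `
    ("{0} ({1}, {2})" -f $os.Caption.Trim(), $os.Version, $os.OSArchitecture)

# 2 GB of memory. WMI reports slightly less than the installed amount (firmware
# reserves some), so round to one decimal before comparing against the minimum.
$memGB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$results += New-Check "At least 2 GB memory" ($memGB -ge 2) ("{0} GB installed" -f $memGB)

# 2.5 GB free on an NTFS partition; cache and malware-inspection temp space come on top.
$disk = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $TargetDrive)
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$results += New-Check "At least 2.5 GB free on $TargetDrive" ($freeGB -ge 2.5) ("{0} GB free" -f $freeGB)
$results += New-Check "$TargetDrive formatted NTFS" ($disk.FileSystem -eq "NTFS") ("file system: " + $disk.FileSystem)

# One adapter for the internal network plus one per additional connected network
# (NetConnectionStatus 2 = connected). The connection names are listed so they can be
# renamed in the Network and Sharing Center to reflect their role before running setup.
$nics = @(Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus=2")
$results += New-Check "At least 2 connected network adapters" ($nics.Count -ge 2) `
    (($nics | ForEach-Object { $_.NetConnectionID }) -join ", ")

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning "One or more Forefront TMG prerequisites are not met."
}
```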
Microsoft has divided the new features into six areas:
* Control network policy access at the edge (Firewall)
* Protect users from web browsing threats (Web Client Protection)
* Protect users from E-mail threats (Email Protection)
* Protect desktops and servers from intrusion attempts (NIS)
* Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
* Simplified management (Deployment)
After downloading the installation sources, start the TMG installation process by clicking Install Forefront TMG.
Installing Forefront Threat Management Gateway
Read and accept the License Agreement and provide additional Customer Information if required. Forefront TMG Beta 2 does not require entering an installation key.
The next step is to select the Setup scenario. For this article, we select the radio button Install Forefront Threat Management Gateway services. If you only want to install the TMG Management console, select the second radio button. The third option installs a Management Server which centrally manages multiple TMG servers in an array.
Select Setup scenario
Select the components to install and the directory where the TMG binaries should be installed.
Next, select the IP address ranges for the internal network. As a best practice, select the IP address ranges from the internal network adapter.
Specify the internal network address ranges
Select the internal network adapter. As a best practice, I recommend giving each network adapter in the Network and Sharing Center on Windows Server 2008 a name that reflects the function of that adapter.
Select Network Adapters
If the following services are installed on the server, the TMG setup process restarts them during setup.
Exchange Server 2007 SP1 Setup
Select the Custom Exchange Server installation option and specify a path for the Exchange Server 2007 installation files.
Custom Exchange Setup
Select the Edge Transport Server Role.
Selecting Edge Server role
Because a previous installation is pending, we have to restart the system and rerun the setup. The second warning can be ignored and is specific to my test environment.
Restart required before Setup can continue
Exchange Setup is installing files and the Edge Transport Server role.
Setup in progress
The TMG setup takes a while.
After the setup process has finished the TMG installation, you should start the Forefront TMG Management Wizard console.
Setup has finished
The Forefront TMG console appears and launches the Getting Started Wizard.
TMG – Getting started Wizard
Start with the configuration of the network settings by first selecting a Network Template which corresponds to your current network environment.
Select Network Topology
Specify the adapter for the LAN interface and if required additional network routes.
Select Network Adapters
Next, select the WAN adapter.
After the network configuration wizard has finished, start the system configuration wizard. This wizard asks for domain or workgroup membership and the primary DNS suffix. In my opinion you should have all of these settings in place before starting the TMG setup or the Setup wizard.
Next, the deployment wizard asks for Microsoft Update service settings.
Windows update settings
As a next step you must specify the License settings for the Network Inspection System, Web protection and E-Mail protection.
For the Network Inspection System (NIS), you have to configure additional settings like the polling frequency and the response policy for new signatures from the Microsoft Response Center.
NIS Update settings
The next dialog boxes ask for Customer Feedback settings and settings for the Microsoft Telemetry Service.
Web Policy Access Wizard
The Web Access Policy allows the creation of a new Firewall policy. You can choose between a simple and custom configuration.
Access Policy Groups
Allow or deny the Web request.
Select access groups which are allowed to use Forefront TMG for Internet access and select the destination to which the groups have access.
If you want to activate Malware inspection for this Firewall rule, select the radio button.
Malware Inspection settings
A new feature of Forefront TMG is the HTTPS inspection feature which allows outbound HTTPS inspection. You can enable HTTPS inspection during the web access policy wizard.
Choose whether you want to enable Web Caching. If you want to cache web content through TMG, you must also specify the cache drive, the size of the cache and some other settings.
Once all setup tasks are finished, the wizard closes and you have to save all configuration changes. Now you can use the Forefront TMG console for additional tasks.
After a successful installation of Microsoft Forefront TMG, the Getting Started Wizard starts when you open the Microsoft Forefront TMG console for the first time. The Getting Started Wizard helps TMG administrators to initially configure TMG for their business needs.
The Getting Started Wizard
The first step of the wizard configures the internal and external networks for TMG. The second wizard configures local settings such as domain membership.
The third wizard configures basic settings like Windows Update settings and Microsoft Telemetry settings.
The Microsoft Forefront TMG console is very similar to the ISA Server 2006 Management console. There are only a few new nodes on the left side of the console, but these nodes expose very powerful settings. Many settings are unchanged in Microsoft Forefront TMG, and some familiar settings have new configuration buttons and configuration tabs.
Microsoft Forefront TMG services
In Microsoft Forefront TMG, it is now possible to configure related Firewall policy settings from one point in the console which automatically navigates to the appropriate settings in the TMG MMC.
Configure different Microsoft Forefront TMG settings
In the right pane of the TMG console it is possible to configure many related Firewall tasks. New in TMG is the support for several VoIP (Voice over IP) scenarios: Microsoft Forefront TMG comes with a native SIP filter.
TMG Firewall Policy Tasks
Microsoft Forefront TMG is the first Microsoft enterprise firewall which enables you to protect your network from malicious attacks in the form of Malware. The Malware protection feature is the first line of defense against several types of Zero Day exploits.
Definition of Malware
Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.
Configure advanced Web protection
The Malware inspection feature can be enabled globally and in the applicable Firewall access rule.
Configure global Malware inspection settings
In the Inspection settings tab it is possible to configure advanced Malware inspection settings like when to scan content for Malware and when to block files which are larger than the configured size.
Configure advanced Malware settings
HTTPS outbound inspection
Microsoft ISA Server 2006 supports incoming HTTPS inspection in HTTPS bridging scenarios and Microsoft Forefront TMG extends this feature for outgoing HTTPS inspection.
Configure HTTPS inspection settings
It is possible to configure the certificate settings required for HTTPS inspection.
HTTPS inspection certificate settings
Clients can be notified when HTTPS Inspection is used.
Notification settings for users with enabled HTTPS inspection
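Because outbound HTTPS inspection works by TMG terminating the TLS session and re-issuing the site certificate from its own inspection CA, the practical check after enabling it is whether clients actually receive a TMG-issued certificate and whether they trust its issuer. The PowerShell script below is an added example, not part of the article; the URL and the inspection CA name are assumptions, and the script goes through the client's configured web proxy so the request is handled by TMG.

```powershell
# Added example, not part of the article: from a client behind TMG, fetch an HTTPS URL via
# the configured web proxy and report which CA issued the certificate the client received.
# With HTTPS inspection on, the issuer is the TMG inspection CA, not the site's public CA.
# $Url and $InspectionCaName are assumptions; set the latter to the subject name you
# configured in the HTTPS inspection certificate settings.
param(
    [string]$Url = "https://www.microsoft.com/",
    [string]$InspectionCaName = "PLACEHOLDER-TMG-INSPECTION-CA"
)

# Accept any server certificate for this one diagnostic so an untrusted inspection CA is
# reported instead of aborting the request. This setting is process-wide: run the script
# in a throwaway console, never in a session that later makes real HTTPS calls.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

$request = [System.Net.HttpWebRequest]::Create($Url)
$request.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()   # go via the TMG web proxy
$response = $request.GetResponse()
$response.Close()

# The certificate cached on the ServicePoint is the one presented to this client.
$presented = $request.ServicePoint.Certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $presented

# Would the machine trust this certificate under normal validation? If not, every
# inspected site produces browser warnings until the TMG CA is placed in the Trusted
# Root Certification Authorities store (for example via Group Policy). Revocation
# checking is skipped here because only the trust anchor is of interest.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

New-Object PSObject -Property @{
    Url            = $Url
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    InspectedByTmg = ($cert.Issuer -like "*$InspectionCaName*")
    IssuerTrusted  = $trusted
    ChainStatus    = $status
}
```

An InspectedByTmg value of True together with IssuerTrusted False is the combination to fix before rolling inspection out to users, since they would otherwise learn to click through certificate warnings.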
Antivirus and Antispam
Microsoft Forefront TMG significantly extends its functionality: TMG can act as an SMTP inspection gateway and an antivirus server. The Antispam functionality is based on the Microsoft Exchange Server 2007 Edge functionality and the Antivirus functionality on Microsoft Forefront Security. In Microsoft Forefront TMG there is a new node called E-Mail Policy.
It is possible to configure mail flow settings and Antivirus and Antispam settings.
All SMTP protection features can be enabled and disabled on a granular basis.
SMTP Protection properties
There are several spam filtering settings which are all based on the protection settings on Microsoft Exchange Server 2007 Edge Server.
Like in Exchange Server 2007 Edge, it is possible to configure Content Filtering settings and many other established Antispam settings.
Forefront TMG also comes with Antivirus components based on the Microsoft Forefront Security family.
You can choose between several Antivirus engines. A maximum of five engines can be used at the same time (like in the original Microsoft Forefront Security products).
If a virus is detected it is possible to configure the actions to perform.