Since working with Microsoft Forefront Threat Management Gateway (TMG) 2010 since its inception, there are a number of settings that consistently confuse and perplex many new and even some experienced TMG firewall administrators. In this month’s article I’ll explore what I consider to be the top 5 obscure and confusing settings that seem to trip people up the most.
CARP Load Factor
The CARP load factor setting can be found by highlighting the System node in the navigation tree of the Forefront TMG management console, clicking the Servers tab in the center pane, and then double-clicking a server and selecting the CARP tab.
By default, the CARP load factor is set to 100 on all nodes in the array. What is this setting for? It is used to provide a weighted average for how cached content is distributed amongst the members of the array. This setting can be useful in scenarios in which not all array members have the same performance capabilities. For example, if you have an array with three nodes and one of those nodes has a faster CPU or more disk space available for the content cache, you can configure that node with a higher numerical load factor setting. The load factor setting itself is an arbitrary number anywhere between 1 and 2147483647. The higher the number relative to the other nodes determines how the cached content is distributed between those nodes.
For this setting to have an effect, content caching and CARP must first be enabled. Caching is enabled by highlighting the Web Access Policy node in the navigation tree and clicking the Configure Web Caching link in the Tasks pane under Related Tasks. Select the Cache Drives tab, highlight one of the nodes, and then click the Configure button.
Highlight an available disk drive, enter a Maximum cache size in megabytes and click Set.
For optimal performance it is best to specify a disk drive other than the system drive. Ideally you should choose a partition that is exclusive for the cache, and on a dedicated disk drive if possible. The maximum size of the cache file is 64GB per partition.
CARP is enabled by clicking the Configure Web Proxy link in the Tasks pane under Related Tasks. Select the CARP tab and choose the option to Enable CARP on this network. Optionally you can specify sites that should be exempt from CARP, effectively allowing content from these sites to be stored on all nodes in the array.
Forward Web Proxy SSL Certificate Authentication
Another setting that is the source of much confusion is the Enable SSL setting on the Web Proxy tab of the Internal network properties.
Many TMG administrators mistakenly believe that this can be used to provide a secure channel between web proxy clients and the TMG firewall serving as a web proxy server. Making matters worse is that selecting this option and choosing a certificate gives no indication that it won’t work in this manner. If you don’t believe me, go ahead and give it a try yourself. Configure your web proxy client to use a web proxy server on the default SSL port of 8443 and see what happens.
That’s right, it doesn’t work! That’s because this feature is used only in web proxy chaining scenarios. If you’re connecting a downstream proxy to an upstream proxy you can enable SSL for authentication and encryption for this communication channel.
Another related setting that trips up many TMG administrators is the seemingly apparent ability to use client certificates to authenticate web proxy clients. Click the Authentication button below Configure allowed authentication methods and you’ll see an option to use an SSL certificate as an authentication method for clients connecting to the Forefront TMG computer.
However, upon selecting this authentication method the TMG server will warn us that using this option limited to web proxy chaining scenarios where a downstream proxy server can authenticate to an upstream proxy server using a client certificate.
Web Browser Direct Access
There’s a setting on the Web Browser tab of the Internal network properties page that is often misunderstood. If you select the option If Forefront TMG is unavailable. Use this backup route to connect to the Internet. The choices are Direct access and Alternative Forefront TMG.
I’ve had more than one TMG firewall administrator express concern that the default setting of allowing direct access might result in clients circumventing access controls in place on the firewall. This may or may not be the case, depending how your network infrastructure is designed. If you have multiple network egress points on your network, then yes, clients will be able to access the Internet directly using the underlying network’s routing infrastructure if the TMG firewall is unavailable, assuming of course that the gateway of last resort allows this communication. However, it is common for edge firewalls to restrict outbound access to the internet from only corporate web proxy servers and to deny direct client access. If that’s the case, choose the option to use an alternate Forefront TMG proxy server to ensure access to the Internet.
VPN User Mapping
One of the most important capabilities provided by the Forefront TMG firewall is its ability to authenticate users against Active Directory and enforce access control based on the individual user or their group membership. RADIUS and EAP authentication are also popular authentication methods for remote access clients. However, VPN remote access clients are subject to firewall policy, and if that policy applies to Windows users or groups, RADIUS and EAP authenticated clients may fail to access required resources. To resolve this issue, VPN user mapping must be enabled. In the TMG management console, highlight Remote Access Policy (VPN) in the navigation tree, click Configure VPN Client Access in the Tasks pane, then choose the User Mapping tab and select the option to Enable User Mapping. Optionally you can select the option to use a specific domain when a username does not contain a domain. Note: The TMG server must be a member of a domain to take advantage of the VPN user mapping feature.
The E-Mail policy configuration in TMG can be quite perplexing to new and even experienced TMG administrators. Highlighting the E-Mail Policy node in the navigation tree and choosing the E-Mail Policy tab in the center pane you’ll find a link to Configure E-Mail Policy.
Clicking the link will launch the E-Mail Policy Wizard and guide you through the process of configuring SMTP routes. You can, in fact, walk through the entire wizard and define internal mail servers, accepted authoritative domains, enable spam filtering, virus and content filtering, and configure connectivity for EdgeSync traffic. However, if you read the fine print on the welcome screen for the wizard it states clearly that E-mail protection features are only available if Forefront Protection for Exchange Server and the Exchange Edge Transport role are installed. So, although you can complete this wizard successfully it won’t actually do anything until you install the Exchange 2007 or 2010 Edge Transport role along with Forefront Protection 2010 for Exchange on the TMG firewall itself.
So that’s my top 5 list of obscure and confusing settings in Forefront Threat Management Gateway (TMG) 2010. If you’ve ever wondered what CARP load factor was, wanted to know how to configure SSL client certificate authentication for forward web proxy clients, were curious if web proxy clients have direct access to the Internet if the TMG firewall is unavailable, needed to enforce strong user and group based authentication on VPN clients that authenticate with RADIUS or EAP, or couldn’t figure out why your E-Mail policy configuration wasn’t working, then I hope I’ve cleared things up for you here. If you have additional suggestions, I’d love to hear them! Drop me a note and let me know which settings are confusing you and I’ll provide some clarification!