Installing Threat Management Gateway 2010 RTM Enterprise Edition (Part 2)
If you would like to read the first part in this article series please go to Installing Threat Management Gateway 2010 RTM Enterprise Edition.
In the first part of this two part series, we began the installation of TMG Enterprise Edition in a simple “vanilla” setup. Most of what you have seen so far undoubtedly looks very similar to the installation experience you have had with ISA Server over the last decade. In this, part two of the series, we will see some new components of the installation process; specifically, we will be taking a look at the new Getting Started Wizard.
Let us pick up where we left off. At this point you will see the Getting Started Wizard page, and the first part of this process is to configure the network settings. Click the Configure network settings link.
Notice the note at the bottom of the page: if you need to import your ISA 2006 configuration into TMG, you need to do that before you run the Getting Started Wizard. We’ll talk about migrating your ISA firewall configuration settings to TMG in a future article, so we won’t cover that right now.
Also note that you can get help with the Getting Started Wizard by clicking the Help about the Getting Started Wizard link toward the bottom of the page.
Click Next on the Welcome to the Network Setup Wizard page.
On the Network Template Selection page, you have up to four options to choose from:
Edge Firewall - This is the default option and the one used in the majority of cases. This will create a default Internal Network and a default External Network.
3-Leg perimeter - This option allows you to configure a trihomed DMZ segment. The reason it doesn’t appear as an option in the figure below is that you need at least three NICs for this option to be available. When you select this option, a TMG Firewall Network will be created for the DMZ segment, and Network Rules will be automatically created for you.
Back firewall - This option is used when you have another firewall, such as another TMG firewall, ISA firewall or 3rd party firewall, in front of the TMG firewall. A perimeter TMG Firewall Network will be automatically created as well as a default Internal Network.
Single network adapter - This option is used when you have a single NIC installed on the TMG firewall. This is used only when the firewall is going to be used as a Web proxy server. This configuration does not support any protocols other than HTTP, HTTPS and FTP. It does support remote access VPN.
In this example we will select the Edge firewall option and click Next.
On the Local Area Network (LAN) Settings page, you configure the IP addressing configuration of the internal interface. If you already configured the interface, you will see the settings here. You can also change the settings on this page. In the Specify additional network topology routes section, you can click the Add button and add routing table entries (not sure why they called routing table entries “network topology routes”, but I was not at that meeting).
After configuring your internal interface settings, click Next.
On the Internet Settings page you configure the IP address settings on the external interface. Notice that you have the option to set static entries or use DHCP. Select the appropriate NIC and then choose the settings that work for you. Click Next.
That is all for the Network Setup Wizard. Review your settings on the Completing the Network Setup Wizard page and click Finish.
The next step is the Configure system settings wizard. Click the Configure system settings link to get started.
Click Next on the Welcome to the System Configuration Wizard page.
Several configurable options are available on the Host Identification page:
Computer name - Here you can click the Change button to change the name of the computer. This will require a restart of the machine.
Member of - Here you can choose to make the TMG firewall a member of a Windows domain or a Workgroup. In most cases, the TMG firewall should be made a member of a domain so that you have the highest level of security possible for the firewall. You will need to restart the machine after changing workgroup or domain membership.
Primary DNS Suffix - Here you can change the primary DNS suffix used by the TMG firewall. This is used by the firewall to append a suffix to single label name queries that the firewall may need to perform. If the TMG firewall is a member of a domain, it will automatically pick up the Active Directory domain name as the primary DNS suffix.
At the bottom of the page you’ll see the full computer name of the TMG firewall after you make changes here. In general, I handle these configuration tasks before beginning installation of the TMG firewall. However, if you forget to do this in advance, it’s nice to know that you can take care of these tasks by using the System Configuration Wizard.
Wow! That was a pretty short wizard. Read the information on the Completing the System Configuration Wizard page to confirm that it is correct and then click Finish. Note that if you change the domain, workgroup or computer name, the machine will restart before you can move on to the next steps.
The third step of the Getting Started Wizard is Define deployment options. Click the Define deployment options link.
Click Next on the Welcome to the Deployment Wizard link.
The first thing the Deployment Wizard wants you to do is choose your Microsoft Update Setup options. Here you have three choices:
Use the Microsoft Update service to check for updates (recommended) - This option has the TMG firewall use Microsoft Update on the Internet to update firewall, OS, anti-malware and NIS signatures. Since it’s likely that Microsoft has higher uptime than your internal WSUS or SCCM configuration, this is probably the best option for the majority of cases.
I do not want to use the Microsoft Update service - Use this option if your company has a policy in place under which you are not supposed to use Microsoft Update to automatically update the firewall. You might use this option if you’re wary about installing updates and want to validate them before installing them on your firewall or firewall arrays.
Notice that if the computer is not connected to the Internet, this step could take several minutes, as the firewall will make multiple attempts to connect to the Internet Microsoft Update Services. This is a little misleading because your firewall might be able to connect to the Internet, but if you didn’t configure the TMG firewall to use an external DNS server (which is not recommended – you should avoid configuring an external DNS server on any of the firewall’s interfaces), then the TMG firewall has no way to resolve the names of the Internet Microsoft Update servers.
You might have configured the internal interface to use an internal DNS server, but the TMG firewall won’t be able to use that DNS server yet because you do not have an Access Rule in place that allows outbound access from internal DNS servers to external DNS servers. This puts you in a bit of a catch-22 – you need to resolve Internet host names, but you cannot get to the configuration interface yet to make those DNS servers available to you.
Maybe in a future service pack update they’ll create a temporary DNS rule during setup that allows internal DNS servers to resolve public host names. Until then, we’ll just have to wait a bit during this phase of the installation.
On the Forefront TMG Protection Features Settings page you have several options:
Network Inspection System (NIS) - Here you can choose to activate the complimentary license or choose not to activate it. You do not need to license the NIS signatures – all copies of the TMG firewall allow you to take advantage of NIS.
Web Protection - Here you have the option to Activate the evaluation license and enable Web protection. You can also enter your license details if you have licensed this feature. At this time, the details of how to license the Web protection updates are unclear.
Enable Malware Inspection - If you enable this option, the TMG firewall will be able to inspect Web (HTTP/HTTPS) connections for malware. Note that only Web connections are inspected – this feature does not inspect other protocols such as NNTP, SSH, etc.
Enable URL Filtering - This option turns on the URL Filtering capabilities of the TMG firewall and allows you to later configure sites or site categories that you might want to block access to, using Access Rules.
Notice how the URL Filtering service works. The TMG firewall doesn’t download an entire database. Instead, the TMG firewall sends the URL string to the Microsoft Reputation Service over an SSL connection to get a category result and uses that result to evaluate the connection request.
On the NIS Signature Update Settings page, you have several options again:
Select automatic definition update action – You can choose to check and install the options, or check and download, or not even check. In most cases, you’ll want to automatically check for NIS signatures and install them automatically.
Automatic polling frequency - Microsoft works around the clock on putting together signatures to protect your network. In order to take advantage of this, you want to poll Microsoft servers frequently so that you have the most up to date protection. The default interval is 15 minutes, but you can change that value if you like to make the check more or less frequent.
Trigger an alert if no updates are installed after this number of days - This setting allows you to get an alert if updates don’t happen after “x” number of days.
New Signature Set Configuration - This allows you to set a default response policy for new signatures. The default setting is typically the best one, which is Microsoft default policy (recommended). I’ll do an article on NIS in the future that will give you more insight about NIS signatures and response policies.
On the Customer Feedback page, you have the option to join the Microsoft Customer Experience Improvement Program. I highly recommend that you participate in this program. It allows Microsoft to find out how you use the TMG firewall and helps them focus on making the product better based on how people use the firewall. In this example we will select the Yes, I am willing to participate anonymously in the Customer Experience Improvement Program option and click Next.
On the Microsoft Telemetry Reporting Service page you can help Microsoft and other TMG firewall owners by providing information about malware and other attacks on your network to Microsoft. Unless you have a strong reason for not participating, I highly recommend that you select the Advanced option. This makes the anti-malware component more effective and ends up making everyone’s networks more secure. However, when you select the Advanced option, in addition to the basic information being sent to Microsoft, information about potential threats is sent in greater detail, including traffic samples and full URL strings. The additional information provides Microsoft with more help in analyzing and mitigating threats.
In this example we will select the Advanced option and click Next.
That was a long wizard! On the Completing the Deployment Wizard page, read the information about the choices you made to confirm that they are correct, then click Finish.
At this point things seem to get stuck. As mentioned earlier, I suspect the issue is that the TMG firewall isn’t able to resolve the names it needs to get to the Internet locations required to download the updates to the anti-malware and NIS services. This is a problem related to the fact that you don’t want to put an external DNS server address on any of the TMG firewall’s NICs – but during installation, this might be required. However, it can also cause problems with Active Directory communications. The problem can be solved later by creating an Access Rule that allows internal DNS servers access to the Internet, the type of access depending on how you configure your internal DNS servers to resolve Internet host names – either via recursion or forwarders.
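The DNS catch-22 described above (and in the Deployment Wizard discussion earlier) is easy to confirm from the TMG host itself before you go hunting in the Alerts tab. The following PowerShell script is an added example, not part of the original article or of the TMG product: it lists the DNS servers configured on every IP-enabled NIC, flags any that fall outside the RFC 1918 private ranges (the “external DNS server on a firewall interface” the article tells you to avoid), and then checks whether the host can resolve the names it needs. The host list is a placeholder parameter; the article does not name the Microsoft Update servers, so substitute the real names you need to reach. It assumes Windows Server 2008 R2 with PowerShell 2.0 or later, which is what TMG 2010 runs on.

```powershell
# Added example (not from the article or the TMG product): audit the TMG host's
# DNS client settings and test name resolution of the hosts the wizard needs.
# Assumes: run on the TMG host, PowerShell 2.0+; $UpdateHosts is a placeholder
# list you replace with the real Microsoft Update host names (not given here).
param(
    [string[]]$UpdateHosts = @('update-server.placeholder.example')  # placeholder
)

# True if the address is an IPv4 address inside one of the RFC 1918 ranges.
# A DNS server outside these ranges on a firewall NIC is reported as external.
function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

# One row per IP-enabled adapter: its DNS servers and a finding.
function Get-DnsClientReport {
    $rows = @()
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
    foreach ($nic in $nics) {
        $servers  = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $external = @($servers | Where-Object { -not (Test-PrivateIPv4 $_) })
        if ($external.Count -gt 0) {
            $finding = 'external DNS server configured on a firewall NIC'
        } elseif ($servers.Count -eq 0) {
            $finding = 'no DNS server configured'
        } else {
            $finding = 'ok (internal DNS servers only)'
        }
        $rows += New-Object PSObject -Property @{
            Adapter     = $nic.Description
            DnsServers  = ($servers -join ', ')
            ExternalDns = ($external -join ', ')
            Finding     = $finding
        }
    }
    return $rows
}

# Try to resolve each host through the configured DNS servers and report
# success or the resolver error (a failure here with 'ok' NICs above is the
# catch-22: the internal DNS servers cannot reach the Internet yet).
function Test-HostResolution {
    param([string[]]$Hosts)
    $rows = @()
    foreach ($h in $Hosts) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($h) |
                     ForEach-Object { $_.IPAddressToString }
            $rows += New-Object PSObject -Property @{
                Host = $h; Resolved = $true; Detail = ($addrs -join ', ')
            }
        } catch {
            $rows += New-Object PSObject -Property @{
                Host = $h; Resolved = $false; Detail = $_.Exception.Message
            }
        }
    }
    return $rows
}

Get-DnsClientReport | Format-Table Adapter, DnsServers, ExternalDns, Finding -AutoSize
Test-HostResolution -Hosts $UpdateHosts | Format-Table Host, Resolved, Detail -AutoSize
```

If every adapter reports “ok” but resolution still fails, the host itself is configured the way the article recommends and the blocker is the missing Access Rule: the internal DNS servers have no path to the Internet until you allow DNS from them to the External network, matching whichever of recursion or forwarders they use. If an adapter reports an external DNS server, that is the configuration the article warns can break Active Directory communications, and it should be removed once the installation-time workaround is no longer needed.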
At this point we are done with the Getting Started Wizard. It will say on the bottom of the page that You have successfully completed all the steps of the Getting Started Wizard. You are now ready to define Web Access policy for your organization. For ISA firewall admins, the Web Access Policy feature can be a bit confusing – because this policy creates Access Rules and groups them into a Web Access Policy.
So how did we do? I would expect that after installing the firewall that the Alerts tab will be nice and clean and only tell me that the services have started and life is great – there will be plenty of time for me to mess up the configuration later. What’s the result?
Oops. What’s up with that? No more endpoint mappers, and I did not try to map an endpoint yet and even if I did, I wouldn’t know what endpoints to even try to map. I see the problem sometimes related to name resolution issues, so maybe the DNS issue I talked about earlier could be related to this. The malware inspection problem is most likely due to DNS issues, so I am not too worried about that one. Let us restart the firewall and see if anything interesting happens.
That’s a little better. The WFP Filter Conflict Detected alert is a “normal” alert – i.e., it is a spurious alert that you can ignore. Not sure why the Malware Inspection Currently Unavailable alert is still there, but it is probably due to the fact that the machine has not been running long enough to download updates.
In this two part series, we went over the installation experience for the TMG firewall. In the first part of the series, we saw what appeared to be an installation experience that was very close to the ISA firewall installation experience. However, in part 2 of this series, we were introduced to the Getting Started Wizard, which is all new with the TMG firewall. We went through the three sub-wizards that are part of the Getting Started Wizard and successfully completed installation of the TMG firewall.
That was fun! Now what should we do next? I was thinking it might be fun to install the email protection components, since email protection is a major scenario for the TMG firewall. Of course, that means I’ll need to get Exchange 2010 up and running – but I’m told that Exchange 2010 is a bit easier to install and configure than Exchange 2007, so I think I will give that a try. If you have any scenarios that you would like me to write about other than email protection, please send me a note at [email protected]. See you then! –Deb.