Last month Microsoft released Service Pack 2 (SP2) for Forefront Threat Management Gateway (TMG) 2010. In addition to the usual collection of bug fixes that service packs typically include, SP2 for TMG also adds some additional features and functionality. TMG SP2 brings new site activity reporting capabilities, improved error pages, and it enables content caching for SSL responses in forward proxy deployment scenarios (when HTTPS inspection is enabled). In addition, TMG SP2 provides the capability to leverage Kerberos authentication for Network Load Balancing (NLB) enabled proxy arrays.
Improved Error Pages
With SP2, TMG administrators now have the option of using a new set of error pages. The new pages have a whole new look and feel. They have a much more polished, modern look and are easily customizable. With the new error pages an administrator can now include embedded objects, allowing for the use of custom images as required. These new and improved error pages are not enabled by default after installing TMG SP2. This was done so as not to break functionality for TMG administrators who may have customized the existing error pages.
To enable the new error pages, open the TMG management console, right-click the array in the navigation tree, and then choose Properties. Select the Error Pages tab and choose the option to Use the version available from Forefront TMG SP2 onwards.
If you need to customize these new error pages, they can be found in the Forefront TMG installation folder under the \Templates\WebObjectsTemplates\ISA folder. Here’s a comparison between the old and new error pages.
Old error page:
New error page:
Site Activity Report
With URL filtering now integrated with the TMG firewall, organizations that deploy TMG as their secure web gateway often require detailed reporting to monitor user activity. Until SP2, one critical report that was lacking was the ability to report on all traffic destined for a specific site. TMG SP2 now includes this important report. To create a site activity report, highlight the Logs & Reports node in the navigation tree, and then select the Reporting tab in the center console. In the Tasks pane click the Create Site Activity Report Job link.
Give the report job a descriptive name, then highlight OVERWRITE and enter the domain name of the destination you wish to report on.
Once the changes have been saved and the configuration has been applied, right-click the report and choose Generate and View Report. The report will list the users who have visited the domain you specified, including any sub-domains, as well as the amount of traffic generated to the site.
SSL Content Caching
SSL content caching has always been possible with ISA and TMG in reverse proxy scenarios. Support for SSL content caching in forward (outbound) proxy scenarios was added with software update 1 rollup 3; however, configuring and enabling it was a complicated manual process. With TMG SP2, this functionality is now integrated with the GUI. To enable SSL content caching in a forward proxy scenario, highlight the Web Access Policy node in the navigation tree, then click the Configure Web Caching link in the Tasks pane.
Double-click a cache rule, then select the Advanced tab and check the option to Cache SSL responses in forward proxy traffic.
Kerberos Authentication and NLB
For TMG EMS-managed or standalone enterprise arrays using integrated Network Load Balancing (NLB), resolving the proxy array name to the array Virtual IP Address (VIP) resulted in TMG using NTLM instead of Kerberos to authenticate requests. In order to leverage Kerberos authentication, TMG administrators were forced to use DNS round-robin for load balancing web proxy requests. Where Web Proxy Auto Discovery (WPAD) is enabled the WPAD record can resolve to the VIP, but the autoconfiguration script still provides the hostnames of individual array members to its clients. If the host that was initially chosen by the client was offline for any reason, users might experience a delay when attempting to access web-based resources. In very busy environments, NTLM is a serious bottleneck that can significantly impede performance and throughput for authenticated web proxy requests, so using Kerberos for authentication is essential in these situations.
To configure TMG with SP2 to use Kerberos authentication for NLB arrays when clients connect to the VIP, you must first configure the TMG firewall service to run under a domain account. Right-click the array node in the navigation tree and choose Properties. Select the Credentials tab, then choose the option to Use this account: and click Set Account…. Enter the name and password for the service account in domain\account format and choose Ok to continue.
When making these changes in the TMG management console, exercise caution when entering the username and password for the new service account. TMG does not validate this account before applying the configuration and restarting the services. If you do not specify the correct account or password, or if there are issues with the account (e.g. disabled or locked out), TMG will restart the firewall service using the Network Service account and log an alert.
Changing the TMG firewall service account should always be done via the TMG management console. TMG sets the appropriate privileges for the service account, so making these changes using the Services MMC snap-in will fail. In addition, the service account you specify for TMG does not need to have any special domain privileges. In fact, for security it is recommended that the account not have any domain privileges at all. The account does not need to be a member of any domain or local group.
Next, register the Service Principal Name (SPN) in the Kerberos database using the setspn.exe tool. The syntax is as follows:
setspn.exe -U -A http/<arrayname> <account name>
Using the syntax above, if our web proxy clients access the array using the FQDN proxy.richardhicks.net and the firewall service runs as the domain account tmgsvc, the command would look like this:
setspn.exe -U -A http/proxy.richardhicks.net tmgsvc
Once complete, Kerberos authentication can be leveraged when web proxy clients resolve proxy.richardhicks.net to the VIP.
If the array is also providing reverse proxy services and using Kerberos Constrained Delegation (KCD), you must register the domain service account instead of each array member’s machine account. More information about KCD can be found here.
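The following PowerShell script is an added example and is not part of the original post or of TMG itself. It wraps the service account and SPN steps described above with the checks a practitioner would want before applying them: because TMG does not validate the service account before restarting the firewall service, the script first confirms that the account exists, is enabled and is not flagged as locked out; it then refuses to register the SPN if any other account in the directory already holds it (a duplicate SPN causes Kerberos to fail and clients to fall back to NTLM, which is exactly the outcome the change is meant to avoid), and only then runs the setspn.exe command from the post. It assumes it is run on a domain-joined machine by a user with rights to write servicePrincipalName on the service account, and that setspn.exe is on the path; the array FQDN proxy.richardhicks.net and the account name tmgsvc are taken from the post and are placeholders for your own values.

```powershell
# Added example (not from the original post): pre-flight checks and SPN
# registration for the TMG firewall service account.
# Assumed placeholders, adjust to your environment:
#   $ArrayFqdn      - name web proxy clients use, resolving to the NLB VIP
#   $ServiceAccount - sAMAccountName of the domain account the firewall service runs as
param(
    [string]$ArrayFqdn      = 'proxy.richardhicks.net',
    [string]$ServiceAccount = 'tmgsvc'
)

$spn = "http/$ArrayFqdn"

# 1. Locate the service account and confirm it is usable. TMG applies the
#    credentials without validating them, so check here that the account
#    exists, is enabled (userAccountControl bit 0x2 clear) and shows no lockout.
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$ServiceAccount))"
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userAccountControl', 'lockoutTime'))
$account = $searcher.FindOne()
if (-not $account) { throw "Service account '$ServiceAccount' not found in Active Directory." }

$uac = [int]$account.Properties['useraccountcontrol'][0]
if ($uac -band 0x2) { throw "Service account '$ServiceAccount' is disabled." }

$lockout = $account.Properties['lockouttime']
if ($lockout.Count -gt 0 -and [int64]$lockout[0] -ne 0) {
    # lockoutTime stays set until the next successful logon, so this is a
    # warning rather than a hard failure; confirm the account is not locked out.
    Write-Warning "Service account '$ServiceAccount' has a non-zero lockoutTime."
}
$ownDn = $account.Properties['distinguishedname'][0]

# 2. Refuse to create a duplicate SPN. If another object (for example an
#    array member's machine account) already holds http/<arrayname>,
#    Kerberos authentication breaks and clients silently fall back to NTLM.
$dupSearcher = [adsisearcher]"(servicePrincipalName=$spn)"
$dupSearcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$holders = @($dupSearcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
$others  = @($holders | Where-Object { $_ -ne $ownDn })
if ($others.Count -gt 0) {
    throw "SPN $spn is already registered on: $($others -join ', ')"
}

# 3. Register the SPN on the service account exactly as the post describes,
#    unless it is already there.
if ($holders -contains $ownDn) {
    Write-Host "SPN $spn is already registered on $ServiceAccount; nothing to do."
} else {
    & setspn.exe -U -A $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn.exe failed with exit code $LASTEXITCODE" }
}

# 4. Show everything now registered on the account for the change record.
& setspn.exe -L $ServiceAccount
```

To confirm the change took effect from the client side, run klist on a workstation after it has browsed through the proxy: a cached ticket whose server name is http/proxy.richardhicks.net (or your array FQDN) shows that Kerberos, not NTLM, was used for the web proxy request.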
Before installing TMG SP2, your existing TMG installation must have SP1 installed along with software update 1 for TMG SP1. No additional hotfix rollups are required beyond this. It is recommended that TMG SP2 also be applied to Forefront Unified Access Gateway (UAG) 2010 deployments.
Service Pack 2 for Microsoft Forefront Threat Management Gateway (TMG) 2010 includes several important new features. Enhanced error pages have an improved look and feel and are more easily customizable, which can be used to provide more information to users. New site activity reports will give administrators increased visibility into which clients are accessing specific web sites. SSL response caching when HTTPS inspection is enabled is a welcome enhancement to this important protection mechanism. The ability to leverage Kerberos authentication for proxy arrays when addressing the array using an FQDN that resolves to the NLB VIP will greatly improve scalability and increase performance and throughput for very large enterprise deployments. These features, along with the hotfixes included in the service pack, make SP2 a compelling update for TMG.