Keep in mind that all the information in this article is based on a beta version of Microsoft Forefront TMG and is subject to change.
Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”
Let us begin
A few months ago, Microsoft released the Beta 2 version of Microsoft Forefront TMG (Threat Management Gateway) with a lot of new exiting features.
Before we start with the installation of Microsoft Forefront TMG into an array, I would like to explain to you the new terminology used in Forefront TMG. There are two different terms which are now commonly used:
- EMS (Enterprise Management Server)
- CSS (Configuration Storage Server)
The Enterprise Management Server is a server which is used to manage a TMG Enterprise Array or even possibly, a standalone server.
The Configuration Storage Server (CSS) is used for all local TMG installations and provides storage for the TMG Server configuration. For your information, every TMG has a local CSS. When the TMG administrator joins the Server to a TMG Array, the local TMG Server will use the Enterprise CSS (EMS). When the Enterprise CSS is applied, the local CSS will be disabled.
First off, we have to create a new Microsoft Forefront Threat Management Gateway Enterprise. To do so, start the setup from the TMG setup installation file and select the appropriate option.
Figure 1: Create a new Microsoft Forefront Threat Management Gateway Enterprise
It is also possible to create a replica from the Enterprise configuration. This will create a new EMS server which works hand in hand with the other EMS server. A productive TMG Enterprise should always have two or more EMS servers.
You must specify an account which is used for the EMS service. In my lab, I used the Administrator account from the domain. In a production environment you should use another, in order not to use such a security critical account.
Figure 2: Enterprise Management Server Service Account
The following Figure gives you an overview of the new Microsoft Forefront Threat Management Console with the EMS Server installed. The configuration is similar to the ISA Server 2006 Management Console, as you can see in the following screenshot.
Figure 3: New Microsoft Forefront Threat Management Gateway Enterprise and console
Next, we have to create a new TMG Array. When this is done, you will be able to join the standlone TMG Servers to the new TMG Array. Start by creating a TMG Array by executing the wizard to create new Arrays.
Figure 4: Wizard to create a new TMG Array
It is possible to create multiple Arrays in the TMG Enterprise (and there is a minimum of one Server per TMG Array). You must assign a name for the new Array.
Figure 5: Specify the Array DNS Name
The next step should be to resolve the DNS name by having it in every Array. The DNS name is used by the TMG Server Firewall Client and the Webproxy client. You must create a corresponding DNS record in your internal DNS Server for the TMG Array servers.
Every Array must have an Enterprise Policy. Select the default Policy, or better still, a newly created Enterprise Policy which should be used in the Array.
Figure 6: Assign an Enterprise Policy
Now it is time to select which type of Array Firewall policy rules can be created for the Array.
Figure 7: Specify Array Policy Rule Types
It takes some time to create the new TMG Array, depending on the performance of your system.
Figure 8: Create a new Array process
After some time, the TMG Array should be created sucessfully (as seen in the following screenshot). It is now possible to join together the standlone TMG servers to the TMG Enterprise.
Figure 9: New created TMG Array
The installation of Microsoft Forefront TMG is part of other articles on www.isaserver.org so I only created one screenshot about the installation process to see which setup option you must choose in the TMG installation wizard.
Figure 10: Installing TMG
After the TMG setup has sucessfully finished, start the Microsoft Forefront Threat Management console and click the Join Array option in the task pane, as shown in the following screenshot.
Figure 11: Start the Join Array Wizard
The Join Array Wizard starts…
Figure 12: Join Array Wizard
Select the Array Membership type. Because we prviously created an Enterprise Management Server and a TMG Array, we will join the standlone TMG server to the EMS.
Figure 13: Join an array managed by an EMS Server
Specify the fully qualified domain name (FQDN) for the the EMS. It is also possible to change the account which has the rights to connect to the EMS server.
Figure 14: Specify the EMS FQDN
Because we already created an TMG Array in the EMS, we will select the previously created TMG Array. It is also possible to create a new Array, but this could take a longer than creating the Array on the EMS Server because of network latency.
Figure 15: Join an existing EMS array
The TMG standalone server is now joining the TMG Array.
Figure 16: Join the array phase
After some time, the TMG standalone Server will become part of the EMS Array.
Figure 17: Array successfully joined
Start the TMG Management console and navigate to the properties of the newly Array joined TMG server and you will see that the TMG server is now managed by the EMS array.
Figure 18: EMS Array information
To see which CSS (Configuration Storage Server) is used by the TMG Server, navigate to the TMG Array properties, click the Configuration Storage tab. If you have a second CSS Server, which is recommended, enter the additional CSS Server as an alternate Configuration Storage Server.
Figure 19: TMG Array properties
After joining the Server to the TMG Array, you can now configure TMG for your business needs.
In this article, I gave you an overview about how to integrate the Microsoft Forefront Threat Management Gateway into a TMG array to centrally manage all TMG servers within the TMG Enterprise or Array. There are not a lot changes from ISA Server 2006 Enterprise CSS concepts, so you should be familiar with the EMS console in Microsoft Forefront TMG in no time.