Keep in mind that the information in this article is based on a beta version of Microsoft Forefront TMG and is subject to change.
A few days ago, Microsoft released Beta 2 of Microsoft Forefront TMG (Threat Management Gateway), which has a lot of exciting new features.
In this article, I will show you how to install the prerequisites before installing Forefront TMG. After a successful installation, I will show you some basic configuration tasks.
One of the most important changes in Microsoft Forefront TMG is that it must be installed on a 64-bit edition of Windows Server 2008. Other requirements include:
- 2 gigabytes (GB) or more of memory
- 2.5 GB of available hard disk space. This is exclusive of hard disk space that you want to use for caching or for temporarily storing files during malware inspection.
- One network adapter that is compatible with the computer’s operating system, for communication with the internal network.
- An additional network adapter for each network connected to the Forefront TMG server.
- One local hard disk partition that is formatted with the NTFS file system.
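A pre-flight check for the requirements listed above, as an added example that is not part of the original article or of the TMG setup. It assumes Windows PowerShell is installed on the server, and the minimum of two adapters is an assumption for a server that connects the internal network to one other network.

```powershell
# Added example: pre-flight check against the Forefront TMG Beta 2 requirements
# listed in this article. Read-only WMI queries; run locally on the target server.
$MinMemory   = 2GB      # "2 gigabytes (GB) or more of memory"
$MinFree     = 2.5GB    # "2.5 GB of available hard disk space"
$MinAdapters = 2        # assumption: internal adapter plus one more connected network

$script:results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Check  $Name
    $row | Add-Member NoteProperty Passed $Passed
    $row | Add-Member NoteProperty Detail $Detail
    $script:results += $row
}

# Windows Server 2008 is NT 6.0; ProductType 1 is a workstation, 2 and 3 are servers.
$os = Get-WmiObject Win32_OperatingSystem
$isServer2008x64 = ($os.Version -like '6.0.*') -and ($os.ProductType -ne 1) -and
                   ($os.OSArchitecture -match '64')
Add-Check 'Windows Server 2008, 64-bit' $isServer2008x64 "$($os.Caption) $($os.OSArchitecture)"

# Sum installed module capacity; TotalPhysicalMemory under-reports by the reserved amount.
$ram = (Get-WmiObject Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum
Add-Check 'Memory >= 2 GB' ($ram -ge $MinMemory) ("{0:N1} GB installed" -f ($ram / 1GB))

# Local fixed disks only (DriveType 3); the volume must be NTFS and have the free space.
# Cache and malware-inspection temp storage come on top of this figure.
$ok = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -eq 'NTFS' -and $_.FreeSpace -ge $MinFree })
$names = [string]::Join(', ', @($ok | ForEach-Object { $_.DeviceID }))
if (-not $names) { $names = 'none' }
Add-Check 'NTFS volume with >= 2.5 GB free' ($ok.Count -gt 0) "Qualifying volumes: $names"

# One adapter for the internal network plus one per additional connected network.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')
$nicList = [string]::Join('; ', @($nics | ForEach-Object {
    "$($_.Description) [$($_.IPAddress[0])]" }))
Add-Check "IP-enabled adapters >= $MinAdapters" ($nics.Count -ge $MinAdapters) $nicList

$script:results | Format-Table -AutoSize -Wrap
```

The adapter row also lists each adapter's first IP address, which helps when choosing the internal adapter and its address ranges later in setup.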
Microsoft has divided the new features into six sections:
- Control network policy access at the edge (Firewall)
- Protect users from web browsing threats (Web Client Protection)
- Protect users from E-mail threats (Email Protection)
- Protect desktops and servers from intrusion attempts (NIS)
- Enable users to remotely access corporate resources (VPN, Secure Web Publishing)
- Simplified management (Deployment)
After downloading the installation sources, start the TMG installation process by clicking the Install Forefront TMG button.
Figure 1: Installing Forefront Threat Management Gateway
Read and accept the License Agreement and provide additional Customer Information if required. Forefront TMG Beta 2 does not require entering an installation key.
The next step is to select the Setup scenario. For this article, we select the radio button Install Forefront Threat Management Gateway services. If you only want to install the TMG Management console, select the second radio button. The third option is for installing a Management Server, which centrally manages multiple TMG servers in an array.
Figure 2: Select Setup scenario
Select the components to install and the directory where the TMG binaries should be installed.
Figure 3: Component selection
Next, select the IP address ranges for the internal network. As a best practice, select the IP address ranges from the internal network adapter.
Figure 4: Specify the internal network address ranges
Select the internal network adapter. As a best practice, I recommend giving each network adapter in the Network and Sharing Center on Windows Server 2008 a name that reflects its function.
Figure 5: Select Network Adapters
If the following services are installed on the server, the TMG setup process restarts them during installation.
Figure 6: Services stopped during the installation
In this beta version of TMG, you have to install the Microsoft Exchange Server 2007 Edge Server role before you install TMG. The Edge Server role is required by TMG Server for Antispam features and SMTP routing.
Figure 7: Error – Exchange Edge is not installed
Cancel the TMG Server setup process and start installing Exchange Server 2007 Edge from the Exchange Server 2007 DVD.
Figure 8: Exchange Server 2007 SP1 Setup
Select the Custom Exchange Server installation option and specify a path for the Exchange Server 2007 installation files.
Figure 9: Custom Exchange Setup
Select the Edge Transport Server Role.
Figure 10: Selecting Edge Server role
Because a previous installation is pending, we have to restart the system and rerun the setup. The second warning can be ignored and is specific to my test environment.
Figure 11: Restart required before Setup can continue
Exchange Setup is installing files and the Edge Transport Server role.
Figure 12: Setup in progress
The TMG setup takes a while.
Figure 13: Installing components
After the setup process has finished the TMG installation, you should start the Forefront TMG Management Wizard console.
Figure 14: Setup has finished
The Forefront TMG console appears and launches the Getting Started Wizard.
Figure 15: TMG – Getting started Wizard
Start with the configuration of the network settings by first selecting a Network Template which corresponds to your current network environment.
Figure 16: Select Network Topology
Specify the adapter for the LAN interface and if required additional network routes.
Figure 17: Select Network Adapters
Next, select the WAN adapter.
After the Network configuration wizard has finished, start the system configuration wizard. The Wizard asks for domain or workgroup membership and the Primary DNS suffix. In my opinion you should have all necessary settings finished before starting the TMG setup or Setup wizard.
Figure 18: Host identification
Next, the deployment wizard asks for Microsoft Update service settings.
Figure 19: Windows update settings
As a next step you must specify the License settings for the Network Inspection System, Web protection and E-Mail protection.
Figure 20: License activation
For the Network Inspection System (NIS), you have to configure additional settings like the polling frequency and the response policy for new signatures from the Microsoft Response Center.
Figure 21: NIS Update settings
The next dialog boxes ask for Customer Feedback settings and settings for the Microsoft Telemetry Service.
Web Policy Access Wizard
The Web Access Policy allows the creation of a new Firewall policy. You can choose between a simple and custom configuration.
Figure 22: Access Policy Groups
Allow or deny the Web request.
Select access groups which are allowed to use Forefront TMG for Internet access and select the destination to which the groups have access.
If you want to activate Malware inspection for this Firewall rule, select the radio button.
Figure 23: Malware Inspection settings
A new feature of Forefront TMG is the HTTPS inspection feature which allows outbound HTTPS inspection. You can enable HTTPS inspection during the web access policy wizard.
Select if you want to enable Web Caching. If you want to cache web content through TMG, you must also specify the cache drive and the size of the cache and some other settings.
Once all setup tasks are finished, the wizard closes and you have to save all configuration changes. Now you can use the Forefront Threat Management Gateway for additional tasks.
In this article, I gave you some information about how to install Microsoft Forefront TMG Beta 2 on Windows Server 2008. The setup process is easy but in this beta version the prerequisite before installing Microsoft Forefront TMG is an installed Exchange Server 2007 with the Edge server role. This might be changed in upcoming versions of Forefront TMG.