Installing the Forefront Threat Management Gateway (Forefront TMG) Beta 1
If you haven’t heard yet, the ISA Firewall is going away. The last version of the ISA Firewall is going to be ISA 2006. However, that doesn’t mean that the ISA software that we’ve come to love over the years is going away. While the ISA brand will fall into the dustbin of history, we’ll see the next version of the ISA Firewall come in with a new name: the Forefront Threat Management Gateway.
There are a number of reasons why the ISA name is going away. But probably the primary reason is that the general public never seemed to be able to figure out what the ISA Firewall was all about. Some people thought it was just a Web proxy server (a la Proxy 2.0), some people thought it was just a firewall, some people thought it was a VPN server, some people thought it was a VPN gateway, and some people thought it was some kind of Frankenstein and couldn’t make any sense out of it. By renaming the product, the Forefront TMG should be able to get some newfound attention, and hopefully the name itself will provide a clearer focus on the primary design goal of the product.
In this article I’m going to give you a look at the installation process. However, before installing the TMG, you need to know the following:
- TMG will only run on 64-bit Windows Server 2008. There will be a 32-bit demo version after the TMG goes RTM, but there won’t be any beta versions that run on 32-bit Windows.
- TMG requires at least 1 GB of memory (it will probably run on less, but not very quickly)
- 150 MB of disk space
- At least one NIC (although I always recommend two or more NICs to provide true security)
- You must install to the default folder on the C: drive
- TMG will install IIS 7 on your machine in order to support SQL reporting services. If you remove TMG from the machine, IIS 7 will not be removed for you and you will need to do that manually.
- Services and driver files for the TMG are installed in the TMG installation folder
- For the beta 1 version of the TMG, the TMG machine must be a domain member. In future betas, non-domain membership will be supported.
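The prerequisites above are easy to check before you start Setup rather than discovering a problem halfway through. The following PowerShell 2.0 script is an added example, not part of the original article or of the TMG product; the thresholds (64-bit Server 2008, 1 GB of memory, 150 MB free on C:, at least one NIC, domain membership, a domain user with local administrator rights) are taken from the list above, and the WMI classes it queries are the standard ones shipped with Windows Server 2008. Run it from an elevated prompt, since the local-admin check looks at the token you are actually running with.

```powershell
# Added example: pre-flight checks for the TMG Beta 1 prerequisites listed in the
# article. Not part of the article or of TMG itself. Targets PowerShell 2.0 on
# Windows Server 2008 and uses only built-in WMI classes.

function Test-TmgPrerequisites {
    $os   = Get-WmiObject Win32_OperatingSystem
    $cs   = Get-WmiObject Win32_ComputerSystem
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE")

    # Who is running Setup? Local accounts show up as COMPUTERNAME\user,
    # domain accounts as DOMAIN\user, so compare the prefix with the host name.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $userDomain = $identity.Name.Split('\')[0]
    $isDomainUser = $cs.PartOfDomain -and ($userDomain -ne $env:COMPUTERNAME)

    # Physical memory is reported slightly under the nominal size (BIOS/firmware
    # reservations), so round to two decimals before comparing against 1 GB.
    $memGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    $freeMB = [math]::Round($disk.FreeSpace / 1MB, 0)

    $checks = @(
        @{ Name = '64-bit Windows Server 2008';
           Pass = ($os.OSArchitecture -eq '64-bit') -and ($os.Caption -match 'Server 2008');
           Detail = "$($os.Caption) $($os.OSArchitecture)" },
        @{ Name = 'At least 1 GB of memory';
           Pass = ($memGB -ge 1);
           Detail = "$memGB GB" },
        @{ Name = 'At least 150 MB free on C:';
           Pass = ($disk.FreeSpace -ge 150MB);
           Detail = "$freeMB MB free" },
        @{ Name = 'At least one NIC (two or more recommended)';
           Pass = ($nics.Count -ge 1);
           Detail = "$($nics.Count) IP-enabled adapter(s)" },
        @{ Name = 'Machine is a domain member';
           Pass = [bool]$cs.PartOfDomain;
           Detail = $cs.Domain },
        @{ Name = 'Logged on as a domain user';
           Pass = [bool]$isDomainUser;
           Detail = $identity.Name },
        @{ Name = 'Current token has local admin rights';
           Pass = [bool]$isAdmin;
           Detail = 'run Setup from an elevated prompt' }
    )

    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

Test-TmgPrerequisites | Format-Table Name, Pass, Detail -AutoSize
```

Every row should read True before you launch Setup; the domain-user and local-admin rows are the two that bit me later in this walkthrough.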
In this article series (should end up being two parts), I am installing the TMG on a Windows Server 2008 Enterprise edition machine that is running as a VM on VMware Virtual Server 1.0. The VM has two interfaces: one interface is bridged to the external network and will act as the external interface and the second interface is placed on VMNet2, which will be the interface on the default Internal Network. Note that the networking model for the TMG has not changed from that used by the ISA Firewall.
Download your TMG software.
The TMG is one of the several pieces of software that comprise the Forefront Stirling collection of products. You can download all of them, or just the TMG. The TMG will work fine without Stirling, but Stirling is something that you definitely want to get to know about in the future.
Double click the file you downloaded. You’ll see the Welcome to the InstallShield Wizard for the Forefront Threat Management Gateway page. Click Next.
Install the files to the default location, which is C:\Program Files (x86)\Microsoft ISA Server. Click Next.
The files will be extracted to that location.
Click Finish when the extraction finishes.
Go to the C:\Program Files (x86)\Microsoft ISA Server folder and double click the ISAAutorun.exe file.
This opens up the Microsoft Forefront TMG 270-Day Evaluation Setup dialog box. Click the Install Forefront TMG link.
This brings up the Welcome to the Installation Wizard for Microsoft Forefront Threat Management Gateway page. Click Next.
On the License Agreement page, select the I accept the terms in the license agreement option and click Next. Notice that the license agreement still contains the old code name of the product, which was Nitrogen.
On the Customer Information page, enter your User Name and Organization. The Product Serial Number will be filled in for you. Click Next.
Here we see a new setup option that wasn’t available in previous versions of the product. On the Setup Scenarios page, you have the option to install the Forefront TMG or install only the TMG Management console. In this example we’re installing the entire product, so we’ll select Install Forefront Threat Management Gateway and click Next.
On the Component Selection page, you have the options to install the TMG firewall software, the TMG management console, and the CSS. Yes, you guessed it. There are no more Standard and Enterprise editions of the ISA firewall. The TMG will be sold as a single edition, and this single edition uses the CSS even if you have only a single-member TMG array. You will be able to create arrays using the TMG; however, that functionality is not available with this version of the TMG and will be available in later betas.
In this example we’ll install all of these options in the default folder (we need to install in the default folder for this version of the TMG). Click Next.
It looks like I have a problem here. While the machine is a member of the domain, I forgot to log on with a user account that is a domain member. In order to install the TMG, you must be logged on as a domain user that has local administrator privileges on the TMG machine.
Looks like I’m going to have to restart the installation. We’ll pick up where we left off after I log off and log on again and restart the installation.
Now that I’m logged on as a domain user with local admin privileges, we pick up the installation process on the Internal Network page. If you’ve installed the ISA Firewall, you’ll recognize this page from previous versions of the ISA Firewall. This is where you define the default Internal network. In almost all cases you should select the Add Adapter option, since this will define your default Internal network based on the routing table configured on the ISA Firewall. However, one thing I don’t know is if I change the configuration of the routing table on the ISA Firewall whether the definition of the default Internal Network will automatically change. I’ll bet a quarter that it doesn’t, but it’s something we’ll have to check into in the future.
The Internal Network page now shows the definition of the default Internal Network. Click Next.
The Services Warning page informs you that the SNMP Service, the IIS Admin Service, the World Wide Web Publishing Service and the Microsoft Operations Manager Service will all be restarted during the installation. It’s unlikely that you’ll have already installed the Web server role on this machine, so you don’t need to worry about the IIS Admin Service or the World Wide Web Publishing Service, but you should be aware of the SNMP and Microsoft Operations Manager Service restart. Remember, TMG will install and configure IIS 7 for you.
Click Install on the Ready to Install the Program page.
The progress bar shows you the installation progress. Here you can see the CSS being installed.
It worked! The Installation Wizard Completed page shows the installation has completed successfully. Put a checkmark in the Invoke Forefront TMG Management when the wizard closes checkbox. Click Finish.
At this point you’ll see the Protect the Forefront TMG Server Web page. Here you’re provided information on turning on Microsoft Update, running the ISA BPA, and reading the Security and Protection section in the Help file. One thing I can tell you about the Help File so far is that they’ve done a fantastic job at upgrading its content. There is much more information, and much more real world deployment information included with the new and improved Help File. I recommend that you spend some time reading the Help file. I guarantee that even if you’re a seasoned ISA Firewall admin, the TMG Help File is going to provide you some new insights.
After the initial installation is complete, you’ll see the new Getting Started Wizard. The Getting Started Wizard is new with the TMG and wasn’t available in the previous versions of the ISA Firewall. There are three basic wizards included in the Getting Started Wizard, and an optional fourth one that we’ll see when we finish the first three.
The first wizard is the Configure network settings wizard. Click the Configure network settings link on the Getting Started Wizard page.
On the Welcome to the Network Setup Wizard, click Next.
On the Network Template Selection page, select the network template that you want to apply to the TMG. These are the same network templates that were available with previous versions of the ISA Firewall. Click on each of the options and read the information provided on the lower part of the page.
In this example, we’ll use the preferred template, which is the Edge firewall template. Click Next.
On the Local Area Network (LAN) Settings page, you are given the opportunity to configure IP addressing information on the LAN interface. First, you select the NIC that you want to be the LAN interface on the ISA Firewall by clicking the drop down menu for Network adapter connect to the LAN. The IP addressing information for this NIC will appear automatically. You can make changes to the IP addressing information here. Also, you can create additional static routes by clicking the Add button.
One thing I don’t know is what changes on this page will do to the definition of the default Internal Network. Suppose I configured the default Internal Network to be 10.0.0.0-10.0.0.255 but then decided to change the IP address on the internal interface on this page so that it was on a different network ID. Will the definition of the default Internal Network change? What if I add a static route on the internal interface of the TMG? Will these changes be reflected in the definition of the default Internal Network? I don’t know, but it’s something to investigate in the future.
I won’t make any changes on this page as I had already set up the internal interface with the IP addressing information I required. Click Next.
The Internet Settings page allows you to configure IP addressing information on the external interface of the TMG firewall. Like the last page, you select the NIC that you want to represent the external interface by clicking the Network adapter connected to the Internet drop down list. Also like the last page, you can change the IP addressing information. Since I already configured the external interface with the IP addressing information I wanted it to have, I’ll make no changes here. Click Next.
The Completing the Network Setup wizard page shows you the results of your changes. Click Finish.
This takes you back to the Getting Started Wizard page. The next wizard is the Configure system settings wizard. Click the Configure system settings link.
Click Next on the Welcome to the System Configuration Wizard page.
The Host Identification page asks you about the host name and domain membership of the TMG firewall. In this example, it has automatically detected the host name of the machine, which is TMG2009. The wizard has also identified the domain membership of the machine. I suspect that this wizard will allow you to join a domain if you haven’t yet done so, and to leave the domain if you want to. Also, if the machine is a workgroup member, you have the opportunity to enter a primary DNS suffix that the ISA Firewall can use to register in your domain DNS, if you have DDNS enabled and you don’t require secure DDNS updates.
Since I have already configured this machine as a domain member, I don’t need to make any changes on this page. Click Next.
That’s it for the System Configuration Wizard. Click Finish on the Completing the System Configuration Wizard page.
One more wizard on the Getting Started Wizard page. Click the Define deployment options link.
Click Next on the Welcome to the Deployment Wizard page.
On the Microsoft Update Setup page, you have the options Use the Microsoft Update service to check for updates and I do not want to use Microsoft Update Service. Note that not only does the TMG use the Microsoft Update service to update the OS and the TMG firewall software, it also uses it to check for malware definitions, which it does several times a day (by default, every 15 minutes). Since one of the major advantages of using a Microsoft firewall over other firewalls is the excellent auto-update feature, we’ll go ahead and use the Microsoft Update site. Click Next.
On the Definition Update Settings page, you select whether you want the TMG firewall to check and install, check only, or do nothing with malware inspection updates. You can also set the polling frequency, which is set to every 15 minutes by default. Alternatively, you can set the updates to be downloaded once a day, and then configure the time of day when you want those updates installed. Click Next.
On the Customer Feedback page, choose whether or not you want to provide anonymous information to Microsoft on your hardware configuration and how the product is used. No information shared with Microsoft can be used to identify you, and no private information is released to Microsoft. I figure I share my name, birth date, social security number, drivers license number and address with my bank, and I trust Microsoft a lot more than I trust my bank, given the bank’s requirements to share information with the Federal Government. So sharing this technical information with Microsoft is a no-brainer, and it helps make the product more stable and secure. Select Yes, I am willing to participate anonymously in the Customer Experience Improvement Program (recommended) option.
On the Microsoft Telemetry Service page, you can configure your level of membership in the Microsoft Telemetry service. The Microsoft Telemetry Service helps protect against malware and intrusion by reporting information to Microsoft about potential attacks, which Microsoft uses to help identify attack patterns and improve precision and efficiency of threat mitigations. In some instances, personal information might be inadvertently sent to Microsoft, but Microsoft will not use this information to identify or contact you. It’s hard to determine what kind of personal information might be sent, but since I’m in the habit of trusting Microsoft, I’ll select the Join with an advanced membership option. Click Next.
The Completing the Deployment Wizard page shows the choices you made. Click Finish.
That’s it! You’re done with the Getting Started Wizard. But that doesn’t mean that you’re done. If you put a checkmark in the Run the Web Access wizard checkbox, the Web Access Wizard will start. Let’s put a checkmark there and see what happens.
This starts the Welcome to the Web Access Policy Wizard. Since this is a new way of creating TMG firewall policies, I think we’ll wait until the next article to get into the details of this wizard. It seems that the TMG will allow you to configure Web Access Policy in a way that’s a bit different than how we did it with previous versions of the ISA Firewall, so I want to make sure we have an article dedicated to this feature.
Now that installation is complete, we can see the new console. If you look at the left pane of the console, you’ll see that there aren’t any nested nodes, which makes navigation a bit easier. Also, we see a new node, the Update Center node. This is where you can get information about updates to the anti-malware feature of the TMG, and also find out when the malware updates were installed.
After installation completed, I found that there were some errors. But this might be related to the fact that the TMG didn’t work at all after the installation was complete. I was able to solve this problem by restarting the computer. I’m not sure if this is related to running the TMG firewall on VMware Virtual Server, or if this is a beta bug.
Taking a look at the Initial Configuration Tasks you can see that a number of roles and services were installed on this computer as part of the TMG installation. These include:
- Active Directory Lightweight Directory Services (ADAM)
- Network Policy and Access Services (required for RRAS and VPN)
- Web Server (IIS) (required for SQL reporting services and TMG reporting)
- Network Load Balancing Services (required for NLB support)
- Remote Server Administration Tools (don’t know why these were installed)
- Windows Process Activation Service (most likely secondary to the Web server role requirements)
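Because these roles stay behind if you later uninstall TMG (the article notes above that IIS 7 in particular is not removed for you), it is worth recording exactly which of them Setup added so you can take them off again and shrink the attack surface of the box. The script below is an added example and is not from the article or from TMG; it parses the output of Windows Server 2008’s built-in ServerManagerCmd.exe -query, whose lines look like "[X] Web Server (IIS)  [Web-Server]" for installed roles, and maps the six roles listed above to their Server Manager IDs (ADLDS, NPAS, Web-Server, NLB, RSAT, WAS). The line format and those IDs are my assumptions about the 2008 tool, not something the article states.

```powershell
# Added example: confirm which of the roles the article lists are installed, by
# parsing ServerManagerCmd.exe -query on Windows Server 2008. Not part of the
# article or of TMG. Assumes the "[X] <name>  [<id>]" output format of that tool.

# Role/feature IDs for the six items the article lists (assumed Server Manager IDs).
$expectedRoles = @{
    'ADLDS'      = 'Active Directory Lightweight Directory Services'
    'NPAS'       = 'Network Policy and Access Services'
    'Web-Server' = 'Web Server (IIS)'
    'NLB'        = 'Network Load Balancing'
    'RSAT'       = 'Remote Server Administration Tools'
    'WAS'        = 'Windows Process Activation Service'
}

function Get-InstalledServerFeatures {
    # Returns a hashtable of featureId -> $true/$false (installed or not).
    # Each line of interest looks like: "    [X] Web Server (IIS)  [Web-Server]"
    $state = @{}
    foreach ($line in (& ServerManagerCmd.exe -query)) {
        if ($line -match '^\s*\[(X| )\]\s+(.+?)\s+\[([^\]]+)\]\s*$') {
            $state[$matches[3]] = ($matches[1] -eq 'X')
        }
    }
    return $state
}

$state = Get-InstalledServerFeatures
$expectedRoles.Keys | ForEach-Object {
    $id = $_
    New-Object PSObject -Property @{
        Id        = $id
        Role      = $expectedRoles[$id]
        Installed = ($state.ContainsKey($id) -and $state[$id])
    }
} | Format-Table Id, Role, Installed -AutoSize
```

Save the table from a fresh Server 2008 build and again after TMG Setup; the difference is your manual cleanup list if you ever remove the product. The same tool does the removal (ServerManagerCmd.exe -remove Web-Server, for example), and adding -whatIf first shows which dependent features would come off with it.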
In this article we went through the installation process for the TMG firewall. There were a few changes from what we’ve seen in previous versions of the ISA Firewall, but nothing earthshaking. But that’s OK; the installation experience isn’t a place where I expect to be wowed. What we did see were a few nice improvements in the installation routine that give you some more flexibility during setup.
If you take some more time to look at the TMG firewall software after installation, and you don’t notice any of the features that you were hoping for, don’t get too worried yet. This is a very early beta version and I suspect that it is far from feature complete. I know there are more than a dozen features that have been repeatedly requested ever since the release of ISA 2000. So, while sometimes first impressions are lasting impressions, I don’t want that to be the case for your first view of the TMG firewall. Remember that it’s beta one and expect to see some things in the future that are going to make you very happy. Thanks! – Tom.