TMG Runs IIS 7 — Is This a Security Issue?

Tarek Majdalani (who runs the great Web site) brought up an interesting question today regarding the next version of the ISA Firewall, the Forefront Threat Management Gateway (Forefront TMG). He asked whether we were going to have problems with the fact that IIS 7 is installed on the TMG, given that we’ve been so vehement that you should never install the WWW service on the ISA Firewall.

The reason we so strongly recommend against placing the WWW service on the firewall is that, in the past, the only reason to do so was to host a Web site on the firewall. Since the ISA firewall security model is broken when you install extraneous services on the firewall, we recommended that you never do so. Exposing the ISA firewall via a Web site that’s accessible to connections from clients on any network significantly increases the attack surface.

The reason IIS is installed on the TMG firewall is that it’s required to support SQL Reporting Services, which the TMG firewall uses to generate the TMG firewall reports. However, if you look at the IIS configuration, you’ll see that the only binding is for TCP port 8008, which is used for local access to the SQL reports.

More importantly, there are no firewall rules that allow connections to the local IIS Web server, so the Web server is not exposed to external (non-local-host) connections. For all practical purposes, the Web server is accessible only to the TMG firewall itself and to locally logged-on users. This means there is no practical increase in the TMG’s attack surface due to the IIS 7 installation.
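The two claims above (IIS binds only TCP 8008, and nothing outside the local host can reach it) are easy to verify on the box itself. The PowerShell script below is an added example, not part of the original post or of the TMG product: it parses the site bindings reported by `appcmd.exe list site` and the listening sockets reported by `netstat -ano -p tcp`, then flags any IIS binding on a port other than the expected one and any IIS port that is listening on a non-loopback address. The appcmd path, the output formats it parses, and the sample output it can run against offline are assumptions made for this example.

```powershell
<#
 Added example (not from the original post): check that IIS on a TMG host
 binds only the expected port and note whether that port is listening on
 loopback or on all interfaces.
 Assumptions not stated on the page: appcmd.exe is at
 %windir%\system32\inetsrv\appcmd.exe, and 'appcmd list site' prints lines of
 the form  SITE "name" (id:1,bindings:http/*:8008:,state:Started)
#>
param(
    [int[]] $ExpectedPorts = @(8008),   # the page says IIS binds only TCP 8008
    [switch] $UseSample                  # parse constructed sample output instead of the live host
)

# Constructed sample of 'appcmd list site' output (not captured from a real TMG).
$SampleAppcmd = @'
SITE "Default Web Site" (id:1,bindings:http/*:8008:,state:Started)
SITE "Stray Site" (id:2,bindings:http/*:8080:,state:Started)
'@ -split "`r?`n"

# Constructed sample of 'netstat -ano -p tcp' output (not captured from a real TMG).
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:8008           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1204
'@ -split "`r?`n"

function Get-IisBindings {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match '^SITE\s+"(?<name>[^"]+)"\s+\(id:\d+,bindings:(?<b>.*?),state:') {
            foreach ($binding in ($Matches.b -split ',')) {
                # binding format assumed: protocol/ip:port:hostheader
                $parts  = $binding -split '/'
                $ipPort = $parts[1] -split ':'
                [pscustomobject]@{
                    Site     = $Matches.name
                    Protocol = $parts[0]
                    IP       = $ipPort[0]
                    Port     = [int]$ipPort[1]
                }
            }
        }
    }
}

function Get-TcpListeners {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        # e.g. "  TCP    0.0.0.0:8008    0.0.0.0:0    LISTENING    4"
        if ($line -match '^\s*TCP\s+(?<addr>\S+):(?<port>\d+)\s+\S+\s+LISTENING\s+(?<pid>\d+)\s*$') {
            [pscustomobject]@{
                Address  = $Matches.addr
                Port     = [int]$Matches.port
                Pid      = [int]$Matches.pid
                Loopback = ($Matches.addr -eq '127.0.0.1' -or $Matches.addr -eq '[::1]')
            }
        }
    }
}

if ($UseSample) {
    $appcmdLines  = $SampleAppcmd
    $netstatLines = $SampleNetstat
} else {
    $appcmdLines  = & "$env:windir\system32\inetsrv\appcmd.exe" list site
    $netstatLines = netstat -ano -p tcp
}

$bindings  = @(Get-IisBindings  $appcmdLines)
$listeners = @(Get-TcpListeners $netstatLines)
$findings  = @()

foreach ($b in $bindings) {
    if ($ExpectedPorts -notcontains $b.Port) {
        $findings += "Site '$($b.Site)' binds $($b.Protocol) on port $($b.Port); only port(s) $($ExpectedPorts -join ',') expected"
    }
    foreach ($l in ($listeners | Where-Object { $_.Port -eq $b.Port })) {
        if (-not $l.Loopback) {
            # A '*' binding makes HTTP.SYS listen on every interface, so local-only
            # access then rests on the firewall policy, not on the socket itself.
            $findings += "Port $($b.Port) listens on $($l.Address) (PID $($l.Pid)); local-only access depends on firewall rules"
        }
    }
}

if ($findings.Count -eq 0) { 'OK: IIS binds only the expected port(s) on loopback.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it with `-UseSample` to see the two kinds of finding against the constructed output, or without the switch on the TMG host itself. Note what it does and does not prove: a `*` binding on 8008 is the normal shape and is not by itself an exposure; the post's argument rests on the firewall policy containing no rule that allows traffic to the local Web listener, which you confirm in the TMG policy, not from the socket table.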



Thomas W Shinder, M.D.

MVP — Microsoft Firewalls (ISA)
