TMG Web Proxy Client Concepts and Configuration (Part 1)

If you would like to read the next part in this article series please go to TMG Web Proxy Client Concepts and Configuration (Part 2).

Like its predecessor,  ISA Server, the TMG firewall supports three types of clients:

  • SecureNAT client
  • Firewall client (TMG client)
  • Web Proxy client

Understanding the client types

The SecureNAT client is a computer that is configured with a default gateway that enables it to reach an Internet gateway. The default gateway might be the IP address of the internal interface of the TMG firewall, or it might be the address of a router that is configured with a routing table entry that enables connections destined for the Internet to be routed through the TMG firewall. The key issue with the SecureNAT client is that it is dependent on the routing infrastructure of your current network so that all Internet bound connections are forwarded through the TMG firewall. The SecureNAT client supports all protocols that are included with the TMG firewall, and it supports complex protocols that have Application Filters included with the TMG firewall. The SecureNAT client doesn’t require any additional software installation – you just set the default gateway on the client.

The Firewall client (which is now called the TMG client, but was named the Firewall client for so many years that many of us are still in the habit of calling it the Firewall client, so I’ll continue to refer to it as such here) is a Winsock Proxy client (and in fact, this is what it was called prior to ISA 2000). When a machine is configured as a Firewall client, all calls by Winsock applications on the Firewall client computer are forwarded by the Firewall client software to the TMG firewall. The TMG firewall performs name resolution on behalf of the Firewall client and then forwards the connection to the Internet destination. The nice thing about the Firewall client is that it only needs a route to the TMG firewall; thus your routing infrastructure doesn’t have to be set up so that all Internet bound requests are passed through the TMG firewall when you’re using the Firewall client. The Firewall client supports all protocols, including custom protocols that you can create yourself, and it supports all complex protocols, even if there is no Application Filter for the protocol. You have to install the Firewall client software on the Firewall client computer to make it a Firewall client.

The Web proxy client is the one we’re going to be discussing in this article. The Web proxy client enables the Web Proxy client computer to access the HTTP, HTTPS and HTTP-tunneled FTP connections to the Internet, so the Web proxy client supports a very limited number of protocols when compared to the SecureNAT and Firewall clients. The good news is that you don’t have to install any software on the Web Proxy client computer. A computer becomes a Web Proxy client when you configure the browser on the machine to use a Web proxy server. When the browser (or web enabled application) sends an HTTP or HTTPS request to the Internet, the Web Proxy client configuration will intercept the connection and forward it to the Web proxy listener on the TMG firewall. The TMG firewall will resolve the name of the destination server on behalf of the client and then forward the request to the destination Web site or Web service.

While at first glance it might seem that Web proxy client configuration is pretty simple, there are a number of potential complexities that you should become familiar with. Perhaps “complexity” is the wrong term, because the Web Proxy client configuration options aren’t necessarily complex or hard to understand, but there are quite a number of options that allow you a lot of flexibility, so you should be aware of these options in order to obtain the functionality that you need. We’ll look at those options in the following sections.

The Web Proxy Server Role on the TMG Firewall

The TMG firewall is actually a collection of a number of network firewall roles. For those of you who are new to the TMG firewall, the TMG firewall can act as one or more of the following:

  • Network IDS/IPS (via the Network Inspection System and behavior IDS features)
  • Web anti-malware server
  • Web URL filtering server
  • Network firewall edge firewall
  • Network back-end firewall
  • Multi-homed DMZ firewall
  • Remote Access VPN server
  • Site to Site VPN gateway
  • Windows DirectAccess server/gateway
  • Reverse Proxy Server
  • Forward Proxy Server

That’s quite a bevy of features and functionality that are packed into the TMG firewall. However, depending on the deployment model you choose for the TMG firewall, you may lose some of the functionality. For example, if you configure the TMG firewall to be a front-end, back-end, or DMZ firewall, you get the entire collection of features and functionality listed above. However, if you deploy the TMG firewall as a single-NIC firewall, you lose most of the above listed functionality and more.

One thing you do get with all deployment models of the TMG firewall is the Web Proxy server feature. Whether you have a multi-homed TMG firewall or a single-NIC TMG firewall, you will always be able to use the TMG firewall as a forward and reverse proxy server. Therefore, when it comes to Web Proxy client configuration, the same principles apply to when the TMG firewall is configured as a full featured firewall, as when it is configured as just a single-NIC Web Proxy server.

Web Proxy Client Configuration on the TMG Firewall

You may have noticed that this is “Part One” in a series of articles. In this article, we’re going to use as an example a TMG machine that is configured to be a front-end network firewall on a production network. We’ll start with the server-side configuration of the TMG firewall in this article and later on in this series, we’ll examine the client-side of the configuration.

You can get started with the Web Proxy client configuration by opening the TMG firewall console and then clicking the Web Access Policy node in the left pane of the console, as shown in Figure 1 below.

Figure 1

After you click on the Web Access Policy node in the left pane of the console, you then click the Tasks Tab in the Task Pane of the console. In the Related Tasks section, click the Configure Web Proxy link, as shown in Figure 2.

Figure 2

This brings up the Internal Properties dialog box. This is actually the Properties dialog box you would see when you right click on the Internal network and click Properties, if you were in the Networking node  in the left pane of the TMG firewall console. It’s important to note that while you will need to configure the Web Proxy settings on the default Internal Network in almost all cases, if you have other internal networks that you’ve configured, you’ll want to configure the Web Proxy client configuration for those networks as well.

The General Tab

The first tab you’ll see is the General tab. There’s not much to do here. You’ll see the Name of the network, and then a Description (optional) dialog box, as you can see in Figure 3. If you want, you can enter more detailed information about the network here. While there’s not much point to adding anything here for the default Internal Network, I often find it useful to include more information in this text box when I create a DMZ or other internal Networks, so that other admins of the TMG firewall can more easily understand the purpose of the Network.

Figure 3

Now click on the Addresses tab. On this tab, you define the network by listing all the addresses that are allowed to connect to resources through the TMG firewall using the NIC that connects to this TMG network. If a computer has an address that is not included in this address list, then the connection attempt will be interpreted as spoofed and the connection attempt will be dropped.

The best way to handle this option is to use the Add Adapter button, which you can see on the right in Figure 4. When you use this option, you can then select the NIC that is assigned to the TMG Network that you’ve defined. Then you can see that the TMG firewall has already automatically computed the addresses that should be assigned to the TMG Network for which this NIC is the “root.” By default, the TMG firewall will include all the addresses that are “on network” for the NIC connected to that Network. In addition, it will also include all addresses that are included in the network IDs for which you created routing table entries when you installed the TMG firewall. You should recall that the Getting Started Wizard gave you the option to include additional network routes during installation.

While this tab doesn’t directly reflect Web Proxy client configuration, it’s critical to note that if the addresses aren’t correctly entered here, it will have a negative impact on your Web Proxy clients to the extent that they won’t be able to connect to the Web Proxy listener, and if they can’t connect to the Web Proxy listener, they won’t be able to connect to any Internet resources.

Figure 4

Next, click the Domains tab, which is shown in Figure 5. On this tab, you specify the domain names that belong to this network. Firewall client computers on this network won’t use the TMG firewall client to connect to resources in these domains.

This tab then is directly related to the Firewall client configuration. However, as we’ll see later when we click the Web Browser tab, we’ll be able to leverage the domain names included on this tab in configuring the Web Proxy client.

You might be wondering what actually happens when you enter a domain name on this tab. Let’s say that a client on the default Internal Network needs to access a resource on the domain. Since this name is included on this list, the Firewall client software will ignore the request and the connection won’t be routed to the TMG firewall. Instead, the connection will be made directly to the destination server. If the destination server is on the same network, the connection will be made directly to the server on the same network. If the destination is on another network, it will be routed through a route (if that’s what needs to be done) or routed through the TMG firewall, if the client is configured as a SecureNAT client that will use the TMG firewall as a gateway to the destination server. The key point here is that if the destination resource is on a domain listed here, the Firewall client will not handle the request.

Figure 5


In this, part 1 of our series on the Web Proxy client configuration, we went through some of the details describing the three different types of TMG clients, and then began our walkthrough of the server-side configuration that influences Web Proxy client behavior. In the next article in this series, we’ll drill down on the entries  in the Web Browser tab and the Auto Discovery tab. See you then!  -Deb.

If you would like to read the next part in this article series please go to TMG Web Proxy Client Concepts and Configuration (Part 2).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top