What’s going on during a Forefront TMG Installation?


I will give a deep look into the Forefront TMG setup files, the registry and file system changes during a Forefront TMG installation with the help of tools like Process Monitor and we will also track Windows service changes during a Forefront TMG installation and I will also give you some tips for troubleshooting a failed Forefront TMG installation.

Get your copy of the German language “Microsoft ISA Server 2006 – Das Handbuch”

Let’s begin

A typical Forefront TMG installation requires many settings and configurations in the underlying Windows operating system. During a Forefront TMG installation, many Windows Server features and roles will be installed, Forefront TMG installs by default a local SQL Server 2008 SP1 express database for SQL Reporting services and databases for Forefront TMG Web proxy and Firewall logging. In this article, I’ll try to cover every step during a Forefront TMG installation. To see what happens during a Forefront TMG installation I used the Microsoft tool Process Monitor to see the changes and modifications of the Server during the installation process. For this article we will cover the following installation steps:

  • AD-LDS installation
  • TMG Log files
  • Windows and TMG processes during the installation
  • Created services
  • Registry changes
  • Windows Firewall settings
  • Event Log entries

Server Manager

The Forefront TMG preparation tool installs some Windows Server roles and features. Before the TMG installation there are no roles and features installed as you can see in the following screenshots:

Figure 1: No installed Windows roles

Figure 2: No installed Windows features

As a first step we have to run the Forefront TMG preparation tool which installs the required Windows roles and features:

Figure 3: Forefront TMG preparation tool

The installation process is the Prerequisitesinstaller.exe.

Figure 4: Forefront TMG preparation tool

To see what happens during the Prerequisites installation process I used the Microsoft Process monitor to filter all activities for this process.

Figure 5: Process Monitor filter

As you can see there are many activities going on during the installation process.

Figure 6: Installation process

The Forefront TMG installation process writes many log files into the Windows\temp directory.

Figure 7: Forefront TMG log files

There are some logfiles for the Server Manager installation of the required Forefront TMG prerequisites.

Figure 8: Server Manager log files

After the prerequisites have been installed successfully you can check the installed roles and features with ServerManager or ServerManagercmd.

Figure 9: Installed roles

Figure 10: Installed features

Step 1

TMG Installation

Now we can start the Forefront TMG installation process. As a first step the local TMG configuration storage for the TMG configuration will be created. Forefront TMG uses a local AD-LDS instance.

Figure 11: TMG configuration Storage Server

The required files for the AD-LDS instance will be installed during the prerequisites installer.

Figure 12: AD-LDS files


A log file will be created which protocols all installation steps.

Figure 13: AD-LDS log file

A more detailed AD-LDS log file can be found in C:\windows\debug\adamsetup.log

Figure 14: AD-LDS log file

AD-LDS database

The AD-LDS database will be installed in the Forefront TMG installation directory.

Figure 15: AD-LDS database


A local AD-LDS (AD/AM) service will be created. The other Forefront TMG Services will be started after the Forefront TMG installation.

Figure 16: AD-LDS service

Registry Changes

During the Forefront TMG installation, a local AD-LDS instance will be created which holds the TMG configuration. The TMG configuration will also be stored in the local Registry and the TMG service will ensure that the AD-LDS database stores the configuration in the local Registry. The following screenshot shows the local Registry after the ISASTGCTRL service has been installed but not completely filled until the Forefront TMG setup has finished.

Figure 17: Local registry settings for TMG

After the local AD-LDS database has been created, you can see that the TMG installation process writes into this database.

Figure 18: AD-LDS database will be filled during TMG installation

Step 2

After the core components have been installed, additional components will be installed. These additional components are primarily the installation of the local SQL Server 2008 SP1 Express databases for SQL Reporting services and the databases for the Forefront TMG Web proxy and Firewall logging.

Figure 19: Step 2

SQL Server 2008 Express installation

Figure 20: SQL installation

During the SQL Express installation a hidden folder called config.msi in the root directory of the server will be created which contains a detailled log file.

Figure 21: SQL Setup logs

SQL Reporting Service installation

After the SQL Server 2008 express core components has been installed, the SQL Reporting service/database will be installed

Figure 22: SQL reporting service installation

The SQL Server reporting database will be installed in the local SQL Server installation directory.

Figure 23: SQL reporting service database directory

It takes a while but after a few minutes you can see the new SQL Server databases for the TMG Web proxy and Firewall logging. These databases are stored in the local Forefront TMG installation directory.

Figure 24: SQL databases for TMG

Figure 25: The Forefront TMG installation finished sucessfully.

After Forefront TMG has been installed, you can see the all TMG entries in the Registry.

Figure 26: Forefront TMG settings in the local Registry

The local AD-LDS database has also been filled with the local TMG configuration. You can check this with ADSIEDIT as you can see in the following screenshot. We first have to connect to the AD-LDS instance.

Figure 27: Connect to the Forefront TMG AD-LDS instance

After a successful connection you will see the entire Forefront TMG configuration in the AD-LDS database.

Figure 28: AD-LDS database content

Forefront TMG Setup log files

After the installation of TMG you will also find all Forefront TMG log files during the installation in the Windows\Temp directory.

Figure 29: Forefront TMG settings in the local Registry

You can use these log files if the Forefront TMG installation fails. If the Forefront TMG installation failed you must also have a look into the entries in the Windows event log.

The following screenshot will give you a description of the Forefront TMG log files.

Figure 30: TMG Setup log files Source: http://technet.microsoft.com/de-de/library/ee781947.aspx

For example, I opened the Forefront TMG Firewall installation log file.

Figure 31: Forefront TMG Firewall service log file

During the Forefront TMG installation, TMG takes control over the local Windows Firewall through the Windows Filtering Platform (WFP).

Figure 32: Forefront TMG controls the local Windows Firewall

Troubleshooting Forefront TMG Setup

If something goes wrong during a Forefront TMG installation you can use the Superflow application for Forefront TMG to troubleshoot the installation process. The Superflow application will give you some more information about how to troubleshoot installation problems. You can download the Superflow application for free here.

Figure 33: TMG SuperFlow


I hope that my article will give you more insight into the installation process of Forefront TMG and what’s going on under the hood of the GUI. I found it very useful to use the Process Monitor tool to see what will be created and changed in the underlying Windows Operating System and after the Forefront TMG installation has been finished, my Process Monitor recorded over eight! Million process activities (File system access, Registry access, process executions and more) 🙂  

Related links

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top