Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010 is built on the core capabilities delivered in Microsoft Internet Security and Acceleration (ISA) Server 2004/2006 to provide a comprehensive, enhanced and integrated network security gateway. Forefront TMG adds protection capabilities that help secure the corporate network from external/Internet-based threats, prevents abuse of the network by internal and external entities, and provides more management capabilities for security and protection. Forefront TMG 2010 is available in Standard Edition and Enterprise Edition. The Standard Edition does not support arrays, NLB, CARP or Enterprise Management. For e-mail protection, both editions require an Exchange license.

Forefront TMG 2010 provides the following enhanced protection capabilities:

  • Malware inspection
  • URL filtering
  • HTTP filtering
  • HTTPS inspection
  • E-mail protection
  • Network Inspection Systems (NIS)
  • Intrusion detection and prevention
  • Secure routing and VPN

    Understanding Network Topology

    The following Forefront TMG network topologies are available:

    • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network and the external network (usually the Internet).


    • 3-Leg perimeter—This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network.


    • Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.


    • Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.


    Functionality of a single network adapter topology

    The single network adapter topology enables limited Forefront TMG functionality, which includes:

    • Forward (CERN) proxy for HTTP, HTTPS, and CERN proxy FTP (download only).
    • Web caching for HTTP and CERN proxy FTP.
    • Web publishing. HTTP-based communications, such as Microsoft Office SharePoint Server, Exchange Outlook Web Access 2007, ActiveSync®, and remote procedure call (RPC) over HTTP (Outlook Anywhere, Terminal Services Gateway or WSMAN-based traffic).
    • Dial-in client virtual private network (VPN) access.

    Limitations of a single network adapter topology

    The following limitations apply when you use the single network adapter topology:

    • Server publishing and site-to-site VPN are not supported.
    • SecureNAT and Forefront TMG Client traffic are not supported.
    • Access rules must be configured with source addresses that use only internal IP addresses.
    • Firewall policies must not refer to the external network.

    Hardware Requirements

    System requirements depend on the number of users and the deployment scenario. Forefront TMG is a vital part of an ICT infrastructure. For best performance, give the TMG server as much processing power and memory as you can; the following specification gives good performance.

    Processor - Intel Xeon (dual-core/quad-core/i7) or AMD Opteron (dual-core/quad-core). Enable Intel Hyper-Threading Technology in the BIOS if you use an Intel server board.


    Disk space - 50 GB system partition, 150 GB for logging, plus 60-100 GB for web caching on a separate partition. A RAID 5 configuration is highly recommended.

    NIC - 2 Gigabit NICs in a redundant configuration (the number of NICs depends on the deployment scenario).

    Important! Forefront TMG is built on 64-bit architecture.

    Operating Systems and features

    Windows Server 2008 SP2 64-bit or Windows Server 2008 R2

    Microsoft .NET Framework 3.5 SP1

    Windows Web Services API

    Network Policy Server.

    Routing and Remote Access Services.

    Active Directory Lightweight Directory Services Tools.

    Network Load Balancing Tools.

    Windows PowerShell

    Windows Installer 4.5

    Important! It is not recommended to install any application or program on the TMG server other than an antivirus program; it must be a dedicated server for Forefront TMG. Disable unnecessary services after installing the operating system. Install a machine certificate from the Enterprise Root CA before installing TMG. The TMG server must be a member of an Active Directory domain.

    Installation of Forefront TMG

    Prepare a 64-bit Windows Server 2008. Insert the Forefront TMG DVD into the server and run the preparation tool.


    Click Continue on the UAC authorization prompt.


    Check Launch TMG installation and click Finish.


    Add the ranges of internal IP addresses. For example: to You can add as many subnet ranges as you have internal networks.


    Open Forefront TMG Management from the Start menu. TMG will automatically prompt you for the initial configuration.


    Step 1: Network Setup Wizard—Use this to configure the network adapters on the server. Each network adapter is associated with a unique Forefront TMG network. Note that every NIC of the TMG server must have a static IP address before you proceed with the network settings.


    This is a highly important part of the configuration, because in this section you specify which network topology you are going to use. Here I am configuring a De-militarized Zone (DMZ), i.e. the 3-Leg Perimeter topology. Select the configuration you want.


    In this section you select how traffic is handled between the internal, perimeter (DMZ) and external networks. For example, my Forefront TMG 2010 server is configured to route between internal and perimeter, and to NAT between perimeter and external, because I chose private addresses for the perimeter network; this hides the IP addresses of my perimeter network.


    Step 2: System Configuration Wizard—Use this to configure operating system settings, such as computer name information and domain or workgroup settings.



    Step 3: Deployment Wizard—Use this to configure malware protection for web traffic, and to join the customer feedback program and telemetry service.



    Networks, Proxy and Update Configuration

    Open Forefront TMG Management. In the left-hand pane, select Update Center. Click Configure Settings in the task pane and set the update policy. If you have Windows Server Update Services (WSUS) you may select WSUS; otherwise use Microsoft Update.


    Select Networking > Networks tab > double-click Internal. You will be presented with Internal Properties. Configure all the tabs as described below.


    In the domain tab, add internal domain(s). For example: *



    In the web browser tab, check Bypass Proxy… and Directly Access….


    Verify all your internal IP addresses you added during installation. In this window you can add more internal IP addresses if you want.


    Check Publish automatic discovery information for this network and use port 80 as the default.


    In Forefront TMG Client Settings, check Enable Forefront TMG Client support for this network. Uncheck Automatically detect settings and Use automatic configuration script…, and check Use a Web proxy server.


    In the Web Proxy tab, enable HTTP and use port 80 as the default; you can use port 8080 instead if you prefer. Click Authentication and check Integrated. Click Advanced and check Unlimited. Click Apply and OK.


    Apply changes.


    Now repeat all of this configuration for the perimeter network as you did for the internal network.
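As an added example (not code from the original post), here is a Proxy Auto-Config (PAC) script that expresses the Internal network's Web Browser tab settings configured above: bypass the proxy for servers inside the internal address ranges, reach the domains listed in the Domains tab directly, and send everything else to the TMG web proxy listener. The proxy name tmg.corp.example, the port 8080, the *.corp.example domains and the two private ranges are constructed placeholders; the PAC helper functions are re-implemented so the file also runs under Node for testing.

```javascript
// Added example: PAC script mirroring the Internal network's Web Browser tab.
// Constructed placeholders (assumptions, not values from the post):
var TMG_PROXY = "PROXY tmg.corp.example:8080";          // Web Proxy tab listener (8080 assumed)
var DIRECT_NAMES = ["*.corp.example", "*.dmz.example"]; // Domains tab entries (assumed)
var DIRECT_RANGES = [                                   // internal IP ranges added at install (assumed)
  { net: "10.0.0.0",    mask: "255.0.0.0" },
  { net: "192.168.0.0", mask: "255.255.0.0" },
];

// Minimal re-implementations of the standard PAC helpers so this file runs
// under Node; a browser's PAC engine provides its own versions.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;              // unqualified name, e.g. "intranet"
}

// Shell-style wildcard match: '*' matches any run, '?' one character.
function shExpMatch(str, pattern) {
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")       // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Dotted-quad to unsigned integer; null if the string is not a literal IPv4.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Offline isInNet: only literal IPv4 hosts are matched (no DNS lookup here).
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);   // >>> 0 keeps the compare unsigned
}

function FindProxyForURL(url, host) {
  // "Bypass proxy for Web servers in this network": plain names and hosts
  // inside the internal IP ranges are reached directly.
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_RANGES.length; i++) {
    if (isInNet(host, DIRECT_RANGES[i].net, DIRECT_RANGES[i].mask)) return "DIRECT";
  }
  // "Directly access computers specified in the Domains tab".
  for (var j = 0; j < DIRECT_NAMES.length; j++) {
    if (shExpMatch(host, DIRECT_NAMES[j])) return "DIRECT";
  }
  // Everything else goes through TMG. Deliberately no "; DIRECT" fallback:
  // that would let clients bypass malware inspection and URL filtering
  // whenever the listener is unreachable.
  return TMG_PROXY;
}
```

A browser fetches this script from the URL published by TMG's automatic discovery (port 80 by default, as configured above); a name such as evilcorp.example does not match *.corp.example and is still sent through the proxy.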

    Connecting Active Directory, DNS and DHCP

    Set up connectivity with Microsoft Active Directory, DNS and DHCP. Click Monitoring > Connectivity Verifiers > Create New Connectivity Verifier. Create connectivity verifiers for Active Directory, DNS and DHCP.


    Click Next and Finish. Repeat this for DNS and DHCP. If you have an upstream proxy, create a verifier for the upstream proxy in the same way.

    Create HTTP and HTTPS rule

    By default, all traffic is denied. Now create web access rules for the internal network allowing HTTP and HTTPS traffic from the internal network to the external and perimeter networks. Also allow HTTP and HTTPS traffic from the perimeter network to the external and internal networks. Click Firewall Policy > Create Access Rule in the task pane.


    Test Forefront TMG Setup

    Now the moment of truth. Log on to a computer in any internal network using domain user credentials. Set up the proxy in IE's connection settings and browse the Internet.



    Thumbs up.

    Remote Management Console Installation

    Forefront TMG is 64-bit only, but a downloadable 32-bit TMG Admin Console is available from Microsoft (see the Downloadable TMG Admin Console link below).

  • Insert the Forefront TMG DVD into the DVD drive, or run autorun.hta from the shared network drive.

  • On the main setup page, click Run Installation Wizard.

  • On the Installation Type page, select Forefront TMG Management only.

  • On the Installation Path page, you can change the default installation path.

  • On the Ready to Install the Program page, click Install.

  • After the installation is complete, if you want to open Forefront TMG Management select Launch Forefront TMG Management when the wizard closes.


    Microsoft Forefront TMG 2010

    Downloadable TMG Admin Console

    Interoperability with BranchCache solution guide

    Understanding Service Ports


    348 thoughts on “Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step”

    1. Pingback: Migrating a single ISA Server to Forefront TMG 2010 Step by Step « Information Technology Blog

    2. Great work, Thanks for posting.

      How do we configure Multiple TMG servers For redundency?

      For redundency does both TMG servers needs to be joined in AD?


      • Hello Mohsin,
        You need the TMG Enterprise version. Once you have configured the primary TMG server, install the second one; at the beginning of installation it will ask you to join another TMG array or configuration and storage…. Once it joins the array, it will get all the config.
        Both TMG servers must join AD DS. Otherwise you will not be able to install certificates and configure integrated authentication for the internal network.


    3. Pingback: How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide « Information Technology Blog

    4. Pingback: Exchange 2010 deployment in different firewall scenario « Information Technology Blog

    5. I have Forefront TMG installed, but my reports come with IP addresses; I want the reports to come with user names from my Active Directory.


    6. Pingback: How to configure reverse proxy using Forefront TMG 2010— step by step | MicrosoftGURU

    7. I just want to ask about something.

      How did you configure your NICs? I mean you did something a bit weird (at least for me):
      your DNS is in the same range as the internal network; isn't it supposed to be in the same range as the perimeter network?

      Another question: how can I build my DMZ network with 2 internal networks?
      the ips of inetnal network are
      the other one is

      What IP should I put on the internal NIC?



    8. Hi,

      I have the following layout:

      10.0.1.x as the internal lan,
      and eg. 4.4.4.x as the external lan.

      Now I have a Hyper-V host that hosts virtual machines for clients; those get the 4.4.4.x range. Our internal machines (SCVMM, SQL, web, internal AD) etc. all have 10.0.1.x IPs.

      We also have external AD/dns for our virtual machine clients, hosted on 4.4.4.x net.

      Where should I put my TMG server? I would like to monitor the traffic from the virtual machines etc. too, so I guess they need to go through the TMG as well.



      • Peter,
        First, I don't understand what you mean by external LAN. Are you talking about the external network, or do you have a 2nd site that you call the external LAN? If you clarify these two then I can give you the right answer. What sort of VMs are you hosting in Hyper-V?
        But my guess #1: TMG for two different sites; follow my new blog. In this situation you can put AD/DNS/web in the second site and monitor and obtain reports from both sites. Your Hyper-V host must physically connect to that 4.4.4.x VLAN so that you can add VMs to that network.
        Guess #2: Create a DMZ network for external clients (in your language, external LAN) and place all of them in that VLAN. The answer is back-to-back DMZ or 3-leg perimeter.

        If my guess is wrong then clarify the points I mentioned earlier and I will provide a perfect answer.


        • Hi,

          Thanks for your feedback. Sorry for being unclear about the setup; I'll clarify here:

          We have 3 physical servers.

          1: Hyperv host contains:
          – AD01/DNS Internal
          – AD01/DNS Public

          2: Hyperv host contains:
          – AD02/DNS Internal
          – AD01/DNS Public
          – SQL Internal
          – WEB Internal (needs access from internet)
          – API Internal (needs access from internet)
          – SQL Internal

          3. Hyper-V host contains:
          – Purely virtual servers on 4.4.4.x (these are the customers’ virtual machines which need to be accessible from the outside using RDP etc.)

          So basically, what i was thinking to setup is that the customer virtual servers are added to the AD0X public, and all our internal servers are added to AD0X internal. However, the Web and the Api (and maybe others in the future) needs to have an open port 80 from the internet on a public ip, since the web contains our homepage etc, and the api should be accessible from the internet too.

          How would we set this up using TMG? Or should we do a different setup altogether?

          Thank you.



        • In your scenario, a few things are going on: 1. TMG config 2. Publishing web 3. RDP from extranet
          Step 1: Create DMZ—place all 10.0.1.x in the Internal network and all 4.4.4.x in the DMZ network, as you want customers to access them. This is for security reasons: you don't want your customers to access your internal network. You may use 3-leg perimeter also.
          Step 2: Publish the internal web server and API using the reverse proxy functionality of TMG (extranet clients access the internal web).
          Step 3: Create a Terminal Services Gateway using Win2k8 TS (extranet clients will be able to RDP to the internal network). Allow the RDP port in the router and TMG. …/WS08TSGatewayServerStep-By-StepSetupGuide_En.doc


        • Hi again,

          I’m a little bit unclear about the third point: “(Extranet client will be able to do RDP to internal network).” I don't want our customers to be able to access our internal network, only their VPS. I also want to be able to access my internal servers from the internet; how do I do this? Using a VPN of some sort?


        • Sorry i forgot to ask about this:

          Do we need the 2 internal AD servers and the 2 public AD servers? Or can the perimeter network use the internal AD servers? If this is too much for the comment section, please leave me an email and we’ll talk $$$ for you to help us with the setup.


        • Hi Peter,

          You don't need 2 AD servers if your internal DNS is OK for the perimeter network. If you don't want to allow RDP then you can block it via TMG. Type the public DNS or ISP DNS server IP in the external NIC of the TMG server. You can email me on for further help. Email me your Visio diagram and let's start from there. Let me know your location. I am on WST, Australia.



    9. Pingback: Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step | MicrosoftGURU

    10. Hi,

      I am trying to set up TMG with a single network adapter and I am having lots of problems. Does anyone have a step-by-step installation guide for this type of configuration?

      Thanks in advance,


    11. Hello Raihan,

      First of all, thank you very much for sharing your knowledge through your website. It helped a lot to install and configure Forefront TMG properly. It finally works, even with the web site filtering. I installed Forefront in a testing environment and chose the back firewall option, which suits our architecture. However, I would like to filter specific URLs, but unless I’m mistaken, with Forefront you can only set up a strategy within the framework of Microsoft's Forefront strategy. Is there any chance to create our own strategy to filter some websites?
      Thank you in advance for your help.



    12. Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU

    13. Hello,

      Sorry to bother you Raihan. As I explained 2 weeks ago, I installed Forefront TMG 2010 in a testing environment. I chose the back firewall topology, which requires 2 NICs. The installation worked perfectly thanks to your tutorial. However, I have one question: is there any means to change the back firewall topology into the Single Network Adapter one? Or does it need a complete reinstallation of Forefront TMG to do that?

      Hope my question is clear enough.


      Thanks for your help again.



    14. I just installed TMG in my network, and I have one question about Inspection settings. There is, I think, a last option “Block archive files if unpacked content is larger than (MB).” Let's say the restriction is set to 40 MB. When the user tries to copy 100 MB, TMG will throw a window that this user can't copy this file because of the restriction…. Is it possible to edit this error message?

      proxy error pages are editable. i found those html files and edited it… in this case if it is possible where to find it?


    15. Please,
      I have installed Forefront TMG with the IP using a single NIC. I have about 20 branches that connect to the Forefront TMG as a proxy server at the head office for internet access.
      It has been working fine for some time now for all 20 branches. Suddenly some branches cannot get access to the internet with the Forefront TMG set in IE as the proxy server. It is happening randomly. A branch that could not work at a certain time will work at another time.
      I captured the logging from one branch pc with the ip
      Below is the log

      Denied Connection
      Log type: firewall
      Status: A non-SYN packet was dropped because it was sent bya source that does not have an established connection with the forefront TMG computer.
      Rule: none-see result code
      Destination:local host (
      Protocol:HTTP proxy
      Will be very happy if you can help me fix this problem. I have been working to fix it for three weeks with no results. PLEASE HELP. SOS


      • There are always dropped packets. It does not mean anything is wrong.

        The SYN error means exactly what it says. All connections begin with a SYN packet followed by an ACK packet being sent back the other way, then the regular data portion of the session begins after that. The error is just saying something is trying to communicate with data (non-SYN) packets without the connection first being established.

        You have virus/spyware infected machines in those branches. Most of these types of infections cannot be totally removed with AV or anti-spyware tools. They get embedded in the user’s profile, so first do a cleanup with AV or anti-spyware tools, then you have to back up My Documents, files on the Desktop, Favorites, etc., then delete the user profile, create a clean one, and copy the saved files back into it. Repeat for every user that has a profile on the machine.

        Clean install Windows. Update the service pack, run malware removal tools. Add a signature blocking rule and block Conficker, Blaster, worms, spyware etc.


    16. I want to install Forefront TMG on SBS 2008 64-bit OS.

      I have read a message from MS saying that FR TMG will not work on the domain controller server.

      Please, I want to connect 15 PCs with the server through TMG. Reply to me whether I have to go ahead and buy and install or not.


      online Computers


    17. Salam Raihan,

      I have installed FF TMG. I have published a website but am unable to access or browse it. Please guide me in this regard. Thanks a lot for your knowledge sharing.

      Muhammad Younas


    18. Salaam Raihan,

      I have exported a fully functional ISA SE 2006 to a newly installed Forefront TMG EE on Server 2008 (as per the standard requirement of TMG). After importing the configuration, I am not able to access my OWA and intranet site.


      • Does the new TMG server have the same FQDN and IP as the ISA server, or is everything new? Did you import certificates from the previous ISA server to the new TMG? Check that the IP addresses of the external NIC of the TMG server are configured correctly. Check port forwarding for 443 to the TMG server. Can you browse the internet behind the new TMG server?

        Get back to me when you finish checking all these.


    19. Salam Raihan,

      We just want to upgrade ISA 2006 to TMG 2010 (not in-place). The ISA server is single network. We want to upgrade with the same IP and the same NetBIOS name.

      Could you tell us step by step how to upgrade?


    20. Dear Raihan,

      You did a GREAT job here. Congratulations.
      For 3 days now I’m experiencing a problem here. My Forefront server started blocking all incoming replies to our messages, actually when we send a message and they reply to it. All the rest seems to be working OK. I haven’t made any changes to any setting. Do you know why it started doing this?
      Thank you in advance


      • Hello Victor,
        As you said, you haven't made any changes; still I would suggest checking your firewall rules again to see whether anything was added. Did you apply any patch on the server or TMG? Install TMG SP1 and see how it goes. Do you see any event in the event log? Install the service pack on the server and TMG. Let me know.



    21. Dear Raihan,

      If you have a step -by -step load balancing guide
      It will be great, and also what is the recommendation to do so, by single network adapter or two network adapters, the best practice for that,

      Best regards,


    22. Dear Raihan,

      If you have a step -by -step load balancing guide
      It will be great and also what is the recommendation to do so, by single network adapter or two network adapters, the best practice for that,

      Best regards,


    23. Is it possible to have 1 upstream proxy with 2 sets of credentials and even tie in with Security Groups? ie. Admins have an ‘unfiltered’ username and password and Staff have ‘filtered’ ?

      Cheers, Aaron


    24. Pingback: Blogging year 2010—-what stats says | MicrosoftGURU

    25. This was very helpful and easy to follow.
      I still have some issues with my configuration; your help is greatly appreciated.
      • I have configured a TMG 2010 as a domain member with two NICs, one internal and an external one on the DMZ. My goal is to explicitly use TMG for external OWA and mobile device connectivity, and users only need to authenticate once. I do not want internal users to use TMG to authenticate.
      This is what I have completed:
      • Configured a firewall policy for OWA/Listener.
      • Re-used the same SSL certificate we are using internally for the external access.
      • I can now access the external URL but still need to add “/OWA” at the end of my URL to have it working.

      What I am having problems with is:
      • Having to add “/OWA” at the end of the URL
      • I still need to authenticate twice, it looks like pass-through authentication is not working
      • Customize the forms to allow for branding
      • Enable the external mobile connectivity
      Any help will be appreciated,
      Abdellah El Bilali


      • Right-click the OWA publishing rule > Properties > change the public name of the URL; that will point webmail automatically to whatever site you want. On your CAS server please check what type of authentication has been selected and select the appropriate authentication. Is TMG integrated with AD? Please set up a proper connectivity verifier for AD. That should solve your problem.


    26. Salam dear,

      I have installed an infrastructure with the new TMG 2010. The existing infrastructure already had an ISA 2000 and a “network behind network”; the remote one is a remote office which accesses the LAN through a leased line directly connected to the LAN switch.

      here’s a simplified diagram :

      (Remote office : 110.100.100.x )—–leasedline———–|(LAN :100.100.100.X)

      | servers and, client have DefaultGateway


      (Internet) =============(TMG:|

      The whole thing worked great with ISA 2000; clients from 110.100.100.x were able to access servers directly. We replaced the ISA 2000 with the new TMG and everything went wrong.

      We are able to ping from 100.100.100.X to 110… but anything else won't pass, and I see a lot of "a non-SYN packet dropped…" messages in the real-time report.

      All the routing information is correct both in the clients and TMG; all networks are correctly defined as protected networks with the correct routing rule in the TMG console.

      I tried the one ”” but it does not solve the problem.

      I'm looking for anything to do. Any ideas are welcome.

      thanks in advance .


    27. I’m having issues with my TMG 2010 install (std)
      The Forefront TMG denied the specified Uniform Resource Locator (URL).

      for direct internal IP
      I also have another product that does an HTTPS check on an address that won’t connect; it says it can’t find it. If I go directly through my browser it works just fine, but not through this app. It worked fine prior to TMG.

      I’m beating my head on the ground… any help?


    28. Raihan,

      Thanks for this article. I have followed it step by step but still haven’t managed to get the TMG running.

      I installed TMG 2010 on Windows 2008 R2. I want all LAN traffic to go through this server to do some serious URL blocking, so I chose edge firewall to begin with. I don’t have AD, I’m not using domains; I currently have a 20-PC LAN with a router for NAT. So in the server I have two NICs, the 1st one configured as:
      WAN connected directly to cable modem
      public ip: 194.180.x.x/24
      gw: 194.180.x.1
      dns: 194.180.x.x

      LAN connected to a switch where the other computers will connect too

      In the network and sharing center it says WAN NIC has internet access but LAN does not.

      I have created firewall rules allowing internal to have HTTP and HTTPS access; there’s no bond between LAN and WAN 190.184.x.x. What can I do?

      thank you very much in advance.


      • Are you able to browse the internet on the TMG server? Your proxy server IP and port need to be configured in the client's IE. If you configure edge firewall then routing will be automated by TMG. You need to create rules for HTTP, HTTPS, FTP etc. In your situation the default gateway of the client would be your TMG's internal NIC.
        You also need an authentication method for clients such as Active Directory. Deliver proxy settings through GPO. Set up a connectivity verifier in TMG. Then clients will get internet once they log on using an AD account.


        • Yes, I am able to browse the internet on the TMG server. What gateway should the internal network NIC have? Itself? Like this:
          The internal NIC says it has internet access only if it is in the same IP network as the external one. But the ideal should be external with a public address and internal with a private one.
          Is there a way to do it without AD authentication? I feel like just creating the firewall rules allowing access from internal to internet, and routing and NATing the networks, should be enough.
          I would appreciate one final piece of advice, thank you.


        • External NIC of TMG must have IP, mask, DG, DNS
          Internal NIC of TMG must have IP, mask, DNS ***no DG***

          Your internal clients must authenticate to go outside. If there is no authentication then how does TMG verify who's who? Finally, add the internal network IP addresses into the internal IP range of TMG and check. I am sure TMG is declining requests because of authentication failure.


    29. Hi great article. It was my guide when I set up my TMG server.
      But I’m having troubles with it, can you give a little help :).
      I’m trying to setup the following.
      The TMG server has 4 networks. It will be the only router in my infrastructure, so it should be able to route between networks.
      1 – ISP (public IP)
      2 – DMZ (
      3 – Internal Clients(
      4 – Internal Servers (

      During the initial configuration I had setup 3-leg topology and there I listed the first 3 network adapters with the idea to add the fourth later.
      So I went to networks and added new Internal network Named Internal Server network and added IP range for my servers subnet.
      The problem is that my routing table keeps “auto adding” a persistent route for the server network: And this is causing my server network to not be routable via TMG.
      I looked everywhere and even compared the client internal and server internal networks, but I couldn’t find any difference, and the route keeps adding itself. I tried to delete it, but without success. I couldn’t find any dependency which causes it to “auto add” itself…


    30. Hello Raihan,
      I have installed a new Forefront TMG 2010, but I am not able to ping or remote desktop to the server from my workstation. Please help me to fix this problem, thank you.


      • Check RDP services started and automatic
        Check Remote administration Allowed in Windows firewall
        Check RDP allowed in remote settings
        Publish rules in TMG allowing rdp to the server from internal network
        Telnet Servername 3389 (check port is listening)
        Restart TMG server

        Let me know how it goes.


        • Thanks, it's working now; I had to create a rule (allow all outbound from: internal, localhost to: external, localhost) before it worked. The reason why I reinstalled my Forefront TMG is not solved.
          I have 23 branches with different subnets,


          My forefront TMG is on subnet
          and the defaults gateway is
          so i have my routing in the forefront as
          Network Destination:
          All the pc in the networks uses the forefront tmg as proxy.

          All the PCs on the subnet are able to access the internet at all times,
          but although the other subnets can also get access to the internet, it is not all the time; it goes off, will work for a while and the next minute will go off.

          I have been having this problem for a while.

          Please help me. This is the 3rd Forefront TMG I have installed just to solve this problem. Please, I really need help.


        • Bhai means brother. Still I have no port added in TMG for the webcam. Please tell me which port and how we add a port in the TMG server. Please tell me; the webcam is not running at our user end, it gives a network error message. Please help me.



        • Firewall Policy>Task pan>Tool Box>Protocols>User-Defined

          Select user-defined>New>Protocol>

          This is how you add a custom protocol. Once you finish adding the custom protocol, create a policy allowing this protocol for internal clients.


    31. Thanks Raihan,
      I have done that, but is it External that I am supposed to select as the destination, and what does External indicate?




    33. Dear Raihan,
      I want to use two different internet connections together from different ISPs:
      ADSL and Satellite.
      ADSL uses a manual proxy and Satellite uses no proxy.
      Can I do that in ISA 2006 or TMG 2010?
      How do I configure it? Please help me.


    34. I am a newbie in networking.
      Can I use load balancing on ISA 2006 with ADSL (manual proxy) and Satellite (no proxy) from different ISPs?
      Please help me with step-by-step procedures.


    35. Hello,
      I have a head office with branches across the country. From the head office, users can browse the internet through the FTMG proxy, but my branches cannot browse the internet; they go through the TMG proxy too. Prior to this, they could. What am I not doing well, or what has gone wrong???


      • You need to explain how HO & branch are configured using TMG. Is it a site-to-site VPN config? You must allow HTTP & HTTPS from all the branches to Internal. All site IPs must be added into the HO TMG Internal network.


    36. Thanks Raihan,
      How can I export firewall and web access policies from TMG? I encountered an obstacle when browsing for the file path; it seems to be looking for a file. Please can you direct me how to?


    37. Hi sir,
      I need some help from you… I have 2 domains in different VLANs, and the TMG 2010 is in a workgroup. How can I control the users? Right now everybody has access to the internet. At the same time I’m not able to upload or download from FTP sites. I allowed FTP and removed the check mark from Read Only, but still I can’t. Please help; waiting to hear from you.


        • TMG is not on the domain; it’s in a workgroup in a separate VLAN.

          The two domains are a single-forest config.
          How do I add this connection verifier?


    38. AoA,
      I have downloaded Microsoft Forefront TMG Enterprise Edition from the Microsoft website. When the installer begins it shows the error message “Package Integrity distribution”…. Please help me regarding this error.
      Note: I am running Windows Server 2008 on my server machine (Dell PowerEdge 2600).


        • Thanks for the reply.

          I am using Windows Server 2008 (Enterprise Edition) with SP1, without Hyper-V.

          And my system specification is: Dell PowerEdge Server 2600 (2.6 MHz with 2 GB RAM, 400 GB hard disk).


          Kashif Noor


    39. Hi,

      I am facing a problem with GoToMeeting client communication via the TMG 2010 firewall, and have noticed that it’s actually dropping packets with the following error:
      HTTP status

      1790: The network logon failed.


    40. Pingback: Configure non-domain Forefront TMG to allow traffic from domain members and domain clients | MicrosoftGURU

    41. Pingback: FF TMG 2010: Configure ISP Redundancy— Step by Step | MicrosoftGURU

    42. Hello Terry,
      I do not recommend using a single-NIC TMG. Single NIC is less functional than the Edge configuration. There are three web listeners in your case: a) SharePoint, b) OWA, c) IIS. Your communication is going via the Cisco PIX. Please change your layout: use TMG as the back firewall and reverse proxy and put the Cisco firewall as the front end. Alternatively, use a back-to-back firewall and reverse proxy.

      Let me know if you need further info.



    43. Hello
      It is a great posting. I have made two firewall rules in TMG 2010. 1. FROM (URLs for all Org) TO specific website { users are permitted to visit specific websites only }
      2. FROM I.T. Department TO External { everything is permitted for these specified IPs }

      Now the second rule is okay, but the first rule is not showing anything to the user and the user can’t browse the specific website either. If I add the proxy in the IE LAN setup it shows me a block message.

      Please help; what to do?



    44. Users are not in both the allow and deny groups. The I.T. department IPs are different, and other users have different IPs.



    45. Hello Rehan

      I am going to deploy Microsoft Exchange Server 2010 and Forefront TMG in a new environment… can you help me in this matter? Furthermore there is another matter in which I will be needing your help, that is migrating from 2007 to 2010…
      I read your profile and it’s quite amazing… therefore awaiting your positive response.


    46. Hello sir,
      I deployed Forefront TMG 2010. It has two NICs:
      internet (WAN) and LAN. The LAN NIC IP is 99.1/24. I want to access any website from without configuring a proxy web access rule in Forefront TMG 2010. I am able to ping from to the ISP gateway server but cannot access the internet.


    47. I have installed TMG 2010. The WPAD entry is there in the DNS and DHCP server. I have not added my clients to the domain. Whenever they go to the browser they get a username and password screen and then browse the internet. The problem is that Skype, Yahoo Messenger, GTalk & MSN don’t work. Please tell me how to do that, or give me a link that shows each step of how to do that.


    48. Dear Sir,

      I want to monitor which user is downloading heavy files, because of this my network is slow. How can I do it in TMG Server Standard Edition? All users are in Active Directory. Your quick response would be highly appreciated.



      • Hello Sonu,
        Install TMG SP1 on your TMG server. Generate a custom report from TMG. You can set up a download limit: right-click on the HTTP and HTTPS policy > Configure HTTP > set up the payload limit. That’s all. Regards,


    49. Hello Raihan,

      How can I find out who is sending requests to the printer… i.e. if a printer is attached on the LAN, then who is sending requests to the printer?

      Your quick response will be much appreciated.


    50. Dear Sir,
      When I am trying to generate a report from the TMG Logs & Reports option, it is not displaying any information.
      gateway: controller)
      Have I missed something in configuring the reports?



    51. Dear Sir,
      How do I set up the Logs & Reports option in Forefront?
      I have tried to configure the same, but only a blank report is coming.


    52. Good Day,

      I have a Check Point firewall with an Exchange 2010 Edge server with Forefront for Exchange running on it. I only want to use TMG as a proxy server, not as a firewall. Is that possible?



      • Hello Terrence,

        You can put Check Point on the front end and TMG as the back-end server. You can make a DMZ that way. You can configure TMG as proxy and reverse proxy for Exchange CAS. Short answer: possible.

        The beauty of TMG is that it can be used as a firewall, proxy, reverse proxy, proxy cache, content filter, URL filter, and for publishing websites, Exchange, SharePoint and so on. It’s up to you how you want to utilize it.



    53. Why must I implement a gateway, such as TMG, for OWA in Exchange 2010 server?
      Is there a way that I can bypass it and just place the OWA server in a DMZ zone like the Exchange 2003 server?




      • TMG is secure and provides reverse proxy functionality for OWA. You can publish Exchange Server, ActiveSync and Outlook Anywhere with TMG. TMG is also capable of securing the DMZ you are thinking of. TMG is feature-packed: cost-effective URL filter, greater administrative control and many more. So why not TMG?


    54. Hi Raihan,
      How are you?
      I am facing a problem on my TMG server: I am not able to push patches through my patch manager to the TMG server, and the same problem through the antivirus server, which is not able to push signatures to the TMG server.
      In short, my TMG server is not updated with patches & antivirus through my server.

      Sir, can you help on this issue?


      • Hello Baibhava,

        Please configure a firewall policy to allow communication between the antivirus server and TMG. How do you patch the TMG server? You should use WSUS for patching TMG, or use Windows Update directly to patch TMG. This should fix the issue.
        Note that TMG blocks all communication by default; you need to open ports one by one. Regards, Raihan


        • Hi Raihan,

          How are you?
          I configured a firewall rule but am still facing the same problem. Could you explain to me how to create a communication rule between the antivirus server and TMG?

          For patching I am using CA ITCM and facing the same problem.
          I already allowed outbound ports 42504 to 42511 for antivirus, but still the same issue.

          Sir, please can you help me on the same issue?



    55. Hello,

      I have installed and configured TMG 2010 using a single network card setup. After following the steps above I am still not able to access the internet. What might be the problem? I have checked everything and it seems correct.


      • Step 1: Check whether IE is configured for the proxy.
        Step 2: Are you able to browse without TMG? This confirms whether the problem is with something else, not TMG.
        Step 3: Configure the right port for browsing.
        Step 4: Create a web access policy for the users who want to browse through the proxy.
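
The four steps in the reply above, as an added client-side PowerShell diagnostic; it is not from the original post. Run it on the workstation that cannot browse. The proxy name `tmg.example.local` and the test URL are placeholders; port 8080 is TMG's default web proxy listener port, and the step 1 registry location is where IE keeps its per-user proxy setting.

```powershell
# Added example: check the four troubleshooting steps from the workstation
# (not from the post). PowerShell 2.0 compatible.
param(
    [string]$TestUrl = "http://www.microsoft.com/",
    # Assumed proxy host; TMG's web proxy listener defaults to TCP 8080.
    [string]$Proxy   = "tmg.example.local:8080"
)

function Get-IeProxySetting {
    # Step 1: what IE actually has configured for this user
    $k = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{
        Enabled = ($k.ProxyEnable -eq 1)
        Server  = $k.ProxyServer
        Bypass  = $k.ProxyOverride
    }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Step 3: a wrong listener port fails here, before any HTTP is spoken
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Invoke-HttpProbe([string]$Url, [string]$ProxyAddress) {
    # Step 2 (direct) and step 4 (via proxy). A missing web access rule comes back
    # from TMG as an HTTP error page (e.g. 502 "denied the specified URL"), not a
    # timeout, which separates a policy problem from a path or DNS problem.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = 10000
    $req.UseDefaultCredentials = $true      # let TMG authenticate the user for per-user rules
    if ($ProxyAddress) { $req.Proxy = New-Object System.Net.WebProxy("http://$ProxyAddress") }
    else               { $req.Proxy = New-Object System.Net.WebProxy }   # empty proxy = direct
    try {
        $resp = $req.GetResponse()
        $via  = if ($ProxyAddress) { $ProxyAddress } else { "direct" }
        $out  = "HTTP $([int]$resp.StatusCode) via $via"
        $resp.Close()
        $out
    } catch {
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            "HTTP $([int]$ex.Response.StatusCode) $($ex.Response.StatusDescription) (proxy answered; check the web access policy)"
        } else {
            "No HTTP response: $($ex.Message)"
        }
    }
}

"Step 1 - IE proxy setting:"
Get-IeProxySetting | Format-List Enabled, Server, Bypass
"Step 2 - direct fetch (is the problem even TMG?):"
Invoke-HttpProbe $TestUrl ""
$proxyHost, $proxyPort = $Proxy.Split(':')
"Step 3 - proxy port reachable: " + (Test-TcpPort $proxyHost ([int]$proxyPort))
"Step 4 - fetch through proxy:"
Invoke-HttpProbe $TestUrl $Proxy
```

Read the four outputs together: step 2 failing means the client has no path to the internet at all and TMG is not the first problem; step 3 false means the listener host or port in IE is wrong; step 4 returning an HTTP error from TMG means the listener is fine and the web access rule (or the user's authentication) is what needs fixing.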


    56. Hi,
      You have crafted some very nice articles on TMG setup, but I’m struggling to determine the best setup for my network. Currently I have:
      Check Point – NAT
      DMZ (two subnets designated as internal DMZ and external DMZ)

      I would like to utilise TMG for the following purposes:
      proxy for DMZ machines
      reverse proxy for some machines in the DMZ and LAN with NIS
      future email hygiene
      future OWA
      What’s the best way to set up TMG, maybe Edge or Back-End?
      I’m thinking 2 NICs and an Edge setup with the external NIC on the DMZ external subnet and the internal NIC on the internal DMZ subnet? Then internal routes would all go through the DMZ internal gateway?

      OR, is there a better/easier way that I have overlooked?



      • Why are you making things very complicated? Keep it simple and sweet (KISS) so that policies do not overlap and the topology does not contradict itself. If I were in your situation, I would configure a back-to-back firewall for everything and get rid of Check Point. TMG is a very powerful firewall, proxy, reverse proxy, content filter and publishing tool. TMG 2010 Enterprise provides NLB, ISP redundancy and central management features.

        However, your design is OK. But at some point it will be a complete mess. So adopt the KISS policy.


        • Thanks Raihan
          Unfortunately, although it would be simpler, removing Check Point is out of my hands. With that in mind and with my suggested design, how would you set up the NICs?
          I think the DMZ ext NIC would have the public DNS server and DMZ ext gateway address, and the DMZ int NIC would have no gateway and no DNS but routes for all LAN subnets?
          Regards and thanks


    57. Mr. Raihan Al-Beruni
      Please, I have studied your scenario for Forefront Threat Management Gateway 2010 (TMG) for a long time.
      We took these steps from this link
      but I received this message:
      • Error Code: 502 Proxy Error. Forefront TMG denied the specified Uniform Resource Locator (URL). (12202)
      • IP Address:
      • Date: 8/2/2011 6:37:59 PM [GMT]
      • Server:
      • Source: proxy

      Look, Mr. Raihan, I will tell you about my scenario.
      I have Server 2008 R2 with a D-Link internet modem.
      I have 2 NICs in Server 2008:
      One (Internal) that is connected to the D-Link internet modem
      IP: and Default Gateway
      Second (External) that is connected to my local domain
      IP: and Default Gateway
      When I follow your steps I find the error message 502 Proxy Error.
      Can you tell me please how I can resolve this problem, or maybe I must do more steps?
      I have 100 users who need to use the internet via proxy.
      Please help me.


        • Thank you too much.
          You understood my mistake very quickly,
          and that was because I read many configurations from many websites.
          Thank you.


    58. Hello,
      Thank you so much for the helpful article. Can you please help me out with some questions:
      I installed TMG on a Hyper-V virtual machine. I’m using Windows 2008 R2 as the OS and I have one NIC that is connected to a router, and the router to the modem. I don’t have DHCP installed.
      Here is where I find problems: when I try to add a private IP range when installing, I can’t add the range I want. When I select the adapter I have installed, it takes some default values and continues with the installation correctly.
      Also, when I configure a firewall rule to filter and deny some URLs, users are able to browse the restricted websites.

      Can you please tell me what I’m doing wrong, as I’m using TMG for the first time and I don’t have any experience with ISA.


    59. Hi,

      I am looking to configure the FF in back-to-back firewalls with an ASA 5510 as the front one, and the FF will be on VMware. Not sure if that is supported, and what the best configuration for the networks is, as I’d like to avoid double NAT. Also, I would like not to have to publish incoming rules twice, once on the ASA and a second time on the FF.
      Any advice would be greatly appreciated.



      • Hello Tarik,
        You can use the ASA 5510 as your front-end firewall and FF TMG 2010 as the back-end firewall and proxy. But do not make it three-tier using your method. Alternatively, TMG as front end and TMG as back end is much better.


    60. Thank you so much for the valuable advice. I installed it and configured the firewall policy rules and connected it to my AD and DC, but now when I modify any client settings and try to browse the internet using TMG I get the error below:

      Technical Information (for support personnel)
      Error Code 10060: Connection timeout
      Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
      Date: 8/11/2011 7:35:07 AM [GMT]
      Server: ——————-
      Source: Firewall

      Thank you so much for helping me out.


    61. Dear Mr. Raihan Al-Beruni,
      First of all, thank you for your blog. As a newbie, I find it quite helpful.
      Here is my question though. I have F TMG 2010 installed as an Edge Firewall, acting as a proxy server which blocks the Internal network’s HTTP and HTTPS except for a few chosen websites.
      Now I am unable to send or receive e-mail (provided by a 3rd-party ISP with Outgoing Server: via this new proxy.
      Please point me in the right direction.
      Thank you


      • Hello Hannes, where is your mail server? Is it in the cloud or on the internal network? Is it Exchange? How do you check email, via the Outlook client or webmail? For webmail, if you allow HTTPS then it should work. For SMTP, you need to create a policy for that. Please answer my questions and I will be able to help you.


        • Thanks for your help Raihan, please excuse my late reply.

          Our e-mail is provided by an external company, with their own mail servers. We download e-mail via POP3, and send via SMTP. Now, I tried creating a policy/rule: Allow POP3 & SMTP from Internal to External Network for All Users. But MS Outlook still responds that it can’t find the server (

          To be honest, I don’t have an idea about MS Exchange.
          Although I would like my server to download all mail for all users, and then forward it to each user’s PC. I assume this is where Exchange comes in. But for now, if I can receive mail via my proxy/TMG server, it’ll be great!

          Thanks again for your help.



    62. Hi
      I have been testing TMG 2010 Std Edn with two NICs (one for Internal and another for Internet access). I am having a problem with FTP access, i.e. from an FTP client I am able to upload/download, but from the Windows FTP (ftp.exe) command line I am not able to upload files; it says
      “ftp: bind :Can’t assign requested address”

      230 User 166 logged in.
      ftp> cd ar
      250 CWD command successful.
      ftp> mput test.txt
      mput test.txt? y
      > ftp: bind :Can’t assign requested address

      We are using VLANs. The internal IP address is with no gateway. The external IP gateway is. Can you please help me to configure the same and make it work?


    63. Hello!

      When a user sends a request from IE to the Internet, TMG opens only part of the site. TMG authorizes the user as “DOMAIN \ username” and writes “OK” in the log. Another part of the site is blocked, and TMG writes in the log “Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied” and writes the user name as Anonymous. When a user sends a request from Mozilla instead, the site opens normally. Why?

      Best regards, Dimon


      • On Monitoring > Connectivity Verifiers, add an AD connectivity verifier. Please configure the proxy and port for IE through GPO. Did you configure the proxy in Mozilla?
        TMG will block inappropriate websites and content by default unless you create a policy for the user.


        • I created a rule that allows the user to visit web sites. TMG says in the log that this rule was applied. I set both browsers to visit the site through the proxy server. Through Mozilla the site opens completely, but in Internet Explorer the site opens partially. The same site, with the same computer, with the same user, at the same time.


    64. Dear Rehan,

      I want to install TMG. I have 3 networks: local, perimeter, external (internet). I want to allow internet to all LAN users, and some external or remote users will use my perimeter server. I have no DC & AD. Is it possible that I install TMG without AD or a DC and do server publishing for port forwarding?

      Please add your input with complete details, or with an article.



    65. Hi Raihan,
      I use my FF as an edge firewall. Now I need to forward some ports from External to a server in the Internal network. How can I accomplish this? For my SharePoint and Exchange I used the web publishing and Exchange wizards. But I also need to forward SSH and VPN with EAP + certificate authentication.


    66. Dear Raihan,

      I have a problem… I had a rule for every department to access certain websites. One URL set of these was for Gmail and it was working fine; suddenly today it’s not working for these users, and it’s only working for the users who have unlimited access. Can you help me with this issue?


    67. Hello, I’m planning to migrate from ISA 2006 to TMG 2010.
      Right now, I have a 3-leg configuration with Internal, External and a DMZ used for guests connecting to the internet at my office.

      I’d like to virtualize TMG, but the server can host 2 NICs tops (it’s a blade server), so I was wondering if there’s a workaround to keep 3 subnets with 2 NICs.
      The other way is to keep the existing ISA 2006 and run it alongside TMG; could it work?


      • If your blade server, that is the ESX/Hyper-V host, connects directly to a trunk port, then you can configure port groups for all three VLANs/subnets and add three NICs to the TMG server. It’s as easy as that. For Hyper-V you can configure VLAN IDs for the three subnets.
        The blade chassis connects directly to a trunk port. You don’t need to worry about that.


    68. Hello Raihan,
      I have a little question for you: the policies in TMG do not apply to SecureNAT clients. I mean, when I create a new policy it applies to web proxy clients but not to SecureNAT clients.
      I don’t want to change the DHCP options (remove 003 Router); is there anything that can be done on the TMG server?

      Many thanks


    69. Hello Raihan,
      I have a problem with Yahoo Mail: I can’t download PDF attachment files. I use TMG in my network, and I think there is something in TMG that prevents me from downloading these files.


    70. Raihan

      I am getting a problem accessing Gmail and Hotmail accounts through the Forefront TMG server. I didn’t make any rule to stop any website; I just made a rule to access all sites.

      Please reply…



    71. Hi Brother…
      I have a problem… I installed FF at a branch office with two NICs, one for LAN and the other for WAN. I am running 2 roles, DHCP and DNS, on the FF server.
      Oh, almost forgot… The FF runs on Windows 2008 SBS SP1. I connected the FF to the central office through a site-to-site VPN, and joined it to the domain at the central office. I have 6 client computers that use Windows 7 Pro 64-bit, all joined to the domain. Everything was running okay… but suddenly all client computers could not connect to the domain controller. I looked at Network and Sharing Center on the client computers and the FF server: LAN unidentified, and the circle mark keeps spinning. No IP address on any of the client computers.
      By the way, I can still remote into the FF from my central office….


      • Can you please run the tracert command to the domain and check where the client is being blocked? Is your client getting IPs from the local DHCP? Your config seems weird to me. Why did you configure DNS and DHCP on the TMG server?


    72. If this seems weird to you, so it does to me. I am just continuing to maintain the work that was done by the man before me… (I don’t know who gave him the inspiration to make a configuration like this.)

      This is the error message that I captured from the DHCP role: “The DHCP service failed to see a directory server for authorization”.
      This is the result of the nslookup command:
      default server: unknown
      address:

      For a standard of comparison, I show you the result of the nslookup command that I ran on the FF server (with the same configuration) from another branch office that is connected to the central office via site-to-site VPN:

      This is the result of the nslookup command on the GW-PDG server:
      default server: dc2.wk.local
      address:
      (it has to be like this)

      All clients are getting IPs from the local DHCP.


    73. Hi
      We are currently running a server with ISA 2000…. I want to upgrade to TMG 2010. Do I have to start from scratch for all of the incoming/outgoing rules?


    74. Hi Raihan,

      First of all, thank you very much for sharing your knowledge through your website. It helped a lot to install and configure Forefront TMG properly.

      Actually, I have installed TMG 2010 successfully in a workgroup environment,

      but I am facing an issue with the domain environment; it’s showing the issue mentioned below.

      Can you please provide me the solution for this error?

      I will be very thankful to you.

      You can also mail me at



    75. I’m having issues with domain authentication with TMG 2010 Std.

      I just got a new server for the standalone perimeter device, with two NICs, one for the internal LAN and the other for external. I joined it to the domain, fully updated it (Windows Update) and then proceeded to install TMG 2010.

      I followed the basic steps to the letter, yet my TMG has issues with not being able to resolve the domain… I can ping my AD and DNS servers, but cannot authenticate.
      I’ve configured the domain for the Internal network, and the network adapter binding has the internal NIC at the very top so it resolves internally before it tries to go out.
      nltest /sc_query: returns an error

      Any insight on what I may have done wrong or forgotten to realize will be greatly appreciated.



    76. I have a perimeter firewall, a SonicWall NSA 3500, with NAT from External to Internal and also External to DMZ. The Internal zone is connected to TMG with redundancy.

      In the DMZ zone I have an SSL VPN box as well.

      The issue is:
      The DMZ zone cannot ping or RDP to the internal network.
      Through packet capture I am seeing that the SonicWall is forwarding to TMG,
      but there is no reply.


        • Sir, I have set up an edge network in a virtual environment using Hyper-V. The server type is Windows Server 2008 R2. Help me out to connect the internal network to the internet without the use of a proxy.


        • Bypassing the proxy for internal users is possible if you don’t configure the proxy server in IE. Note that TMG blocks all traffic by default if you utilize TMG as a proxy server; you need to create a firewall policy to allow internet.


        • Sir, I have already created a firewall policy to allow internet, and it is working fine when I configure IE for the proxy. But I need to allow internet access to the internal network without the use of a proxy server.


    77. Hi Raihan,

      Would this scenario work?

      Internet –> Cisco ASA / NAT services (NIC –> TMG (external NIC –> TMG (internal NIC –> internal web servers (192.168.10.X)

      Basically I would have all the external internet traffic coming to my Cisco ASA, where I have some external valid IPs; the Cisco would translate/NAT to the TMG external card, which would then pass to the internal NIC / internal web servers.



    78. Hi Raihan,

      Two internet links, two TMG servers in the same AD domain: how do I create a load balance between the servers?

      I can create a load balance if the servers work in workgroup mode, but I can’t find a solution for an AD domain. I wouldn’t like to use an EMS server.



    79. Thanks for the post, sir. I have installed and done all the TMG setup successfully. My network type is an edge network and I am testing it in a virtual network. Can you please guide me to enable internet in the internal network without using a proxy?


    80. Hello,

      I just installed TMG 2010 and configured it to allow web access.

      But when I installed the TMG client on a workstation, it is not able to connect to the TMG server.

      Is there any specific policy that needs to be created to allow access to the TMG server?

      Note: currently the internet is accessible.


    81. Hi Raihan,

      I have configured TMG for testing as an Edge Firewall. I have two scenarios.

      1) I cannot add TMG into the local domain.

      2) I have an internally hosted website which I want my CTO to access from outside. I have done port forwarding to the local server, but TMG is stopping IIS access to the local server from outside. I tried VPN but was not able to do it. Could you please guide me? It will be a great help.


    82. Raihan Al-Beruni, hi, I have a problem. I have TMG Service Pack 1; when I remove a user from a rule it is not removed, and after synchronization it comes back… I must do it 3 or 4 times to remove the user from the rule… When I look at troubleshooting it says that it has been removed.
      Can you help me?


      • Add an AD connectivity verifier in TMG > Monitoring.
        Create an AD group.
        Add that AD group into TMG.
        Add that group into the firewall rules.
        If you want to add to or remove from any groups, do it through AD, not via TMG. That should work.


    83. On the TMG network, users face an “invalid certificate error” when opening any site in Mozilla, and IE leaves the proxy and does not open any sites. So what is the issue with this?


    84. Hi Raihan

      I have a few queries

      1> Do you need to install EMS in case you want to have 2 array servers, or can it work without EMS?
      2> Steps to configure the first array to the second server for the first time, and how it will work.


      Shanawaz Maktum


      • Hello,
        I have a problem: when I connect through TeamViewer it shows a black screen. I also have ISA installed. Can you tell me how it can be resolved?


    85. Hello,

      I have TMG 2010; it’s working fine as a web proxy and web filter, but I am facing one issue with Outlook: mail is not downloading in Outlook. Please suggest what steps I can take for Outlook.


    86. Hi,

      1.) My users want to make an RDP connection to the external network; because of this we have decided to go for a two-NIC card setup, and my servers are protected with firewall devices.

      2.) Internal NIC IP XXX.XXX.XX.4 and external IP 172.XXX.XX.7.

      3.) For the external IP we have NAT in our firewall for ports 80, 3389, 443.

      4.) With the above config, if I create a new rule, is it possible to make an RDP session to public computers?


    87. Hi Raihan Al-Beruni,
      Thanks for posting these helpful steps for TMG… I would like to use these steps, then I will tell you how I improved my TMG from this guide… Thanks


    88. Hi Raihan

      Need a small help: I need some test cases to test whether my TMG array and other things are working fine or not. Can you provide me some test cases for the same?


    89. Hi Raihan

      I really need help.
      I have a TMG server with 1 internal LAN ( external LAN (x.x.x.x)

      and have a VPN connection between the branch; the branch IP (

      I added the branch range IP in the Internal network in TMG and I have a connection to the internet from the branch, but I can’t remote or access any servers from the internal servers (192.168.1.x) because
      the packet is dropped because Forefront TMG doesn’t have an established connection.

      If I stop the firewall service everything works, but when it is started everything stops except internet browsing.

      I have a static route between and

      Can you help me please?


    90. Hi,

      Great guide, some really useful info in there. I’m currently in the process of setting up a new TMG server on our network and I have a question that I can’t seem to find the answer to. At the moment our LAN connects directly to a hardware firewall which in turn connects to a router for our ADSL connection. The TMG will sit between the firewall and the LAN, so it will use two NICs, one internal and one external. The only thing I can’t see is how TMG knows that the external NIC is the one to use to send traffic that’s not local. I hope that makes sense, and any clarification would be great.

      Many thanks,



    91. Hello Raihan,

      Great post!! I have a problem with my TMG config and need your help, please. The problem is:
      Downloads from our internal FTP server through TMG are corrupted.
      I added the internal FTP server as a web chaining exception, no cache, malware exception… I don’t know what is happening.

      If I download the file directly (through Windows Explorer) from the TMG server, it doesn’t fail. If I download the file through any other application (FileZilla, CoreFTP, etc.) that uses the TMG server as proxy, the file is corrupted.

      Thanks in advance


    92. Hello Sir,

      I have a TMG server and I don’t have an Exchange server, but I want to open (test only) an OWA site. How do I allow this test OWA site on my TMG server? Through the internet it’s working fine, but if I am using the proxy it’s not opening on the client side.

      I don’t have any Exchange server; it’s another company’s OWA, which opens fine on the internet but does not open through the proxy server on my client-side PC.

      Please do the needful.



    93. Hi there,
      I deployed TMG 2010 in my network. The problem which I am facing is that the computers that connect via TMG 2010 are unable to access our VPN clients. It gives error 619 during verifying username and password. The same VPN connection works fine if I bypass TMG 2010 from the same computers. I have created a rule to allow PPTP from Internal to External network, but to no avail.

      Can anyone please help me on this….


    94. Thanks a lot, this article helped me very deeply with configurations.

      Thanks once again.

      My next question is this:
      how do I block these social and non-social sites,
      just like
      porn sites?
      Kindly help me out, because I am implementing this role in our organization.


    95. Hi

      I am getting intermittent 502 Bad Gateway errors from one particular server accessing two URLs via a TMG server. In the TMG logs I am seeing 64 The specified network name is no longer available.

      What is the best way to troubleshoot and fix this?


    96. Hi

      Thanks for the previous reply. Can you tell me how to override the ‘Status 64 The specified network name is no longer available’ problem? It is only coming from one IP address and is very intermittent.

      Your help will be very much appreciated.


      • Hi Raihan,
        I hope you are fine.

        I need you to kindly provide me a step-by-step configuration for TMG 2010 web filtering and blocking web sites over HTTP/HTTPS. I found the rule for blocking web sites, but it can't work properly because users go to the blocked sites over HTTPS, so kindly provide me technical help.

        Faisal Ali


    97. Hi
      I hope I'm not bothering you.
      I tried to join the TMG to the domain but cannot. I looked at Event Viewer and there I see login failed with ID 4625. I have not found a solution to that; could you help me please?

      Thank you


    98. Hello Sir,

      I want to set up TMG 2010 Standard Edition. I have a network of 30 computers; the LAN IP range used is to . We don't have an Exchange server but want to allow access only to Outlook mail. We have some branch users and want to give them VPN access. Which method is suitable for this, I mean Edge firewall, 3-leg perimeter or back firewall??? Please help me…


    99. Hello Raihan,
      I want to test it (TMG) and unfortunately we have a very low budget. That's why I am testing it on Windows 2008 R2 64-bit on an Intel Core 2 Duo machine.
      I downloaded the TMG trial version.
      When I click on “Run preparation tool” it gives me the message “This tool does not support this processor platform. For details about operating system requirements, see the Installation Guide on the MS TMG CD”.
      Why is this happening? I tried a lot but failed. Please help me.
      Thanks & regards


    100. Hi Raihan,

      Need your advice on solutioning a TMG requirement.

      We have an old ISA 2000 server which connects to both internal offices as well as other client offices. For these client offices, this ISA server acts as a firewall to access resources within the internal network.

      Now we are planning to deploy TMG Enterprise server on a virtual environment, and we have no idea how the existing ISA 2000 was configured.

      Could you please advise me which possible way we need to configure to support the requirement? The virtual server has 2 vNICs and we are not sure in which network topology mode we need to install.

      I am also from Australia. If you can provide your contact number, I can explain in more detail about the requirement and the environment.



    101. Dear Raihan,

      This is from the bottom of my heart that you are doing a G8 Job my Friend…. I liked a lot…. Keep it UP……..


    102. Hello Raihan,

      I need help with 2 things from you. The first one is that I want to block TeamViewer through ISA 2006 SP1, and the second is that we have installed ISA 2006 with the Edge Firewall network topology and we are using a single NIC for this; kindly let me know if this is the proper configuration. I have gone through your article and found that there is one more network topology which suits my environment, the Single Network Adapter topology; as we have assigned only one NIC to our ISA server we can go ahead and use this topology. We are running this server on Hyper-V and now we are planning to upgrade our ISA server to TMG, so we can go ahead and configure the Single Network Adapter topology.

      Well, a few more things: we have 4 NICs on the physical server, we have done teaming 2*2 and assigned one NIC to the virtual one.


    103. Hi Raihan,

      Please help me also, as I have TMG 2010 installed & need to configure one rule in which I want to give access to only selected websites; the rest of the internet will be blocked. Please suggest how I can do it.



    104. Very good contribution! Very accurate, but I have a couple of questions. This logically replaces ISA Server, but in my case I also have Checkpoint Firewall-1; would it replace that too? What are the disadvantages of Forefront TMG? I read that Microsoft would stop releasing updates because it wants to get rid of it little by little; is this true?


    105. Forgive the previous comment. Very good contribution! Very accurate, but I have a couple of questions. Forefront logically substitutes the ISA Server, but in my case I have Checkpoint Firewall-1. Does Forefront do Checkpoint's work also? What are the disadvantages of Forefront TMG? I read that Microsoft stopped releasing updates and already wants to get rid of it little by little; is this true?


    106. Hello Raihan, congrats. You have an excellent blog and I am surprised by your high experience with this solution. I would like to know what your recommendation is for my case.
      I have a Cisco firewall to protect my network and OpenDNS for web filtering and malware protection, but this service will not be free anymore this year.

      For that reason, I am looking for a cheap and good solution such as TMG, but I am not clear on what the best-fit network topology scenario is. My network is 90% Microsoft and I have available a physical server with the minimum requirements and 1 promo licence of TMG Standard.

      What do you think about this?

      Thanks and Regards,


    107. Hi Raihan, it's a great blog. Congrats. I would like to know if you can help me. Currently we have OpenDNS for web filtering, and I think that ISA Server or TMG could be a better solution for many reasons, but I am a little confused about what the best-fit network model is that we should implement. I have a Cisco firewall to block, and I think one server with TMG for web filtering for internal users. What is your best recommendation?

      Thanks and Regards,


    108. Dear Raihan,

      It's Arsalan, I am an IT Officer. Sir, I am having an issue in TMG. I have one external NIC (public IP from ISP) & one internal NIC (private IP for the local LAN). My TMG 2010 can ping another public IP of my sister company, but my clients can't ping or connect to the same. Sir, I want to connect with my sister company through VPN because some of our servers are installed in my sister company's data center, but after deploying TMG 2010 I am unable to do that. Please help me out with this issue; I will be thankful to you.

      Arsalan Zia
      IT Officer.


    109. I've configured TMG as an Edge Firewall and after configuring I'm unable to access the Internet.
      Following are the configurations I made:
      Internal Network Adapter Settings:
      Subnet Mask:
      Gateway: None
      DNS: is my Domain Controller, where I'm also using DHCP.

      External Network Adapter Settings:
      Subnet Mask:
      DNS: None

      After installation, I added an Allow Access rule in Firewall Policy to allow DNS from Internal to External, but still I'm unable to access the Internet.
      Also I can't ping the router's IP ( from my internal network PCs.
      Can you please guide me step by step on how I can configure it properly so I can use the Internet from the internal network?
      Please guide me.


      • In the external NIC configure DNS. Create a firewall rule to allow HTTP/HTTPS from internal to external. TMG Console > Monitoring > add AD, DNS and Web connectivity verifiers. The Web Connectivity verifier is the gateway IP of the router. By the way, are you able to browse the internet from the TMG server without proxy settings in IE? If you can, try using proxy settings.
        Configure the proxy in the client's IE and browse the Internet.


        • I also added the DNS entry in the External Network Adapter, & the firewall rules were created before. The DNS access rule is also there from Internal to External, along with HTTP & HTTPS allow rules.
          The Active Directory & DNS Server connectivity verifiers are working fine, but when I create a Web Connectivity Verifier it shows an error.
          The router's default gateway is , so I created a Web Connectivity Verifier & added that IP, Group Type: Web (Internet), Verification method: HTTP “Get” request, but it gives an error.
          Please guide me where things went wrong. What do I have to do now to fix this internet connectivity issue?


        • Are you able to browse the internet from the TMG server? Is HTTP/HTTPS allowed for All Users? If you added it for selected users/groups, then add yourself to that group. What error are you getting?


        • Yes, I can browse the Internet on the TMG server, but only if I configure my External Adapter as follows:
          If I don't give DNS, there is no internet browsing on the TMG server. If I give the router's IP as DNS in my External Adapter, I can access the Internet even after configuring the TMG server.
          Please guide me on what the issue is & what to do now.


    110. Hello Raihan

      First of all, thanks for the excellent work you are doing. I am totally new to TMG & ISA and I am badly looking for some help. I hope you will be able to help me.
      We are using two Cisco IronPorts as our enterprise firewalls.
      IronPort1 IP is (internal range)
      IronPort2 IP is (internal range)
      And we use the following subnets for our LAN: /24 (for all servers);;;; until . Inter-VLAN routing is configured, so communication between subnets is possible.

      The IronPorts are acting as our proxy as well. Some users use as proxy while others use . Now we have reached a situation where we need to implement some type of network load balancing so that the requests will be equally distributed between the IronPorts. Also this will make the internet highly available.

      So we decided to implement TMG 2010. But as I said earlier, I have no clue how to configure TMG 2010 for web access and NLB. Will you be able to help me with this, please? In this scenario do I need TMG with 2 NICs, or will a single NIC do? I don't need any DMZ.

      Waiting to hear from you soon.




    111. Hello Raihan, thanks for the support and the quick reply. I shall try the steps in the link you provided. One small doubt.
      When TMG 2010 is to be configured as an Edge Firewall, then we need 2 NICs, right? One for internal and one for external. We have a Cisco IronPort which is connected directly to the ISP link. It has an internal address which is in the range of, say, . So how should I configure TMG?
      We are using to (there is inter-VLAN routing).
      So which IP should I give to external (with the present setting it has to be in the range of 10.232.60.x), and the internal I can give .

      Will it work like this? And how do I set up the authentication in TMG? The IronPort uses AD accounts for authentication. Please advise.


    112. Hi Raihan, I want to keep the IronPort. It will be the main firewall. The TMG will be mostly used for the purpose of load balancing. So the issue is now that the IronPort will be having 2 IP addresses, one public and one from the internal range, and the TMG also will require 2 IPs. That's where I get confused. How can I specify 2 IPs? Is it necessary that the interface named External of TMG should have an IP which is not included in the internal range? Will it be an issue if I give an IP on the external interface which can be reached from the internal interface (due to inter-VLAN routing)? Sorry for troubling you, and thanks a million for your efforts.


    113. Dear Raihan, please can you help me with the above query? Is it possible to send me your email address so that I can attach a network diagram? Thanks, Riaz


    114. Hi Raihan,

      I'm a new user of TMG. We installed TMG a few months back. We had a problem with the web protection licence which expired; while we were processing the licence we had to make a deny rule in which I had to specify all the websites that users are not supposed to visit, and it worked. After reinstallation of the licence I disabled the rule so that the previous rules could continue working, but to my surprise it's not working, and as a result users are accessing everything.


      • I am certain that you have a rule in place that allows everything. Please go through the rules one by one and check.

        Please do not apply any rule for All Users; instead use a specific group such as Staff or a department like Finance Dept.


        • Hi Raihan,

          I have checked all the rules in the web access policy; they are now fine. I have remained with just 4 rules:
          1. Staff with no access to internet
          2. Staff with limited access to internet
          3. Staff with full access to internet except porn and business-defined prohibited websites
          4. Default deny rule
          Is this order of rules okay? There is also the Firewall policy; I have these rules there, but there are additional rules for allowing users to access VPN and another to allow the BlackBerry server to access the internet. Some of the rules on this side allow all users, which I guess is what is killing my web access rules. Is there a way to sort this out without compromising my other settings?


    115. Hi Raihan,
      I have managed to sort out the issue of the rules; I had to redo all the rules. I'm having another problem though: I have one application that uses Java; it's authenticated by TMG but yet it doesn't open up. See the log below.

      Allowed Connection S002TMG001001 9/5/2012 5:44:16 PM
      Log type: Web Proxy (Forward)
      Status: 407 Proxy Authentication Required
      Rule: Web Access Policy for Research Users-Rule that user belong
      Source: Internal (
      Destination: External (
      Request: Public IP:443
      Filter information: Req ID: 128406e4; Compression: client=No, server=No, compress rate=0% decompress rate=0%
      Protocol: SSL-tunnel
      User: anonymous
      What could be the issue here…


    116. Hi, Can anyone tell me how to allow Skype in TMG 2010 with HTTPS inspection enabled. When HTTPS inspection is disabled it works. I need skype working with HTTPS inspection enabled.


    117. Hi

      Can you please help me in configuring rules which allow Outlook 2010 to send or receive emails from outside mail servers like Gmail or Hotmail? TMG blocks POP, IMAP and SMTP traffic.

      Browsing is running OK on the clients' end but email is not working.
      I have made a rule for HTTP, HTTPS, DNS, IMAP, POP, SMTP from Internal, Localhost to External.

      Please advise.



      • Kashif,

        You have to open the Outlook application in TMG; then your clients will be able to send or receive emails using the TMG firewall.


        Shakeel Shahid.


        • Hi,

          Really, thanks for replying to me. I wanted to tell you that I am using authentication on my TMG firewall and all my users are firewall clients. Now the firewall is working fine and internet is stopped on mobiles, but some users are using Android smartphones in which they can put domain credentials, and they can access the internet on the smartphone. Now my question to you is: is there any option in TMG with which I can make restrictions on OS, so that I can block internet for Android OS?

          Waiting for your kind response.

          Shakeel Shahid.


    118. Hi Raihan,
      I need to configure TMG servers in load balancing mode (i.e., if the TMG1 server fails it must work with the TMG2 server).
      For this I have installed AD (Win 2008), TMG1 (Win 2008) & TMG2 (Win 2008) in VMs and added the TMGs to the domain.

      And now, on TMG1 & TMG2, in which mode do I need to install, and how do I configure load balancing mode for my TMG servers?

      Pls Suggest.




    119. Hello Admin, my question is: currently I have a network where the setup is ISP connected to the modem, from the modem to the router, and from the router to my server and LAN. Now this is the question: I would like to add a TMG firewall to the network. What setup is the best to use? And could the config still be the same as in this post, definitely changing the IPs?


    120. I have a problem with live streaming sites on TMG. Everything works fine, but when I go to a site with live streaming it says: error loading stream: could not connect to server.
      On a PC before TMG, live streaming works fine…


      • Create a firewall rule allowing the live stream, or go to the properties of the existing HTTP/HTTPS allow rule by right-clicking, clicking Properties, then Configure HTTP, and allow an HTTP payload like live streaming; allow the size of the payload, that means MBps or kbps. That should work.


        • It is selected… Now I look into the log and I get this: 12209 Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied, and user anonymous appears…
          I don't understand: until I select play on the stream TV (it's a local television) everything is OK, the user is OK; when I go for play I get this error with user anonymous… why does the user change?


    121. Many thanks It’s really great work.
      Please, how can I configure SecureNAT clients on TMG 2010? TMG rules work fine when I define the TMG address as a proxy server in Internet Explorer LAN settings with port 8080 as well, but I prefer to use SecureNAT clients instead of web proxy clients.
      Our network is a complex network with routers bridging subnets between the client and Forefront TMG.

      Thanks in advance


    122. Hi sir, please guide me: in Hyper-V, how can I configure the virtual switch setting to connect to the internet with my physical laptop WiFi? Also I don't have a static live IP… please guide me.


    123. Sir, I am practicing TMG on my laptop using Hyper-V… so what configuration do I need to do to connect my Hyper-V switch to the physical machine's WiFi adapter in order to get access to the internet, so that TMG works for me?
      Thanks for your support, sir.


    124. Dear sir, what is the main difference between the firewall policy and the web-access policy… I am not clear about it… please guide me… I really like your post…


      • As the name suggests, firewall and web-access policy are two different policies. One is for any firewall rules and publishing of Exchange, SharePoint and websites. Web access is for publishing
        web access rules, configuring HTTP, HTTPS and web inspection, and configuring the web proxy and web cache. Just click each one and see the Tasks pane.


    125. Odd question, probably:
      1) I have a two-stage H/A firewall composed of a pair of Juniper SRX and a pair of TMG 2010 servers. The SRX are on the Internet side, the TMGs internal from them.
      2) I need to route an internal server through the TMG array and have the internal IP address presented to the Junipers so that it can be used as input for a VPN rule. (The partner is requiring a public address within the tunnel, not just on the outside, so I have to do the NAT at the Juniper side.)
      3) The distant end of the VPN is a Cisco ASA.
      4) I created the tunnel and set up rules to NAT traffic, but I ran into an issue when trying to route via the TMG array — the array insists on NAT'ing to its ‘external’ VIP vice passing the address on to the Juniper.
      5) I attempted to get around this by sending to one member of the array and not the internal VIP, but I think this might be causing issues for the return traffic, which is sometimes being closed for non-receipt of a SYN/ACK (subsequent non-SYN packets from the client are then dropped for no existing connection).
      Any ideas?


      • First you have to create a back-to-back firewall between the Juniper and TMG. Add the internal IP address range into the Juniper's internal IP address range. This IP range must be added into the rules of the Juniper.

        Then the same internal IP address range must be added into the internal network of TMG. Then publish the VPN connection within TMG and the Juniper to the Cisco ASA. Then publish a rule allowing the IP range in the ASA and Juniper. This is called a two-tier firewall. It's a great firewall from a security point of view, but sometimes difficult to maintain.


    126. hi
      It's Umer here. I have one problem with my FTMG 2010: I have installed FTMG in Server 2008 R2 and I have made an allow rule in TMG, and my server's internal IP address is . When I go to the client PC the internet is not working; when I put the of the server's internal in the client browser proxy, then it accesses the internet. But I want that the client does not have to put a proxy, so he or she can access the internet directly. Can anyone help?


      • You need to configure the proxy correctly. Click Networking > Internal > Properties > Web Proxy and see the correct port and proxy config. Also allow HTTP/HTTPS access from the internal network to external. Configure IE with the correct proxy settings, i.e. the IP address of the internal NIC of the TMG server and the port.


    127. Hello Brother Raihan,
      I want to do the following setup

      ASA in between the router and everything else. Terminate VPN connections here.

      TMG server behind the ASA with one NIC in the outside network and one NIC to your inside network. The 3560 goes behind the TMG server.

      Use the ASA to control inbound traffic and NATing to the allowed internal servers. The TMG server controls outbound Internet access.

      I want to use TMG as transparent proxy and if the TMG goes down the internet traffic will be routed to Cisco ASA

      I would highly appreciate your help.

      Thanks in advance


    128. Hi,
      Does Forefront TMG support managing the internal network? I mean all clients are managed by TMG to access servers, the internet, wireless clients, etc. Maybe I replace the perimeter network in the TMG topology (3-leg perimeter) with segments of servers, wireless clients, internet, etc.



    129. Dear Sir,
      I have a request: I am installing the Edge topology. Kindly upload a step-by-step guide of the basic Edge topology (from the external Internet to the internal network on a domain).



    130. Hello Raihan
      I installed Windows Server 2008, then I installed a domain controller, and then I installed TMG 2010. Then a message showed that TMG cannot be installed on a domain controller.
      I can install on both functions. Kindly help me.


    131. Hi Raihan,
      I have a problem sharing the internet in TMG 2010.
      Please, if you have any solution for this I will be thankful to you for that.
      Regards: PIR HAMED


        • I have installed TMG 2010 in Hyper-V and used 1 internal card and 1 private. My IP on private is , preferred DNS is . I have internet access on TMG but it can't forward it to the domain having IP . So what do I do to share the internet on TMG for all clients?


    132. I'm stuck trying to replace my old (but working) ISA 2006 with TMG 2010. My config is as follows:
      I have a Back-to-Back configuration.
      Back Firewall IP ranges:
      Internal –
      Perimeter –

      In the Perimeter network I have my web, FTP servers, etc. and a router that links to some offices that are outside my location, and I provide web and mail services for them. These offices are in the network, so in the old ISA 2006 (Back Firewall/Proxy) there is a network created named DMZ with this range ( to ), a network rule with a route relationship between the Internal and the DMZ, and there is also a route in Windows that sets the router ( as the next hop for this address range. This works OK.

      I started configuring the new server with TMG 2010. I created the route in Windows and I was able to ping from the TMG server the PCs on the DMZ network ( for example) and the Internal ( my PC, for example), but when I create a new network, with a network rule, as created in the ISA 2006, then I get “A packet was dropped because its destination IP address is unreachable” when I try to ping the same PCs.

      Denied Connection PROXY 4/7/2015 9:40:16 AM
      Log type: Firewall service
      Status: A packet was dropped because its destination IP address is unreachable.
      Rule: None – see Result Code
      Source: Local Host (
      Destination: dmz (
      Protocol: PING

      I've created the DMZ network in three different ways, Internal, Perimeter, External (except VPN Site to Site…), and I always get the same error.

      I'd appreciate any help, best regards


      • I don't see your TMG server, so my guess is:
        You have exported the config and imported it into the TMG server. Before you do that, make sure the TCP/IP config of the TMG server is correct. If you have any static route in ISA, then apply the same static route in TMG. Simple as that. Route print is the command to see static routes.


        • Static routes are the same on both servers, and working OK. As I said, before creating the network, just with the static routes everything works; the problem is after the creation of the network. As for the config import, that's not exactly what I did: I made a clean install and config because there are a few things I want to change. So let's pretend that I don't have a server working and it's a completely new configuration. How can I reach a network segment that is accessible through the external interface, using ping? Taking into account that the static route is done and working OK, the problem, as I said, is that when I create the new network in TMG with this address range, I stop reaching that network.
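The two logs pasted in comments 115 and 132 above use TMG's block format (a header line followed by "Field: value" lines). The following is an added example, not code from the post or from Forefront TMG: a small parser for that format with a triage of the two statuses shown, a 407 logged against user anonymous (TMG's authentication challenge, recorded before credentials are seen, so not by itself a refusal) and the Firewall service's "destination IP address is unreachable" (no TMG network definition or route covers the destination). The server name, addresses and request ID in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Three TMG entries in the block format pasted in the comments above.
# Server name, addresses (RFC 5737 documentation ranges), account and
# request ID are CONSTRUCTED placeholders, not values from the page.
SAMPLE_LOG = """\
Allowed Connection TMGEXAMPLE01 9/5/2012 5:44:16 PM
Log type: Web Proxy (Forward)
Status: 407 Proxy Authentication Required
Rule: Web Access Policy for Research Users
Source: Internal (192.0.2.10:51234)
Destination: External (198.51.100.20:443)
Request: 198.51.100.20:443
Filter information: Req ID: 0a0b0c0d; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous

Denied Connection TMGEXAMPLE01 4/7/2015 9:40:16 AM
Log type: Firewall service
Status: A packet was dropped because its destination IP address is unreachable.
Rule: None - see Result Code
Source: Local Host (192.0.2.1)
Destination: dmz (203.0.113.50)
Protocol: PING

Allowed Connection TMGEXAMPLE01 9/5/2012 5:44:17 PM
Log type: Web Proxy (Forward)
Status: 200 OK
Rule: Web Access Policy for Research Users
Source: Internal (192.0.2.10:51235)
Destination: External (198.51.100.20:443)
Protocol: SSL-tunnel
User: EXAMPLE\\jdoe
"""

# Header line: "<Allowed|Denied> Connection <server> <m/d/yyyy h:mm:ss AM|PM>"
HEADER_RE = re.compile(
    r"^(?P<action>Allowed|Denied) Connection\s+(?P<server>\S+)\s+"
    r"(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$"
)

def parse_tmg_log(text):
    """Split block-format TMG log text into one dict per entry (keys lowercased)."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = dict(m.groupdict())
            entries.append(current)
            continue
        if current is None or ": " not in line:
            continue  # stray text before the first header, or not "Field: value"
        key, value = line.split(": ", 1)  # split once: values may contain ": "
        current[key.strip().lower()] = value.strip()
    for e in entries:
        # Only Web Proxy entries carry a numeric HTTP status; Firewall service
        # entries carry a text result such as the "unreachable" message.
        m = re.match(r"^(\d{3})\b", e.get("status", ""))
        e["http_status"] = int(m.group(1)) if m else None
    return entries

def triage(entry):
    """Classify one entry the way an admin reading the posted logs would."""
    log_type = entry.get("log type", "")
    status = entry.get("status", "")
    if log_type.startswith("Web Proxy") and entry["http_status"] == 407:
        # 407 is the proxy's challenge; it is logged before credentials are
        # seen, so 'User: anonymous' is expected here even for valid users.
        # A client that never answers the challenge stalls at this point.
        return "auth-challenge"
    if log_type == "Firewall service" and "destination IP address is unreachable" in status:
        # No TMG network definition or routing entry covers the destination.
        return "no-route"
    if entry["action"] == "Denied":
        return "denied"
    return "allowed"

def summarize(text):
    """Count entries per triage category."""
    return Counter(triage(e) for e in parse_tmg_log(text))

if __name__ == "__main__":
    for e in parse_tmg_log(SAMPLE_LOG):
        print(e["time"], e.get("protocol"), e.get("user", "-"), "->", triage(e))
    print(summarize(SAMPLE_LOG))
```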


    133. Excellent job.
      In my case I already have a Fortinet firewall, but I just want to use TMG as a proxy server with authentication and reporting. So can you please help me with what strategy I need to use?


    134. I have TMG 2010 and it keeps popping up on user machines to authenticate with the proxy server. It is becoming annoying to users; how do I turn this off completely? I just want users to access the internet via the proxy server without being prompted to input any credentials.


    135. Hello Raihan Al-Beruni, hope you are healthy and fine.
      Dear Sir,
      I have a TMG 2010 firewall installed on Windows 2008 R2 and I set up my network as follows:
      * Network type = workgroup.
      * LAN = , WAN = static IP from ISP.
      * Also installed DHCP services for clients ( - ).
      * Created a rule to allow DHCP reply and request in TMG.
      * Created a rule to allow internet for clients' computers.
      I need to connect all my clients without configuring IE with proxy settings, i.e. IP address and port.
      Please advise.
      Thank you
      Ajmal Saidy

