Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step


Forefront TMG 2010 is available in Standard and Enterprise editions. With the Enterprise edition you can deploy Forefront TMG on a single server (standalone deployment) or on multiple servers in an Enterprise Management Array deployment. In an enterprise deployment, one TMG server acts as the Enterprise Management Server (EMS) for the array, and the remaining TMG servers join that array. A Forefront TMG array is a collection of Forefront TMG servers that are managed centrally, through a single management interface. It provides better management capacity, redundancy, fault tolerance and high availability in an organisation where HA is measured at 99.9%. An array stores the following information in the Enterprise Management Server:

  1. Array configuration settings, which are relevant for, and shared by, all members of the array.
  2. Server configuration settings, which are relevant only for a specific array member, for each of the array members.

Standalone—Depending on the selected load balancing method, a standalone array can have up to 50 Forefront TMG servers, managed by one of the array members, which acts as the array manager (see the load balancing section below). Use this type of array if Forefront TMG is deployed in a single logical location and handles a medium traffic load.

EMS-managed—An EMS-managed array can have up to 200 Forefront TMG arrays, each holding up to 50 Forefront TMG servers, managed by an Enterprise Management Server (EMS). Once you have set up an EMS-managed array, you can replicate its settings and manage up to 15 EMS-managed arrays using the same settings, thus enabling central management of up to 150,000 Forefront TMG servers.

Load balancing Forefront TMG servers in an array

An integrated Network Load Balancing (NLB) feature is available in Forefront TMG. It lets you take advantage of central management, configuration, maintenance and troubleshooting, which are not available if you configure NLB directly via the Windows-based NLB tools. Load balancing distributes network traffic among array members, so that traffic is spread across all available servers.

Installation of Forefront TMG 2010 EMS


When the installation is complete, select the invoke check box and click Finish.

To assign administrative roles for enterprise administrators

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.

2. On the Tasks tab, click Assign Administrative Roles.

3. On the Assign Roles tab, click the upper Add button. Then, do the following:

1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of Active Directory Lightweight Directory Services (AD LDS), and monitor arrays in the domain.

2. In Role, select one of the following:

Forefront TMG Enterprise Administrator—Authorizes the specified group or user to perform all administrative tasks in the enterprise and arrays in the domain.

Forefront TMG Enterprise Auditor—Authorizes the specified group or user to perform monitoring tasks, and to view enterprise and array configuration.

4. When you have finished, click OK.

5. In the details pane, click the Apply button, and then click OK.


To assign administrative roles for array administrators

1. In the Forefront TMG Management console, in the tree, click the Forefront TMG node.

2. On the Tasks tab, click Assign Administrative Roles.

3. On the Assign Roles tab, click the upper Add button. Then, do the following:

1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of AD LDS.

2. In Role, select one of the following:

Forefront TMG Array Administrator—Authorizes the specified group or user to perform all administrative tasks in the array.

Forefront TMG Array Auditor—Authorizes the specified group or user to perform all monitoring tasks, and to view the array configuration.

Forefront TMG Array Monitoring Auditor—Authorizes the specified group or user to perform specific monitoring tasks.

4. When you are finished, click OK.

5. In the details pane, click the Apply button, and then click OK.

To enable Microsoft Update and activate licenses

  1. In the Forefront TMG Management console, in the tree, click the server name node.
  2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.
  3. On the Microsoft Update Setup page, click Use the Microsoft Update service to check for updates (recommended).
  4. On the Forefront TMG Protection Features Settings page, activate licenses for the protection features you want to enable. You can only download and install updated definitions for features that you have enabled.
  5. If you activated the Network Inspection System (NIS) license, on the NIS Signature Update Settings page, select the automatic update action you desire.
  6. Complete the wizard, and then click Finish. On the Apply Changes bar, click Apply.
  7. For definition updates via WSUS, see the WSUS article listed under Further Study.

To Create an Enterprise Array

1. On the EMS, in the Forefront TMG Management console, right-click Arrays, or in the task pane click New Array.


2. In the New Array Wizard, on the Welcome to the New Array Wizard page, enter the name of the array.


3. On the Array DNS Name page, enter the Domain Name System (DNS) name of the array.


4. On the Assign Enterprise Policy page, in the Select the Enterprise policy to apply to this new array list, click the enterprise policy to apply to the array.


5. On the Array Policy Rule Types page, select the types of rules that may be created for the array firewall policy.


6. Click Finish and Apply Changes.


Important! All internal networks must be able to resolve and ping the array DNS name entered in step 3.
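As an added check (not part of the original post), the following PowerShell script verifies that requirement from whichever host it is run on: it resolves the array DNS name, compares the result with the addresses you expect the record to hold, pings each address, and attempts a TCP connection to the proxy port. The array name, the expected addresses and the member names are placeholders; the port 8080 default assumes the standard Forefront TMG web proxy listener port, so adjust it to your deployment. Run it from a host on each internal network that will use the array.

```powershell
# Added verification script; not from the original post.
# Assumptions (placeholders, change for your deployment):
#   $ArrayDnsName      - DNS name entered on the Array DNS Name page (step 3)
#   $ExpectedAddresses - addresses the record should resolve to (array members or NLB VIP)
#   $ProxyPort         - TCP port clients will use; 8080 is the TMG default web proxy port
param(
    [string]   $ArrayDnsName      = "tmgarray.corp.example",
    [string[]] $ExpectedAddresses = @("10.0.0.11", "10.0.0.12"),
    [int]      $ProxyPort         = 8080
)

$failed = $false

# 1. Resolve the array DNS name (IPv4 only) with the .NET resolver, which works on
#    Windows Server 2008 R2 / PowerShell 2.0 where Resolve-DnsName is not available.
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($ArrayDnsName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
} catch {
    Write-Host ("FAIL: '{0}' does not resolve from this host: {1}" -f $ArrayDnsName, $_.Exception.Message)
    exit 1
}
Write-Host ("'{0}' resolves to: {1}" -f $ArrayDnsName, ($resolved -join ', '))

# 2. Compare the answer with what the record is supposed to contain.
$unexpected = @($resolved | Where-Object { $ExpectedAddresses -notcontains $_ })
$missing    = @($ExpectedAddresses | Where-Object { $resolved -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Host ("WARN: unexpected address(es) in record: {0}" -f ($unexpected -join ', '))
    $failed = $true
}
if ($missing.Count -gt 0) {
    Write-Host ("WARN: expected address(es) missing from record: {0}" -f ($missing -join ', '))
    $failed = $true
}

# 3. Ping each resolved address, then try a TCP connect to the proxy port.
foreach ($ip in $resolved) {
    $ping = Test-Connection -ComputerName $ip -Count 2 -Quiet -ErrorAction SilentlyContinue
    if ($ping) { Write-Host ("OK:   ICMP reply from {0}" -f $ip) }
    else       { Write-Host ("FAIL: no ICMP reply from {0}" -f $ip); $failed = $true }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ip, $ProxyPort)
        Write-Host ("OK:   TCP {0}:{1} accepts connections" -f $ip, $ProxyPort)
    } catch {
        Write-Host ("FAIL: TCP {0}:{1} refused or timed out" -f $ip, $ProxyPort)
        $failed = $true
    } finally {
        $client.Close()
    }
}

if ($failed) { exit 1 } else { Write-Host "All checks passed."; exit 0 }
```

The exit code makes the script usable from a scheduled task or a monitoring job: a non-zero result from any internal network means clients on that network will not reach the array by its DNS name, which is exactly the condition the note above warns about.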

To join an enterprise array from the second TMG server

1. In the Forefront TMG Management console, click the server name node.

2. On the Tasks tab, click Join Array.


3. On the Join Membership Type page, click Join an array managed by an EMS server.


4. On the Enterprise Management Server Details page, enter the fully qualified domain name (FQDN) of the EMS server, and then enter the user account used to connect to the server.


5. On the Join EMS Managed Array page, select whether to join an existing EMS managed array, or to create a new EMS managed array.


6. If you selected to create a new EMS managed array, on the Create New Array page, enter the details of the new array; otherwise, select the existing array. Click Next, and then click Finish.


Configuring intra-array communication on array members

1. In the Forefront TMG Management console, in the tree, expand the array's ServerName node, and then click System.

2. On the Servers tab, select a server, then on the Tasks tab, click Configure Selected Server.

3. On the Communication tab, under Intra-Array Communication, enter the IP address this server uses to communicate with the other array members.

Important! Apply the changes after every configuration change made in the TMG EMS console.

To Configure Network Topology

Forefront TMG supports an unlimited number of network adapters. For each of the following network types, you can specify an IP address range or select the network adapter associated with the network you are configuring:

  • Internal network
  • Perimeter network
  • External network

IP addresses for network adapters associated with the same network should be identical on each array member.
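As an added consistency check (not from the original post), the following PowerShell script pulls the IP-enabled adapter configuration from each array member over WMI and reports, per adapter name, the IPv4 address and subnet that adapter has on every member, flagging adapters that are missing on a member or whose subnet differs between members. Member names are placeholders; the script assumes WMI (DCOM) access to each member under the current credentials, and it matches adapters across members by their Windows adapter description, which assumes the members use the same adapter naming.

```powershell
# Added example; not from the original post. Member names are placeholders and
# WMI access to each member with the current credentials is assumed.
param([string[]] $ArrayMembers = @("TMG01", "TMG02"))

# Network part of an IPv4 address, written as network/mask, e.g. 10.0.0.0/255.255.255.0
function Get-NetworkId([string] $Ip, [string] $Mask) {
    $ipBytes   = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $maskBytes = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $net = 0..3 | ForEach-Object { $ipBytes[$_] -band $maskBytes[$_] }
    return ($net -join '.') + '/' + $Mask
}

# Collect one row per (member, adapter, IPv4 address).
$rows = @()
foreach ($member in $ArrayMembers) {
    $configs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $member `
                             -Filter "IPEnabled = TRUE" -ErrorAction Stop
    foreach ($cfg in $configs) {
        for ($i = 0; $i -lt $cfg.IPAddress.Count; $i++) {
            $ip = $cfg.IPAddress[$i]
            if ($ip -match ':') { continue }   # skip IPv6; this check is IPv4 only
            $rows += New-Object PSObject -Property @{
                Member  = $member
                Adapter = $cfg.Description
                IP      = $ip
                Network = Get-NetworkId $ip $cfg.IPSubnet[$i]
            }
        }
    }
}

# Group by adapter name and compare what each member has on that adapter.
$problems = 0
foreach ($group in ($rows | Group-Object Adapter)) {
    Write-Host ("Adapter: {0}" -f $group.Name)
    $group.Group | Sort-Object Member | ForEach-Object {
        Write-Host ("    {0,-12} {1,-16} {2}" -f $_.Member, $_.IP, $_.Network)
    }
    # @() keeps .Count meaningful on PowerShell 2.0 when only one value comes back.
    $networks = @($group.Group | Select-Object -ExpandProperty Network | Sort-Object -Unique)
    $members  = @($group.Group | Select-Object -ExpandProperty Member  | Sort-Object -Unique)
    if ($members.Count -lt $ArrayMembers.Count) {
        Write-Host "    WARN: adapter not present on every member"
        $problems++
    }
    if ($networks.Count -gt 1) {
        Write-Host ("    WARN: members disagree on the subnet: {0}" -f ($networks -join ', '))
        $problems++
    }
}
Write-Host ("{0} adapter(s) need attention." -f $problems)
```

Run it from the EMS or any management host before joining members to the array, and again after any adapter change; an adapter that sits in a different subnet on one member than on the others is the usual cause of an array network definition that works on one member and not the rest.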

Click Enterprise Networks, then click Create a New Network Wizard, or edit a selected network from the Taskpad.


The network adapter settings configured in Windows Server are listed on the Network Adapters tab of the Networking node, where you can edit them.

From the Taskpad, click Create New Network Rule Wizard.


Further Study:

Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

Forefront TMG 2010: How to install and configure Forefront TMG 2010—Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter system


26 thoughts on “Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step”

  1. Pingback: Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management (part II)—Step by Step « Information Technology Blog

  2. Hi,

    I need your help with the installation and configuration of Forefront TMG 2010 for the edge topology. I have some problems doing it. And I can’t see the step-by-step document guide about the installation and configuration of the edge topology.
    Can I call you? My phone number is…+241-05-300-272


  3. Dear Rehan,

    How do I configure an EMS replica server, and how do I monitor the replication of the configuration storage?
    I have added the new EMS server’s IP in the “Replicate CCS Server” group and installed the 2nd EMS server with the option to copy its configuration from the 1st EMS server. Is there anything else I need to configure??
    And how do I check whether the replication between both EMS servers is fine??


  4. AoA,
    I have downloaded Microsoft Forefront TMG Enterprise Edition from the Microsoft website; when the installer begins it shows the error message “Package Integrity distribution”…. Please help me regarding this error.
    Note: I am running Windows Server 2008 on my server machine (DELL PowerEdge 2600).


  5. Hi Rihan,

    Thanks for this great article. I just have a (maybe silly?) question. I have created the EMS array and joined my second TMG into that array. When I created the array, I had to specify a DNS record, which will be used by clients as the proxy address. But what IP should this DNS record resolve to? The EMS server? A round robin with all my TMG array members?

    Thanks in advance for your answer.

    BR


    • Ok Rihan,

      I just found the answer: I had to go into the network configuration and enable NLB on my internal networks. If I run a persistent ping on my cluster IP, I get an answer (regarding the MAC address, it’s the second TMG which is answering). If I disconnect the second TMG, I would believe that the first TMG would handle the traffic. Actually, not 🙂
      When I look in Array > Systems, I can only see TMG2.

      So my question is: does the EMS server have only a centralized configuration role and not a TMG role? If I want to have redundancy, shall I have 3 TMG servers? 1 EMS and 2 TMG integrated in the array?

      BR,
      Pierre


  6. Hi Raihan,

    First of all, thanks for your site; this is very helpful for me as I am doing a small laboratory to test TMG. I just want to know how to integrate my AD domain controller with my TMG server. Can you please help me with the step by step procedure to perform this task? The scenario is I have 1 AD server and 1 client PC. Please help!!

    regards,

    glen


  7. Where can I find instructions for NLB with a standalone array? I am unable to find the setup instructions for the node that will be joining the array.


  8. Is it possible to install the Enterprise Management Server on a server that will also be a member of the array? I cannot seem to locate where to add in the local server into the array. Thanks!


  9. Nice blog, thanks for sharing information about the TMG issue.
    We have an issue with NLB: we get an error (RPC services unavailable) while joining another array node server.
    We have 2 TMG nodes and 1 EMS server; both nodes have been successfully joined to the EMS array. I am trying to enable NLB for both nodes in the TMG console; I have enabled it, and when I check in NLB Manager the other node has not joined the cluster (RPC error).
    As I went through the comments in the blog, NLB Manager is not required to manage it, but when I enabled NLB in the TMG console it is trying to add using NLB Manager and getting an error (RPC service).
    Workaround:
    I disabled the RPC filter in the Enterprise and system array and resolved the RPC error, but when I disabled it both nodes get a configuration error in the EMS server (not synced).
    Could you please provide more details on how we need to work with NLB?


  10. Dear Raihan,

    It’s Arsalan; I am an IT Officer. Sir, I am having some issues in TMG. I have one external NIC (public IP from ISP) and one internal NIC (private IP for the local LAN). My TMG 2010 can ping another public IP of my sister company, but my clients can’t ping or connect to the same. Sir, I want to connect with my sister company through VPN because some of our servers are installed in my sister company’s data center, but after deploying TMG 2010 I am unable to do that. Please help me out with this issue; I will be thankful to you.

    Regards,
    Arsalan Zia
    IT Officer.

