Forefront TMG 2010: Frequently Asked Questions (FAQ)

What is Forefront Threat Management Gateway?

Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections – including URL filtering, antimalware inspection, intrusion prevention, application proxy, and HTTP/HTTPS inspection – that are integrated into a unified, easy-to-manage gateway, reducing the cost and complexity of Web security. Forefront TMG enables organizations to perform highly accurate Web security enforcement by stopping employee access to dangerous sites, based on reputation information from multiple Web security vendors and the technology that protects Internet Explorer 8 users from malware and phishing sites.

What features does Forefront Threat Management Gateway 2010 SP1 include? 

This service pack will include a number of improved features and enhancements, including:

Improved reporting features

  * New User activity reports to monitor Web surfing information
  * New look and feel for all TMG reports

Enhancements to URL filtering

  * User override for access restriction on sites blocked by URL filtering, allowing more flexible and easier deployment of web access policy
  * Override for URL categorization on the enterprise level
  * Customized denial notification pages to fit an organization’s needs

Enhanced branch office support

  * Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache
  * Forefront TMG and a read-only domain controller can be located on the same server, reducing TCO at branch offices

Support for publishing SharePoint 2010

What is a secure Web gateway?

A secure Web gateway is a solution designed to keep users safer from Web-based threats. In general, it will include Web anti-malware inspection, URL filtering, and HTTPS inspection. With its long history as Microsoft ISA Server, Forefront Threat Management Gateway 2010 adds strong inspection of Web-based protocols to help ensure they conform to standards and are not malicious. It further extends this strong application layer inspection through the Network Inspection System.

How is Forefront Threat Management Gateway 2010 different from Microsoft ISA Server 2006?

Forefront Threat Management Gateway is different in four major ways:

Secure Web Gateway: Forefront Threat Management Gateway 2010 can be used to protect internal users from Web-based attacks by integrating Web antivirus/anti-malware and URL filtering. With HTTPS inspection, it can even provide these protections in SSL-encrypted traffic.

Improved Application Layer Defenses: Forefront Threat Management Gateway 2010 includes Network Inspection System, which enables protection against vulnerabilities found in Microsoft products and protocols.

Improved Connectivity: Forefront Threat Management Gateway 2010 enhances its support for NAT scenarios with the ability to designate e-mail servers to be published on a 1-to-1 NAT basis. Additionally, Forefront Threat Management Gateway 2010 recognizes SIP traffic and provides a method to traverse the firewall.

Simplified Management: Forefront Threat Management Gateway 2010 has improved wizards to simplify its deployment as well as its continued configuration.

How is Forefront Threat Management Gateway 2010 different from Forefront Threat Management Gateway, Medium Business Edition (TMG MBE)?

Forefront Threat Management Gateway MBE is a product designed specifically for mid-sized businesses purchasing Windows Essential Business Server. Forefront Threat Management Gateway 2010 builds on its functionality to provide a complete secure Web gateway solution, with such features as URL filtering and HTTPS inspection. It also delivers enhanced application layer inspection with Network Inspection System. With these features and others, it enables organizations to provide a higher level of security to their users.

Does Forefront Threat Management Gateway 2010 require 64-bit servers?

Yes, Forefront Threat Management Gateway 2010 runs on a server with a 64-bit processor. For more details, please see the system requirements.

How is TMG 2010 licensed?

See the How to Buy page.

Is Forefront TMG part of the Forefront Protection Suite and ECAL?

Forefront TMG Web Protection Service is part of Forefront Protection Suite and ECAL. Forefront TMG 2010 is not part of these suite offerings and must be licensed separately.

What is the Forefront Threat Management Gateway Web Protection Service?

The Forefront Threat Management Gateway Web Protection Service provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.  

Does Forefront TMG 2010 include Forefront TMG Web Protection Service?

No. Forefront TMG Web Protection Service is licensed separately. It can be licensed stand-alone, as part of the Forefront Protection Suite, or Enterprise CAL.

Do Forefront TMG 2010 customers have downgrade rights to ISA 2006?

Yes.  Customers who purchase Forefront TMG have downgrade rights to Microsoft Internet Security and Acceleration Server 2006.

What is the difference between Forefront Threat Management Gateway 2010 Standard and Enterprise editions?

The Forefront TMG 2010 Enterprise Edition license gives customers increased scalability, provides access to a central management console, and provides extensive support for virtual environments. The following chart compares the editions on these features:

  * Network Load Balancing
  * Cache Array Routing Protocol
  * Enterprise Management Console
  * Support for unlimited virtual CPUs

Can I migrate ISA to TMG and change FQDN of new TMG?

Yes, you can. See Migrate ISA.

Can I install TMG on a DC?

No. Installing TMG on a domain controller is not a supported configuration.

Can I configure reverse proxy using single NIC configuration?

A single NIC with reverse proxy is not a good idea; use two NICs instead. See Reverse proxy for more info.

How many NICs do I need to configure a back-to-back TMG firewall?

Two NICs in each TMG server.
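The three answers above (64-bit server, no domain controller, two NICs per back-to-back TMG server) are the kind of prerequisites worth checking on a box before the installer is even run. The PowerShell below is an added example, not code from the original FAQ or from Microsoft; it uses only the built-in Win32_OperatingSystem, Win32_ComputerSystem and Win32_NetworkAdapterConfiguration WMI classes available on Windows Server 2008 R2, and the required NIC count is a parameter assumed here for the back-to-back scenario.

```powershell
# Added example (not from the original FAQ): pre-install sanity checks for a
# Forefront TMG 2010 server. Covers three answers from the FAQ: the server must
# run a 64-bit OS, must not be a domain controller, and a back-to-back firewall
# needs two NICs per TMG server. Built-in WMI classes only (PowerShell 2.0+).

function Test-TmgPrerequisites {
    param(
        # Assumed parameter: number of IP-enabled adapters required for the
        # role (two for the back-to-back firewall scenario in the FAQ).
        [int]$RequiredNics = 2
    )

    $results = @()

    # 1. 64-bit operating system (OSArchitecture reports "64-bit" when true).
    $os = Get-WmiObject Win32_OperatingSystem
    $results += New-Object PSObject -Property @{
        Check  = '64-bit OS'
        Passed = ($os.OSArchitecture -eq '64-bit')
        Detail = $os.OSArchitecture
    }

    # 2. Not a domain controller. Win32_ComputerSystem.DomainRole values:
    #    0-3 are workstation/member roles, 4 = Backup DC, 5 = Primary DC.
    $cs = Get-WmiObject Win32_ComputerSystem
    $results += New-Object PSObject -Property @{
        Check  = 'Not a domain controller'
        Passed = ($cs.DomainRole -lt 4)
        Detail = "DomainRole=$($cs.DomainRole)"
    }

    # 3. Enough IP-enabled NICs (one per network edge the firewall sits on).
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
              Where-Object { $_.IPEnabled })
    $nicSummary = ($nics | ForEach-Object {
        "$($_.Description): $($_.IPAddress -join ',')"
    }) -join '; '
    $results += New-Object PSObject -Property @{
        Check  = "At least $RequiredNics IP-enabled NICs"
        Passed = ($nics.Count -ge $RequiredNics)
        Detail = $nicSummary
    }

    return $results
}

# Run the checks, print a pass/fail table and exit non-zero if anything failed,
# so the script can gate an automated build of the firewall host.
$report = Test-TmgPrerequisites -RequiredNics 2
$report | Format-Table Check, Passed, Detail -AutoSize
if ($report | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it in an elevated PowerShell session on the prospective TMG host; for a 3-leg perimeter deployment pass `-RequiredNics 3` so the DMZ adapter is counted too.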

What type of IP address do I use on a 3-leg perimeter or DMZ?

A public IP address is recommended.

Can I use TMG as a router?

Yes, you can configure TMG as a router.

What types of VPN does TMG support?

See the VPN config.

How can I configure NLB on TMG?

See this link: NLB step by step.

How can I configure a cluster of TMG servers?

See this link

Can I manage TMG from my admin PC?

Yes, you can. See this link.

Can I configure TMG as a proxy cache?

See TMG proxy cache step by step.

How can I retrieve a custom report from the TMG server?

See the built-in TMG reporting and Proxy Inspector.

How can I configure reverse proxy using TMG?

See Reverse proxy for more info.

Can I configure a back-end TMG server behind a Cisco ASA firewall?

Yes, you can.

How can I configure ISP redundancy?

See this guide for ISP redundancy.

How can I reinstall TMG?

See this link for the answer.

20 thoughts on “Forefront TMG 2010: Frequently Asked Questions (FAQ)”

  1. Hi Raihan
    I have the same design as discussed by milind. Detail is given below.
    1. ASA firewall (external interface is connected to the switch 2960, which is further connected to the WAN router)
    2. ASA firewall (internal interface is connected to switch 2960, which is further connected to the TMG (external interface)), and 3. the web server is connected to the switch.
    4. TMG is further connected to the CORE SWITCH (meaning layer
    3 switch.)
    5. which is further connected to other switches.
    6. servers (exchange server, database server) are connected to one of these switches.

    Please reply whether this network design will work; if not, then suggest any change.



  2. Hi raihan,

    I have a question, pls, if I buy for example 300 licenses for TMG web protection services and I use 301 users or devices, is there any consideration? Will the service be available for the 301 users? tks


  3. hi Rehan,
    kindly advise how to configure TMG behind ASA… the scenario is I want to place TMG between the ASA and the switch…

    kind regards,


  4. Hi Raihan, for #2 shauakt mentioned the Cisco ASA connecting to a switch and the TMG external interface connecting to this same switch. Would this switch having that same subnet be the DMZ? Would it also work with public IP addresses on this switch for all servers? I am doing a back firewall scenario.

    If I place a Lync Edge server on this switch/DMZ with public IPs, how would I route this? I was thinking static NAT with the public addresses within the Cisco ASA. Does it get routed to the external interface of TMG or directly to the Lync Edge server's interface? Does this mean I have a transit DMZ instead of a layer 7 DMZ? What would be the best way to do this?




  5. Dear Mr. Rehan,

    kindly share the configuration to block https by TMG, I tried it hard but TMG is blocking only the http site, not https Facebook, please add ur input…




  6. Dear Rehan,

    Thanks for sharing ur experience, Rehan. Kindly tell me why I am not getting a ping reply from the TMG internal IP address from local LAN PCs, and also update about the cache container initializing error and the cache permission insufficient error.




  7. Dear Rehan,

    thanks for the update, I have a question: I am running TMG standalone and sometimes my browsing gets slow. What is the reason behind it?




  8. Dear Rehan,

    Please tell me how to downgrade from Forefront 2010 to ISA 2006. I have Forefront 2010; how do I get the license key for ISA 2006?



    • Please explain a few things here. Are you downgrading TMG to ISA on the same box? If you downgrade to ISA you will lose all the good features and functionality of TMG. Your license key is pidded with the ISA installer, or you should be able to see it from the Microsoft Volume Licensing portal if you have one, or call the reseller from whom you bought the product.

