Configure non-domain Forefront TMG to allow traffic from domain members and domain clients

In this article, I will explain how to configure non-domain FF TMG to allow traffic from domain members and clients. 

Log on to the FF TMG server as an administrator. In the FF TMG Management console, in the tree, click Firewall Policy. On the Tasks tab, click Configure Authentication Server Settings, then click the LDAP Servers tab.



Click Add to add an LDAP server set, then type a name for the LDAP server set.


Click Add to add each LDAP server name, description, and time-out. The time-out is the length of time (in seconds) that Forefront TMG waits for a response from an LDAP server before trying the next LDAP server in the ordered list. You can change the order in which the servers are accessed with the UP ARROW and DOWN ARROW keys. You can keep the time-out at its default of 5 seconds.


In Domain, type the fully qualified domain name (FQDN) of the Active Directory domain. Note that this is the domain in which the user accounts are defined, not the domain to which Forefront TMG is joined. Select Use Global Catalog (GC) if you are using a global catalog.

Select Connect LDAP servers over secure connection if you want to encrypt the LDAP communication (the LDAPS protocol). Optionally, type the credentials that Forefront TMG uses to connect to Active Directory to verify user account status and change account passwords; this provides password management for HTML form authentication.

Click OK to close the Add LDAP Server Set dialog box.
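Before committing a server set in the console, it is worth confirming from the TMG host itself that each listed server answers on the port implied by the GC and secure-connection choices, accepts a bind with the account you plan to enter, and actually serves the account domain typed in Domain. The PowerShell below is an added example, not part of the original article or of Forefront TMG; the server names, domain and service account in the usage line are placeholders, and it uses the .NET System.DirectoryServices.Protocols classes rather than any TMG API.

```powershell
# Added example, not part of the original article: test a planned LDAP server set from
# the TMG host. Server names, domain and credential are placeholders for your own values.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapServerSet {
    param(
        [Parameter(Mandatory)] [string[]] $Servers,   # LDAP server names, in the order TMG will try them
        [Parameter(Mandatory)] [string]   $Domain,    # FQDN of the domain holding the user accounts
        [switch] $UseGlobalCatalog,                   # "Use Global Catalog (GC)"
        [switch] $Secure,                             # "Connect LDAP servers over secure connection"
        [int] $TimeoutSeconds = 5,                    # per-server time-out, as in the dialog
        [pscredential] $Credential                    # optional account for status/password operations
    )
    # Port follows the two checkboxes: GC listens on 3268 (3269 with SSL), LDAP on 389 (636 with SSL).
    $port = if ($UseGlobalCatalog) { if ($Secure) { 3269 } else { 3268 } }
            else                   { if ($Secure) { 636 }  else { 389 } }
    # Naming context expected for the account domain, e.g. corp.example.com -> DC=corp,DC=example,DC=com
    $baseDn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','

    foreach ($server in $Servers) {
        $result = [ordered]@{ Server = $server; Port = $port; Bound = $false; DomainFound = $false; Error = $null }
        $conn = $null
        try {
            $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
            $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
            $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
            $conn.SessionOptions.ProtocolVersion = 3
            if ($Secure) {
                # No VerifyServerCertificate callback is installed on purpose: the DC certificate must
                # chain to a root the non-domain TMG host trusts, which is what TMG itself requires.
                $conn.SessionOptions.SecureSocketLayer = $true
            }
            if ($Credential) {
                $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
                $conn.Credential = $Credential.GetNetworkCredential()
            } else {
                $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Anonymous
            }
            $conn.Bind()
            $result.Bound = $true

            # rootDSE is readable even anonymously; check that this server hosts the account domain.
            $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                '', '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                [string[]]@('namingContexts'))
            $resp = $conn.SendRequest($req)
            $ncs  = $resp.Entries[0].Attributes['namingContexts'].GetValues([string])
            $result.DomainFound = ($ncs -contains $baseDn)   # -contains is case-insensitive
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            if ($conn) { $conn.Dispose() }
        }
        [pscustomobject]$result
    }
}

# Usage with constructed placeholder values:
# $cred = Get-Credential 'CORP\svc-tmg-ldap'
# Test-LdapServerSet -Servers 'dc1.corp.example.com','dc2.corp.example.com' `
#     -Domain 'corp.example.com' -UseGlobalCatalog -Secure -Credential $cred | Format-Table
```

A Bound value of false together with a certificate error on the secure port means the TMG host does not trust the issuer of the domain controller's certificate; because the host is not domain-joined it will not have received the enterprise root automatically, and TMG will fail in the same way until that root is imported. DomainFound false with Bound true usually means the server belongs to a different domain than the one typed in Domain.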

In Login Expression, click New to add a login expression. A login expression allows you to assign an LDAP server set to a specific group of users. For example, you can assign one LDAP server set to the users MicrosoftGURU* and another LDAP server set to the users Mydomain*. The login expressions are queried by Forefront TMG in the ordered list. You can change the order using the UP ARROW and DOWN ARROW keys.
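Because the login expressions are evaluated in list order, a broad expression placed above a narrower one silently captures every login the narrower one was meant for. The following PowerShell is an added example, not part of the original article or of TMG; it assumes the ordered, first-match, `*` wildcard semantics the article describes, reuses the two expressions from the article, and adds a constructed catch-all entry to show the ordering pitfall.

```powershell
# Added example, not part of the original article: evaluate an ordered login-expression list
# top to bottom with first-match-wins semantics (an assumption about TMG's behaviour) and
# report expressions that an earlier, broader one makes unreachable. Sample data is constructed.
function Resolve-LdapServerSet {
    param(
        [Parameter(Mandatory)] [object[]] $Mappings,   # ordered: @{ Expression='...'; ServerSet='...' }
        [Parameter(Mandatory)] [string]   $Login       # the name the user types at the logon form
    )
    foreach ($m in $Mappings) {
        # -like provides the same * and ? wildcard matching as a login expression
        if ($Login -like $m.Expression) { return $m.ServerSet }
    }
    return $null   # no match: there is no server set to send this login to
}

function Find-ShadowedExpression {
    param([Parameter(Mandatory)] [object[]] $Mappings)
    for ($i = 1; $i -lt $Mappings.Count; $i++) {
        $later = $Mappings[$i].Expression
        for ($j = 0; $j -lt $i; $j++) {
            $earlier = $Mappings[$j].Expression
            # For prefix-style expressions, a later pattern whose literal text already satisfies
            # an earlier pattern can never be reached by any login.
            if ($later -like $earlier) {
                [pscustomobject]@{ Position = $i + 1; Expression = $later; ShadowedBy = $earlier; ByPosition = $j + 1 }
                break
            }
        }
    }
}

# Constructed sample: the two expressions from the article plus a catch-all placed last.
$mappings = @(
    @{ Expression = 'MicrosoftGURU*'; ServerSet = 'GURU-Servers' },
    @{ Expression = 'Mydomain*';      ServerSet = 'Mydomain-Servers' },
    @{ Expression = '*';              ServerSet = 'Default-Servers' }
)
foreach ($login in 'MicrosoftGURU\alice', 'Mydomain\bob', 'other\carol') {
    '{0,-22} -> {1}' -f $login, (Resolve-LdapServerSet -Mappings $mappings -Login $login)
}
Find-ShadowedExpression -Mappings $mappings          # reports nothing for this order
# Move the catch-all to the top and both named expressions become unreachable:
Find-ShadowedExpression -Mappings ($mappings[2], $mappings[0], $mappings[1]) | Format-Table
```

Run the shadow check against the list exactly as it appears in the console whenever an expression is added or reordered; a shadowed entry means logins intended for one LDAP server set are being authenticated against another.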




Once you finish configuring authentication, verify your settings, then click Apply and click OK.


Finally, apply the changes and click OK to close.

Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server.

4 Responses to Configure non-domain Forefront TMG to allow traffic from domain members and domain clients

  1. Max says:


    Is it possible to use this configuration to enable VPN sign-on for AD users?




  2. Hemant says:

    Hello Raihan,
    I have installed TMG and connected it to one secure (https) SharePoint intranet site. It is working fine when an internal/external user enters his/her credentials. I have a couple of queries:
    1. If a user is logged in to the domain, how will TMG accept the domain user's credentials without re-entering them? Where do I set this inside TMG 2010?
    2. How do I increase https timeouts for internal users inside the TMG 2010 settings?
    3. How do I set up another WFE for network load balancing inside TMG 2010?

    Thanks in advance

