Forefront UAG 2010 Patching Order

I wrote the following articles a few weeks back. One thing I would like to add to these articles is the patching order for Forefront UAG 2010.

You must start from a base build of Windows Server 2008 R2 SP1 with all Microsoft security and critical updates applied. Install UAG from the source Forefront_UAG_Server_2010_64Bit_English_w_SP1 with the correct product key from the Microsoft volume licensing center.

Apply the following updates, in this order, before you start configuring UAG.

1. TMG-KB2555840-amd64-ENU

2. TMG-KB2689195-amd64-GLB

3. UAG-KB2288900-v4.0.1269.200-ENU

4. UAG-KB2585140-v4.0.1773.10100-ENU

5. UAG-KB2710791-v4.0.2095.10000-ENU

6. UAG-KB2744025-v4.0.3123.10000-ENU
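As an added example (not part of the original post), the following PowerShell script checks which of the updates in the list above are already registered on the server and reports the first one still missing, so the sequence can be resumed at the right step. It assumes the TMG and UAG updates appear in the Programs and Features uninstall registry keys or in the Windows hotfix list with their KB number in the name.

```powershell
# Added example: check the UAG 2010 patching order on this server.
# Assumption: each update registers under the Uninstall keys or as a Windows
# hotfix with its KB number in the display name / HotFixID.

$PatchOrder = @(
    'KB2555840',   # 1. TMG-KB2555840-amd64-ENU
    'KB2689195',   # 2. TMG-KB2689195-amd64-GLB
    'KB2288900',   # 3. UAG-KB2288900-v4.0.1269.200-ENU
    'KB2585140',   # 4. UAG-KB2585140-v4.0.1773.10100-ENU
    'KB2710791',   # 5. UAG-KB2710791-v4.0.2095.10000-ENU
    'KB2744025'    # 6. UAG-KB2744025-v4.0.3123.10000-ENU
)

function Get-InstalledKbNumbers {
    # Collect KB identifiers from Programs and Features (64-bit and 32-bit views)
    # and from the Windows hotfix list; returns a hashtable keyed by 'KBnnnnnnn'.
    $found = @{}
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $name = [string]$_.DisplayName
            foreach ($m in [regex]::Matches($name, 'KB\d{6,7}', 'IgnoreCase')) {
                $found[$m.Value.ToUpper()] = $true
            }
        }
    }
    Get-WmiObject -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.HotFixID -match 'KB\d{6,7}') { $found[$matches[0].ToUpper()] = $true }
    }
    return $found
}

function Test-UagPatchOrder {
    param([string[]]$Order = $PatchOrder)
    $installed = Get-InstalledKbNumbers
    $nextToApply = $null
    foreach ($kb in $Order) {
        $present = $installed.ContainsKey($kb)
        if ($present) { $status = 'installed' } else { $status = 'MISSING' }
        '{0,-10} {1}' -f $kb, $status
        # The first missing update in list order is the one to install next.
        if (-not $present -and -not $nextToApply) { $nextToApply = $kb }
    }
    if ($nextToApply) { "Next update to apply in sequence: $nextToApply" }
    else { 'All updates in the patching order are present.' }
}

Test-UagPatchOrder
```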

UAG Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

How did this blog perform in the year of 2011

This blog was viewed about 190,000 times in 2011.


The busiest day of the year was December 7th with 1,150 views. The most popular post that day was Install and Configure Lync Server 2010—Step by Step.

Some visitors came searching, mostly for tmg reverse proxy, lync server, tmg 2010 pdf, fax server windows 2008, and forefront site to site vpn configuration.


The top referring sites in 2011 were:

The most commented on post in 2011 was Microsoft Active Directory—Best Practice

The popular posts:

  1.  Install and Configure Lync Server 2010—Step by Step
  2.  Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step
  3.  How to configure reverse proxy using Forefront TMG 2010— step by step
  4.  Configure FAX server using Windows Server 2008 and Standard Fax Modem
  5.  Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

I look forward to serving you again in 2012! Happy New Year!

Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

Forefront TMG can be configured in various topologies or network scenarios, such as edge firewall, 3-leg perimeter, back firewall and single network adapter. In this article, I will configure Forefront TMG as a 3-leg perimeter. Before you start, prepare Windows Server 2008 on Microsoft-recommended hardware. Below are the standard system requirements for TMG:

  • Supported operating systems: Windows Server 2008 SP2 or Windows Server 2008 R2
  • A computer with a 4-core (2 CPUs x dual core or 1 CPU x quad core) 64-bit processor
  • 4 gigabytes (GB) or more of memory
  • 2.5 GB of available hard disk space. This excludes the disk space you want to use for caching or for temporarily storing files during malware inspection
  • Two disks: one for the system and TMG logging, and one for caching and malware inspection
  • 3 network adapters (3-Leg Perimeter)




You can add multiple internal network ranges, such as and, in TMG, but only one NIC of the TMG server is assigned as the internal NIC. In that situation, you have to create VLANs, IP routing and access rules in the core switch or layer 3 switch. You can also add multiple perimeter networks in your infrastructure; in that scenario, you have to assign a specific NIC to each perimeter network. Check the server manufacturer's web site for the maximum number of NICs supported in the server hardware, and the Microsoft web site for the maximum number of NICs supported in a physical and a virtualized Windows server. In real life, the DMZ and external networks must have public, i.e. routable, IP addresses.

In a perimeter, you can publish Exchange CAS, OCS and SharePoint front-end servers, or a web server of your choice. The following Visio diagram depicts a typical 3-leg perimeter or DMZ.


Install Windows Server 2008 on a virtual or physical machine with the recommended system requirements. Insert the TMG DVD or mount the TMG ISO on the virtual server. Run the TMG preparation tool and then the installation wizard. Follow my previous step-by-step TMG installation guide to install TMG; it would be redundant to write it again.

Configure 3-Leg Perimeter:


Open the Forefront TMG console > select the TMG array > launch the Getting Started wizard from the Tasks pane. You will be presented with the configuration wizard. Click Configure Network Settings > click Next > select 3-Leg Perimeter > click Next.


Select the internal, external and perimeter networks in the following three steps. Remember, you must configure a static IP for every NIC.


Now configure the system settings and define the deployment options in the next steps.



Click the Networking option and verify all the settings by opening the properties of the internal and perimeter networks. You may add the desired routing rules under Network Rules.

DNS Configuration for Perimeter Network:

To allow LDAP authentication from the perimeter network, right-click Firewall Policy > click New > click Access Policy.


Type a name for the policy > click Next > click Allow > click Next.


On the selected protocols, add DNS, Kerberos-Admin (TCP), Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (GC), Kerberos-Sec (TCP), Kerberos-Sec (UDP), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP, PING and RPC (All Interfaces). As the source, specify the particular web server (or servers), and as the destination specify the AD/DNS server. For this article, I am adding the perimeter and internal networks as a whole; however, in a production environment I would not recommend doing so. For security reasons, everything is blocked by default in TMG server; you have to add protocols and rules one by one. Create a specific rule for each specific purpose.



Apply the changes > click OK. Right-click the rule > click Properties > verify all protocols, the source and the destination.

To publish any web server in the perimeter, follow the links provided in the relevant articles. To publish secure web sites, import the web server certificate into the TMG server and the web server, then follow the web publishing rule.

Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

Publish Exchange Anywhere

Publish Exchange OWA

How to configure reverse proxy using Forefront TMG 2010— step by step

In this article, I am going to explain reverse proxies in depth and how you can use the reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how-to in this article. Let's start with a proxy server. What is a proxy or forward proxy server? A proxy or forward proxy is a server (a computer system, device or application program) that acts as an intermediary for requests from internal clients seeking resources from external servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page or other resource, available from a different server. The proxy server evaluates the request according to its rules or filtering rules and passes it on to the server inside or outside the network. A proxy server can also act as a gateway between external and internal networks. A forward proxy secures networks by hiding the IP addresses of the internal network from the outside network. It also caches content and provides filtering functionality.

A reverse proxy, as the name suggests, relays requests in the opposite direction, i.e. from external clients to internal or perimeter servers: a reverse proxy has more than one network card, with one NIC facing the internet and another facing the perimeter or internal network. A reverse proxy is placed in the neighbourhood of the web servers. A reverse proxy also hides the actual IP addresses of networks or servers from external or VPN clients. A reverse proxy encrypts data, provides load balancing, acts as a server cache, optimizes compression and publishes web sites for the extranet.

Advantages: A reverse proxy server provides the following advantages over a direct connection to a web server:

  • Security  
  • SSL encryption and acceleration 
  • SSL bridging  
  • SSL offloading  
  • Load balancing  

Reverse Proxy Prerequisites: Before you can create a reverse proxy in your organisation, you need to prepare the following infrastructure.

  • Prepare a 3-leg perimeter (DMZ) or back-to-back perimeter
  • Configure the internet-facing network adapter of the TMG reverse proxy server with a publicly routable IP
  • All the intended web server(s) must have an accessible public IP
  • Verify proper routing (if required, depending on your DMZ design)
  • Install Forefront TMG Server
  • Configure the firewall policy to open specific ports
  • Request and configure a digital certificate for the secure reverse proxy
  • Create a web server publishing rule and verify that the secure web server publishing rule properties are correct
  • Verify or configure authentication and certification on the IIS virtual directories
  • Create an external DNS entry with your ISP or domain registrar
  • Verify that you can access the web site through the Internet




Important! You can use the front-end TMG server as a reverse proxy server if you don't want to use a single-NIC reverse proxy in the DMZ. Please note that there is no specific design or step-by-step guide for every individual situation; I have written this article for a generic reverse proxy situation. You can have a single-NIC reverse proxy in the DMZ or a multiple-NIC reverse proxy (one NIC external, another internal).

Configure Network Adapter of Reverse Proxy Server:

1. On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.

2. Right-click the external network connection to be used for the external interface, and then click Properties.

3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.

4. On the Internet Protocol (TCP/IP) Properties page, configure the real IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.

5. Click OK twice.

6. In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.

Create Local DNS Record in AD DS Server: This means configuring DNS records that point to the appropriate web server(s) in the perimeter network, so that internal users can access those web sites locally: an internal DNS A record that resolves the FQDN.

Create External DNS Record with ISP or Domain Registrar: Create an external DNS A record pointing to the external interface of the reverse proxy TMG server, as described in the following section. This external DNS A record resolves the external web farm FQDN to the external IP address of the reverse proxy; the client uses this record to connect to the reverse proxy. For this step, you need help from your domain registrar or ISP.

Request and configure a digital certificate for SSL: Request and install a certificate using the FQDN of each web server, to prevent DNS spoofing. The root certification authority (CA) certificate of the CA that issued the server certificate on the web server (the IIS server running your Office Communications Server web components) needs to be installed on the server running TMG Server 2010. This certificate should match the published FQDN of the external web farm where you are hosting meeting content and Address Book files.

  • You must install a Web server certificate on reverse proxy TMG Server. This certificate should match the published FQDN of your external Web farm where you are hosting web sites.
  • If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN or web servers.


Import Certificate:

  • On the TMG Server computer, click Start, type mmc, and then press Enter or click OK.
  • Click the File menu and then click Add/Remove Snap-in, or press Ctrl+M. Under Available Snap-ins, click Certificates and then click Add.
  • Select Computer Account and then click Next. Click Local Computer and then click Finish.
  • Click OK in the Add or Remove Snap-ins dialog box.
  • Expand Certificates (Local Computer), then expand Personal, and then expand Certificates. Right-click the Certificates node, select All Tasks, and then select Request New Certificate.
  • The Welcome To The Certificate Import Wizard page appears. Click Next.
  • On the File To Import page, type the location of the certificate file.
  • On the Password page, type the password provided by the entity that issued this certificate.
  • On the Certificate Store page, confirm that the location is Personal.
  • The Completing The Certificate Import Wizard page should appear with a summary of your selections. Review the page and click Finish.

To verify that your CA is in the list of trusted root CAs:

  • On each edge server, open an MMC console. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
  • On the File menu, click Add/Remove Snap-in, and then click Add.
  • In the Add Standalone Snap-ins box, click Certificates, and then click Add.
  • In the Certificate snap-in dialog box, click Computer account, and then click Next.
  • In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
  • Click Close, and then click OK. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  • In the details pane, verify that your CA is on the list of trusted CAs. Repeat this procedure on each server.
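The two MMC procedures above can be checked in one go from PowerShell on the TMG server. The following script is an added example (not from the original post): it locates the listener certificate in Local Computer\Personal by the published external FQDN (subject CN or a SAN DNS name), confirms it has a private key, builds its chain, and checks that the chain's root is present in Trusted Root Certification Authorities. The name 'webfarm.example.com' is a placeholder.

```powershell
# Added example: verify the Web listener certificate on the TMG server.
# Assumption: 'webfarm.example.com' stands in for your published external FQDN.

function Get-CertificateDnsNames {
    # Names a certificate is valid for: the subject CN plus any DNS names in the
    # Subject Alternative Name extension (OID 2.5.29.17), which .NET renders
    # as "DNS Name=host1, DNS Name=host2".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)')) {
            $names += $m.Groups[1].Value.Trim()
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-ListenerCertificate {
    param([Parameter(Mandatory=$true)][string]$PublishedFqdn)
    $result = New-Object PSObject -Property @{
        PublishedFqdn = $PublishedFqdn; Found = $false; Thumbprint = $null; HasPrivateKey = $false
        ChainValid = $false; RootInTrustedStore = $false; Expires = $null; Errors = @()
    }
    # Newest certificate in Local Computer\Personal that carries the published name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-CertificateDnsNames $_) -contains $PublishedFqdn } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $result.Errors += "No certificate for $PublishedFqdn in LocalMachine\My"
        return $result
    }
    $result.Found = $true; $result.Thumbprint = $cert.Thumbprint; $result.Expires = $cert.NotAfter
    $result.HasPrivateKey = $cert.HasPrivateKey   # the listener cannot use the cert without one
    # Build the chain offline and look for its root in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainValid = $chain.Build($cert)
    if (-not $result.ChainValid) {
        $result.Errors += @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootInTrustedStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }
    return $result
}

Test-ListenerCertificate -PublishedFqdn 'webfarm.example.com' | Format-List
```

A result with Found and HasPrivateKey true but ChainValid false lists the chain status messages in Errors, which is the case the root CA procedure above is meant to fix.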

Publish Web Server using TMG Web Publishing Wizard:

Creating an HTTPS Web Listener: Follow these steps to create a new Web listener on TMG that uses HTTPS.

1. On the TMG computer, open the Forefront TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane and click Firewall Policy.

3. In the right pane, click the Toolbox tab, right-click Web Listener under Network Objects, and then click New Web Listener.

4. The Welcome To The New Web Listener Wizard page appears. Type a name for this Web listener and click Next.

5. Leave the default option selected (SSL), and click Next.

6. On the Web Listener IP Addresses page, select External and click Next.

7. On the Listener SSL Certificate page, click Select Certificate, choose the certificate for this listener, and then click Select.

8. On the Listener SSL Certificates page, confirm that the selected certificate appears and click Next.

9. On the Authentication Settings page, choose HTML Form Authentication from the drop-down box. Leave the other options at the default selection, and click Next.

10. For the purpose of this example, disable the SSO settings and click Next.

11. On the Completing The New Web Listener Wizard page, review the selections. Click Finish and then click Apply to commit the changes.

Creating a Secure Web Publishing Rule: Follow these steps to create a secure Web publishing rule on TMG using the listener that you previously created.

1. Expand Forefront TMG (Array Name) in the left pane.

2. Right-click Firewall Policy, point to New, and click Web Site Publishing Rule.

3. The Welcome To The New Web Publishing Rule Wizard page appears. Type a name for this publishing rule and click Next.

4. On the Select Rule Action page, leave the default selection (Allow) and click Next.

5. On the Publishing Type page, leave the default option and click Next.

6. On the Server Connection Security page, you specify whether TMG will use SSL to connect to the published Web server. For this rule, leave the default option and click Next.

7. On the Internal Publishing Details page, type the internal site name and click Next.

8. For the Web site that we are publishing, our goal is to allow access to all the content within the Web server. Therefore, the path should be /*. Click Next.

9. On the Public Name Details page, you need to specify the name that remote clients will use to reach the published server. Type in the FQDN (example, leave the other options at their defaults, and click Next.

10. On the Select Web Listener page, choose HTTPS Listener (the Web listener that was created previously) from the Web Listener drop-down list, and click Next.

11. On the Authentication Delegation page, click the drop-down list and choose No Authentication. Click Next.

12. On the User Sets page, leave the default option to require all users to authenticate before accessing the internal Web server. Click Next to continue.

13. On the Completing The New Web Publishing Rule Wizard page, review the summary of the selections for this rule. To confirm that the publishing rule is working properly, click Test Rule. If everything is configured properly, click Finish and then click Apply to commit the changes.

Verify or Configure Authentication and Certification on IIS Virtual Directories:  Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In Internet Information Services (IIS) Manager, expand ServerName, and then expand Web Sites.

3. Right-click <default or selected> Web Site, and then click Properties.

4. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.

5. On the Directory Security tab, click Server Certificate under Secure communications. This opens the Welcome to the Web Server Certificate Wizard. Click Next.

6. On the Server Certificate page, click Assign an existing certificate, and then click Next.

7. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.

8. On the Certificate Summary page, verify that settings are correct, and then click Next. Click Finish.

9. Click OK to close the Default Web Site Properties dialog box.

Verify Access through Your Reverse Proxy: Use the following procedure to verify that your users can access information through the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly. For each web server, type a URL similar to the following: https://externalwebfarmFQDN/, where externalwebfarmFQDN is the external FQDN of the web farm.
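The same check can be scripted from an external client. This is an added example (not from the original post): it requests the published URL without following redirects, so the listener's own answer is visible (with HTML form authentication, an unauthenticated request is typically answered with a redirect to the logon form), records the HTTP status, and reports the certificate the listener presented and whether its subject CN matches the external FQDN. A TLS trust or name-mismatch failure shows up in the Failure field. The name 'webfarm.example.com' is a placeholder.

```powershell
# Added example: verify access through the reverse proxy from an external client.
# Assumption: 'webfarm.example.com' stands in for the external web farm FQDN.

function Test-ReverseProxyAccess {
    param([Parameter(Mandatory=$true)][string]$ExternalFqdn)
    $url = "https://$ExternalFqdn/"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.AllowAutoRedirect = $false   # show the listener's own reply, e.g. a redirect to its logon form
    $request.Timeout = 10000
    $response = $null; $status = $null; $location = $null; $failure = $null
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as a WebException that still carries the response;
        # a TLS failure (untrusted or mismatched certificate) carries no response at all.
        $response = $_.Exception.Response
        if (-not $response) { $failure = $_.Exception.Message }
    }
    if ($response) {
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
    }
    # The certificate presented during the TLS handshake, if one completed.
    $presented = $request.ServicePoint.Certificate
    $subject = $null; $expires = $null; $nameMatches = $false
    if ($presented) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $presented
        $subject = $cert.Subject
        $expires = $cert.NotAfter
        # Subject CN check only; names in the SAN extension are not inspected here.
        $nameMatches = $cert.Subject -match ('CN=' + [regex]::Escape($ExternalFqdn) + '(,|$)')
    }
    New-Object PSObject -Property @{
        Url = $url; HttpStatus = $status; Location = $location; Failure = $failure
        CertificateSubject = $subject; CertificateExpires = $expires; CertificateMatchesFqdn = $nameMatches
    }
}

Test-ReverseProxyAccess -ExternalFqdn 'webfarm.example.com' | Format-List
```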

Relevant Articles:

Configure DMZ using back to back topology

How do I reset the hosts file back to the default?

Install and configure TMG step by step

Add a resource record step by step

Adding CNAME using Cpanel


How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—Step by Step Guide

Placing a firewall in a corporate network puts you in a commanding position to protect your organisation's interests from intruders. A firewall also helps you publish content or share infrastructure or data securely with external entities such as roaming clients, business partners and suppliers. Simply put, you can share internal content without compromising security, for example by publishing the Exchange Client Access Server, OCS 2007 and the SharePoint front-end server in the perimeter.

More elaborately, the front-end and back-end topology is commonly seen in multi-tier applications where the user interacts with a front-end server (example: CAS server) and that server interacts with a back-end server (example: HT server). In this Exchange deployment scenario, users interact with a front-end CAS web server placed in the DMZ or perimeter to get Outlook Web Access for reading and sending email. That web server must interact with the back-end mail server or HT server, but internet users do not need to interact directly with the back-end HT server. The front-end and back-end server(s) do all of this for you, providing maximum security. Visit Exchange 2010 deployment in different firewall scenario.

In this article, I am going to illustrate Back-to-Back Firewall with DMZ. This topology adds content publishing to the back-to-back perimeter topology. By adding content publishing, sites and content that are developed inside the corporate network can be published to the server farm that is located in the perimeter network.


Advantages:

  1. Isolates customer-facing and partner-facing content to a separate perimeter network.
  2. Content publishing can be automated.
  3. If content in the perimeter network is compromised or corrupted as a result of Internet access, the integrity of the content in the corporate network is retained.

Disadvantages:

  1. Requires more hardware to maintain two separate farms.
  2. Data overhead is greater. Content is maintained and coordinated in two different farms and networks.
  3. Changes to content in the perimeter network are not reflected in the corporate network. Consequently, content publishing to the perimeter domain is not a workable choice for extranet sites that are collaborative.


  1. Internal IP range:
  2. Perimeter IP range:
  3. Public IP: 203.17.x.x/24

Note: In the production environment, perimeter IP must be public IP accessible from internet.


Computer: Back-End TMG 2010 (two NICs)
  Internal NIC configuration:
  External NIC configuration: Not Applicable

Computer: Front-End TMG 2010 (two NICs)
  Internal NIC configuration: 2nd DNS: 203.17.x.x (public IP)
  External NIC configuration: IP: 203.17.x.x (public IP); DG: 203.17.x.1 (public DG); DNS: 203.17.x.x (public DNS)

Routing Relation:

Back-End TMG:
  Internal to Perimeter, Perimeter to Internal: Route
  Perimeter to External: NAT (Default)

Front-End TMG (all TMG defaults):
  Internal to External: NAT (Default)

Persistent Routing in Front-End TMG and all servers placed in perimeter/DMZ: You must add the following route on the front-end TMG server and on every other server placed in the perimeter, from an elevated command prompt. To do that, log on as administrator, open a command prompt, type the following and press Enter.


Configure Back-End TMG Server:

Log on to the TMG server using administrative credentials and define the internal IP as shown in the TCP/IP properties.


Define the perimeter IP as shown in the TCP/IP properties.


Now add the TMG server as a domain member. Install Forefront TMG using the step-by-step guidelines. Open the TMG Management console and launch the Getting Started wizard. Click Configure Network Settings and select Back Firewall.


Click Configure System Settings.


Click Define Deployment Options.


Click Close. Apply the changes and click OK.

Create connectivity with AD and DNS.


Add and verify the IP addresses of the internal ( and perimeter ( networks.


Add Network Rules:

Create a network rule. To do that, click Networking > Network Rules > Create a New Network Rule Wizard.


Here, rules 1 to 4 are created by default during the initial configuration, as shown below. You have to create rules 5 and 6 by repeating the above steps.


Configure Firewall Rules:

  Action: Allow
  Protocols: DNS, Kerberos-Sec (TCP), Kerberos-Sec (UDP), Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (Global Catalog), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP (UDP), PING, RPC (All Interfaces)
  Source: DC, Front-End TMG
  Destination: DC, Front-End TMG
  Conditions: All Users

Now publish DNS for the perimeter network. Right-click Firewall Policy, click New, click Access Policy, and name the new access policy. On the selected protocols, add DNS, Kerberos-Sec (TCP), Kerberos-Sec (UDP), Kerberos-Admin (UDP), LDAP, LDAP (UDP), LDAP (Global Catalog), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP (UDP), PING and RPC (All Interfaces), then click Next.

On the Access Rule Sources page, click Add, select Computers, click New, type the NetBIOS name and IP of the DC, and click OK. Select DC and click Add. Repeat this process for the front-end TMG server, i.e. add the name and IP of the front-end TMG server and click Add.

On the Access Rule Destinations page, click Add and, from the Computers list, add the DC and front-end TMG servers. Click Next and click Finish. Apply the changes and click OK.
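Once a rule like this (or the equivalent DNS/LDAP rule from the 3-leg perimeter article) is applied, it is worth confirming from the perimeter side that exactly the intended protocols get through. The following PowerShell script is an added example (not from the original post) to run on the front-end TMG or a perimeter member server: it tries a TCP connection to the DC on the well-known port of each TCP protocol named in the rule, checks ICMP and a UDP NTP request, and also tries two ports the rule does not include, which should fail under TMG's default deny. The DC address 10.0.0.10 is a placeholder.

```powershell
# Added example: check the perimeter-to-DC access rule from a perimeter host.
# Assumption: 10.0.0.10 is a placeholder for the DC / AD DNS server behind the back-end TMG.
$DcAddress = '10.0.0.10'

# TCP protocols from the rule, with the well-known ports they use.
# "RPC (All Interfaces)" also covers dynamic RPC ports; only the endpoint mapper is checked here.
$ExpectedOpenTcp = @(
    @('DNS', 53), @('Kerberos-Sec (TCP)', 88), @('Kerberos-Admin (TCP)', 464),
    @('LDAP', 389), @('LDAP (Global Catalog)', 3268), @('Microsoft CIFS (TCP)', 445),
    @('RPC endpoint mapper', 135)
)
# Not in the rule, so these should fail (the default TMG policy denies them).
$ExpectedBlockedTcp = @( @('HTTP', 80), @('RDP', 3389) )

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # silently dropped
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-NtpReply {
    # Send a minimal NTP client request (LI=0, VN=3, Mode=3) and wait for any reply.
    param([string]$Address, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $packet = New-Object byte[] 48
        $packet[0] = 0x1B
        [void]$udp.Send($packet, $packet.Length, $Address, 123)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        return ($reply.Length -ge 48)
    } catch { return $false }
    finally { $udp.Close() }
}

function New-CheckResult {
    param([string]$Check, [string]$Expected, [string]$Actual, [bool]$Pass)
    New-Object PSObject -Property @{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-PerimeterDcRule {
    param([string]$Dc = $DcAddress)
    $results = @()
    foreach ($pair in $ExpectedOpenTcp) {
        $open = Test-TcpPort -Address $Dc -Port $pair[1]
        $results += New-CheckResult "$($pair[0]) tcp/$($pair[1])" 'open' $(if ($open) {'open'} else {'closed'}) $open
    }
    foreach ($pair in $ExpectedBlockedTcp) {
        $open = Test-TcpPort -Address $Dc -Port $pair[1]
        $results += New-CheckResult "$($pair[0]) tcp/$($pair[1])" 'blocked' $(if ($open) {'open'} else {'closed'}) (-not $open)
    }
    $ping = Test-Connection -ComputerName $Dc -Count 1 -Quiet
    $results += New-CheckResult 'PING' 'reply' $(if ($ping) {'reply'} else {'none'}) $ping
    $ntp = Test-NtpReply -Address $Dc
    $results += New-CheckResult 'NTP udp/123' 'reply' $(if ($ntp) {'reply'} else {'none'}) $ntp
    return $results
}

Test-PerimeterDcRule | Format-Table Check, Expected, Actual, Pass -AutoSize
```

A "closed" result for a port the rule should allow usually means the rule has not been applied yet or the source computer object has the wrong IP; an "open" result in the blocked group means the rule is broader than intended.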

Create an Access Rule allowing all outbound traffic to go from internal to perimeter.

  Action: Allow
  Protocols: All Outbound Traffic
  Source: Internal
  Destination: Perimeter
  Conditions: All Users

Create another access rule allowing HTTP and HTTPS from internal to perimeter and external.

  Action: Allow
  Protocols: HTTP, HTTPS
  Source: Internal
  Destination: External
  Conditions: All Users


Configure Front-End Forefront TMG Server:

Prepare another Windows Server 2008 x64 computer. Log on as an administrator. Define internal and external IP addresses as shown below.

Internal TCP/IP property:


External TCP/IP property


Open a command prompt and type the following commands to add a persistent route and then display the routing table. The third argument is the gateway (next-hop address) for the destination network, and the mask keyword is required:

c:\>route -p add DestinationNetwork mask DestinationMask Gateway

c:\>route print
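As an added example (not from the original post), the following PowerShell function wraps the route command above for the case this article needs: a front-end TMG or perimeter member server reaching the internal network through the back-end TMG's perimeter-side IP. It adds the persistent route only if it is not already there, refuses to silently overwrite a conflicting one, and verifies the entry in both the active and the persisted route tables. The network 10.0.0.0/255.255.255.0 and the gateway 172.16.0.1 are placeholders for the ranges the article leaves out.

```powershell
# Added example: add and verify the persistent route to the internal network.
# Assumptions (placeholders): 10.0.0.0/255.255.255.0 is the internal network and
# 172.16.0.1 is the back-end TMG's perimeter interface. Run from an elevated prompt.
$InternalNetwork    = '10.0.0.0'
$InternalMask       = '255.255.255.0'
$BackEndPerimeterIp = '172.16.0.1'

function Get-RouteEntries {
    # Active routes live in Win32_IP4RouteTable; routes added with -p are also
    # recorded in Win32_IP4PersistedRouteTable and survive a reboot.
    param([string]$Destination, [string]$Mask, [switch]$Persistent)
    $class = 'Win32_IP4RouteTable'
    if ($Persistent) { $class = 'Win32_IP4PersistedRouteTable' }
    @(Get-WmiObject -Class $class | Where-Object { $_.Destination -eq $Destination -and $_.Mask -eq $Mask })
}

function Add-PersistentRouteToInternal {
    param([string]$Destination = $InternalNetwork, [string]$Mask = $InternalMask, [string]$Gateway = $BackEndPerimeterIp)
    $persisted = Get-RouteEntries -Destination $Destination -Mask $Mask -Persistent
    if ($persisted.Count -gt 0 -and ($persisted | Where-Object { $_.NextHop -ne $Gateway })) {
        throw "A persistent route for $Destination mask $Mask already exists with a different next hop; remove it first with: route delete $Destination mask $Mask"
    }
    if ($persisted.Count -eq 0) {
        $output = & route.exe -p add $Destination mask $Mask $Gateway 2>&1
        if ($LASTEXITCODE -ne 0) { throw "route add failed: $output" }
    }
    $active    = Get-RouteEntries -Destination $Destination -Mask $Mask
    $persisted = Get-RouteEntries -Destination $Destination -Mask $Mask -Persistent
    New-Object PSObject -Property @{
        Route      = "$Destination mask $Mask via $Gateway"
        ActiveNow  = [bool]($active    | Where-Object { $_.NextHop -eq $Gateway })
        Persistent = [bool]($persisted | Where-Object { $_.NextHop -eq $Gateway })
    }
}

Add-PersistentRouteToInternal | Format-List
```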


Add the front-end TMG as a domain member. Follow the same installation and initial configuration steps shown for the back-end TMG server. There are only two differences during the initial network settings configuration: selecting the internal ( and external (203.17.x.x/24) networks. Those are shown below.



Create Connectivity Verifier with AD, DNS and Web.


Networking > Networks > Internal > add and as internal IPs. Make sure the internal IP and perimeter IP of the back-end server are both within the internal network of the front-end server. Keep the default routing rules in the front-end TMG. Configure the properties of the internal network.





Verify Network Rules:


Configure the firewall to allow HTTP/HTTPS: Firewall Policy > New > Access Policy > allow HTTP and HTTPS for all users. Do not allow all outbound traffic from internal to external on the front-end server; only specific ports and protocols should be allowed.


Test the firewall: Log on to a computer in the internal network behind the back-end firewall. Set up the proxy in IE as shown below and browse the internet.


Placing Front-End Server(s) or a member server in DMZ:

Once you have completed the above steps, you are ready to place any front-end server(s), such as Exchange CAS, OCS 2007 and SharePoint servers, in the DMZ/perimeter. To publish secure web sites such as OWA, Outlook Anywhere or OCS, you need to import certificates from the Enterprise Root CA placed in the internal network (behind the back-end TMG) into the front-end TMG server. All publishing rules are applied on the front-end TMG server. I am not describing OWA or Outlook Anywhere here, as it would be redundant to write it again; I have shown all of these in my previous postings. Visit the links mentioned below.

Prerequisites for placing a member server in the DMZ: A member server must have the following TCP/IP configuration to work in the perimeter.

  • IP: perimeter IP range
  • DG: internal IP of the front-end TMG server
  • DNS: internal DNS
  • 2nd DNS: 203.17.x.x (public DNS)
  • Routing: as mentioned in the Persistent Routing section of this post
Relevant Articles:

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

How to publish Exchange Anywhere in Forefront TMG 2010

How to publish Exchange ActiveSync in Forefront TMG 2010

Exchange 2010 deployment in different firewall scenario

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

How to create E-Mail protection Policy in Forefront TMG 2010

Forefront TMG 2010: Publishing Exchange server 2010
