Welcome to Forefront Endpoint Protection 2010

Microsoft has released successor of Forefront Client Security i.e. Forefront Endpoint Protection 2010.

Minimum Systems Requirement for Management Server: windows server 2003 SP2

Component required:  Windows installer 3.1, .Net 3.5 SP1, SQL 2005SP2 or SQL 2008

SCCM 2007 SP2 installed with Hardware Inventory, Software Distribution and Desired Configuration Management are configured.

Client: Windows XP Sp3, Vista, Windows7, Windows Server 2003/2008

Components installed: Configuration Manager agent, Windows Installer 3.1, Filter manager rollup (KB914882), WFP rollup package (KB981889),Redistributed by client, Windows Update

What’s new? Forefront Endpoint Protection is built on SCCM. FEP provides single point of management and monitoring facilities.

  • FEP protects your organization from following threats:
  • FEP protects against the latest malware and rootkits with low false positives.
  • FEP detects system behavior and file reputation data to identify unknown threats.
  • FEP keeps employees productive with low performance impact scanning.
  • FEP helps administrators centrally manage Windows Firewall protections across the enterprise.

You can download FEP beta from Forefront Endpoint Protection site . Installation and deployment guidelines are available on TechNet. Basic setup guide is available on this link .

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Forefront TMG 2010 provides standard and enterprise version. On an Enterprise version you can deploy Forefront TMG in a single server (standalone deployment) or multiple servers in Enterprise Management Array deployment. In an Enterprise deployment, one TMG server perform as an Enterprise Management Server in an Enterprise Management Array (EMS). And rest of the TMG servers join in that array. A Forefront TMG array is a collection of Forefront TMG servers that are managed centrally, via a single management interface. It provides better management capacity, redundancy, fault tolerance and High Availability in a organisation where HA is calculated by 99.9%. An Array stored following information in Enterprise Management Server.

  1. Array configuration settings, which are relevant for, and shared by, all members of the array.
  2. Server configuration settings, which are relevant only for a specific array member, for each of the array members.

Standalone—Depending on the selected load balancing method, a standalone array can have up to 50 Forefront TMG servers managed by one of the array members that acts as the array manager; for more information about load balancing. Use this type of array if Forefront TMG is deployed in a single logical location and handles a medium traffic load.

EMS-managed—An EMS-managed array can have up to 200 Forefront TMG arrays, each holding up to 50 Forefront TMG servers, that are managed by an Enterprise Manager Server (EMS). Once you have set up an EMS-managed array, you can replicate its settings and manage up to 15 EMS-managed arrays using the same settings, thus enabling central management of up to 150,000 Forefront TMG servers.

Load balancing Forefront TMG servers in an array

An integrated Network Load Balancing (NLB) Feature is available in Forefront TMG. It enables you to take advantage of the benefits of central management, configuration, maintenance, and troubleshooting, which are not available if you configure NLB directly via the Windows-based NLB tools. Load balancing serves to balance network traffic among array members, so that traffic is optimized across all available servers.

Installation of Forefront TMG 2010 EMS

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

20

Check invoke and Click Finish once installation is done.

To assign administrative roles for enterprise administrators

1. In the Forefront TMG Management console, in the tree, click the Enterprise node.

2. On the Tasks tab, click Assign Administrative Roles.

3. On the Assign Roles tab, click the upper Add button. Then, do the following:

1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of Active Directory Lightweight Directory Services (AD LDS), and monitor arrays in the domain.

2. In Role, select one of the following:

Forefront TMG Enterprise Administrator—Authorizes the specified group or user to perform all administrative tasks in the enterprise and arrays in the domain.

Forefront TMG Enterprise Auditor—Authorizes the specified group or user to perform monitoring tasks, and to view enterprise and array configuration.

4. When you have finished, click OK.

5. In the details pane, click the Apply button, and then click OK.

21

22 

To assign administrative roles for array administrators

1. In the Forefront TMG Management console, in the tree, click the Forefront TMG node.

2. On the Tasks tab, click Assign Administrative Roles.

3. On the Assign Roles tab, click the upper Add button. Then, do the following:

1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of AD LDS.

2. In Role, select one of the following:

Forefront TMG Array Administrator—Authorizes the specified group or user to perform all administrative tasks in the array.

Forefront TMG Array Auditor—Authorizes the specified group or user to perform all monitoring tasks, and to view the array configuration.

Forefront TMG Array Monitoring Auditor—Authorizes the specified group or user to perform specific monitoring tasks.

4. When you are finished, click OK.

5. In the details pane, click the Apply button, and then click OK.

To enable Microsoft Update and activate licenses

  1. In the Forefront TMG Management console, in the tree, click the server name node.
  2. On the Tasks tab, click Launch Getting Started Wizard, and then click Define deployment options.
  3. On the Microsoft Update Setup page, click Use the Microsoft Update service to check for updates (recommended).
  4. On the Forefront TMG Protection Features Settings page, activate licenses for the protection features you want to enable. You can only download and install updated definitions for features that you have enabled.
  5. If you activated the Network Inspection System (NIS) license, on the NIS Signature Update Settings page, select the automatic update action you desire.
  6. Complete the wizard, and then click Finish. On the Apply Changes bar, click Apply.
  7. For WSUS update visit this Link

To Create an Enterprise Array

1. On the EMS, in the Forefront TMG Management console, Right click on Arrays. In the task pane, click New Array.

35

2. In the New Array Wizard, on the Welcome to the New Array Wizard page, enter the name of the array.

 36      

3. On the Array DNS Name page, enter the Domain Name System (DNS) of the array.

37

4. On the Assign Enterprise Policy page, in the Select the Enterprise policy to apply to this new array list, click the enterprise policy to apply to the array.

38

5. On the Array Policy Rule Types page, select the types of rules that may be created for the array firewall policy.

39

6. Click Finish and Apply Changes.

40

42

41

Important! All internal networks must be able to ping DNS record mentioned in step3.

To join an enterprise array from second TMG server.

1. In the Forefront TMG Management console, click the server name node.

2. On the Tasks tab, click Join Array.

43

3. On the Join Membership Type page, click Join an array managed by an EMS server.

  44 45   

4. On the Enterprise Management Server Details page, enter the fully qualified domain name (FQDN) of the EMS server, and then click the user account form used to connect to the server.

46

5. On the Join EMS Managed Array page, select whether to join an existing EMS managed array, or to create a new EMS managed array.

47

6. If you selected to create a new EMS managed array, on the Create New Array page, enter the details of the new array or Select existing Array, Click next and Click Finish.

48

49

Configuring intra-array communication on array members

1. In the Forefront TMG Configuration console, in the tree, expand the ServerName of the array, and then click System.

2. On the Servers tab, select a server, then on the Task tab, click Configure Selected Server.

3. On the Communication tab, on the Intra-Array Communication dialog box, enter the IP address used to communicate with other array members.

Important! Apply changes after every configuration has been done in TMG EMS.

To Configure Network Topology

Forefront TMG supports unlimited network adapters. However, the following network types, you can specify an IP address range or select a network adapter associated with the network you are configuring:

  • Internal network
  • Perimeter network
  • External network

IP addresses for network adapters associated with the same network should be identical on each array member.

Click on Enterprise Networks, Click Create a New Network Wizard or editing a selected network from Taskpad.

 23 24 25 26

27

The list of network adapter settings configured in Windows Server is logged to the Network Adapters tab in the Networking node. You can edit the network adapter settings.

From the Taskpad, Click Create New Network Rule Wizard

  28  30

29

31 32 33

34

Further Study:

Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter systems

Share thisAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Forefront TMG and BranchCache Hosted Cache deployed on the same host

BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

How Branchcache works? When a Windows 7 Client from a branch office request data such as WSUS content to a head office Server then server check authentication and authorise data to pass on to the client. This is an ordinary communication happens without branchcache also.

But with branchcache, The client uses the hashes in the metadata to search for the file in the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server. The Hosted Cache server connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server or WSUS server. The content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in branch. This time, it does not retrieve data from the DFS share residing in head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using server manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discuss and show how to configure WSUS to use  branchcache. The followings are the steps involve in head office and Branch Offices.

Head Office:

  1. Install and configure TMG Server (Upstream Proxy)
  2. Add FQDN of branch TMG server in DNS server
  3. Prepare necessary routing for both TMG

Branch Office:

  1. Install and configure TMG server
  2. Create DFS share in Branch Office
  3. Install and configure Branchcache File Server
  4. Configure GPO for Branchcache
  5. Validate hosted cache is working

By default, Forefront TMG blocks most traffic that is destined explicitly for the host or originating from the host. To allow BranchCache to function in Hosted Cache mode, you must define specific Forefront TMG policy rules so that BranchCache clients and the BranchCache Hosted Cache must communicate. To allow this communication you must define two Forefront TMG policy rules:

  1. Allow Hosted Cache Inbound Connections—A rule that allows clients to advertise new content to the Hosted Cache server, and retrieve data from the Hosted Cache server.
  2. Allow Hosted Cache Outbound Connections—A rule that allows the Hosted Cache server to retrieve advertised content from the client.

Step1: Connect Branch TMG (downstream TMG) with Head office TMG (Upstream TMG), Microsoft Active Directory and DNS.

1.Click on Monitoring, click Connectivity Verifiers, Click Create New Connectivity Verifier, Type the name of new connectivity verifier, Click Next.

2. Select Web Connectivity from drop down list, Type FQDN of Upstream proxy, Click Next and Click Finish.

3. Repeat step 1 and step 2 to create connectivity for Active Directory, and DNS.

4. Apply changes and Click ok.

Step 2: Write down which ports clients are actually configured to use

Choose any BranchCache client and check the registry. The registry keys below will contain the actual value if the defaults were modified.

  • The Retrieval port registry key (if not specified, the default is 80):
    HKLM\Software\Microsoft\WindowsNT\CurrentVersion\PeerDist\

             DownloadManager\Peers\Connection

  • The Hosted Cache port registry key (if not specified, the default is 443):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection

Step 3: Define the Retrieval protocol

  1. Select the Firewall Policy node.
  2. Select the Toolbox tab.
  3. Expand Protocols.
  4. Click New and then select Protocol.
  5. Enter the protocol definition name as “BranchCache -Retrieval” and click Next.
  6. Click New and add the new protocol, as follows:
    1. Protocol Type: TCP
    2. Direction: Outbound
    3. Port Range: From 80 to 80 (replace 80 if otherwise identified in step 1)
    4. Click OK.

  Step 4: Define the Hosted Cache protocol

  1. Select the Firewall Policy node.
  2. Select the Toolbox tab.
  3. Expand Protocols.
  4. Click New and then select Protocol.
  5. Enter the protocol definition name as “BranchCache -Advertise” and click Next.
  6. Click New and add the new protocol, as follows:
    1. Protocol Type: TCP
    2. Direction: Outbound
    3. Port Range: From 443 To 443 (replace 443 if otherwise identified in step 1)
    4. Click OK.

 Step 5: Create a rule to allow Hosted Cache Inbound Connections

  1. Select the Firewall Policy node.
  2. Select the Tasks tab.
  3. Click Create Access Rule.
  4. Define the rule name as “Allow Hosted Cache Inbound Connections” and then click Next.
  5. On the Rule Action page, select Allow and then click Next.
  6. On the This rule applies to page:
    1. Choose Selected Protocols from the list, and then click the Add button.
    2. In the Add Protocols dialog box, expand User-defined protocols.
    3. Select BranchCache -Retrieval protocol and click Add.
    4. Select BranchCache -Advertise protocol, click Add and then click Close.
    5. Click Next.
  7. On the Access Rule Sources page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
    3. Click Next.
  8. On the Access Rule Destinations page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
    3. Click Next.
  9. On the User Sets page, click Next to apply the rule to all users.
  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 6: Create a rule to allow Hosted Cache Outbound Connections

  1. Select the Firewall Policy tab.
  2. Select the Tasks tab.
  3. Click Create Access Rule.
  4. Define the rule name as “Allow Hosted Cache Outbound Connections” and click Next.
  5. On the Rule Action page, select Allow and then click Next.
  6. On the This rule applies to page:
    1. Choose Selected Protocols from the list, and then click the Add button.
    2. In the Add Protocols dialog box, expand User-defined protocols.
    3. Select BranchCache -Retrieval protocol and click Add.
    4. Click Next.
  7. On the Access Rule Sources page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
    3. Click Next.
  8. On the Access Rule Destinations page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
    3. Click Next.
  9. On the User Sets page, click Next to apply the rule to all users.
  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.
  11. Click Apply to save the changes and update the configuration.

 Step 7: (Optional) Reduce the impact of NIS Inspection on Hosted Cache traffic

NIS is a protocol decode-based traffic inspection feature of Forefront TMG that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources (for more information about NIS,

This topic is not applicable if NIS is not enabled. To check if NIS is enabled:

  1. Select the Intrusion Prevention System node.
  2. On the Tasks pane, click Configure Properties.
  3. On the General tab, verify that the Enable NIS check box is selected.

When enabled, NIS inspects all traffic, including traffic destined explicitly to the host or originating from the host. As a result, users may experience increased latency when retrieving cached objects from the Hosted Cache server.

In the case of a significant impact, it is recommended to choose one of the following options to mitigate the issue:

Disable the NIS inspection exclusively for traffic destined explicitly to the host or originating from the host.

The risk of disabling NIS for traffic destined explicitly to the host or originating from the host is small, for the following reasons:

  • NIS is applied to all other traffic, continuing to defend all internal un-patched machines. Forefront TMG itself, as an edge-located security device, is expected to be patched at all times, and thus protected from all known threats.
  • By default, NIS does not inspect non HTTP/HTTPS traffic destined explicitly to the host or originating from the host; thus disabling NIS on the local host has no impact on other protocols.
  • Forefront TMG does not initiate outbound web-access. As a result, the vulnerability of the host itself to web-originating threats is very low. As a common security practice, administrators are advised not to browse the Internet from the Forefront TMG host.

To disable NIS for traffic destined explicitly to the host or originating from the host:

1.The following registry key has a default value of 1. To disable localhost traffic inspection, use Regedit on the host to assign it a value of 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray

\Debug\IPS\IPS_LOCALHOST_INSPECTION_MODE

2. Re-apply the Forefront TMG policy:
Open any of the firewall policy rules and add a space anywhere in the rule description. Click Apply.

3.Change the BranchCache protocols default port numbers (from 80 and 443) to custom port numbers.
Explanation: By default NIS inspects only HTTP and HTTPS on localhost traffic. To retain that inspection without impacting BranchCache performance requires that BranchCache default ports be changed to any other available ports.

Branch Forefront TMG also provides:

  • Secure web-access via anti-malware, URL filtering and HTTPS inspection.
  • Firewall and Network Inspection System (NIS).
  • Reverse proxy (web-publishing) of web-applications at the branch.
  • Site-to-site VPN.
  • Roaming-user VPN.

Step8: Installing BranchCache File Server on TMG

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Step 10: Use Group Policy to configure branch cache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Step 9: use registry editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\CurrentControlSet\Service\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Step 10: Setup branchcache support tag on a file server

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase=“MY_PASSPHRASE”, and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Step 11: Configure client using GPO

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK.  or

To use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Step 12: Validate the Hosted Cache is working properly

  1. Choose any client on the Branch Office.
  2. Open the Performance Monitor and track the BranchCache “Bytes from Cache” counter and take note of the current value
  3. Open your Internet Browser. Clear the browser cache to make sure it is not utilized in this validation.
  4. Instructions for clearing the cache using Internet Explorer 8:

    1. On the Tools menu, select Internet Options.
    2. On the General tab, in the Browsing History section, click the Delete… button.
    3. In the opened dialog box, select the Temporary Internet Files check box and clear the other check boxes, then click Delete.
    4. Wait for the operation to complete, and then close the dialog boxes.
  5. Using the client, access or download an object with a known size from an HTTP/S application on a Windows 2008 R2 server.
  6. Expected result:
    • If the object was never accessed from the Branch, the counter should increment by the object size on the third attempt to access it (between attempts, make sure you clear the browser cache).
    • If the object was already accessed from the Branch, the counter should increment by the object size on the first or second attempt.

Relevant Study:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

DFS Step-by-Step Guide for Windows Server 2008

How to configure DFS to use fully qualified domain names in referrals

How to configure Windows Server Update Services (WSUS) to use BranchCache

Share thisAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter systems

Forefront TMG got inbuilt capabilities to work as an anti-spam, antivirus and content filter for E-Mail protection. TMG 2010 works hand to hand with Forefront Protection 2010 and Exchange Edge Transport Server to provide mail relay, anti-spam and antivirus protection. These two technologies include a variety of anti-spam and antivirus features that are designed to work together, to reduce the spam that enters and exits an organization. When deploying the e-mail protection feature in Forefront TMG, install Exchange Edge Transport Role and Forefront Protection for Exchange Server on the Forefront TMG computer. Forefront technologies provides layers of protection for Exchange Messaging Technologies.

Protection on the Edge: Provide a complete inspection and scan of all emails entering and leaving from organisation.

Integrated: Forefront TMG, Forefront Protection and Edge Transport are integrated (installed) in a single point.

Extended management: TMG enterprise version works in a management  array. So that you can install and manage more then one TMG server.

Network Load Balancing (NLB): Using NLB and a virtual IP address, you can deploy an array of firewall using Forefront TMG servers at the entry point of your organisation, thereby processing each and every email entering in your organisation. By deploying multiple Forefront TMG servers, each running Exchange Edge Transport Role and Forefront Protection , you can more easily maintain a highly available (HA) and protected vital messaging technology in your organisation.

Compiling Mail Exchanger (MX) Record: MX Record registered with ISP and pointing external IP address of TMG server

To install the Exchange Server Edge Transport role

  1. Run the Exchange Server Setup.exe file, and follow the steps in the Exchange Server Setup Wizard, including the installation of all the prerequisites.

  2. On the Installation Type page, click Custom Exchange Server Installation.

  3. On the Server Role Selection page, select Edge Transport Role, and click Next. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. Then, click Install to install Exchange.

  4. On the Completion page, click Finish.

For more information about Edge Transport and FPES visit Step by Step Guide on Exchange Server 2010 Edge Transport Role and Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

To configure E-Mail protection, log on to TMG server as an administrator. Open TMG Management console>Click on E-Mail Protection>Enable entire protection systems on E-Mail Policy Tab.

1

Click on Spam filtering tab> Click on enable on IP Allowed List>Add all internal IP addresses in your network.

2 3

4

Once finish. Click on Apply and OK.

Click on Enabled on sender reputation>Select Enabled in general tab.on the Thresholds Tab, select reputation ratings starting from 0 to 9. Apply and Ok. 

 8 9

Click on enable on content filtering. On the General Tab select enabled. Custom Words tab>Add blocked contents whatever you like. If you like you can add exceptions also on exception tab. Click SCL Thresholds tab>select desired options such blocked or quarantine email based reputation ratings.

 5 6 7

Apply and OK once finish.

In the sender filtering option, you can block based on domain name. domain name must added as www format.

 10

Click enabled on the file filter. Click file filter tab>click add button. Check enable this filter, select type of actions from drop down list. Purge will remove the content and deliver email only. Delete will delete the message with the contents. In the File Types tab, select preferred file types. You can add custom file types from File Name Tab. 

11 12 13 14 15

In the Antivirus configuration, select desired Antivirus engine that means the Antivirus you have installed in TMG server, preferred remediation method and Actions, TMG will take in-case TMG found virus.

16 17 18 19 20 21 22

Once all the configuration finished. Then Apply changes and click Finish.

23 

Important! Don’t forget to backup TMG server after changes you made.

Definition and Engine Update: To keep your systems protected from the latest threats, verify that Forefront TMG has connectivity to the selected update source, Microsoft Update or Windows Server Update Services (WSUS), and that automatic installation of the latest signatures is enabled. For more information visit Install and configure WSUS 3.0 SP2 – Step-By-Step and Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

shareAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

Forefront TMG maintains the definitions of known viruses, worms, and other malware. To keep these important definitions up to date, Forefront TMG has built in a centralized mechanism called the Update Centre that allows the administrator to configure the update frequency as well as the automatic update action. The Update Centre can be accessed from the Forefront TMG console.

The following features in TMG rely on signature updates:

clip_image001 Network Inspection System (NIS) Microsoft Update delivers signatures and protocols that help protect the network.

clip_image001[1] Malware Inspection Microsoft Update delivers Microsoft Antivirus definitions to filter virus-infected files that can be downloaded by the users from the Internet.

clip_image001[2] Exchange (Anti Spam) Microsoft Update delivers Anti Spam signatures to the

clip_image001[3] Exchange Anti Spam agent.

clip_image001[4] Forefront Security for Exchange (FSE) Recipient Update Services deliver definitions to multiple antivirus engines used in FSE.

clip_image001[5] URL Filtering Updates Microsoft Updates delivers new URL Filtering categories to filter out unwanted sites.

Configuring Windows Server Update Services (WSUS), follow the steps:

1. Log on to WSUS server.

2. Open WSUS Console. In the left hand pan Click Options.

3. Click on Products and Classifications, Products and Classification Window will appear

4. On the Products Tab, scroll down to Forefront. Check Forefront Threat Management Gateway Definition update for HTTP malware Inspection, check Forefront TMG MBE and Forefront TMG definition update for Network Inspection system.

5. Click on Apply and Ok. Close WSUS Console.

To configure Update Centre in Forefront TMG 2010, follow these steps:

1. In the left pane of the TMG management console, click Update Centre.
2. In the right pane, under Tasks, click Configure Settings

3. The Update Centre Properties setting appears, with the Definition Updates tab selected

4. Highlight Malware Inspection and click Configure Selected.
5. The Definition Update Configuration settings appear

6. The default automatic update action is Check For And Install Updates. The other two options available are Only Check For Updates and No Automatic Action. For this example we will leave this at its default and recommended setting.

7. The Automatic polling frequency is set to 15 minutes by default. This is the time
interval in which TMG will poll for new definition updates. This can be increased up to 4 hours.

8. You can also set an alert to be triggered in case no new updates are installed within
a certain number of days. The default value for that is set to 5 days.
9. Click OK to return to the Definition Updates tab under Update Centre Properties
settings.
10. Highlight Network Inspection Service (NIS) and click Configure Selected. Again the Definition Update Configuration settings for NIS appears, which is the same as what we saw for Malware Inspection except for the number of days to trigger an alert (45 days for NIS).
11. Click OK to return to the Definition Updates tab under Update Centre Properties
settings.
12. Click the Microsoft Update tab

13. TMG uses Microsoft Update services to deliver malware updates to TMG. For TMG to receive these updates make sure that the option Use The Microsoft Update Service To Check For Updates is selected.
14. Click Microsoft Update Service to configure the policy configuration for protection mechanism definition updates

15. The option selected by default is Use Machine Default Service But Fallback To Microsoft Update. Here, check use Windows Server Update Services (WSUS).

16. Click Apply and OK to return to the TMG console.

Relevant Articles

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Beer mugAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

How to publish Exchange ActiveSync in Forefront TMG 2010

Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management>Expand Forefront Server>Right Click on Firewall Policy>Click New>Click Exchange Web Client Publishing Rule>Type Rule Name>Click Next>Select Exchange 2010 from Exchange version>check Exchange ActiveSync. Click Next. Now follow the screen shots for rest of the configuration.

1 2 3 4 5 6 7 8 9 10 11

Click Finish and Apply changes.

12 13

Once, Exchange ActiveSync published. Now You have to setup authentication type mentioned earlier. Click on E-Mail Policy>Select E-Mail Policy Tab>Select SMTP/Internal/External Policy you have created  earlier for Outlook Web Access using Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010 this link. Double click on the policy>click Listener Tab>Click on Advanced>check same authentication type (for example: basic authentication) selected in this rule. Apply and Ok.  Repeat all other rules you have created such as OWA, Outlook Anywhere.

In the exchange ActiveSync publishing rule, I have selected basic authentication. So I have to setup authentication type in the IIS of CAS server placed in DMZ or perimeter. Now log on to Exchange CAS server. Start menu>Administrative Tools>Internet Information Services (IIS) manager>Click Default Web Site. On the right hand side window, double click on Authentication. Now select basic authentication>right click and enable basic authentication. If you have selected different authentication type in exchange publishing rule then select and enable the authentication type as appropriate for your situation.

 14 15

Relevant Articles:

Understanding Exchange ActiveSync

Understanding Outlook Anywhere

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

How to publish Exchange Anywhere in Forefront TMG 2010

share thisAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

How to publish Exchange Anywhere in Forefront TMG 2010

Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management>Expand Forefront Server>Right Click on Firewall Policy>Click New>Click Exchange Web Client Publishing Rule>Type Rule Name>Click Next>Select Exchange 2010 from Exchange version>check Outlook Anywhere and Publish additional folders on the exchange server for outlook 2007 clients. Click Next. Now follow the screen shots for rest of the configuration.

1 2 3 4 5 6 7 8 9 10 11

Once you click finish then apply changes.

Relevant Articles:

Understanding Outlook Anywhere

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

share this Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine