Forefront TMG 2010: Frequently Asked Questions (FAQ)

What is Forefront Threat Management Gateway?

Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections – including URL filtering, antimalware inspection, intrusion prevention, application proxy, and HTTP/HTTPS inspection – that are integrated into a unified, easy-to-manage gateway, reducing the cost and complexity of Web security. Forefront TMG enables organizations to perform highly accurate Web security enforcement by stopping employee access to dangerous sites, based on reputation information from multiple Web security vendors and the technology that protects Internet Explorer 8 users from malware and phishing sites.

What features does Forefront Threat Management Gateway 2010 SP1 include? 

This service pack will include a number of improved features and enhancements, including:

Improved reporting features

  * New User activity reports to monitor Web surfing information
  * New look and feel for all TMG reports

Enhancements to URL filtering

  * User override for access restriction on sites blocked by URL filtering, allowing more flexible and easier deployment of web access policy
  * Override for URL categorization on the enterprise level
  * Customized denial notification pages to fit an organization’s needs

Enhanced branch office support

  * Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache Server
  * Forefront TMG and a read-only domain controller can be located on the same server, reducing TCO at branch offices

Support for publishing SharePoint 2010

What is a secure Web gateway?

A secure Web gateway is a solution designed to keep users safer from Web-based threats. In general, it will include Web anti-malware inspection, URL filtering, and HTTPS inspection. With its long history as Microsoft ISA Server, Forefront Threat Management Gateway 2010 adds strong inspection of Web-based protocols to help ensure they conform to standards and are not malicious. It further extends this strong application layer inspection through the Network Inspection System.

How is Forefront Threat Management Gateway 2010 different than Microsoft ISA Server 2006?

Forefront Threat Management Gateway is different in four major ways:

Secure Web Gateway: Forefront Threat Management Gateway 2010 can be used to protect internal users from Web-based attacks by integrating Web antivirus/anti-malware and URL filtering. With HTTPS inspection, it can even provide these protections in SSL-encrypted traffic.

Improved Application Layer Defenses: Forefront Threat Management Gateway 2010 includes Network Inspection System, which enables protection against vulnerabilities found in Microsoft products and protocols.

Improved Connectivity: Forefront Threat Management Gateway 2010 enhances its support for NAT scenarios with the ability to designate e-mail servers to be published on a 1-to-1 NAT basis. Additionally, Forefront Threat Management Gateway 2010 recognizes SIP traffic and provides a method to traverse the firewall.

Simplified Management: Forefront Threat Management Gateway 2010 has improved wizards to simplify its deployment as well as its continued configuration.

How is Forefront Threat Management Gateway 2010 different than Forefront Threat Management Gateway, Medium Business Edition (TMG MBE)?

Forefront Threat Management Gateway MBE is a product designed specifically for mid-sized businesses purchasing Windows Essential Business Server. Forefront Threat Management Gateway 2010 builds on its functionality to provide a complete secure Web gateway solution, with such features as URL filtering and HTTPS inspection. It also delivers enhanced application layer inspection with Network Inspection System. With these features and others, it enables organizations to provide a higher level of security to their users.

Does Forefront Threat Management Gateway 2010 require 64-bit servers?

Yes, Forefront Threat Management Gateway 2010 runs on a server with a 64-bit processor. For more details, please see the system requirements.

How is TMG 2010 licensed?

See the How to Buy page.

Is Forefront TMG part of the Forefront Protection Suite and ECAL?

Forefront TMG Web Protection Service is part of Forefront Protection Suite and ECAL. Forefront TMG 2010 is not part of these suite offerings and must be licensed separately.

What is the Forefront Threat Management Gateway Web Protection Service?

The Forefront Threat Management Gateway Web Protection Service provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.  

Does Forefront TMG 2010 include Forefront TMG Web Protection Service?

No. Forefront TMG Web Protection Service is licensed separately. It can be licensed stand-alone, as part of the Forefront Protection Suite, or Enterprise CAL.

Do Forefront TMG 2010 customers have downgrade rights to ISA 2006?

Yes.  Customers who purchase Forefront TMG have downgrade rights to Microsoft Internet Security and Acceleration Server 2006.

What is the difference between Forefront Threat Management Gateway 2010 Standard and Enterprise editions?

Forefront TMG 2010 Enterprise Edition license gives customers increased scalability, provides access to a central management console, and provides extensive support for virtual environments.  The following chart outlines the differences between these editions:

| Feature | Standard | Enterprise |
| --- | --- | --- |
| Network Load Balancing | No | Yes |
| Cache Array Routing Protocol | No | Yes |
| Enterprise Management Console | No* | Yes |
| Support for unlimited virtual CPUs | No | Yes |

Can I migrate ISA to TMG and change FQDN of new TMG?

Yes, you can. See Migrate ISA.

Can I install TMG on a DC?

No. This is not a supported configuration.

Can I configure reverse proxy using a single NIC configuration?

A single NIC with reverse proxy is not a good idea; why not two NICs? See Reverse proxy for more info.

How many NICs do I need to configure a back-to-back TMG firewall?

Two NICs in each TMG server.

What type of IP do I use on a 3-leg perimeter or DMZ?

Public IP is recommended.

Can I use TMG as a router?

Yes, you can configure TMG as a router.

What types of VPN does TMG support?

See the VPN config.

How can I configure NLB on TMG?

See this link NLB step by step

How can I configure a cluster of TMG?

See this link

Can I manage TMG from my admin PC?

Yes, you can. Link

Can I configure TMG as a proxy cache?

TMG proxy Cache step by step

How can I retrieve a custom report from the TMG server?

See built in TMG reporting and Proxy inspector

How can I configure reverse proxy using TMG?

See this Reverse proxy for more info

Can I configure a back end TMG server behind Cisco ASA firewall?

Yes you can.

How can I configure ISP redundancy?

Here is a guide for ISP redundancy

How can I reinstall TMG?

See this link for answer

Troubleshooting Outbound FTP Access in ISA & TMG Server

Internal networks protected by Microsoft ISA or TMG may require access to FTP sites on the Internet. ISA/TMG Server support for outbound FTP access depends on a number of factors, including:

  • Type of client request.
  • Limitations of the FTP client application.

ISA Server provides support for three types of clients:

  • Firewall clients   Client computers with Firewall Client for ISA Server software installed and running have full support for complex protocols with secondary connections, such as FTP.
  • SecureNAT client computers that use ISA Server in their route to the Internet   In a simple network, these SecureNAT clients have a default gateway pointing to the ISA Server computer. ISA Server provides application filters to handle complex protocols for SecureNAT. FTP support is provided by the FTP access filter.
  • Web proxy clients   Web proxy clients make CERN proxy requests to FTP servers on the Internet. When an FTP client application is configured to use ISA Server as a Web proxy, FTP requests are handled by ISA Server Web Proxy Filter, and passed over Hypertext Transfer Protocol (HTTP) between the client and ISA Server. The FTP client application can be an Internet browser, such as Microsoft Internet Explorer®, or a command-line or graphical user interface (GUI) FTP tool (CuteFTP or WS_FTP).

Client support can be summarized as follows:

  • For Web proxy client requests, ISA Server does not support FTP uploads. FTP requests are passed over HTTP, and support for Active or Passive mode is a global ISA Server setting.
  • For non-Web proxy requests from Firewall clients or SecureNAT client computers, read/write FTP access is supported. The default setting for the ISA Server FTP access filter is read-only. Either Active or Passive FTP mode can be used, according to communications with the FTP server.
  • For more information about having more granular control of client FTP commands, see the topic “FTP Access Filter” in “Configuring Add-Ins” in the ISA Server SDK at Microsoft MSDN.

The following sections describe common troubleshooting issues.

Web proxy clients cannot upload to an FTP site

  • Symptom: Web proxy clients cannot upload to an FTP site. The following message may appear: “The folder FTP_Name is read-only because the proxy server is not set up to allow full access.”
  • Issue: When a client computer makes a request as a Web proxy client, FTP requests are passed over HTTP, and only FTP downloads are supported.
  • Solution: Install Firewall Client for ISA Server software to configure the computer as a Firewall client, or configure the computer as a SecureNAT client. For more information about client configuration, see “Internal Client Concepts in ISA Server 2006” at the ISA Server TechCenter. You may not have to remove Web proxy settings on the client. For example, a browser such as Internet Explorer will try to make a SecureNAT client request before making a Web proxy request. Success is dependent on the ability of the browser to resolve the FTP server name to an IP address.

Web proxy clients cannot download from an FTP server using PASV mode

  • Symptom: Attempts by Web proxy clients to download from a PASV mode FTP server fail.
  • Issue: By default, FTP traffic handled by Web Proxy Filter uses Active mode.
  • Solution: Set the DWORD value NonPassiveFTPTransfer to 0 in the registry on the ISA Server computer, which sets the mode to Passive. The default value is 1, indicating that Active mode is used. For information about setting this registry key, see the Microsoft Knowledge Base article 300641 “How to enable passive CERN FTP connections through ISA Server 2000 or ISA Server 2004 Standard Edition.” The registry instructions in this article also apply to ISA Server 2006 and ISA Server 2004 Enterprise Edition.

How to ensure that FTP requests are not proxied over HTTP

  • Symptom: Outbound FTP requests from internal clients are being proxied over HTTP and are thus read-only.
  • Issue: FTP over HTTP is limited to read-only.
  • Solution: If you are using Internet Explorer, you can configure the browser to access FTP servers directly. Alternatively, you can configure client computers as SecureNAT clients, or install Firewall Client software. ISA Server will detect these settings, and FTP traffic will be handled by the Microsoft Firewall service and will not be proxied. For information about configuring Internet Explorer to make a direct FTP request, see the section “How to enable Internet Explorer to make a request directly to the FTP server,” later in this topic.

How to enable Internet Explorer to make a request directly to the FTP server

  • Symptom: By default, Internet Explorer makes a direct request to an external FTP server, instead of making the request over HTTP.
  • Issue: You can specify a setting in Internet Explorer so that requests are made directly.
  • Solution: Specify the appropriate setting in Internet Explorer by doing the following.

To proxy an Internet Explorer FTP request

  1. Start Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. Click the Advanced tab.

  4. In the Settings list, do the following:

Note that when you select the Enable folder view for FTP sites check box, Internet Explorer behaves as a standard FTP client and uses Active mode, even if the Use Passive FTP check box is enabled.

How to configure Passive and Active mode in Internet Explorer

Issue: Internet Explorer needs to be configured to use Passive or Active mode.

Solution: Before configuring Passive or Active mode, it is useful to understand the implications for each mode, as follows:

  • In Active mode, the FTP client uses a PORT command to inform the server that it should connect to a specific IP address and port, and then send the data. This requires that the firewall allows inbound access from port 20 on the FTP server to all high-number ports for the client.
  • In Passive mode, the FTP client uses a PASV command to request that the server tell the client which IP address and port it should connect to in order to send and receive data. This requires that the firewall allows outbound access to all high-number TCP ports on the FTP server, and to inbound high-number TCP ports for the client.

ISA Server supports both modes. To configure Internet Explorer in Active or Passive mode, do the following:

To configure Internet Explorer 7 to use Passive mode

  1. On the Tools menu of Internet Explorer, click Internet Options.
  2. Click the Advanced tab.
  3. In the Browsing section of the Settings list, do the following:

To configure Internet Explorer 7 to use Active mode

  1. On the Tools menu of Internet Explorer, click Internet Options.
  2. Click the Advanced tab.
  3. In the Browsing section of the Settings list, follow the steps in the above pictures.

How to access an FTP site that is not anonymous using Internet Explorer

  • Symptom: Internet Explorer cannot access FTP sites requiring credentials.
  • Issue: When FTP requests are sent over HTTP for Web proxy clients, only anonymous access is allowed. To use Internet Explorer as an FTP client when an FTP server requires authentication, you must configure Internet Explorer for direct FTP access.
  • Solution: Enable the Enable folder view for FTP sites check box in Internet Explorer. This causes Internet Explorer to prompt for credentials. Then specify credentials in the following format: ftp://username:password@ftp.usdirectcom.net/. Alternatively, configure the client as a SecureNAT or Firewall client and access the FTP server using an alternative FTP client.

HTTP 502 Proxy Error – The login request was denied

  • Symptom: When accessing an external FTP site that requires authentication, the following error is received: “HTTP 502 Proxy Error – The login request was denied.”
  • Issue: Web proxy normally sends anonymous authentication information to an FTP site in the first request. If the FTP site rejects and closes the connection at the first try, this error is issued. If you monitor the FTP traffic, you will see a log entry similar to: “Port: 21 FTP failed connection attempt user: anonymous request: Get ftp://FTPServer/.”
  • Solution: When accessing an external FTP site that requires authentication from a Web proxy client, provide credentials in the URL, in the following format: ftp://username:password@FTPServerName.

This issue does not occur in the following circumstances:

  • SecureNAT clients or Firewall clients make the FTP request.
  • The Enable folder view for FTP sites check box is selected in Internet Explorer. With this setting enabled, Internet Explorer sends the request directly to the FTP site if it can resolve the remote host name, ignoring browser settings. If the host name cannot be resolved, the browser is used.

Firewall client computers require the FTP access filter for outbound FTP access

  • Symptom: An access rule to allow Firewall client computers outbound FTP access must use the FTP access filter.
  • Issue: Even though Firewall client computers can handle complex secondary protocols such as FTP, the FTP access filter is required.
  • Solution: Although the FTP access filter is not required for Firewall clients to handle the complex FTP protocol, the FTP access filter defines and dynamically opens the secondary connections required for FTP. ISA Server provides a predefined FTP protocol, but the protocol definition only includes the primary connection.

Permissions error message when Firewall clients access an Active mode FTP server using ISA Server 2004

Symptom: Client computers running Firewall Client for ISA Server software receive an error message when accessing an external FTP server. Clients using Internet Explorer receive the following error message: “Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.” Clients using other FTP client applications may receive the following message: “425 Can’t open data connection.”

Issue: The problem is the handling of the TCP connection in the following circumstances:

  • ISA Server 2004 Firewall Client software is used.
  • ISA Server 2004 Standard Edition is installed.
  • When using Internet Explorer, the Enable folder view for FTP sites check box is selected.
  • When using Internet Explorer, the Use Passive FTP check box is cleared.

Solution: Check that you have the hotfix installed that is described by the Microsoft Knowledge Base article 884580 “Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004.” This hotfix is included in ISA Server 2006 and ISA Server 2004 Enterprise Edition.

SecureNAT clients cannot access external FTP servers

Symptom: Computers configured as SecureNAT clients (with their default gateway pointing directly or indirectly to the ISA Server computer for Internet access) cannot access external FTP servers.

Issue: There may be an issue with protocol definitions, access rules, or client settings.

Solution: Check the following:

  • SecureNAT clients must be able to resolve the FTP server name themselves. Ensure that name resolution is working correctly for SecureNAT clients.
  • SecureNAT clients require the FTP access filter for FTP communications. To check that the filter is enabled, do the following.

To verify that the FTP access filter is enabled

  1. In ISA Server Management, expand the Configuration node, and then click Add-ins.

  2. On the Application Filters tab, right-click FTP Access Filter, and then click Properties.

  3. On the General tab, ensure that Enable this filter is selected.

  4. Click OK. Note: Do NOT leave the Allow active FTP access box ticked. This is potentially an unsafe feature to activate.

  5. When using ISA Server Enterprise Edition, if this filter is enabled at the enterprise level, it is enabled for all arrays, and it cannot be disabled at the array level.

  • Check that an access rule is configured to allow outbound FTP access. For example, to allow access to all users, the following rule would be configured:
      • Selected protocols: FTP
      • From: Internal
      • To: Create a computer set with the address of the FTP server
      • User sets: All Users
  • We recommend that the rule destination is limited to the FTP server. Create a computer set containing the IP address of the FTP server. The rule should be applied to all users. SecureNAT clients cannot use access rules requiring authentication. The predefined FTP protocol is bound by default to the FTP filter.
  • Check that the predefined FTP protocol used in the rule has the correct ports enabled. If you want to access an FTP server on an alternate port, you cannot access it using a SecureNAT client. Instead, you must install Firewall Client for ISA Server software on the client, and then create a custom FTP protocol definition with the alternative port. Note that the FTP access filter only listens on the standard FTP control port, TCP port 21. You cannot modify the port settings for the FTP access filter.
  • If you are using a non-browser FTP client application, ensure that it does not have Web proxy settings configured.

FTP upload is not available in a single network adapter configuration

  • Symptom: Internal clients are not able to do FTP uploads when ISA Server is installed with a single network adapter.
  • Issue: In a single network adapter scenario, FTP requests are handled by Web Proxy Filter, as FTP over HTTP requests. Web Proxy Filter supports FTP download only.
  • Solution: Verify the limitations of a single network adapter configuration. For more details, see the following documents at the ISA Server TechCenter at Microsoft TechNet:

Troubleshooting Unsupported Configurations in ISA Server and Configuring ISA Server 2004 on a Computer with a Single Network Adapter (Note that the information in this document also applies to ISA Server 2006.)

ISA Server does not support outbound secure FTP connections

  • Symptom: Clients require access to FTP servers over Secure FTP (FTPS).
  • Issue: ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections. FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP filter to monitor FTP communication. Outbound Secure Sockets Layer (SSL) connections cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
  • Solution: Although there may be a workaround by installing Firewall Client software and creating a custom FTP protocol definition that is not bound to the FTP application filter, this is not supported.
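
The Active/Passive mode description and the FTPS limitation above both come down to what a filter can read on the FTP control channel. The following is an added Python example, not ISA/TMG code: it derives the secondary data connection from PORT commands and 227 replies, and stops once the server accepts AUTH. The names `Pinhole`, `parse_hostport` and `track_control_channel` and the sample sessions are constructed for illustration; NAT rewriting of the advertised address is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# "h1,h2,h3,h4,p1,p2": the address form carried by PORT and by the 227 reply to PASV.
_HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b"
)


@dataclass(frozen=True)
class Pinhole:
    """One secondary (data) connection the filter would have to permit."""
    mode: str                 # "active" (PORT) or "passive" (PASV)
    opened_by: str            # IP of the side that initiates the data connection
    src_port: Optional[int]   # 20 for Active mode, any port for Passive mode
    dst_ip: str
    dst_port: int
    allowed: bool             # False if the advertised IP is not the control-channel peer


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 sequence, or None if malformed."""
    match = _HOSTPORT.search(text)
    if match is None:
        return None
    octets = [int(group) for group in match.groups()]
    if any(value > 255 for value in octets):
        return None
    return ".".join(str(v) for v in octets[:4]), octets[4] * 256 + octets[5]


def track_control_channel(
    lines: Iterable[Tuple[str, str]], client_ip: str, server_ip: str
) -> Tuple[List[Pinhole], bool]:
    """Follow a cleartext control channel; lines are (sender, text), sender "C" or "S".

    Returns (pinholes, blind). blind is True once the server accepts AUTH
    (reply 234): everything after that is TLS, so PORT/PASV can no longer be read.
    """
    pinholes: List[Pinhole] = []
    awaiting_pasv = awaiting_auth = False
    for sender, text in lines:
        verb = text.split(" ", 1)[0].upper()
        if sender == "C":
            awaiting_pasv = verb == "PASV"
            awaiting_auth = verb == "AUTH"
            if verb == "PORT":
                target = parse_hostport(text)
                if target is not None:
                    ip, port = target
                    # Active mode: the server connects from port 20 to the client.
                    pinholes.append(
                        Pinhole("active", server_ip, 20, ip, port, ip == client_ip)
                    )
        else:
            if awaiting_auth and verb == "234":
                return pinholes, True
            if awaiting_pasv and verb == "227":
                target = parse_hostport(text)
                if target is not None:
                    ip, port = target
                    # Passive mode: the client connects to the port the server chose.
                    pinholes.append(
                        Pinhole("passive", client_ip, None, ip, port, ip == server_ip)
                    )
            awaiting_pasv = awaiting_auth = False
    return pinholes, False


# Constructed sample sessions (documentation addresses, not captured traffic).
CLIENT, SERVER = "192.0.2.20", "203.0.113.10"
ACTIVE = [("C", "USER anonymous"), ("S", "331 Password required"),
          ("C", "PORT 192,0,2,20,19,137"), ("S", "200 PORT command successful"),
          ("C", "LIST")]
PASSIVE = [("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
           ("C", "RETR report.txt")]
FTPS = [("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
        ("C", "<TLS record>"), ("S", "<TLS record>")]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE), ("passive", PASSIVE), ("ftps", FTPS)):
        print(name, track_control_channel(session, CLIENT, SERVER))
```

In the FTPS session the tracker returns no pinholes and `blind=True`, which is the situation the Issue bullet describes: with the control channel encrypted, the data port is never visible to the filter.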

How to create E-Mail protection Policy in Forefront TMG 2010

1. On the TMG computer (or using the remote management console), open the Forefront TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane.

3. Click E-Mail Policy and in the task pane click Configure E-Mail Policy

4. When you access this option, the E-mail Protection Wizard launches. Click Next to continue

5. The next step allows you to define two options: the internal mail server that TMG will send e-mail to and the domain from which TMG will accept messages. The internal mail server for this scenario will be the Exchange 2007 Hub Transport Server (Example: 10.10.10.10/24) and TMG will accept messages only when the destination is the domain (Example: wolverine.com.au). If you have multiple domains and multiple Hub Transport servers within your organization, you can also add multiple entries in this option.

6. To add Exchange 2007 Hub Transport Server’s IP Address, click Add. Add the Exchange 2007 Hub Transport Server(s) computer name and IP address

7. Click OK. The Internal Mail Server Configuration page now has the Exchange server(s) name and IP address

8. Click Add to add domain (Example: wolverine.com.au)

9. Click OK. The Internal Mail Server Configuration page now shows the accepted domains, Click Next to continue.

10. On the next page of the wizard, you define which network interface TMG uses to communicate with the Exchange Server that you specified in step 6 (Example: 10.10.10.10). For this example, select the Internal interface, where TMG has connectivity to the Exchange Hub Transport Server.

11. Click Next. The External Mail Routing Configuration page appears

12. Enter the fully qualified domain name (FQDN) that will appear in the response to a HELO or EHLO SMTP command. This name should be the one that resolves to the reverse DNS lookup of the external TMG’s IP address. Select the TMG interface that will be used to communicate to the Internet. For this example the FQDN is mail.wolverine.com.au and the interface will be External

13. Click Next and the Mail Protection Configuration page appears. Select both options (Enable Spam Filtering and Enable Virus And Content Filtering).

14. Click Next. A summary page with all selections appears

15. Click Finish. The dialog box appears, asking whether you want to enable the system policy for SMTP Protection. Click Yes.

16. The E-Mail Policy tab changes according to the settings that you selected in the wizard.

17. Click Apply to save the changes and then click OK.

18. Apply changes. Close the TMG console.

Relevant Articles:

Understanding E-Mail Protection on Forefront TMG

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Microsoft Forefront Protection 2010 for Exchange Server provides ultimate protection for Microsoft Exchange Server 2010 from viruses, worms, spyware and spam. Forefront Protection 2010 is an additional component included in Forefront TMG 2010 Enterprise version. However, you can download and install Forefront Protection 2010 on a server that is assigned the Microsoft Exchange Client Access Server (CAS) role. CAS is an Internet-facing server placed in a perimeter (DMZ). To ensure comprehensive protection, Microsoft Forefront Protection 2010 for Exchange Server (FPE) can be deployed on Exchange Edge Transport, Hub Transport, Mailbox server, or combined Hub/Mailbox roles. Forefront Protection 2010 for Exchange Server can be installed together with Forefront TMG 2010 if TMG 2010 is installed on an Edge Transport server. System requirements for Forefront Protection 2010 are similar to those of other Exchange Server roles. You need an additional 2GB of free RAM and 2GB of free disk space on top of all other requirements.

Installation of Forefront Protection 2010

Monitoring Configuration

Once you finish the installation, open Forefront Protection 2010 from the Start menu. Now configure monitoring of incidents, quarantine and notifications.

Policy Management Configuration

Now configure Policy Management. Enable Edge Transport, Proxy, Antispam. Set up the engine, and set up internal and external scan. Place internal IP addresses in the allow list.

Relevant Topics:

Download Forefront Protection 2010

Microsoft Forefront Protection 2010

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

 

Intrusion Prevention System

Log on to the Forefront TMG server using admin credentials. Open Forefront TMG 2010>Expand Forefront TMG>Intrusion Prevention System>Right Click>Configure Property

Add Network sets and web sites for exemptions

Forefront TMG 2010 Web Caching 

Open Forefront TMG 2010>Expand Forefront TMG>Web Access Policy>Task Pane>Click on Configure Web Caching

Apply>Close Cache Settings.

Apply Changes>ok.

Forefront TMG 2010 Log

Open Forefront TMG 2010>Expand Forefront TMG>Logs & Reports>Tasks Pane>Click on Configure Web Proxy Logging

Repeat these for TMG Firewall Logging.

Forefront TMG Reporting

Forefront TMG E-mail Policy (Adding Exchange Hub Transport Server)

Open Forefront TMG 2010>Expand Forefront TMG>E-Mail Policy>Configure E-mail Policy. Adding the Exchange 2010 Hub Transport Server will allow SMTP traffic to pass through among internal, perimeter and external networks.

Relevant Topics:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step Part I

Migrating a single ISA Server to Forefront TMG 2010 Step by Step

Blogs on Microsoft ISA Server
