Branding and Customizing the ADFS Sign-in Pages

Branding and promoting a company name and logo are common business practices, and you would like to see your own brand while signing in to Microsoft Office 365. ADFS gives businesses the opportunity to customize the sign-in page and promote their own brand. Here are the simple steps to brand the ADFS sign-in page.

Remote into the ADFS server and follow the steps below to customize the ADFS portal.

Change company name

Import-Module ADFS

Set-AdfsGlobalWebContent -CompanyName "Domain Corp"

Change company logo

Create a logo of 260×35 pixels at 96 dpi with a file size no greater than 10 KB and save it to a path such as C:\Domain\logo.png. Then run the following PowerShell command:

Set-AdfsWebTheme -TargetName default -Logo @{path="c:\Domain\logo.png"}

Change Illustration

Create an illustration photo to be displayed on the left-hand side of the sign-in page. Produce illustration.png at 1420×1080 pixels and 96 dpi with a file size no greater than 200 KB.

Set-AdfsWebTheme -TargetName default -Illustration @{path="c:\Domain\illustration.png"}

Add sign-in page description

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Sign-in to Domain Corp requires you comply with corporate information uses policy. Click <a href='http://www.Domain.com/policies/'>here</a> for more information.</p>"

Add Help Desk Link

Set-AdfsGlobalWebContent -HelpDeskLink https://www.Domain.com/help/ -HelpDeskLinkText Help

Add Home Link

Set-AdfsGlobalWebContent -HomeLink https://www.Domain.com/home/ -HomeLinkText Home

Add Privacy Link

Set-AdfsGlobalWebContent -PrivacyLink https://www.Domain.com/privacy/ -PrivacyLinkText Privacy

Customize the Update Password page description

Set-AdfsGlobalWebContent -UpdatePasswordPageDescriptionText "This is the Domain Corp Update Password page."

Customise error page

Set-AdfsGlobalWebContent -ErrorPageGenericErrorMessage "This is a generic error message. Contact Domain Corp IT Support on 123466 for assistance."

Build Custom theme

Export the current theme using the cmdlet below.

Export-AdfsWebTheme -Name default -DirectoryPath c:\Domain\Theme\Custom

Create a custom theme, based on the default theme, that will replace the existing one.

New-AdfsWebTheme -Name Custom -SourceName default

Open the exported script file C:\Domain\Theme\Custom\script\onload.js in Notepad.

Add this line at the bottom of the script to change the placeholder text in the username input box:

document.forms['loginForm'].UserName.placeholder = 'username@domain.com';

Add the following lines at the bottom of the script to change the text above the login form; this is sample code from Microsoft.

// Sample code to update the username format text "someone@example.com".
var userNameInput = document.getElementById(Login.userNameInput);
if (userNameInput) {
    // userNameInput element is present, modify its properties.
    userNameInput.setAttribute('placeholder', 'Corp UserName OR EmailAddress');
}

// Sample code to change the "Sign in with organizational account" string.
// Check whether the loginMessage element is present on this page.
var loginMessage = document.getElementById('loginMessage');
if (loginMessage) {
    // loginMessage element is present, modify its properties.
    loginMessage.innerHTML = 'Sign in with your company email address OR Corp UserName and password';
}

// If the user typed a six-digit employee number, prefix it with the NetBIOS
// domain so it is submitted as Corp\123456.
var AppendUPN = function () {
    var userName = document.getElementById(Login.userNameInput);
    if (userName && (/^\d+$/.test(userName.value)) && userName.value.length == 6) {
        userName.value = 'Corp\\' + userName.value;
    }
    return true;
};

// Run AppendUPN before the form is submitted, both on the button click and on Enter.
document.getElementById('submitButton').onclick = function () {
    AppendUPN();
    return Login.submitLoginRequest();
};
document.getElementById('loginForm').onkeypress = function (event) {
    if (event && event.keyCode == 13) {
        AppendUPN();
        Login.submitLoginRequest();
    }
};
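As an added example (not from the original post or Microsoft's sample), here is a testable version of the AppendUPN rule above that also handles the edge cases a sign-in page sees (surrounding whitespace, an already-qualified DOMAIN\user or UPN value, non-string input) and wires itself in with a plain event handler instead of new Function, which builds code from a string. The element ids loginForm, userNameInput and submitButton and the Login.submitLoginRequest callback are assumed from the ADFS page; the "Corp" NetBIOS domain is the page's own value.

```javascript
// Added example, not part of the original post. The page's rule: a value of
// exactly six digits is an employee number and gets the "Corp\" prefix.
const NETBIOS_DOMAIN = "Corp";     // value used by the post's AppendUPN
const EMPLOYEE_ID = /^\d{6}$/;     // exactly six digits, nothing else

// Normalise what the user typed before it is submitted to ADFS.
function normalizeUserName(raw) {
  if (typeof raw !== "string") return "";
  const value = raw.trim();
  if (value === "") return "";
  // Already qualified (DOMAIN\user or user@domain): leave it untouched so a
  // user who typed the full name is not given a double prefix.
  if (value.includes("\\") || value.includes("@")) return value;
  if (EMPLOYEE_ID.test(value)) return NETBIOS_DOMAIN + "\\" + value;
  return value;
}

// Attach the normaliser to the sign-in form. `doc` is the page document and
// `submit` is ADFS's Login.submitLoginRequest (both assumed names). Returns
// false when the expected elements are not on the page, so the hook fails
// closed instead of throwing inside onload.js.
function installUserNameHook(doc, submit) {
  const form = doc.getElementById("loginForm");
  const userName = doc.getElementById("userNameInput");
  const button = doc.getElementById("submitButton");
  if (!form || !userName || !button) return false;

  const fixAndSubmit = function () {
    userName.value = normalizeUserName(userName.value);
    return submit();
  };
  // Plain function handlers: no string-to-code evaluation, so the script also
  // works under a Content-Security-Policy that disallows 'unsafe-eval'.
  button.onclick = fixAndSubmit;
  form.onkeypress = function (event) {
    if (event && event.keyCode === 13) fixAndSubmit();
  };
  return true;
}

// In the real onload.js the page's document and Login object are present;
// the guard lets the file also load in a test harness without a browser.
if (typeof document !== "undefined" && typeof Login !== "undefined") {
  installUserNameHook(document, Login.submitLoginRequest);
}
```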

When you are done, save the file and upload the change to the newly created theme:

Set-AdfsWebTheme -TargetName Custom -AdditionalFileResource @{Uri='/adfs/portal/script/onload.js'; path="c:\Domain\Theme\Custom\script\onload.js"}

Now apply the changes with this command:

Set-AdfsWebConfig -ActiveThemeName Custom

Use these commands to verify your settings:

Get-AdfsWebConfig

Get-AdfsGlobalWebContent

Configure Forefront TMG as a Proxy Cache

A proxy server provides a number of useful functions in a company's network infrastructure. Proxy servers go out and retrieve Web pages and content and return them to the internal network users. Because the proxy, and not the client itself, retrieves the Web pages, the clients gain an extra layer of protection: their internal IP addresses are hidden from the Internet. The proxy mechanism makes browsing external Web sites safer for internal clients.

If employees are constantly requesting pages from the same Web sites, the proxy server can store those requests locally on the server. When additional requests are made for content that has already been retrieved and stored locally, the proxy server will send the requesting client the copies of the pages from its stored cache. Utilizing this function, a proxy server will not have to go back out again and fetch the requested Web pages.

Forefront TMG 2010 can be configured to act as a proxy server in your environment to accelerate the performance of Internet access, as the name implies. The following flow chart shows how TMG performs proxy caching.

Figure: Flow chart of TMG proxy cache handling

Forefront TMG 2010 performs the following steps:

1. Forefront TMG 2010 checks whether the object is valid. If the object is valid, Forefront TMG 2010 retrieves the object from the cache and returns it to the user.

2. If the object is invalid, Forefront TMG 2010 checks the Web Chaining rules.
3. If a Web Chaining rule matches the request, Forefront TMG 2010 performs the action specified by the Web Chaining rule; for example, it routes the request directly to the specified Web server, to an upstream proxy, or to an alternate server.

4. If the Web Chaining rule is configured to route the request to a Web server, Forefront TMG 2010 determines whether the Web server is accessible.
5. If the Web server is not accessible, Forefront TMG 2010 determines whether the cache was configured to return expired objects. If the cache was configured to allow Forefront TMG 2010 to return an expired object as long as a specific maximum expiration time hasn’t passed, the object is returned from the cache to the end user.

6. If the Web server is available, Forefront TMG 2010 determines whether the object may be cached depending on whether the cache rule is set to cache the response. If it is, Forefront TMG 2010 caches the object and returns the object to the end user.
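The six-step decision above, modelled as an added example (this is not Forefront TMG code). The cache is a Map of URL to { body, expires }, fetchUpstream stands in for the route chosen by the Web Chaining rule and returns null when the Web server is not accessible, and rule carries the cache-rule settings; all names and the sample URL are constructed for the example.

```javascript
// Added example, not Forefront TMG code: a model of the six-step cache decision.
// Times are in seconds. `rule` fields: cacheResponses (step 6),
// returnExpiredWhenUnreachable and maxExpiredSeconds (step 5).
function resolveRequest(cache, url, now, fetchUpstream, rule) {
  const entry = cache.get(url);

  // Step 1: a valid (not yet expired) object is served straight from the cache.
  if (entry && entry.expires > now) {
    return { source: "cache", body: entry.body };
  }

  // Steps 2-4: no valid object, so the request is routed as the Web Chaining
  // rule says and TMG checks whether the Web server can be reached.
  const response = fetchUpstream(url);
  if (response === null) {
    // Step 5: server unreachable. An expired object is returned only when the
    // rule allows it and the object has not passed the maximum expiration time.
    if (entry && rule.returnExpiredWhenUnreachable &&
        now - entry.expires <= rule.maxExpiredSeconds) {
      return { source: "expired-cache", body: entry.body };
    }
    return { source: "error", body: null };
  }

  // Step 6: server available. Cache the object only if the cache rule says so
  // and the response itself is cacheable, then return it to the user.
  if (rule.cacheResponses && response.cacheable) {
    cache.set(url, { body: response.body, expires: now + response.ttl });
  }
  return { source: "web-server", body: response.body };
}

// Constructed stub origin server that can be switched off to simulate an outage.
function makeStubServer() {
  const server = { up: true, hits: 0 };
  server.fetch = function (url) {
    if (!server.up) return null;
    server.hits += 1;
    return { body: "content of " + url, cacheable: true, ttl: 60 };
  };
  return server;
}

// Walk one URL through the states the flow chart covers and return where each
// answer came from plus how many times the origin was actually contacted.
function demo() {
  const cache = new Map();
  const server = makeStubServer();
  const rule = { cacheResponses: true, returnExpiredWhenUnreachable: true, maxExpiredSeconds: 300 };
  const url = "http://www.example.com/index.html"; // constructed sample URL
  const trace = [];
  trace.push(resolveRequest(cache, url, 0, server.fetch, rule).source);    // miss: fetched and cached
  trace.push(resolveRequest(cache, url, 30, server.fetch, rule).source);   // valid object: from cache
  server.up = false;
  trace.push(resolveRequest(cache, url, 100, server.fetch, rule).source);  // expired, server down, within window
  trace.push(resolveRequest(cache, url, 1000, server.fetch, rule).source); // expired, server down, past window
  return { trace: trace, originHits: server.hits };
}
```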

Figure: Simple Visio diagram of proxy cache

Cache Storage: Forefront TMG 2010 can store objects on the local hard disk and, for faster access, keeps the most frequently requested objects on both disk and in RAM. Cached pages can be stored immediately in memory (RAM) for access by end users requesting the Web content; a lazy-writer (buffered-writer) approach then writes the pages to disk. By default, 10 percent of physical memory is allocated for RAM caching. The cache file is stored as follows:

  1. Drive:\urcache\Dir1.cdat
  2. Must be NTFS non system partition (Local disk)
  3. Maximum cache size 64GB

Types of Cache:

Forward Caching: caches all Internet traffic from external to internal, that is, all Internet pages requested by internal users.

Reverse Caching: caches all objects sent from internal to external. This works with publishing to help offload the published server.

Configuring Forefront TMG 2010 Web Proxy & Proxy Cache

1. Open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2. In the left pane click Web Access Policy.

3. In the right pane under the Tasks tab, scroll down and click Web Proxy. Check Enable web proxy client connections for this network. Check Enable HTTP and type port 80, or if you want to use the web proxy on port 8080, type 8080.

4. Click Authentication, select Integrated, and click OK.

5. Click Advanced, select Unlimited, and click OK.

6. Now click Apply and then OK.

7. Click Configure Web Caching. You will see the Cache Settings dialog box. Click the Cache Drives tab to access the Forefront TMG 2010 cache storage configuration.

8. Select the array member to enable the Configure button.

9. Click Configure to define the cache size and location.

10. To define the cache location and size, select the non-system partition where you want to store the cache file and enter the desired size of the cache file in the Maximum Cache Size (64000MB) text box. Click Set and then click OK to close the Cache Settings window.

11. Click Apply to apply the changes.

Add new cache Rule

1. Go back to Cache Settings mentioned above

2. Click on Cache Rules Tab, Click New button, you will be presented with Cache rule wizard

3. Type name of cache rule for example: Microsoft update Cache rule, click Next

4. You will see cache rule destination, Click Add>Click New>Click URL sets

5. Type the name of the URL set (for example, Microsoft Update). Click Add and type the URL. Repeat this for each of the other URLs you want cached.

6. Click Ok. Now you will see Microsoft Update URL set. Select Microsoft Update URL set. Click Add and Click close to close URL sets.

7. Click Next. Select "If a valid version of the object exists in the cache. If no valid version exists, route the request to the server". Click Next.

8. In the Cache Content window select "If source and request headers indicate to cache". You may also select dynamic content. Click Next.

9. In the Cache Advanced Configuration window, check Do not cache objects larger than 1GB (or your preference, but remember you have a 64GB cache size). Check Cache SSL responses. Click Next.

10. In the HTTP caching window, keep default settings, Click next

11. In the FTP caching window, keep default or Modify, Click next

12. Click Finish. Apply Changes.


How to create E-Mail protection Policy in Forefront TMG 2010

1. On the TMG computer (or using the remote management console), open the Forefront TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane.

3. Click E-Mail Policy and in the task pane click Configure E-Mail Policy

4. When you access this option, the E-mail Protection Wizard launches. Click Next to continue

5. The next step allows you to define two options: the internal mail server that TMG will send e-mail to and the domain for which TMG will accept messages. The internal mail server for this scenario is the Exchange 2007 Hub Transport Server (example: 10.10.10.10/24), and TMG will accept messages only when the destination is the domain (example: wolverine.com.au). If you have multiple domains and multiple Hub Transport servers in your organization, you can add multiple entries here.

6. To add Exchange 2007 Hub Transport Server’s IP Address, click Add. Add the Exchange 2007 Hub Transport Server(s) computer name and IP address

7. Click OK. The Internal Mail Server Configuration page now has the Exchange server(s) name and IP address

8. Click Add to add domain (Example: wolverine.com.au)

9. Click OK. The Internal Mail Server Configuration page now shows the accepted domains, Click Next to continue.

10. On the next page of the wizard, you define which network interface TMG uses to Communicate with the Exchange Server that you specified in step 6 (Example: 10.10.10.10). For this example select Internal Interface where TMG has connectivity to the Exchange Hub Transport Server,

11. Click Next. The External Mail Routing Configuration page appears

12. Enter the fully qualified domain name (FQDN) that will appear in the response to a HELO or EHLO SMTP command. This name should be the one that resolves to the reverse DNS lookup of the external TMG’s IP address. Select the TMG interface that will be used to communicate to the Internet. For this example the FQDN is mail.wolverine.com.au and the interface will be External

13. Click Next and the Mail Protection Configuration page appears. Select both options (Enable Spam Filtering and Enable Virus And Content Filtering).

14. Click Next. A summary page with all selections appears

15. Click Finish. The dialog box appears, asking whether you want to enable the system policy for SMTP Protection. Click Yes.

16. The E-Mail Policy tab changes according to the settings that you selected in the Wizard,

17. Click Apply to save the changes and then click OK.

18. Apply the changes and close the TMG console.


How to configure HTTPS Inspection in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > Forefront TMG Management Console > expand the Forefront server > click Web Access Policy > in the right-hand Task pane scroll down to Web Protection Tasks. Under Web Protection Tasks you will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering and Configure URL Category. Now follow these steps to define these policies.

1. Click Configure HTTPS Inspection.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection

3. Click the Generate button and the Generate Certificate dialog box will appear

4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall

5. Leave the Issuer Statement field blank and click Generate Certificate Now. You will see a certificate. Click OK to close the Certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. You will see the Certificate Deployment Options dialog box,

7. Click Automatic Deployment. You will see an authentication dialog box

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain's Enterprise Trusted Root certificate store. Click OK. A command window will appear briefly and, if the procedure succeeds, a confirmation dialog box appears.

9. Click OK to close this dialog box.

10. Click OK to close the Certificate Deployment options dialog box.

11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list

12. Click Add to open the Add Network Entities dialog box

13. In the Add Network Entities dialog box, click New and then click Domain Name Set. You will see the New Domain Name Set Policy Element dialog box

14. In the Name field, type Excluded Sites. Click Add. When New Domain appears in the list of domain names included in this set, change it to http://www.wolverine.com.au. Click Add again and change New Domain to http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now show both entries.

15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box will appear

16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.

17. In the Block Expired Certificate After (Days) text box, type 7

18. In the HTTPS Outbound Inspection dialog box, click the Client notification tab.

19. Select Notify Users That Their HTTPS Traffic Is Being Inspected

20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty. For the purpose of this example we will leave this option empty.

21. Click OK to close the HTTPS Outbound Inspection dialog box.

22. Click Apply in the TMG management centre pane, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane feature display will change

23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating a successful CA certificate import.

Configuring the HTTP Filter

1. On the TMG Server computer (or using remote management console), open the TMG Management Console.

2. Click TMG (Array Name) in the left pane.

3. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

4. When you choose Configure HTTP, the Configure HTTP Policy For Rule dialog box will appear. In this dialog box you have four options to configure: HTTP Methods, Extensions, Headers and Signatures. Follow the steps below for each; you can do them all at once or come back later by repeating these steps.

General

On the General tab you can set the header length, allow any payload, block high-bit characters and block Windows executable content. Accept the defaults and go to the next steps, or modify them to your desired configuration.

HTTP Methods

1. Open the drop-down list in the option Specify The Action Taken For HTTP Methods and select Block Specified Methods (Allow All Others).

2. The Add button will become available. Click Add and type PUT.

3. Click OK and your Methods tab will appear

4. Type the appropriate notes in the Configuration Change Description window and click Apply to commit this change.

Extensions

1. Open the drop-down list in the option Specify The Action Taken For File Extensions and select Block Specified Methods (Allow All Others)

2. The Add button will become available. Click Add and type MP3

3. Click OK. The Methods tab will appear.

4. Click OK and then, in the main TMG console, click Apply to commit this change.

Headers

1. Click Firewall Policy, right-click the http://www.wolverine.com.au Web Publishing rule and choose Configure HTTP.

2. Click the Headers tab and the window will appear

3. In the Server Header drop-down list, choose Modify Header In Response

4. Type the name with which you want to substitute the Server’s name

5. Click OK and then click Apply in the main TMG console to commit the changes.

Blocking Signature

1. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

2. When you click Configure HTTP the Configure HTTP Policy For Rule dialog box will appear. Click the Signatures tab and the window will appear

3. Click Add and the do the following in the Signature window:

· Type Block MSN Messenger in the Name field.

· Select Request Headers from the Search In drop-down list.

· Type Description as Block MSN Messenger signature

· In Signature Type, type MSN Messenger

4. Click OK and your Signature tab will appear

5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.

6. Repeat steps 1 to 6 if you want to block more signatures.

Important! Blocking a signature searched in the Request URL may block entire Web sites whose URLs contain that specific signature.
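To make the effect of these HTTP filter settings checkable offline, here is an added example (not TMG code) that models how the blocked method, blocked extension and header signature configured above are applied to a request, and that reproduces the Request URL caveat. Case-insensitive matching is an assumption of the model, and all request values are constructed.

```javascript
// Added example, not Forefront TMG code: the three rules configured in the
// HTTP Methods, Extensions and Blocking Signature sections, as data.
const httpFilterPolicy = {
  blockedMethods: ["PUT"],
  blockedExtensions: ["mp3"],
  signatures: [
    { name: "Block MSN Messenger", searchIn: "Request Headers", pattern: "MSN Messenger" },
  ],
};

// File extension of a URL path, lower-cased, or "" when there is none.
function extensionOf(pathname) {
  const last = pathname.split("/").pop();
  const dot = last.lastIndexOf(".");
  return dot > 0 ? last.slice(dot + 1).toLowerCase() : "";
}

// The text a signature is searched in, according to its "Search In" setting.
function searchSpace(request, searchIn) {
  switch (searchIn) {
    case "Request URL":
      return request.url;
    case "Request Headers":
      return Object.keys(request.headers)
        .map(function (k) { return k + ": " + request.headers[k]; })
        .join("\r\n");
    case "Request Body":
      return request.body || "";
    default:
      return "";
  }
}

// Evaluate one request against the policy. Returns { action: "allow" } or
// { action: "block", reason } so the log line can say which rule fired.
function evaluateHttpFilter(policy, request) {
  const method = request.method.toUpperCase();
  if (policy.blockedMethods.map(function (m) { return m.toUpperCase(); }).includes(method)) {
    return { action: "block", reason: "method " + method };
  }

  const ext = extensionOf(new URL(request.url).pathname);
  if (ext && policy.blockedExtensions.map(function (e) { return e.toLowerCase(); }).includes(ext)) {
    return { action: "block", reason: "extension " + ext };
  }

  for (const sig of policy.signatures) {
    // Matching is case-insensitive here; that is an assumption of this model.
    const haystack = searchSpace(request, sig.searchIn).toLowerCase();
    if (haystack.includes(sig.pattern.toLowerCase())) {
      return { action: "block", reason: "signature " + sig.name };
    }
  }
  return { action: "allow" };
}

// The caveat from the post: the same pattern searched in the Request URL
// instead of the headers matches any page whose URL contains it.
const urlSignaturePolicy = {
  blockedMethods: [],
  blockedExtensions: [],
  signatures: [{ name: "Messenger in URL", searchIn: "Request URL", pattern: "messenger" }],
};
```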


Configure Malware Inspection, NIS and URL Filter in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > Forefront TMG Management Console > expand the Forefront server > click Web Access Policy > in the right-hand Task pane scroll down to Web Protection Tasks. Under Web Protection Tasks you will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering and Configure URL Category. Now follow these steps to define these policies.

Enabling Per-Rule Malware Inspection

1. On the Forefront TMG Management Console, click Web Access Policy.

2. Select the access rule that you want to change, right-click it, and choose Properties

3. Click the Malware Inspection tab. Check Inspect content downloaded from Web servers and Force full content requests.

4. Click Apply and Ok. Apply Changes

Testing Internet Access with Malware Inspection

1. Click Forefront TMG (Array Name) in the left pane.

2. Click the Logs & Reports node in the left pane and then click Edit Filter in the Task Pane

3. In the Filter By drop-down list, select Client IP.

4. In the Condition drop-down list, select Equals.

5. In the Value field, enter the IP address of the test client, such as 10.10.10.10

6. Click Add To List and then click Start Query.

7. At a test client workstation, launch Internet Explorer and open the Web site http://www.eicar.org/anti_virus_test_file.htm

8. Click the file called eicar.com in the download area for HTTP Protocol. The user will receive the notification from TMG

9. In TMG Logging you can see that the file was blocked, along with details about why it was blocked.

Configuring URL Filtering

1. In the left pane of the TMG management console, select Web Access Policy.

2. In the right pane, click Configure URL Filtering.

3. To enable URL Filtering globally, on the General tab of the URL Filtering Settings dialog box, select Enable URL Filtering

4. In the URL Filtering Settings dialog box, click the URL Category Override tab. Note that by default this list is empty.

5. Click OK to close the URL Filtering Settings dialog box.

6. In the right pane of the TMG management console, click the Toolbox tab.

7. In the Toolbox, click New and then click URL Category Set

8. On the Welcome To The New URL Category Set Wizard page, type Blocked Categories and click Next.

9. On the URL Category Selection page, do the following:

· Select Includes All Selected URL Categories.

· In the URL Category list, select Dating / Personals, Media Sharing, and Web Phone

10. On the Completing The New URL Category Set Wizard summary page, verify that the configuration agrees with that described by the Security team and click Finish.

Per-Rule URL Filtering Configuration

1. In the TMG management console centre pane, double-click the Blocked Web Destinations deny rule.

2. In the Blocked Web Destinations Properties dialog box, click the To tab, and then click Add.

3. In the Add Network Entities dialog box, expand URL Category Sets, select Blocked Categories, click Add, and then click Close.

4. In the Blocked Web Destination properties dialog box, verify that the destinations list appears as shown

5. Click the Action tab.

6. In the Denied URL Request Action section, do the following:

· Select Display Denial Notification To User.

· Type Access to this site is blocked by Security Team in the Add Custom Text Or HTML To Notification Text field.

· Select Add Denied Request Category To Notification.

7. Click OK to close the Blocked Web Destinations Properties dialog box.

8. In the TMG management console centre pane, click Apply to enforce the rule changes. When prompted by Change Control, enter a description of your actions and click Apply.

Testing URL Filtering

At any client served by TMG, open a browser and type http://explicit.bing.net in the address bar. Notice that the request denial page includes the message “Access to this site is blocked by Security Team” you specified in step 6 of Per-Rule URL Filtering Configuration.

Network Inspection System (NIS)

1. In the left pane of the TMG management console, select Intrusion Prevention System

2. In the middle pane, select Network Inspection System and click Enable. The NIS properties will appear.

3. Click General Tab, Check Enable NIS

4. Click on Exceptions Tab, Select Site Exempt from NIS, Click Add button and add desired sites. Click Add button again to add Network Set such as Internal Network.

5. Click Definition Tab. You may keep default settings or desired settings

6. Click the Protocol Anomalies Policy tab and click Allow to avoid blocking legitimate sites.

7. Apply changes. Click ok.

8. Click on Behavioural Intrusion Detection Tab, Enable all Common behavioural intrusion detection check boxes.

9. Apply changes and Click Ok.

Important! In the NIS Tasks, you can add desired policies or accept Microsoft Default Policies. You can also define exception rules in NIS.

Generating Malware, NIS and URL filter report

1. Click Logs & Reports in the TMG console, click the Reporting tab, and then click Create One-Time Report under Tasks in the right pane

2. The One-Time Report Wizard launches. Enter a name for the report and click Next.

3. On the Report Period page, you can specify the start time and end time for data collection to be shown in the report. The start and end times can be based on a day or a month. Because reports are based on the previous day, the date needs to be prior to the current date. After selecting the start and end dates, click Next.

4. On the Report Content page, you can select the content to be included in the report. If you want only malware statistics, check boxes Malware Protection/URL Filtering/Network Inspection System/Security (one or more boxes) and click Next.

5. On the Send E-Mail Notification page, you can configure TMG to send e-mail notification for completed reports. After filling in the relevant fields, click Next.

6. On the Report Publishing page, the administrator can choose to publish the report to a central directory either on the same TMG server or a remote different server. After filling in the relevant fields, click Next.

7. On the Completing the One-Time Report Wizard page, you are notified that you have successfully completed the One-Time Report Wizard. You can also view a brief summary of the report’s configuration. Click Finish.

8. The report now appears under the Reporting tab with the information that you just configured. Click Apply to process the report.

9. Click Logs & Reports in the TMG console and then click Create Recurring Report Job under Tasks in the right pane. Follow similar steps and add schedules to run the report.


Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010 has been built on top of the core capabilities delivered in Microsoft Internet Security and Acceleration (ISA) Server 2004/2006 in order to deliver a comprehensive, enhanced and integrated network security gateway. Forefront TMG provides additional protection capabilities to help secure the corporate network from external, Internet-based threats, prevents abuse of the network by internal and external entities, and provides more management capabilities in terms of security and protection. Forefront TMG 2010 is available in Standard Edition and Enterprise Edition. The Standard Edition does not support arrays, NLB, CARP or Enterprise Management. For e-mail protection, both editions require an Exchange license.

Forefront TMG 2010 provides the following enhanced protection capabilities:

  • Malware inspection
  • URL filtering
  • HTTP filtering
  • HTTPS inspection
  • E-mail protection
  • Network Inspection Systems (NIS)
  • Intrusion detection and prevention
  • Secure routing and VPN

    Understanding Network Topology

    The following Forefront TMG network topologies are available:

    • Edge firewall—In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network and the external network (usually the Internet).

      Figure: Edge firewall topology

    • 3-Leg perimeter—This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network.

    Figure: 3-Leg perimeter topology

    • Back firewall—In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.

    Figure: Back firewall topology (back and front firewall layouts)

    • Single network adapter—This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.

    Figure: Single network adapter topology

    Functionality of a single network adapter topology

    The single network adapter topology enables limited Forefront TMG functionality, that includes:

    • Forward (CERN) proxy for HTTP, HTTPS, and CERN proxy FTP (download only).
    • Web caching for HTTP and CERN proxy FTP.
    • Web publishing. HTTP-based communications, such as Microsoft Office SharePoint Server, Exchange Outlook Web Access 2007, ActiveSync®, and remote procedure call (RPC) over HTTP (Outlook Anywhere, Terminal Services Gateway or WSMAN-based traffic).
    • Dial-in client virtual private network (VPN) access.

    Limitations of a single network adapter topology

    The following limitations apply when you use the single network adapter topology:

    • Server publishing and site-to-site VPN are not supported.
    • SecureNAT and Forefront TMG Client traffic are not supported.
    • Access rules must be configured with source addresses that use only internal IP addresses.
    • Firewall policies must not refer to the external network.

    Hardware Requirements

    System requirements depend on the number of users and the deployment scenario. Forefront TMG is a vital part of an ICT infrastructure. To achieve the best performance, give the TMG server the best processing power and memory you can; the following will give you optimum performance.

    Processor: Intel Xeon (dual-core/quad-core/i7) or AMD Opteron (dual-core/quad-core). Enable Intel Hyper-Threading Technology in the BIOS on an Intel server board.

    RAM-8GB

    Disk Space –50GB systems partitions and 150GB logging +60GB-100GB Web caching in a separate partition. RAID 5 config would be highly recommended.

    NIC- 2 Gigabit NIC with redundant config (number of NICs depends on deployment scenario)

    Important! Forefront TMG has been built on 64 architecture.

    Operating Systems and features

    Windows Server 2008 SP2 64 bit or Windows Server 2008 R2

    Microsoft .NET Framework 3.5 SP1

    Windows Web Services API

    Network Policy Server.

    Routing and Remote Access Services.

    Active Directory Lightweight Directory Services Tools.

    Network Load Balancing Tools.

    Windows PowerShell

    Windows Installer 4.5

    Important! Do not install any application or programme other than antivirus software on the TMG server; it must be a dedicated Forefront TMG server. Disable unnecessary services after installing the operating system. Request a machine certificate from the enterprise root CA before installing TMG. The TMG server must be a member of the Active Directory domain.
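    The checklist above can be verified before the preparation tool is run. The following script is an added example, not part of the original post or of the TMG product: run in an elevated PowerShell on the future TMG server, it reports each prerequisite as pass or fail, including the static IP addresses that the Network Setup Wizard later requires on every adapter. The Windows feature names in it are assumed to be the Windows Server 2008 R2 names; compare them with Get-WindowsFeature output on your build.

```powershell
# Added example: pre-flight check of the Forefront TMG prerequisites listed above.
# Run elevated on the server that will become the TMG server, before the Preparation Tool.
Import-Module ServerManager   # Get-WindowsFeature lives here on Windows Server 2008 R2

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. 64-bit operating system: TMG 2010 is 64-bit only
$os = Get-WmiObject Win32_OperatingSystem
Add-Check "64-bit OS" ($os.OSArchitecture -eq '64-bit') "$($os.Caption) $($os.OSArchitecture)"

# 2. .NET Framework 3.5 SP1 (the installer records Install=1 and SP=1 under this key)
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
Add-Check ".NET 3.5 SP1" ($ndp -ne $null -and $ndp.Install -eq 1 -and $ndp.SP -ge 1) "Install=$($ndp.Install) SP=$($ndp.SP)"

# 3. Memory: 8 GB recommended above
$cs = Get-WmiObject Win32_ComputerSystem
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check "RAM >= 8 GB" ($ramGB -ge 8) "$ramGB GB"

# 4. Active Directory domain membership
Add-Check "Domain member" ([bool]$cs.PartOfDomain) $cs.Domain

# 5. Machine certificate from the enterprise CA: must have a private key and be unexpired
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) })
Add-Check "Machine cert present" ($certs.Count -gt 0) (($certs | ForEach-Object { $_.Subject }) -join '; ')

# 6. Windows features the TMG Preparation Tool expects
#    (feature names are an assumption for 2008 R2; compare with Get-WindowsFeature output)
foreach ($f in 'NPAS-Policy-Server', 'NPAS-RRAS-Services', 'RSAT-ADLDS', 'NLB') {
    $wf = Get-WindowsFeature $f -ErrorAction SilentlyContinue
    if ($wf) { Add-Check "Feature $f" ([bool]$wf.Installed) $wf.DisplayName }
    else     { Add-Check "Feature $f" $false "feature name not found on this OS" }
}

# 7. Static IP on every IP-enabled adapter: the Network Setup Wizard requires it
foreach ($n in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE") {
    Add-Check "Static IP: $($n.Description)" (-not $n.DHCPEnabled) (($n.IPAddress) -join ', ')
}

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning "Fix the failing checks before running the Forefront TMG Preparation Tool."
}
```

    A failed feature check is not fatal on its own, since the Preparation Tool installs missing roles, but a missing machine certificate, DHCP-assigned adapter or workgroup membership will come back to bite you in the wizards, so fix those first.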

    Installation of Forefront TMG

    Prepare a 64-bit Windows Server 2008 installation. Insert the Forefront TMG DVD into the server and run the Preparation Tool; it installs the prerequisite roles and features listed above.

    Click continue on UAC authorization prompt.

    Check Launch TMG installation. Click finish.

    Add the ranges of internal IP addresses, for example 10.10.10.1 to 10.10.10.255. Add as many ranges as you have internal subnets: any subnet behind the internal adapter that is not listed here is treated by TMG as spoofed traffic and dropped.

    Open Forefront TMG Management from start menu. TMG will automatically prompt you for initial configuration.

    Step 1: Network Setup Wizard. Use it to configure the network adapters on the server; each adapter is associated with a unique Forefront TMG network. Every NIC on the TMG server must have a static IP address before you proceed to the network settings.

    This is the most important part of the configuration because here you choose the network topology. In this guide I am configuring a de-militarized zone (DMZ), the 3-Leg Perimeter template; select the template that matches your design.

    In this section you select how traffic is handled between the internal, perimeter (DMZ) and external networks: a route relationship passes packets with their original addresses, while a NAT relationship rewrites the source address to TMG's own. My Forefront TMG 2010 server routes between internal and perimeter and NATs between perimeter and external, because the perimeter uses private addresses; NAT hides the perimeter addresses from the Internet. The relationship only decides how packets are addressed; whether they are allowed at all is still decided by the access rules.

    Step 2: System Configuration Wizard. Use it to configure operating system settings such as the computer name and domain or workgroup membership.

    Step 3: Deployment Wizard. Use it to configure malware protection for web traffic and to join the customer feedback program and telemetry service.

    Networks, Proxy and Update Configuration

    Open Forefront TMG Management. In the left-hand pane select Update Center, then click Configure Settings in the task pane and set the update policy. If you have Windows Server Update Services (WSUS) you may select WSUS; otherwise use Microsoft Update.

    Select Networking, then the Networks tab, and double-click Internal. You will be presented with Internal Properties. Configure each tab as described below.

    In the domain tab, add internal domain(s). For example: *.wolverine.com.au

    In the web browser tab, check Bypass Proxy… and Directly Access….

    Verify the internal IP address ranges you added during installation. You can add more ranges in this window if you need to.

    Check Publish automatic discovery information for this network and keep port 80 as the default. Clients find the proxy through the wpad host record in DNS or DHCP option 252, so point those at the TMG server. A client that cannot resolve wpad falls back to broadcast name resolution, where any host on the segment can answer in TMG's place, so make sure the record exists.

    In the Forefront TMG Client Settings tab, check Enable Forefront TMG Client support for this network, uncheck Automatically detect settings and Use automatic configuration script, and check Use a Web proxy server.

    In the Web Proxy tab, enable HTTP clients and keep port 80 as the default (port 8080 is a common alternative). Click Authentication and check Integrated; this ties every outbound request to a domain identity, so access rules can be applied per user and the proxy log records who went where. Click Advanced and check Unlimited. Apply and click OK.

    Apply changes.

    Now repeat all these config for perimeter networks as you did for internal networks.

    Connecting Active Directory, DNS and DHCP

    Set up connectivity verifiers for Active Directory, DNS and DHCP. Click Monitoring, then Connectivity Verifiers, then Create New Connectivity Verifier, and create one verifier each for Active Directory, DNS and DHCP.

    Click Next and Finish, then repeat for DNS and DHCP. If you have an upstream proxy, add a verifier for it in the same way.

    Create HTTP and HTTPS rule

    Out of the box the only rule is the default rule, which denies all traffic. Create access rules that allow HTTP and HTTPS from the internal network to the external and perimeter networks, and from the perimeter network to the external and internal networks. Keep the perimeter-to-internal rule as narrow as possible (specific internal hosts rather than the whole Internal network); otherwise a compromised DMZ server can reach the LAN through TMG. Click Firewall Policy, then Create Access Rule in the task pane.
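    The internal address ranges entered during installation and the HTTP/HTTPS access rules described above can also be created through the Forefront TMG administration COM object model (FPC.Root), which is what the console itself drives. The script below is an added example, not code from the original post or from the TMG SDK. It assumes the 3-Leg Perimeter template (so a network named Perimeter exists); the 10.10.10.0/24 range, rule names, computer set name and host address in it are illustrative, and the numeric enumeration values are the FPC constants as I know them from the SDK, to be confirmed against the type library before you rely on them.

```powershell
# Added example: scripting the internal range and the web access rules via FPC.Root.
# Run in an elevated PowerShell on the TMG server (or a machine with the console installed).
# Enumeration values are an assumption; confirm against the TMG SDK type library.
$fpcInclude               = 0   # FpcInclusionType: include the referenced element
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: allow
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: only the listed protocols

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()

# Internal network: the address ranges entered during installation. Every subnet behind
# the internal adapter must be listed or TMG treats its packets as spoofed. Range is illustrative.
$internal = $array.NetworkConfiguration.Networks.Item("Internal")
$internal.IPRangeSet.Add("10.10.10.1", "10.10.10.255")
$internal.Save()

# Computer set naming the only internal hosts the DMZ servers may reach (name/address illustrative).
$dmzTargets = $array.RuleElements.ComputerSets.Add("Internal hosts reachable from DMZ")
$dmzTargets.Computers.Add("intranet-app01", "10.10.10.50")
$dmzTargets.Save()

function New-TmgWebAccessRule {
    param(
        [string]$Name,
        [string]$FromNetwork,
        [string[]]$ToNetworks     = @(),
        [string[]]$ToComputerSets = @(),
        [string]$UserSet          = "All Users"
    )
    $rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    $rule.AccessProperties.SpecifiedProtocols.Add("HTTP",  $fpcInclude)
    $rule.AccessProperties.SpecifiedProtocols.Add("HTTPS", $fpcInclude)
    $rule.SourceSelectionIPs.Networks.Add($FromNetwork, $fpcInclude)
    foreach ($n in $ToNetworks)     { $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($n, $fpcInclude) }
    foreach ($c in $ToComputerSets) { $rule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add($c, $fpcInclude) }
    $rule.AccessProperties.UserSets.Add($UserSet, $fpcInclude)
    $rule.Save()
    Write-Host "Created rule: $($rule.Name)"
}

# Internal users browse out. With Integrated authentication on the Internal web listener,
# "All Authenticated Users" forces a logged-on identity into every proxy log line.
New-TmgWebAccessRule -Name "Allow HTTP/HTTPS Internal to External and Perimeter" `
    -FromNetwork "Internal" -ToNetworks "External", "Perimeter" -UserSet "All Authenticated Users"

# DMZ servers are not domain users, so these stay at "All Users" (the default).
New-TmgWebAccessRule -Name "Allow HTTP/HTTPS Perimeter to External" `
    -FromNetwork "Perimeter" -ToNetworks "External"

# Perimeter to internal is scoped to the computer set, not the whole Internal network,
# so a compromised DMZ host cannot browse the internal LAN through TMG.
New-TmgWebAccessRule -Name "Allow HTTP/HTTPS Perimeter to selected Internal hosts" `
    -FromNetwork "Perimeter" -ToComputerSets "Internal hosts reachable from DMZ"
```

    Save() commits each object to the configuration storage, which is the equivalent of pressing Apply in the console; refresh the Firewall Policy view afterwards to see the three rules above the default deny rule.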

    Test Forefront TMG Setup

    Now for the moment of truth. Log on to a computer in any internal network with a domain user account, set the proxy in Internet Explorer's connection settings and browse the internet.
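    Instead of clicking through Internet Explorer, the same test can be scripted from a domain-joined client. The following is an added example, not code from the original post: it requests a page through the TMG web proxy first without credentials, expecting 407 Proxy Authentication Required when Integrated authentication is enabled, and then with the logged-on user's credentials, expecting 200. The proxy host name, port 8080 and the test URL are assumptions; change them to match your deployment.

```powershell
# Added example: verify the TMG web proxy from a domain-joined client.
# Proxy address and test URL are assumptions for illustration.
function Get-ProxyStatus([string]$Proxy, [string]$Url, [bool]$UseLoggedOnUser) {
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = New-Object System.Net.WebProxy($Proxy)
    if ($UseLoggedOnUser) {
        # Kerberos/NTLM credentials of the logged-on domain user, sent only to the proxy
        $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    }
    try {
        [void]$wc.DownloadString($Url)
        return 200
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) { return [int]$resp.StatusCode }   # e.g. 407 Proxy Authentication Required
        return $_.Exception.Status.ToString()          # e.g. ConnectFailure: proxy not reachable
    }
}

function Test-TmgProxy {
    param(
        [string]$Proxy = "http://tmg.wolverine.com.au:8080",   # assumed proxy name and port
        [string]$Url   = "http://www.microsoft.com/"           # any external site allowed by the rule
    )
    $anon = Get-ProxyStatus $Proxy $Url $false
    $auth = Get-ProxyStatus $Proxy $Url $true
    New-Object PSObject -Property @{
        Proxy               = $Proxy
        Url                 = $Url
        AnonymousStatus     = $anon   # 407 expected when Integrated authentication is required
        AuthenticatedStatus = $auth   # 200 expected for a domain user covered by the allow rule
        AuthRequired        = ($anon -eq 407 -and $auth -eq 200)
    }
}

Test-TmgProxy | Format-List
```

    If the anonymous request also returns 200, the web listener is not enforcing Integrated authentication and the access rule is matching "All Users"; if both return ConnectFailure, check the proxy port and that the client's address falls inside the Internal network definition.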

    Thumbs up!

    Remote Management Console Installation

    Forefront TMG itself is 64-bit only, but a 32-bit TMG Management console is available for download from Microsoft (see References).

  • Insert the Forefront TMG DVD into the DVD drive, or run autorun.hta from the shared network drive.

  • On the main setup page, click Run Installation Wizard.

  • On the Installation Type page, select Forefront TMG Management only.

  • On the Installation Path page, you can change the default installation path.

  • On the Ready to Install the Program page, click Install.

  • After the installation is complete, if you want to open Forefront TMG Management select Launch Forefront TMG Management when the wizard closes.

    References:

    Microsoft Forefront TMG 2010

    Downloadable TMG Admin Console

    Interoperability with BranchCache solution guide

    Understanding Service Ports
