Forefront Threat Management Gateway
Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway from Microsoft. It is a Common Criteria certified (EAL4+) enterprise-class application-layer firewall that includes support for proxy services (forward and reverse proxy), content caching, and VPN (both site-to-site and remote access). Forefront TMG is licensed per processor; no client access licenses are required. It can be deployed in all of these roles, or any subset of them.
Secure Web Gateway
Forefront TMG 2010 is commonly deployed as a secure web gateway. With advanced web protection capabilities including URL filtering, gateway-integrated virus and malicious software scanning, intrusion detection and prevention, and outbound SSL inspection, Forefront TMG provides a high level of protection for internal clients when they are accessing resources on the public Internet. URL filtering and virus/malware scanning do require an additional license – the Web Protection Service subscription license.
Secure Remote Access
For secure remote access to Exchange and SharePoint, Forefront TMG 2010 excels. With tight Active Directory integration, Forefront TMG can pre-authenticate users with native Forms-Based Authentication (FBA), ensuring that all access to Exchange CAS or SharePoint front-end servers is authenticated and authorized. Forefront TMG also supports multi-factor authentication using certificates or smart cards. Forefront TMG can even provide load balancing services for Exchange CAS and SharePoint front-end servers, eliminating the need for internal load balancing.
Secure Mail Relay
Forefront TMG 2010 can also be deployed as a secure mail relay. The Exchange Edge Transport role (Exchange 2007 SP2 and later) and Forefront Protection for Exchange (FPE) can be installed directly on the Forefront TMG firewall. This allows for perimeter host consolidation and streamlined management, as e-mail policy and spam filtering are configured with a single interface – the TMG management console.
Virtual Private Networking
Virtual Private Networking (VPN) for both remote access and site-to-site is included with Forefront TMG 2010. For remote access VPN, Forefront TMG supports three protocols – PPTP, L2TP, and SSTP. SSTP is a compelling new VPN protocol supported in Windows Vista SP1 and later clients. It uses SSL and is very firewall friendly. For site-to-site VPN, TMG supports PPTP, L2TP, and IPsec tunnel mode. IPsec tunnel mode is commonly used to terminate tunnel endpoints between TMG and third-party VPN products such as Juniper, Check Point, and Cisco.
Network Placement
The Forefront TMG networking model is very flexible, allowing it to be deployed as an edge firewall, back firewall, or internal firewall. Multiple perimeter (DMZ) networks can be configured, allowing for traffic segmentation and granular access control. Forefront TMG can also be configured as a dedicated unihomed proxy (transparent or explicit) in an existing perimeter network.
Summary
Forefront Threat Management Gateway (TMG) 2010 is a multi-layered perimeter defense system. An enterprise-class firewall with advanced web protection features such as URL filtering, gateway-integrated virus and malicious software scanning, network intrusion detection and prevention, and outbound HTTPS inspection, Forefront TMG provides exceptional protection from advanced, persistent threats. It also provides secure remote access to internal networks and applications and can serve as a consolidated secure mail relay.
After this brief overview of Forefront Threat Management Gateway, let's go through a step-by-step TMG 2010 installation and configuration on Windows Server 2008 R2.
Before starting the installation, make sure that the network is configured properly and the server is joined to the domain.
Install TMG on a Windows Server 2008 R2 x64 OS with 6 GB RAM and a 50 GB HDD.
The server must be joined to the domain.
Install and configure the NICs. I have installed 3 NIC cards on my server and configured them for Internal, External and DMZ network access.
Then check for and apply the latest Windows updates.
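The prerequisites above (domain membership, Windows Server 2008 R2 x64, 6 GB RAM, 50 GB disk, three configured NICs) are easy to verify before inserting the media. The following PowerShell pre-installation check is an added example, not part of the original post or a Microsoft tool; it assumes Windows PowerShell 2.0 on the future TMG server and that the 50 GB HDD is the system drive.

```powershell
# Added example: verify the TMG 2010 prerequisites listed in the post.
# Thresholds are taken from the post; the system-drive assumption is ours.
$minRamGB  = 6
$minDiskGB = 50
$minNics   = 3

$cs   = Get-WmiObject -Class Win32_ComputerSystem
$os   = Get-WmiObject -Class Win32_OperatingSystem
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
# Only adapters with an IP configuration count as "configured" NICs.
$nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")

$ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$diskGB = [math]::Round($disk.Size / 1GB, 1)

# One row per prerequisite: name, pass/fail, and the observed value.
$checks = @()
$checks += New-Object PSObject -Property @{
    Check = "Joined to domain"; Result = [bool]$cs.PartOfDomain; Detail = $cs.Domain }
$checks += New-Object PSObject -Property @{
    Check = "Windows Server 2008 R2 x64"
    # 2008 R2 reports kernel version 6.1.x
    Result = ($os.Version -like "6.1.*") -and ($os.OSArchitecture -eq "64-bit")
    Detail = "$($os.Caption) $($os.OSArchitecture)" }
$checks += New-Object PSObject -Property @{
    Check = "RAM >= $minRamGB GB"; Result = ($ramGB -ge $minRamGB); Detail = "$ramGB GB" }
$checks += New-Object PSObject -Property @{
    Check = "System drive >= $minDiskGB GB"; Result = ($diskGB -ge $minDiskGB); Detail = "$diskGB GB" }
$checks += New-Object PSObject -Property @{
    Check = "Configured NICs >= $minNics"; Result = ($nics.Count -ge $minNics)
    Detail = ($nics | ForEach-Object { "$($_.Description): $($_.IPAddress -join ',')" }) -join "; " }

$checks | Format-Table Check, Result, Detail -AutoSize

# Non-zero exit lets this gate an automated build; fix every FALSE row first.
if ($checks | Where-Object { -not $_.Result }) { exit 1 }
```

A FALSE row for the NIC check usually means an adapter has no IP configuration yet, which TMG's setup will also flag when you assign adapters to networks.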
Insert the TMG media and launch the installation. Read the deployment guide, run Windows Update and the Preparation Tool before you start the installation.
Accept the terms of the License Agreement and click “Next” to continue.
Select “Forefront TMG services and Management”.
Type the product serial number and then click “Next” to continue.
Choose the installation path or accept the default path, then click “Next” to continue.
Define the internal network and associate it with the network adapters.
The installation completed successfully. Next we continue with the basic network setup: IP settings, network relationships and routing rules.
Forefront Threat Management Gateway can be installed as an edge firewall or a back firewall on your network, or with a single network adapter.
Edge firewall
In this topology Forefront TMG (Local Host) is deployed at the edge of the Internal Network and has two network adapters. One adapter is connected to the Internal Network, either directly or through a router or another firewall. The other adapter is connected to the external network (Internet).
Back firewall
In this topology Forefront TMG (Local Host) has two network adapters: one adapter is connected to the Internal Network, either directly or through a router or another firewall. The other adapter is connected to the Perimeter network.
Single network adapter
In this topology Forefront TMG (Local Host) has one network adapter, connected to the Internal Network or to a Perimeter network. In this configuration Forefront TMG can function as a forward or reverse proxy, a caching server, and a VPN server for dial-in clients.
Select the network template that fits your network topology.