Forefront TMG


Forefront Threat Management Gateway

Forefront Threat Management Gateway (TMG) 2010 is an integrated edge security gateway from Microsoft. It is a Common Criteria certified (EAL4+) enterprise-class application-layer firewall that includes support for proxy services (forward and reverse proxy), content caching, and VPN (both site-to-site and remote access). Forefront TMG is licensed per processor; no client access licenses are required. It can be deployed in all of these roles, or any subset of them.

Secure Web Gateway

Forefront TMG 2010 is commonly deployed as a secure web gateway. With advanced web protection capabilities including URL filtering, gateway-integrated virus and malicious software scanning, intrusion detection and prevention, and outbound SSL inspection, Forefront TMG provides a high level of protection for internal clients when they are accessing resources on the public Internet. URL filtering and virus/malware scanning do require an additional license – the Web Protection Service subscription license.

Secure Remote Access

For secure remote access to Exchange and SharePoint, Forefront TMG 2010 excels. With tight Active Directory integration, Forefront TMG can pre-authenticate users with native Forms-Based Authentication (FBA), ensuring that all access to Exchange CAS or SharePoint front-end servers is authenticated and authorized. Forefront TMG also supports multi-factor authentication using certificates or smart cards. Forefront TMG can even provide load balancing services for Exchange CAS and SharePoint front-end servers, eliminating the need for internal load balancing.

Secure Mail Relay

Forefront TMG 2010 can also be deployed as a secure mail relay. The Exchange Edge Transport role (Exchange 2007 SP2 and later) and Forefront Protection for Exchange (FPE) can be installed directly on the Forefront TMG firewall. This allows for perimeter host consolidation and streamlined management, as e-mail policy and spam filtering are configured through a single interface – the TMG management console.

Virtual Private Networking

Virtual Private Networking (VPN) for both remote access and site-to-site is included with Forefront TMG 2010. For remote access VPN, Forefront TMG supports three protocols – PPTP, L2TP, and SSTP. SSTP is a compelling new VPN protocol supported by Windows Vista SP1 and later clients. It uses SSL and is very firewall friendly. For site-to-site VPN, TMG supports PPTP, L2TP, and IPsec tunnel mode. IPsec tunnel mode is commonly used to terminate tunnel endpoints between TMG and third-party VPN products such as Juniper, Check Point, and Cisco.

Network Placement

The Forefront TMG networking model is very flexible, allowing it to be deployed as an edge firewall, back firewall, or internal firewall. Multiple perimeter (DMZ) networks can be configured, allowing for traffic segmentation and granular access control. Forefront TMG can also be configured as a dedicated unihomed proxy (transparent or explicit) in an existing perimeter network.

Summary

Forefront Threat Management Gateway (TMG) 2010 is a multi-layered perimeter defense system. An enterprise-class firewall with advanced web protection features such as URL filtering, gateway-integrated virus and malicious software scanning, network intrusion detection and prevention, and outbound HTTPS inspection, Forefront TMG provides exceptional protection from advanced, persistent threats. It also provides secure remote access to internal networks and applications and can serve as a consolidated secure mail relay.

After this brief overview of Forefront Threat Management Gateway, let's go through the step-by-step installation and configuration of TMG 2010 on Windows Server 2008 R2.

Before starting the installation, make sure that the network is configured properly and that the server is joined to the domain.

TMG is installed here on a Windows Server 2008 R2 x64 host with 6 GB RAM and a 50 GB HDD.


The server must be joined to the domain.


Install and configure the network adapters. I have installed 3 NICs on my server, configured for Internal, External and DMZ network access.


Then check for and apply the latest Windows updates.


Insert the TMG media and launch the installation. Read the deployment guide, run Windows Update and run the Preparation Tool before you start the installation.
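Before launching the installer it is worth confirming that the host actually meets the prerequisites listed above (domain-joined, 64-bit OS, 6 GB RAM, 50 GB disk, three NICs). The following PowerShell script is an added example and is not part of the original post; the thresholds are taken from the build described above, and the expectation that only one adapter (the external one) carries a default gateway is standard multi-homed firewall guidance rather than something the post states.

```powershell
# Pre-installation check for a Forefront TMG 2010 host (Windows Server 2008 R2, PowerShell 2.0).
# Added example, not from the original post. Thresholds mirror the build in the post:
# x64 OS, 6 GB RAM, 50 GB disk, three NICs, domain-joined.
$MinRamGB     = 6
$MinDiskGB    = 50
$ExpectedNics = 3

$cs = Get-WmiObject Win32_ComputerSystem
$os = Get-WmiObject Win32_OperatingSystem

function New-Check($Name, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Ok = [bool]$Ok; Detail = $Detail }
}

$checks = @()

# Domain membership: required for the Active Directory integration TMG relies on (e.g. FBA).
$checks += New-Check "Domain joined" $cs.PartOfDomain $cs.Domain

# TMG 2010 is 64-bit only.
$checks += New-Check "64-bit OS" ($os.OSArchitecture -eq "64-bit") "$($os.Caption) $($os.OSArchitecture)"

# Physical memory and free space on the system drive, rounded to whole GB.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)
$checks += New-Check "RAM >= $MinRamGB GB" ($ramGB -ge $MinRamGB) "$ramGB GB"
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB)
$checks += New-Check "Free disk >= $MinDiskGB GB on $($os.SystemDrive)" ($freeGB -ge $MinDiskGB) "$freeGB GB free"

# One IP-enabled adapter per role (Internal, External, DMZ).
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE")
$nicSummary = ($nics | ForEach-Object { "$($_.Description)=$($_.IPAddress -join ',')" }) -join "; "
$checks += New-Check "$ExpectedNics IP-enabled NICs" ($nics.Count -eq $ExpectedNics) $nicSummary

# Assumption (standard multi-homed guidance, not stated in the post): only the external
# adapter should have a default gateway; several gateways make routing ambiguous.
$withGw = @($nics | Where-Object { $_.DefaultIPGateway })
$gwSummary = ($withGw | ForEach-Object { "$($_.Description)=$($_.DefaultIPGateway -join ',')" }) -join "; "
$checks += New-Check "Exactly one default gateway" ($withGw.Count -eq 1) $gwSummary

$checks | Format-Table Check, Ok, Detail -AutoSize
if ($checks | Where-Object { -not $_.Ok }) { Write-Warning "One or more TMG prerequisites are not met." }
```

Run it in an elevated PowerShell session on the prospective TMG host; any row with Ok = False should be resolved before inserting the TMG media.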


Accept the terms of the License Agreement and click "Next" to continue.


Select "Forefront TMG services and Management" as the installation type.


Type the product serial number and then click "Next" to continue.


Choose an installation path or accept the default path, then click "Next" to continue.


Define the internal network and associate it with the internal network adapter.


The installation completed successfully. We will continue with the basic network setup: IP settings, network relationships and routing rules.


The Forefront Threat Management Gateway server can be installed as an edge firewall on your network, as a back firewall, or with a single network adapter. The network templates are:

Edge firewall
In this template Forefront TMG (Local Host) is deployed at the edge of the Internal Network and has two network adapters: one adapter is connected to the Internal Network, either directly or through a router or another firewall, and the other adapter is connected to the External network (Internet).

Back firewall
In this template Forefront TMG (Local Host) has two network adapters: one adapter is connected to the Internal Network, either directly or through a router or another firewall, and the other adapter is connected to the Perimeter network.

Single network adapter
In this template Forefront TMG (Local Host) has one network adapter, connected to the Internal Network or to a Perimeter network. In this configuration Forefront TMG can function as a forward or reverse proxy, as a caching server, and as a VPN server for dial-in clients.

Select the network template that fits your network topology.
