«

»

Dec 20 2011

Install Forefront TMG 2010 on Windows Server 2008 R2

You may wonder what is Forefront TMG (Threat Management Gateway) 2010, and what can I do with it ? Well…is a proxy server, is a firewall, is a web content filtering, is a VPN Server, is… enoch. To be short, is a network security and protection solution from Microsoft. I’ve been using this great product for many, many years, and I’ll tell you, once you get to know TMG you will love it too. You can use it as a firewall to protect your company, campus, school etc; you can use it as a proxy server to filter websites or the content of those websites. Before you can do all this stuff with it, first you need to install the product, and in this step by step guide I’ll show you how to install Forefront TMG 2010 in firewall mode.

For this exercise you need to have on the host system two network cards, one called LAN and the other one WAN. I renamed the network adapters to distinguish better witch one is connected to internet and witch one is connected to the internal network.

First let’s start configuring the network cards, so open Network Connections from Control Panel, right click your LAN connection (the one that is connected to your internal network) and choose Properties. Click Internet Protocol Version 4 (TCP/IPv4) and Properties. Select Use the following IP address and complete the boxes with your own settings. Leave gateway field empty because packets will be routed thru the external network card. In the Preferred DNS Server put the IP of your internal DNS server, if you have one, if not put an IP address of an external DNS server (OpenDNS or Google). Click OK and Close.

Next we need to configure the external network card (the one that is connected to the internet). Right Click and choose Properties. Again select the IPv4 protocol and click Properties. Now you need to know if the ISP assigned to you a static IP address or a dynamic one. If you have a static IP address choose the option Use the following IP address, but if you have a dynamic IP leave the defaults.

When you are done with the IP settings click the Advanced button, go to the DNS tab and uncheck Register this connection’s address in DNS. Now select the WINS tab, and here click the Disable NetBIOS over TCP/IP and uncheck the Enable LMHOSTS lookup. When you’re done click OK, and OK again.

Back to the adapter properties, uncheck the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Click Close.

Before we start the installation we need to prepare the environment. On the TMG screen click the Run Preparation Tool, and just follow the wizard.

When you get to the Installation Type screen leave the defaults, witch is to prepare the environment for the TMG services and the management console. Click Next.

After the environment preparation is done, click the Finish button to start the TMG 2010 installation.

Skip the welcome screen by clicking Next. To be able to continue with the installation you need to accept the EULA, so choose I accept the terms in the license agreement, then click Next.

Fill in the customer information and serial number and click Next.

Leave the default installation path and click Next.

Here we need to tell TMG witch network adapter installed in the system is our internal one. Click the Add button, then Add Adapter. In the Select Network Adapters window select the LAN adapter. Click OK two times, then Next.

This screen is telling us that some services will restart or will be disabled during installation. Click Next to continue.



To start the installation all you have to do is click Install.

You can go start a campaign of StarCraft (if you know the game) ’till is done, because it will take a while. When the installation is finished and you open the TMG 2010 console for the first time a Configuration Wizard pops-up.

Let’s start with the first one Configure Network Settings. Click Next on the Welcome screen. Since we have two network cards in our machine TMG 2010 already knows that we deploy an Edge Firewall. Leave the defaults and click Next.

From the drop down list select the network adapter witch belongs to the internal network. In our case is LAN. Click Next.

In this screen TMG 2010 already selects the available network adapter as an external one.

If your WAN adapter is configured for dynamic IP addresses, the wizard will inform you that is going to enable a security rule for the DHCP traffic. Just click OK and continue the wizard.

On the Summary screen click the Finish button. We reached the second step of the TMG 2010 Configuration Wizard. Click the link Configure System Settings. After the welcome screen we tell TGM if is part of a domain or workgroup. Since I never mentioned anything about TMG being part of a domain, leave the defaults and finish the wizard.

Launch the last step by clicking the link Define Deployment Options. When you reach the Microsoft Update Setup screen choose either to download updates from Microsoft or not. I recommend you select the first option Use the Microsoft Update service to check for updates, so your TMG 2010 server will be up to date with the latest security and vulnerability patches.

Here choose if you wan NIS to be enabled and your outgoing web traffic should be scanned for malicious code.

If you enabled NIS a screen appears to configure the interval when checking for updates and install them.

On the Customer Feedback screen select not to participate, and on the Telementery Reporting Service screen choose either you want to send information to Microsoft about malware or not. Finish the wizard and click the Close button. Now you have a fresh new installation of TMG 2010.

 Pfff this was a long run, but was worth it.

Want content like this delivered right to your

email inbox?


53 comments

Skip to comment form

  1. hurera

    Dear Adrian Costea,

    1. I also want to install AD and TMG on different systems, I want to know I have static IP from my ISP let suppose 182.188.143.100, what setting I should give on my WAN Network Card ?
    2. 2nd thing is that some clients have cell phone and they want to use internet on their cell phone then how can i run internet on their cell phone if their cell phones do not have proxy option ?

    1. Adrian Costea

      Hi,

      1. From your service provider you need the IP, mask and gateway which you will set on the external interface on your TMG.
      2. I should work even if you don’t configure a proxy address on those devices (is a transparent proxy). All you have to do is create an access rule to allow internet traffic (port 80 and 443 for secure sites). Go here to see how to create access rules.

      1. Mesbah

        From my experiment, web access rules which prevent – for example – facebook or youtube, are not applied except if we configure the proxy settings in the Internet Explorer of the client machine to point to the ip of the TMG, so how can we make these proxy settings applied automatically to cellular phones????

        1. Adrian Costea

          Hi,
          You either have to filter by IP address or use NTLM authentication. Filter by IP address is easier but you will have to reserve a range of IP addresses to cellular phones, and you will filter that IP range. With NTLM is more granular and you can filter by user.

  2. rabbit

    hi there

    i’m trying to print to a printer from my workstation through tmg but does not want to print.

    1. Adrian Costea

      Is it a USB printer or a network printer ?

  3. Misbah Uddin Asim

    Dear Adrian Costea,

    I want to configure a network on TMG in a small office.
    I have purchased 2 servers (1 for TMG and other is for Active Directory Controller).
    Have 12 to 15 users computers. Where I want to set, most of them as a email users only and some of them will have all the internet services rights.
    Have DSL Modem/ Connection, 8 port switch, WIFI router, WIFI cards installed on all users machine.

    I need a guidance, so could you please guide me according to your skills. I will be very thankful to you.

    Regards,
    Misbah

    1. Adrian Costea

      Hi,

      This is a straight forward process.
      Install TMG and AD on the servers, NOT on the same server.
      Configure the modem in a bridge mode with the TMG server. This means that the TMG server will dial the connection and control the firewall rules.
      I alway create a rule: All Traffic from Internal to Localhost, and from Localhost to Internal, so I don’t have problems contacting the TMG server from internal clients.
      Create a rule to allow traffic from Internal to External.
      Let me know how it works. Cheers

  4. nasrin

    thanks for your article.
    I installed tmg and configured it as edge firewall, i didn’t define any rule to access internet for localhost(tmg server). and defualt rule (deny rule for all network) is enabled. but my localhost hase internet access! how could it be possible? how can i deny internet?!!!!!
    I was wonder if you could give me some advice?!
    thanks

    1. Adrian Costea

      Yes that’s normal for HTTP traffic; HTTPS should not work by default. TMG has some rules (system rules) that apply before the Default Rule, and one of those system rules is permitting localhost to access the outside world. Go to Firewall Policy and in the Tasks pane click Show System Policy Rules. Search for Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads), right-click and choose Edit System Policy. Remove the check and Apply the changes. HTTP traffic will be stoped from localhost to internet.

  5. Hardik

    Hi,
    I have configured TMG with the above steps. On the DC machine nic does DG need to point to the internal IP on TMG machine? In my case TMG can ping DC. However I cannot ping TMG from DC and hence no internet connectivity on DC.

    1. Adrian Costea

      Because you did not created a Firewall rule to allow PING from internal clients. Create a Firewall rule on the TMG server to allow any traffic from internal to localhost and to localhost to internal. It should work then.

      1. Ruben Tjok

        Good day Adrian,
        I’ve just installed TGM2010 on Server 2008 R2 AGAIN.
        The reason why I’m replying on your comment is because i can PING the TMG local IP, but I can’t ping the Hostname of the server it self.
        From the Host server I can PING every HOSTNAME on the network, except for the opposite way.

        1. Adrian Costea

          Hi,

          Yes I know the situation. This is because your computer(s) are not trusted to TMG. You can edit the rule (System rule) Allow ICMP (PING) requests from selected computers to Forefront TMG and put your computer(s) or subnet in the Remote Management Computers listener. The simplest way is to just create a new rule and allow all traffic between your TMG and local computers and vice-versa; but this depends on the security constraints on your network. Let me know how it works.

  6. Adrian Costea

    Hi,
    Is similar just as you configure it with two network cards, but what makes the difference is on the clients side. You need to go and configure their browsers to use a proxy server, and put the IP or name of the TMG server in the Proxy Server box. This is a great ideea for a future article :-).

    Thanks

  7. James

    Hi I work for a small company where we only have one server. I am wanting to configure web access so users can’t browse sites with adult content or facebook etc.

    Is it safe to install TMG on to the server which also has Active Directory, firewall, exchange, sql and files on it? Or should I use an alternative?

    1. Adrian Costea

      NEVER. Look at the above comment. You should not install on the TMG server any other role. You need to purchase another server and install TMG on it. The same goes for Exchange; do not install it on a domain controller, even tough I don’t think you can. Never tried it. AD and TMG should be running on their own boxes with nothig else installed on them.

  8. Lyle Stanford

    I’ve followed the instructions. Two questions

    1) Do my workstations get IP’s from the router through the firewall or must I configure a DHCP server on th TMG server.

    2) What rules must I create for a school enviroment where teachers still need access to Youtube, banking & mail.

    Kind Regards
    Lyle Stanford

    1. Adrian Costea

      Hi,

      1) Never put any other roles or features on the TMG server, because you will always have some problems after that, and too many ports need to be open. Install the DHCP role on a domain controler or a file server if you are in a small environment.
      2) If your TMG server is joined to the domain you can create a rule and apply just to a speciffic security group; in that group you put those teachers. If TMG is not joined to a domain you will need to filter by IP. Reservations in DHCP needs to be made for this.

  9. Bubbie

    Kick the tires and light the fires, problem ofificlaly solved!

    1. Adrian Costea

      Glad I could help

  10. Lina

    Great post with lots of impotrant stuff.

    1. Adrian Costea

      Thanks for your comment; I try my best to create hight quality posts

1 2 3

Leave a Reply

Your email address will not be published. Required fields are marked *

*

css.php