
Dec 20 2011

Install Forefront TMG 2010 on Windows Server 2008 R2

You may wonder what Forefront TMG (Threat Management Gateway) 2010 is, and what you can do with it. Well, it is a proxy server, a firewall, a web content filter, a VPN server, and more. In short, it is a network security and protection solution from Microsoft. I have been using this great product for many, many years, and I'll tell you, once you get to know TMG you will love it too. You can use it as a firewall to protect your company, campus, school, etc.; you can use it as a proxy server to filter websites or the content of those websites. Before you can do any of this, you first need to install the product, and in this step-by-step guide I'll show you how to install Forefront TMG 2010 in firewall mode.

For this exercise the host system needs two network cards, one called LAN and the other WAN. I renamed the network adapters so it is easier to tell which one is connected to the internet and which one is connected to the internal network.

First let's configure the network cards, so open Network Connections from Control Panel, right-click your LAN connection (the one connected to your internal network) and choose Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Select Use the following IP address and fill in the boxes with your own settings. Leave the gateway field empty, because packets will be routed through the external network card. In Preferred DNS Server put the IP of your internal DNS server if you have one; if not, put the IP address of an external DNS server (OpenDNS or Google). Click OK and Close.

Next we need to configure the external network card (the one connected to the internet). Right-click it and choose Properties. Again select the IPv4 protocol and click Properties. Now you need to know whether your ISP assigned you a static IP address or a dynamic one. If you have a static IP address choose Use the following IP address; if you have a dynamic IP, leave the defaults.

When you are done with the IP settings click the Advanced button, go to the DNS tab and uncheck Register this connection's address in DNS. Now select the WINS tab, choose Disable NetBIOS over TCP/IP and uncheck Enable LMHOSTS lookup. When you're done click OK, and OK again.

Back in the adapter properties, uncheck Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Click Close.
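The LAN/WAN adapter settings described above can also be applied and then audited from the command line. This is an added example, not part of the original post: it uses netsh and the Win32_NetworkAdapterConfiguration WMI class as shipped on Windows Server 2008 R2, assumes the adapters are named LAN and WAN, and the addresses in it are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes adapters named "LAN" and "WAN".
# The addresses below are constructed placeholders; replace them with your own.
$LanIp   = '192.168.1.1'     # constructed example value
$LanMask = '255.255.255.0'
$LanDns  = '192.168.1.10'    # internal DNS server, or an external resolver

# LAN: static address, no gateway (traffic leaves through the WAN card), internal DNS.
netsh interface ipv4 set address name=LAN source=static address=$LanIp mask=$LanMask gateway=none
netsh interface ipv4 set dnsservers name=LAN source=static address=$LanDns

# WAN: keep the ISP's DHCP lease; use 'source=static address=... mask=... gateway=...'
# instead if your ISP gave you a fixed address.
netsh interface ipv4 set address name=WAN source=dhcp

function Get-AdapterConfig([string]$Name) {
    # Win32_NetworkAdapter carries the friendly name (NetConnectionID); the TCP/IP
    # settings live in Win32_NetworkAdapterConfiguration, joined on Index.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Name'"
    if (-not $nic) { throw "Adapter '$Name' not found" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
}

# WAN hardening from the guide: no DNS registration, NetBIOS over TCP/IP disabled (2).
$wan = Get-AdapterConfig 'WAN'
[void]$wan.SetDynamicDNSRegistration($false, $false)
[void]$wan.SetTcpipNetbios(2)

# LMHOSTS lookup is a system-wide NetBT setting; 0 turns it off.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
    -Name EnableLMHOSTS -Value 0 -Type DWord

# Audit: re-read both adapters and report anything that deviates from the guide.
function Test-TmgAdapterConfig {
    $lan = Get-AdapterConfig 'LAN'
    $wan = Get-AdapterConfig 'WAN'
    $problems = @()
    if ($lan.DHCPEnabled)                { $problems += 'LAN is on DHCP, expected a static address' }
    if ($lan.DefaultIPGateway)           { $problems += 'LAN has a default gateway, expected none' }
    if (-not $lan.DNSServerSearchOrder)  { $problems += 'LAN has no DNS server configured' }
    if ($wan.FullDNSRegistrationEnabled) { $problems += 'WAN still registers its address in DNS' }
    if ($wan.TcpipNetbiosOptions -ne 2)  { $problems += 'WAN NetBIOS over TCP/IP is not disabled' }
    if ($wan.WINSEnableLMHostsLookup)    { $problems += 'LMHOSTS lookup is still enabled' }
    return $problems    # empty when every setting matches the guide
}

Test-TmgAdapterConfig
```

Unbinding Client for Microsoft Networks and File and Printer Sharing from the WAN adapter has no netsh or WMI equivalent on this platform, so that remains a step in the adapter's Properties dialog. Run the script from an elevated PowerShell session.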

Before we start the installation we need to prepare the environment. On the TMG setup screen click Run Preparation Tool and follow the wizard.

When you get to the Installation Type screen leave the defaults, which prepare the environment for the TMG services and the management console. Click Next.

After the environment preparation is done, click the Finish button to start the TMG 2010 installation.

Skip the welcome screen by clicking Next. To be able to continue with the installation you need to accept the EULA, so choose I accept the terms in the license agreement, then click Next.

Fill in the customer information and serial number and click Next.

Leave the default installation path and click Next.

Here we need to tell TMG which of the network adapters installed in the system is the internal one. Click the Add button, then Add Adapter. In the Select Network Adapters window select the LAN adapter. Click OK twice, then Next.

This screen is telling us that some services will restart or will be disabled during installation. Click Next to continue.

To start the installation all you have to do is click Install.

You can go and start a StarCraft campaign (if you know the game) until it is done, because it will take a while. When the installation is finished and you open the TMG 2010 console for the first time, a Configuration Wizard pops up.

Let's start with the first step, Configure Network Settings. Click Next on the Welcome screen. Since we have two network cards in the machine, TMG 2010 already knows that we are deploying an Edge Firewall. Leave the defaults and click Next.

From the drop-down list select the network adapter that belongs to the internal network; in our case that is LAN. Click Next.

On this screen TMG 2010 already selects the remaining network adapter as the external one.

If your WAN adapter is configured for dynamic IP addresses, the wizard will inform you that it is going to enable a security rule for DHCP traffic. Just click OK and continue the wizard.

On the Summary screen click Finish. We have reached the second step of the TMG 2010 Configuration Wizard. Click the link Configure System Settings. After the welcome screen we tell TMG whether it is part of a domain or a workgroup. Since I never said anything about TMG being part of a domain, leave the defaults and finish the wizard.

Launch the last step by clicking the link Define Deployment Options. When you reach the Microsoft Update Setup screen choose whether to download updates from Microsoft or not. I recommend you select the first option, Use the Microsoft Update service to check for updates, so your TMG 2010 server stays up to date with the latest security and vulnerability patches.

Here choose whether you want NIS (Network Inspection System) to be enabled and whether your outgoing web traffic should be scanned for malicious code.

If you enabled NIS, a screen appears where you configure how often it checks for updates and installs them.

On the Customer Feedback screen select not to participate, and on the Telemetry Reporting Service screen choose whether you want to send information about malware to Microsoft or not. Finish the wizard and click the Close button. You now have a fresh installation of TMG 2010.

Pfff, this was a long run, but it was worth it.


53 comments


  1. Sudarmani

    Dear Adrian,

    Yesterday I installed the TMG server in my office.
    This guide was so helpful for me.
    Thanks a lot, Adrian.

  2. Zubair Alam

    I have to install TMG on Server 2008 R2. I want to know which roles and features we have to add before installing TMG.

  3. Robin

    I am using Forefront TMG 2010, environment –> workgroup.
    Can I block a particular website for a particular IP?
    For example, facebook.com should be blocked on 192.168.1.8, while 192.168.1.10 can surf facebook.com at the same time?
    Please help.

    1. Adrian Costea

      Hi,
      Of course you can. Before you start creating an access rule you need to create a computer or computer set (this will be your source). Then you need to create a URL set (this will be the destination) and put in it all the websites you want to block. Now create an access rule, put your computer or computer set as the source and your URL set as the destination. Move the rule above any access rule you might have that permits web access. Let me know if you need more info.

  4. James

    Excellent walk-thru and great tips! I like seeing people put in efforts like this to help other admins in their day-to-day operations. Tight work!

    I don't have a TMG server in production right now, but instead have moved to testing the appliance in a virtual environment.

    Here is the thing: the VM (Windows 2008 R2 on a Win7 x64 host on an i7 with 16 GB RAM) is fine all the way up to the Exchange part. The problems occur when the Forefront Protection for Exchange + Exchange Edge server role are added. I understand that a VM is not the ideal environment for Exchange, much less TMG…

    Thing is, once the Forefront and Edge role are assigned, the CPU maxes out at 100% and stays there…

    Do you have any insights as to what might be causing that? Is there something that doesn't fly when virtualized?

    1. Adrian Costea

      Hi,
      Never used this configuration, and maybe I will write an article about it some day. Try restarting the agent services and see if that works.

  5. Doleeb

    Dear Adrian,
    I have a problem with VPN: I can't log in to my internal network through TMG. The problem is that when I ping the internet router (the public IP) 123.123.123.123 [IP removed for security reasons], which is the gateway, it replies, and the configuration on the WAN card is 123.123.123.123 [IP removed for security reasons] as the TMG IP with subnet mask and default gateway, but when I ping it from another public IP I get "request timed out". For your information, I configured an access rule for VPN, but I'm tired of trying to get in. Please help me.

    1. Adrian Costea

      Hi,
      I can't say for sure what the problem is because I don't know your TMG configuration, but make sure the VPN protocols match on the client and the TMG, the credentials are working and IPs can be leased to the clients. Take it one step at a time to troubleshoot this. Let me know how it goes.

  6. paya

    Hi,
    I want to install TMG 2010 on Windows Server 2008.
    Error: the scenario cannot be installed on the domain controller?

    1. Adrian Costea

      Hi,
      I've said this and I will say it again: do not install TMG on a domain controller; it needs to be a separate box.

  7. Sulman Butt

    Hi,
    I want to create TMG and ADC on the same server; it is my task. In this regard my question is: should I install TMG first or ADC?

    1. Adrian Costea

      It is not recommended to install TMG and AD on the same machine. I tried it once just for fun, and believe me, I had fun! If you do it you will have a lot of problems, believe me. Don't recommend it.

  8. tanguyngoy

    Good Day Adrian!

    But my problem is that I don’t have access to the Cisco interface, the ISP provider is the only one allowed to change configurations in it (not to mention that I don’t know Cisco myself 🙂 )…

    Also, another problem would be the servers that should be visible and accessed from the outside (Sharepoint site, VOIP and Dialer servers, CCTVs, etc.)

    Thanks again for your help, Adrian…

  9. tanguyngoy

    Thanks for the reply, Adrian!

    Actually, I might need your help here. This is our current setup:

    Our ISP provided us a Cisco 1941 router for the service. It provides the 192.168.1.x addresses for the workstations. To cater for mobile devices, a former IT staff member connected the Cisco to another wireless router, a Linksys E1200, which gives 192.168.2.x addresses to wireless clients. With this, the Linksys serves as the DHCP server (which gave all connected devices a 192.168.2.x address, disregarding the Cisco) and our main gateway (on which port forwarding is set up). If I were to illustrate, our setup would be:
    (Internet) –> Cisco 1941 –> Linksys E1200 –> Internal network

    What I have in mind is:
    – make TMG the main gateway (as in the Edge firewall setup above)
    – connect the Linksys within the internal network to act as an access point for wireless devices.

    If this were the case, who would provide the addresses for the clients? (Given that the clients are configured to obtain an IP address automatically.)

    Thanks again, Adrian…

    1. Adrian Costea

      The setup sounds great, but you might like mine 🙂
      Leave the Cisco router as your gateway to do NAT and also be your DHCP server. This is going to be your way out to the world.
      Remove the Linksys router from this scheme and configure it as an access point, no routing or anything fancy.
      Configure your TMG server as a proxy-only server, if you really want to have a proxy in your network: http://www.vkernel.ro/blog/configuring-tmg-2010-with-a-single-network-adapter-proxy-mode

  10. tanguyngoy

    Hi Adrian,

    Great post!

    I've been planning on implementing TMG in our small office when I saw this post. This is a great help.

    Just a few concerns:

    1. Our ISP router has DHCP enabled, but I guess it cannot assign IP addresses for the internal network, am I right? Do I have to turn it off? Can I use a WiFi router to act as my DHCP server internally?
    2. I have several machines that need to be accessed from the outside, and I did this through port forwarding. Can TMG do this? Does TMG have the features usually configured in a home router?

    Thanks again…

    1. Adrian Costea

      Hi,
      I'll get straight to the point:
      1. You don't have to turn DHCP off on your WAN adapter (the one you connect your ISP router to); TMG works with DHCP just fine. The problem with DHCP for internet addresses is that when you want to publish a web site or something for your users, complications arise since the IP keeps changing. I recommend you request a static IP address, or tell your ISP to create a reservation for your address. If you don't have those kinds of services in your network then go ahead with DHCP.
      2. Back to point one: you will need an IP address that does not change. And to answer your question, YES, TMG knows port forwarding. Just click the link Publish Non-Web Server Protocols and follow the wizard.
