OK, this is an easy one, and the configuration is more about on the client side than on the TMG server itself. You might wonder why do you need this kind of scenario. Well… maybe you already have a firewall in place and all you need is an extra protection for your internet traffic. How can you get that extra protection ? by placing a proxy server in your network, off course. This is exactly how TMG will act in this case, and it does a pretty good job too.
I’m not going trough the all installation process again, because is the same as you install TMG 2010 using multiple network adapters, well almost the same. Right after installation on the Network Setup Wizard you will only have the option to configure TMG with a single network adapter. Just move along here.
On the Local Area Network Settings page, make sure you configure a static IP address for the internal network. If the IP address keeps changing your clients will not be able to surf the internet, because the proxy configured (well…that we are going to configure later on) in their browsers will not be able to find that proxy server address.
You can have the TMG server joined to a Windows domain or not, but I like to have it in a domain, is just easier with the security on users. Before we start configuring the clients, make sure you decide on what port should TMG listen for web traffic. For that go to Networking, right-click your internal network and choose Properties.
On the Web Proxy tab you can configure the listening port, you can disable the proxy by removing the check from the Enable Web Proxy client connections for this network box, or you can secure the proxy traffic. Usually these settings are left alone. The more important one is the Authentication button. If you leave the defaults they will work in most cases, but under any circumstances do not check the box Require all users to authenticate. This will enable authentication to all web traffic, so goodbye Windows Update. It is recommended to use the Access Rules to enable authentication for specific users. I talk more about this as we move along. For now just leave the defaults, and let’s go configure the clients.
Clients are configured by simply typing the IP address or the name of the proxy server in the LAN Settings of IE. I’m going to use IE since integrates well with Group Policy. For those that are in a domain environment is very easy, all you have to do is create a GPO that apply to all users (not computers) you want to browse the internet trough a proxy server. In the GPO editor go to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection, right-click Proxy Settings and choose Properties.
Check Enable Proxy Settings and type the IP address and port of your proxy server. Leave Do not use proxy server for local (intranet) addresses box enabled, so web browsing will not go trough proxy for local (internal) web sites.
Make sure you configure this right from the first time, because this settings will tattoo the clients registry, and even if you come back and modify/correct them in the GPO later, they will not change on clients. You will need to use a script to modify the proxy settings, or go the old fashion way…manual.
If you have some clients that are not part of the domain, the only way is to either train the user to make the modification (which I doubt you will succeed), or go yourself and do it (this is the best and ugly choice). Open IE, go to Settings > Internet Options, click the Connection tab > LAN Settings button. Check the box Use a Proxy server for your LAN, then type the proxy IP address and port in the bellow boxes. Don’t forget to also check Bypass proxy server for local addresses.
The last step is to create an access rule if you didn’t do it until now. Since only web browsing traffic will hit the TMG server you need to grant HTTP and HTTPS protocols.
Now test from one of your clients and see how traffic is hitting the proxy server, by looking at the TMG logs. All you have to do now is create Users Sets in TMG and put those User Sets in Access Rules, to deny or allow browsing for specific sites to specific users.
Let’s see how this works for those computers that are not joined to the domain, but users have AD accounts in it. Go and modify the rule so only authenticated users can browse the internet. These means that those workgroup computers you might have will be asked to authenticate before accessing the all world. Remove All Users from the list and put All Authenticated Users. Click OK then apply the changes to TMG.
Now if a user tries to surf the internet from one of those non-domain computers they will be asked to authenticate, or an error message will be displayed:
Error Code: 407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209).
To pass this error message, just type your AD username and password in the authentication box when it pops-up.
And voilà, it works.
Want content like this delivered right to your