Install Forefront TMG 2010 on Windows Server 2008 R2
You may wonder what is Forefront TMG (Threat Management Gateway) 2010, and what can I do with it ? Well…is a proxy server, is a firewall, is a web content filtering, is a VPN Server, is… enoch. To be short, is a network security and protection solution from Microsoft. I’ve been using this great product for many, many years, and I’ll tell you, once you get to know TMG you will love it too. You can use it as a firewall to protect your company, campus, school etc; you can use it as a proxy server to filter websites or the content of those websites. Before you can do all this stuff with it, first you need to install the product, and in this step by step guide I’ll show you how to install Forefront TMG 2010 in firewall mode.
For this exercise you need to have on the host system two network cards, one called LAN and the other one WAN. I renamed the network adapters to distinguish better witch one is connected to internet and witch one is connected to the internal network.
First let’s start configuring the network cards, so open Network Connections from Control Panel, right click your LAN connection (the one that is connected to your internal network) and choose Properties. Click Internet Protocol Version 4 (TCP/IPv4) and Properties. Select Use the following IP address and complete the boxes with your own settings. Leave gateway field empty because packets will be routed thru the external network card. In the Preferred DNS Server put the IP of your internal DNS server, if you have one, if not put an IP address of an external DNS server (OpenDNS or Google). Click OK and Close.
Next we need to configure the external network card (the one that is connected to the internet). Right Click and choose Properties. Again select the IPv4 protocol and click Properties. Now you need to know if the ISP assigned to you a static IP address or a dynamic one. If you have a static IP address choose the option Use the following IP address, but if you have a dynamic IP leave the defaults.
When you are done with the IP settings click the Advanced button, go to the DNS tab and uncheck Register this connection’s address in DNS. Now select the WINS tab, and here click the Disable NetBIOS over TCP/IP and uncheck the Enable LMHOSTS lookup. When you’re done click OK, and OK again.
Back to the adapter properties, uncheck the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks. Click Close.
Before we start the installation we need to prepare the environment. On the TMG screen click the Run Preparation Tool, and just follow the wizard.
When you get to the Installation Type screen leave the defaults, witch is to prepare the environment for the TMG services and the management console. Click Next.
After the environment preparation is done, click the Finish button to start the TMG 2010 installation.
Skip the welcome screen by clicking Next. To be able to continue with the installation you need to accept the EULA, so choose I accept the terms in the license agreement, then click Next.
Fill in the customer information and serial number and click Next.
Leave the default installation path and click Next.
Here we need to tell TMG witch network adapter installed in the system is our internal one. Click the Add button, then Add Adapter. In the Select Network Adapters window select the LAN adapter. Click OK two times, then Next.
This screen is telling us that some services will restart or will be disabled during installation. Click Next to continue.
To start the installation all you have to do is click Install.
You can go start a campaign of StarCraft (if you know the game) ’till is done, because it will take a while. When the installation is finished and you open the TMG 2010 console for the first time a Configuration Wizard pops-up.
Let’s start with the first one Configure Network Settings. Click Next on the Welcome screen. Since we have two network cards in our machine TMG 2010 already knows that we deploy an Edge Firewall. Leave the defaults and click Next.
From the drop down list select the network adapter witch belongs to the internal network. In our case is LAN. Click Next.
In this screen TMG 2010 already selects the available network adapter as an external one.
If your WAN adapter is configured for dynamic IP addresses, the wizard will inform you that is going to enable a security rule for the DHCP traffic. Just click OK and continue the wizard.
On the Summary screen click the Finish button. We reached the second step of the TMG 2010 Configuration Wizard. Click the link Configure System Settings. After the welcome screen we tell TGM if is part of a domain or workgroup. Since I never mentioned anything about TMG being part of a domain, leave the defaults and finish the wizard.
Launch the last step by clicking the link Define Deployment Options. When you reach the Microsoft Update Setup screen choose either to download updates from Microsoft or not. I recommend you select the first option Use the Microsoft Update service to check for updates, so your TMG 2010 server will be up to date with the latest security and vulnerability patches.
Here choose if you wan NIS to be enabled and your outgoing web traffic should be scanned for malicious code.
If you enabled NIS a screen appears to configure the interval when checking for updates and install them.
On the Customer Feedback screen select not to participate, and on the Telementery Reporting Service screen choose either you want to send information to Microsoft about malware or not. Finish the wizard and click the Close button. Now you have a fresh new installation of TMG 2010.
Pfff this was a long run, but was worth it.
Want content like this delivered right to your
email inbox?
i cannot find 2 nic after forfront installation
Hi,
You can’t find it in the TMG console or in the system?
I’ve just installed TGM2010 on Server 2008 R2, but the problem is that it need proxy server ip in clients this is a big challenge that i set proxy ip in each client. please help me what should i do to solve this problem. thank you in advance
Hi,
You don’t need to set any proxy on clients everything can be done transparently. What exactly are you trying to achieve?
Thanks a lot for this wonderful form.
I am facing a problem can anybody acces me…..
I have two server One is D.C (Domian Controller) and other is TMG. I have install ACTIVE DIRECTORY on Domain Controller.
I have all Users and computer on Domain controller, but I can not show my Users and Computer on TMG….. I have newly Install TMG.
Stupid question…Does the host computer need to have two separate network cards or can I get away with one network card in the host computer and within VMWare Workstation 12, virtually create two network cards, one of which would be bridged to the host via WAN and the other card configured as a LAN. The thought behind this is to create a Windows Server 2012 RS server, running AD, DHCP and DNS to some virtual Windows 8.1 clients. I would like the clients to have LAN and Internet access.
Hi,
Yes, the computer on which you want to install TMG 2010 needs to have at least two network cards in order to NAT or route the traffic. I guess NAT in your case. If you are using just one adapter, you are configuring TMG only in proxy mode, and you are a little bit limited.
hello sir how are you?
sir i want to install TMG in a organization .
my first question sir how many servers are required for that.
my second question is that what things i need to block the HTTP and HTTPS traffics please sir help me out
Hi,
It all depends on how many TMG servers you need in your organization. If you only need one then one server is enough for that. To block HTTP and HTTPS traffic all you need to do is create a Web Traffic rule and configure the clients you want to block.
Hello,
Thanks for the Great post !
I am planing to install TMG on windows server to control Internet uses for users.
I am looking for guideline.
what i have on single serve:
windows server 2008r2.
single network adapter connected to router for internet
soft-ether VPN server
i have 5 users who connect simultaneously through soft-ether VPN and login to server via remote desktop
(I have single server, don’t have any other PC on local network)
what i need:
Need configuration setting where i can control internet uses for RDP users.
Hi Shashi,
Follow this guide and you should be all set. Let me know how it goes.
Hi,
Yesterday i have install the TMG server in my office.
This guide is so helpful for me.
Once again thanks a lot.
You’re welcome. I’m glad it helped you out.